CODEWITHSUNDEEP
phpsingle-sign-onsamlsimplesamlphp
Andrei
Andrei

Reputation: 11

IdP initiated SSO with SimplesamlPHP

I am having trouble implementing an IdP initiated login with SimplesamlPHP. Understanding what I have to do from the documentation is not the easiest thing.

I am redirecting the user to the IdP server and after logging in, the server sends the SP an XML file which includes the email user's address, ID and other data. This looks like a successful login but at this point I don't know what to do with that XML. Should i parse it myself or use simplesaml for that? How do i validate the signature?

Here is the XML I am receiving:

<samlp:Response Destination="http://example.com/auth/acs" ID="HK1goP6OuzQs2Xrd-CN9gAkRt0Z" IssueInstant="2016-05-25T13:52:32.075Z" Version="2.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">Stage-az:sp:MediEventsregapp</saml:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
        <ds:Reference URI="#HK1goP6OuzQs2Xrd-CN9gAkRt0Z">
            <ds:Transforms>
                <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
            <ds:DigestValue>anIASGQuZD+Z7oBVc/VJ9TuTDCcddHOkUHJuo4KGE4o=</ds:DigestValue>
        </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>Pw5N1U+IxXAkCARDLFHkSyinhCqy5jJ8ljkJRfVSCzWl9z/gZb87aSGs+1XH+yJJs9wOKlSisnaNBHDOPocoweqXMCePskQp0d46GX8FKLKrFPwNeyta/MnC+y2ujT/mRbd8znTkXt9ZKS2WNZbQuAgRP+4mIh+C4R0J7xjzBgPhJR+IpaAeSlFuI3oS2ggh5+fe68BQtreEAcwc4ehbt93SQA5ryXgVAWRX4COeuETj/4t5dVhk1f34JdUSO0n13U6xRheAyGJJ7njRMntNQCAGkcB6F7GEK0bEnLFTfImYhJOascURyjWUnCqyZbWt5SBKUNdWL1P90W2b17eqmg==</ds:SignatureValue>
</ds:Signature>
<samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</samlp:Status>
<saml:Assertion ID="VFBGJiVRjw.GE4s8KVI2G0oyIOv" IssueInstant="2016-05-25T13:52:32.106Z" Version="2.0" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml:Issuer>Stage-az:sp:MediEventsregapp</saml:Issuer>
    <saml:Subject>
        <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">[email protected]</saml:NameID>
        <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
            <saml:SubjectConfirmationData NotOnOrAfter="2016-05-25T13:57:32.106Z" Recipient="http://example.com/auth/acs"/>
        </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2016-05-25T13:47:32.106Z" NotOnOrAfter="2016-05-25T13:57:32.106Z">
        <saml:AudienceRestriction>
            <saml:Audience>Stage-az:sp:MediEventsregapp</saml:Audience>
        </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2016-05-25T13:52:32.106Z" SessionIndex="VFBGJiVRjw.GE4s8KVI2G0oyIOv">
        <saml:AuthnContext>
            <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
        </saml:AuthnContext>
    </saml:AuthnStatement>
    <saml:AttributeStatement>
        <saml:Attribute Name="PRID" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
            <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">kyjh364</saml:AttributeValue>
        </saml:Attribute>
    </saml:AttributeStatement>
</saml:Assertion>

Upvotes: 1

Views: 2355

Answers (1)

smartin
smartin

Reputation: 3047

simpleSAMLphp gives you the functions that you need in order to validate and process the SAMLResponse.

The IdP should be sending the SAMLResponse to the Service Provider's Assertion Consumer URL where the state is saved. All you need to do is to create a php file and use the following methods: https://simplesamlphp.org/docs/stable/simplesamlphp-sp-api

Upvotes: 0

Related Questions