Merge pull request #187 from darynmitchell/merge-multi-idp-back-into-…

…aactroneo

Merge multi-idp fork (nirajp) into laravel-saml2

.travis.yml

@@ -9,6 +9,6 @@ php:
 
 before_script:
   - travis_retry composer self-update
-  - travis_retry composer install --prefer-source --no-interaction --dev
+  - travis_retry composer install --prefer-source --no-interaction
 
-script: phpunit
+script: vendor/bin/phpunit

README.md

@@ -14,86 +14,141 @@ You can install the package via composer:
 ```
 composer require aacotroneo/laravel-saml2
 ```
+Or manually add this to your composer.json:
+
+```json
+"aacotroneo/laravel-saml2": "*"
+```
 
 If you are using Laravel 5.5 and up, the service provider will automatically get registered.
 
-For older versions of Laravel (<5.5), you have to add the service provider and alias to config/app.php:
+For older versions of Laravel (<5.5), you have to add the service provider to config/app.php:
 
 ```php
 'providers' => [
         ...
     	Aacotroneo\Saml2\Saml2ServiceProvider::class,
 ]
-
-'alias' => [
-        ...
-        'Saml2' => Aacotroneo\Saml2\Facades\Saml2Auth::class,
-]
 ```
 
-Then publish the config file with `php artisan vendor:publish --provider="Aacotroneo\Saml2\Saml2ServiceProvider"`. This will add the file `app/config/saml2_settings.php`. This config is handled almost directly by  [OneLogin](https://github.com/onelogin/php-saml) so you may get further references there, but will cover here what's really necessary. There are some other config about routes you may want to check, they are pretty straightforward.
+Then publish the config files with `php artisan vendor:publish --provider="Aacotroneo\Saml2\Saml2ServiceProvider"`. This will add the files `app/config/saml2_settings.php` & `app/config/saml2/test_idp_settings.php`, which you will need to customize.
+
+The test_idp_settings.php config is handled almost directly by  [OneLogin](https://github.com/onelogin/php-saml) so you should refer to that for full details, but we'll cover here what's really necessary. There are some other config about routes you may want to check, they are pretty strightforward.
 
 ### Configuration
 
-Once you publish your saml2_settings.php to your own files, you need to configure your sp and IDP (remote server). The only real difference between this config and the one that OneLogin uses, is that the SP entityId, assertionConsumerService url and singleLogoutService URL are injected by the library. They are taken from routes 'saml_metadata', 'saml_acs' and 'saml_sls' respectively.
+#### Define the IDPs
+Define names of all the IDPs you want to configure in saml2_settings.php. Optionally keep 'test' as the first IDP if you want to use the simplesamlphp demo, and add real IDPs after that. The name of the IDP will show up in the URL used by the Saml2 routes this library makes, as well as internally in the filename for each IDP's config.
+
+```php
+    'idpNames' => ['test', 'myidp1', 'myidp2'],
+```
+
+#### Configure laravel-saml2 to know about each IDP
+
+You will need to create a separate configuration file for each IDP under `app/config/saml2/` folder. e.g. `myidp1_idp_settings.php`. You can use `test_idp_settings.php` as the starting point; just copy it and rename it.
+
+Configuration options are note explained in this project as they come from the [OneLogin project](https://github.com/onelogin/php-saml), please refer there for details.
+
+The only real difference between this config and the one that OneLogin uses, is that the SP entityId, assertionConsumerService url and singleLogoutService URL are injected by the library. If you don't specify those URLs in the corresponding IDP config optional values, this library provides defaults values: the metadata, acs, and sls routes that this library creates for each IDP. If specify different values in the config, note that the acs and sls URLs should correspond to actual routes that you set up that are directed to the corresponding Saml2Controller function.
+
+If you want to optionally define values in ENV vars instead of the \*\_idp_settings file, you'll see in there that there is a naming pattern you can follow for ENV values. For example, if in myipd1_idp_settings.php you set `$this_idp_env_id = 'MYIDP1';`, and in myidp2_idp_settings.php you set it to `'SECONDIDP'`, then you can set ENV vars starting with `SAML2_MYDP1_` and `SAML2_SECONDIDP_`, e.g.
+```env
+SAML2_MYIDP1_SP_x509="..."
+SAML2_MYIDP1_SP_PRIVATEKEY="..."
+// Other  SAML2_MYIDP1_* values
+
+SAML2_SECONDIDP_SP_x509="..."
+SAML2_SECONDIDP_SP_PRIVATEKEY="..."
+// Other SAML2_SECONDIDP_* values
+```
+
+#### URLs To Pass to The IDP configuration
+As mentioned above, you don't need to implement the SP entityId, assertionConsumerService url and singleLogoutService routes, because Saml2Controller already does by default. But you need to know these routes, to provide them to the configuration of your actual IDP, i.e. the 3rd party you are asking to authenticate users.
+
+You can check the actual routes in the metadata, by navigating to 'http(s)://laravel_url/myidp1/metadata', which incidentally will be the default entityId for this SP.
+
+If you configure the optional `routesPrefix` setting in saml2_settings.php, then all idp routes will be prefixed by that value, so you'll need to adjust the metadata url accordingly. For example, if you configure routesPrefix to be `'single_sign_on'`, then your IDP metadata for myidp1 will be found at http://laravel_url/single_sign_on/myidp1/metadata.
 
-Remember that you don't need to implement those routes, but you'll need to add them to your IDP configuration. For example, if you use simplesamlphp, add the following to /metadata/sp-remote.php
+#### Example: simplesamlphp IDP configuration
+If you use simplesamlphp as a test IDP, and your SP metadata url is `http://laravel_url/myidp1/metadata`, add the following to /metadata/sp-remote.php to inform the IDP of your laravel-saml2 SP identity:
 
 ```php
-$metadata['http://laravel_url/saml2/metadata'] = array(
-    'AssertionConsumerService' => 'http://laravel_url/saml2/acs',
-    'SingleLogoutService' => 'http://laravel_url/saml2/sls',
+$metadata['http://laravel_url/myidp1/metadata'] = array(
+    'AssertionConsumerService' => 'http://laravel_url/myidp1/acs',
+    'SingleLogoutService' => 'http://laravel_url/myidp1/sls',
     //the following two affect what the $Saml2user->getUserId() will return
     'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
     'simplesaml.nameidattribute' => 'uid' 
 );
 ```
-You can check that metadata if you actually navigate to 'http://laravel_url/saml2/metadata'
 
 
 ### Usage
 
-When you want your user to login, just call `Saml2Auth::login()` or redirect to route 'saml2_login'. Just remember that it does not use any session storage, so if you ask it to login it will redirect to the IDP whether the user is logged in or not. For example, you can change your authentication middleware.
+When you want your user to login, just redirect to the login route configured for the particular IDP, `route('saml2_login', 'myIdp1')`. You can also instantiate a `Saml2Auth` for the desired IDP using the `Saml2Auth::loadOneLoginAuthFromIpdConfig('myIdp1')` function to load the config and construct the OneLogin auth argment; just remember that it does not use any session storage, so if you ask it to login it will redirect to the IDP whether the user is already logged in or not. For example, you can change your authentication middleware.
 ```php
-	public function handle($request, Closure $next)
-	{
-		if ($this->auth->guest())
-		{
-			if ($request->ajax())
-			{
-				return response('Unauthorized.', 401);
-			}
-			else
-			{
-        			 return Saml2::login(URL::full());
-                		 //return redirect()->guest('auth/login');
-			}
-		}
-
-		return $next($request);
-	}
+public function handle($request, Closure $next)
+{
+    if ($this->auth->guest())
+    {
+        if ($request->ajax())
+        {
+            return response('Unauthorized.', 401); // Or, return a response that causes client side js to redirect to '/routesPrefix/myIdp1/login'
+        }
+        else
+        {
+            $saml2Auth = new Saml2Auth(Saml2Auth::loadOneLoginAuthFromIpdConfig('myIdp1'));
+            return $saml2Auth->login(URL::full());
+        }
+    }
+
+    return $next($request);
+}
 ```
 
 Since Laravel 5.3, you can change your unauthenticated method in ```app/Exceptions/Handler.php```.
 ```php
 protected function unauthenticated($request, AuthenticationException $exception)
 {
-	if ($request->expectsJson())
-        {
-            return response()->json(['error' => 'Unauthenticated.'], 401);
-        }
+    if ($request->expectsJson())
+    {
+        return response()->json(['error' => 'Unauthenticated.'], 401); // Or, return a response that causes client side js to redirect to '/routesPrefix/myIdp1/login'
+    }
 
-        return Saml2Auth::login();
+    $saml2Auth = new Saml2Auth(Saml2Auth::loadOneLoginAuthFromIpdConfig('myIdp1'));
+    return $saml2Auth->login('/my/redirect/path');
 }
 ```
 
-The Saml2::login will redirect the user to the IDP and will came back to an endpoint the library serves at /saml2/acs. That will process the response and fire an event when ready. The next step for you is to handle that event. You just need to login the user or refuse.
+For login requests that come through redirects to the login route, 'routesPrefix/myidp1/login', the default login call does not pass a redirect URL to the Saml login request. That login argument is useful because the ACS handler can gets that value (passed back from the IDP as RelayPath) and by default will redirect there. To pass the redirect URL from the controller login, extend the Saml2Controller class and implement your own `login()` function. Set the saml2_settings value `saml2_controller` to be your extended class so that the routes will direct requests to your controller instead of the default.  
+E.g.  
+**saml_settings.php**
+```
+    'saml2_controller' => 'App\Http\Controllers\MyNamespace\MySaml2Controller'
+```
+**MySaml2Controller.php**
+```php
+use Aacotroneo\Saml2\Http\Controllers\Saml2Controller;
+
+class MySaml2Controller extends Saml2Controller
+{
+    public function login()
+    {
+        $loginRedirect = '...'; // Determine redirect URL
+        $this->saml2Auth->login($loginRedirect);
+    }
+}
+```
+
+After login is called, the user will be redirected to the IDP login page. Then the IDP, which you have configured with an endpoint the library serves, will call back, e.g. `/myidp1/acs` or `/routesPrefix/myidp1/acs`. That will process the response and fire an event when ready. The next step for you is to handle that event. You just need to login the user or refuse.
 
 ```php
 
  Event::listen('Aacotroneo\Saml2\Events\Saml2LoginEvent', function (Saml2LoginEvent $event) {
             $messageId = $event->getSaml2Auth()->getLastMessageId();
-            // your own code preventing reuse of a $messageId to stop replay attacks
+            // Add your own code preventing reuse of a $messageId to stop replay attacks
+
             $user = $event->getSaml2User();
             $userData = [
                 'id' => $user->getUserId(),
@@ -108,7 +163,7 @@ The Saml2::login will redirect the user to the IDP and will came back to an endp
 ```
 ### Auth persistence
 
-Becarefull about necessary Laravel middleware for Auth persistence in Session.
+Be careful about necessary Laravel middleware for Auth persistence in Session.
 
 For exemple, it can be:
 
@@ -141,9 +196,9 @@ And in `config/saml2_settings.php` :
 ### Log out
 Now there are two ways the user can log out.
  + 1 - By logging out in your app: In this case you 'should' notify the IDP first so it closes global session.
- + 2 - By logging out of the global SSO Session. In this case the IDP will notify you on /saml2/slo endpoint (already provided)
+ + 2 - By logging out of the global SSO Session. In this case the IDP will notify you on /myidp1/slo endpoint (already provided), if the IDP supports SLO
 
-For case 1 call `Saml2Auth::logout();` or redirect the user to the route 'saml_logout' which does just that. Do not close the session inmediately as you need to receive a response confirmation from the IDP (redirection). That response will be handled by the library at /saml2/sls and will fire an event for you to complete the operation.
+For case 1 call `Saml2Auth::logout();` or redirect the user to the logout route, e.g. 'myidp1_logout' which does just that. Do not close the session immediately as you need to receive a response confirmation from the IDP (redirection). That response will be handled by the library at /myidp1/sls and will fire an event for you to complete the operation.
 
 For case 2 you will only receive the event. Both cases 1 and 2 receive the same event. 
 

composer.json

@@ -1,14 +1,18 @@
 {
     "name": "aacotroneo/laravel-saml2",
-    "description": "A Laravel package for Saml2 integration as a SP (service provider) based on OneLogin toolkit, which is much lightweight than simplesamlphp",
+    "description": "A Laravel package for Saml2 integration as a SP (service provider) for multiple IdPs, based on OneLogin toolkit which is much more lightweight than simplesamlphp.",
     "keywords": ["laravel","saml", "saml2", "onelogin"],
     "homepage": "https://github.com/aacotroneo/laravel-saml2",
     "license": "MIT",
-    "version": "1.0.0",
+    "version": "2.0.0",
     "authors": [
         {
             "name": "aacotroneo",
             "email": "[email protected]"
+        },
+        {
+            "name": "Niraj Patkar",
+            "email": "[email protected]"
         }
     ],
     "require": {
@@ -18,7 +22,8 @@
         "onelogin/php-saml": "^3.0.0"
     },
     "require-dev": {
-        "mockery/mockery": "0.9.*"
+        "mockery/mockery": "0.9.*",
+        "phpunit/phpunit": "~4.0"
     },
     "autoload": {
         "psr-0": {
@@ -29,10 +34,7 @@
         "laravel": {
             "providers": [
                 "Aacotroneo\\Saml2\\Saml2ServiceProvider"
-            ],
-            "aliases": {
-                "Saml2": "Aacotroneo\\Saml2\\Facades\\Saml2Auth"
-            }
+            ]
         }
     },
     "minimum-stability": "stable"

src/Aacotroneo/Saml2/Events/Saml2Event.php

@@ -0,0 +1,19 @@
+<?php
+
+namespace Aacotroneo\Saml2\Events;
+
+class Saml2Event {
+
+    protected $idp;
+
+    function __construct($idp)
+    {
+        $this->idp = $idp;
+    }
+
+    public function getSaml2Idp()
+    {
+        return $this->idp;
+    }
+
+}

src/Aacotroneo/Saml2/Events/Saml2LoginEvent.php

@@ -5,13 +5,14 @@
 use Aacotroneo\Saml2\Saml2User;
 use Aacotroneo\Saml2\Saml2Auth;
 
-class Saml2LoginEvent {
+class Saml2LoginEvent extends Saml2Event {
 
     protected $user;
     protected $auth;
 
-    function __construct(Saml2User $user, Saml2Auth $auth)
+    function __construct($idp, Saml2User $user, Saml2Auth $auth)
     {
+        parent::__construct($idp);
         $this->user = $user;
         $this->auth = $auth;
     }
@@ -25,5 +26,4 @@ public function getSaml2Auth()
     {
         return $this->auth;
     }
-
 }

src/Aacotroneo/Saml2/Events/Saml2LogoutEvent.php

@@ -2,9 +2,11 @@
 
 namespace Aacotroneo\Saml2\Events;
 
-class Saml2LogoutEvent {
-
-
+class Saml2LogoutEvent extends Saml2Event {
 
+    function __construct($idp)
+    {
+        parent::__construct($idp);
+    }
 
 }

src/Aacotroneo/Saml2/Http/Controllers/Saml2Controller.php

@@ -6,21 +6,28 @@
 use Aacotroneo\Saml2\Saml2Auth;
 use Illuminate\Routing\Controller;
 use Illuminate\Http\Request;
-
+use OneLogin\Saml2\Auth as OneLogin_Saml2_Auth;
+use URL;
 
 class Saml2Controller extends Controller
 {
 
     protected $saml2Auth;
 
+    protected $idp;
+
     /**
-     * @param Saml2Auth $saml2Auth injected.
      */
-    function __construct(Saml2Auth $saml2Auth)
-    {
-        $this->saml2Auth = $saml2Auth;
-    }
+    function __construct(){
+        $idpName = request()->route('idpName');
+        if (!in_array($idpName, config('saml2_settings.idpNames'))) {
+            abort(404);
+        }
 
+        $this->idp = $idpName;
+        $auth = Saml2Auth::loadOneLoginAuthFromIpdConfig($this->idp);
+        $this->saml2Auth = new Saml2Auth($auth);
+    }
 
     /**
      * Generate local sp metadata
@@ -52,7 +59,7 @@ public function acs()
         }
         $user = $this->saml2Auth->getSaml2User();
 
-        event(new Saml2LoginEvent($user, $this->saml2Auth));
+        event(new Saml2LoginEvent($this->idp, $user, $this->saml2Auth));
 
         $redirectUrl = $user->getIntendedUrl();
 
@@ -71,8 +78,10 @@ public function acs()
      */
     public function sls()
     {
-        $error = $this->saml2Auth->sls(config('saml2_settings.retrieveParametersFromServer'));
-        if (!empty($error)) {
+        $errors = $this->saml2Auth->sls($this->idp, config('saml2_settings.retrieveParametersFromServer'));
+        if (!empty($errors)) {
+            logger()->error('Saml2 error', $errors);
+            session()->flash('saml2_error', $errors);
             throw new \Exception("Could not log out");
         }
 
@@ -99,5 +108,4 @@ public function login()
     {
         $this->saml2Auth->login(config('saml2_settings.loginRoute'));
     }
-
 }