提供hslavich / oneloginsaml-bundle
Symfony 的 OneLogin SAML Bundle
Requires
- onelogin/php-saml: ^3.0
- symfony/dependency-injection: ^5.4
- symfony/deprecation-contracts: ^2.1 | ^3
- symfony/event-dispatcher-contracts: ^2.4
- symfony/framework-bundle: ^5.4
- symfony/security-bundle: ^5.4
Requires (Dev)
- dms/phpunit-arraysubset-asserts: ^0.2.0
- doctrine/orm: ~2.3
- php-coveralls/php-coveralls: ^2.2
- phpunit/phpunit: ^9.0
- symfony/event-dispatcher: ^5.4
- symfony/phpunit-bridge: ^5.4
- 2.x-dev
- v2.10.0
- v2.9.0
- v2.8.0
- v2.7.0
- v2.6.1
- v2.6.0
- v2.5.0
- v2.4.2
- v2.4.1
- v2.4.0
- v2.3.3
- v2.3.2
- v2.3.1
- v2.3.0
- v2.2.2
- v2.2.1
- v2.2.0
- v2.1.4
- v2.1.3
- v2.1.2
- v2.1.1
- v2.1.0
- v2.0.0
- 1.x-dev
- v1.8.2
- v1.8.1
- v1.8.0
- v1.7.0
- v1.6.4
- v1.6.3
- v1.6.2
- v1.6.1
- v1.6.0
- v1.5.4
- v1.5.3
- v1.5.2
- v1.5.1
- v1.5.0
- v1.4.1
- v1.4.0
- v1.3.1
- v1.3.0
- v1.2.0
- v1.1.0
- v1.0.0
- v0.0.1
- dev-multipleidps
This package is auto-updated.
Last update: 2024-09-23 21:13:40 UTC
README
Symfony 的 OneLogin SAML Bundle. (https://github.com/onelogin/php-saml)
此包支持 Symfony 5 及更早版本。
对于更新的 Symfony 版本,您可以使用 nbgrp/onelogin-saml-bundle。
安装
使用 composer 安装
composer require hslavich/oneloginsaml-bundle
在 config/bundles.php 中启用此包(如果您不使用 Symfony Flex)
return [ // ... Hslavich\OneloginSamlBundle\HslavichOneloginSamlBundle::class => ['all' => true], ]
配置
在 config/packages/hslavich_onelogin_saml.yaml 中配置 SAML 元数据。更多信息请参阅 https://github.com/onelogin/php-saml#settings。
hslavich_onelogin_saml: # Basic settings idp: entityId: 'http://id.example.com/saml2/idp/metadata.php' singleSignOnService: url: 'http://id.example.com/saml2/idp/SSOService.php' binding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect' singleLogoutService: url: 'http://id.example.com/saml2/idp/SingleLogoutService.php' binding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect' x509cert: '' sp: entityId: 'http://myapp.com/app_dev.php/saml/metadata' assertionConsumerService: url: 'http://myapp.com/app_dev.php/saml/acs' binding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST' singleLogoutService: url: 'http://myapp.com/app_dev.php/saml/logout' binding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect' privateKey: '' # Optional settings baseurl: 'http://myapp.com' strict: true debug: true security: nameIdEncrypted: false authnRequestsSigned: false logoutRequestSigned: false logoutResponseSigned: false wantMessagesSigned: false wantAssertionsSigned: false wantNameIdEncrypted: false requestedAuthnContext: true signMetadata: false wantXMLValidation: true relaxDestinationValidation: false destinationStrictlyMatches: true rejectUnsolicitedResponsesWithInResponseTo: false signatureAlgorithm: 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256' digestAlgorithm: 'http://www.w3.org/2001/04/xmlenc#sha256' contactPerson: technical: givenName: 'Tech User' emailAddress: 'techuser@example.com' support: givenName: 'Support User' emailAddress: 'supportuser@example.com' administrative: givenName: 'Administrative User' emailAddress: 'administrativeuser@example.com' organization: en: name: 'Example' displayname: 'Example' url: 'http://example.com'
如果您不想设置 contactPerson 或 organization,不要添加这些参数,而是保留空白。
在 config/packages/security.yaml 中配置防火墙和用户提供者
security: # ... providers: saml_provider: # Basic provider instantiates a user with default roles saml: user_class: 'AppBundle\Entity\User' default_roles: ['ROLE_USER'] firewalls: app: pattern: ^/ saml: # Match SAML attribute 'uid' with username. # Uses getNameId() method by default. username_attribute: uid # Use the attribute's friendlyName instead of the name use_attribute_friendly_name: true check_path: saml_acs login_path: saml_login logout: path: saml_logout access_control: - { path: ^/saml/login, roles: PUBLIC_ACCESS } - { path: ^/saml/metadata, roles: PUBLIC_ACCESS } - { path: ^/, roles: ROLE_USER }
根据您的 Symfony 版本,编辑您的 config/routing 或 config/routes.yaml
hslavich_saml_sp: resource: "@HslavichOneloginSamlBundle/Resources/config/routing.yml"
将 SAML 属性注入到用户对象中(可选)
您的用户类必须实现 SamlUserInterface
<?php namespace App\Entity; use Hslavich\OneloginSamlBundle\Security\User\SamlUserInterface; class User implements SamlUserInterface { protected $username; protected $email; // ... public function setSamlAttributes(array $attributes) { $this->email = $attributes['mail'][0]; } }
然后您可以从用户对象中获取属性
$email = $this->getUser()->getEmail();
与经典登录表单集成
您可以通过编辑您的 security.yaml 将 SAML 身份验证与传统的登录表单集成
security: enable_authenticator_manager: true providers: user_provider: # Loads user from user repository entity: class: App:User property: username firewalls: default: saml: username_attribute: uid check_path: saml_acs login_path: saml_login failure_path: saml_login always_use_default_target_path: true # Traditional login form form_login: login_path: /login check_path: /login_check always_use_default_target_path: true logout: path: saml_logout
然后您可以在登录页面中添加到 saml_login 路由的链接,以启动 SAML 登录。
<a href="{{ path('saml_login') }}">SAML Login</a>
即时用户配置(可选)
当用户提供者找不到用户时,可以根据接收到的 SAML 属性创建新的用户。
在 security.yaml 中编辑防火墙设置
security: # ... providers: saml_provider: # Loads user from user repository entity: class: App\Entity\User property: username firewalls: default: provider: saml_provider saml: username_attribute: uid # User factory service user_factory: my_user_factory logout: path: saml_logout
为了创建用户,您必须使用抛出
UserNotFoundException的用户提供者(例如,使用上述示例中的EntityUserProvider)。SamlUserProvider不会抛出此异常,当找不到匹配的用户时,将返回空用户。
通过编辑 services.yaml 创建用户工厂服务
services: my_user_factory: class: Hslavich\OneloginSamlBundle\Security\User\SamlUserFactory arguments: # User class - App\Entity\User # Attribute mapping. - password: 'notused' email: $mail name: $cn lastname: $sn roles: ['ROLE_USER']
带有 '$' 引用的字段表示 SAML 属性值。
或者,您可以创建自己的 User Factory,该 Factory 实现 SamlUserFactoryInterface
<?php namespace App\Security; use App\Entity\User; use Hslavich\OneloginSamlBundle\Security\Authentication\Token\SamlTokenInterface; use Hslavich\OneloginSamlBundle\Security\User\SamlUserFactoryInterface; use Symfony\Component\Security\Core\User\UserInterface; class UserFactory implements SamlUserFactoryInterface { public function createUser($username, array $attributes = []): UserInterface { $user = new User(); $user->setRoles(['ROLE_USER']); $user->setUsername($username); $user->setPassword('notused'); $user->setEmail($attributes['mail'][0]); $user->setName($attributes['cn'][0]); return $user; } }
services: my_user_factory: class: App\Security\UserFactory
对于 2.1 版本之前的版本,
createUser的签名是不同的public function createUser(SamlTokenInterface $token): UserInterface { $username = $token->getUsername(); $attributes = $token->getAttributes(); ... }
在创建和 SAML 属性注入时持久化用户(可选)
需要 Symfony EventDispatcher 组件和 Doctrine ORM。
在 security.yaml 中编辑防火墙设置
security: # ... firewalls: # ... default: saml: # ... persist_user: true
要使用非默认实体管理器,请通过 hslavich_onelogin_saml.entityManagerName 配置选项指定其名称。
用户持久化是通过事件监听器 Hslavich\OneloginSamlBundle\EventListener\User\UserCreatedListener 和 Hslavich\OneloginSamlBundle\EventListener\User\UserModifiedListener 来执行的,必要时可以进行装饰以覆盖默认行为。此外,您可以为 Hslavich\OneloginSamlBundle\Event\UserCreatedEvent 和 Hslavich\OneloginSamlBundle\Event\UserModifiedEvent 事件创建自己的监听器。