mari0theminer / symfony_5_saml
OneLogin SAML Bundle for Symfony2
The official repository of this package appears to no longer exist, so the package has been frozen.
dev-master
2020-05-20 11:11 UTC
Requires
- onelogin/php-saml: ^3.0
- symfony/framework-bundle: ~2.3|~3.0|^4.0|^5.0
- symfony/security-bundle: ~2.3|~3.0|^4.0|^5.0
Requires (Dev)
- doctrine/orm: ~2.3
- phpunit/phpunit: ~5.7
- satooshi/php-coveralls: ~1.0
- symfony/phpunit-bridge: ~2.7|~3.0|^4.0|^5.0
This package is auto-updated.
Last update: 2024-02-20 19:09:09 UTC
README
Install with composer

    "require": {
        "mari0theminer/symfony_5_saml": "dev-master"
    }

Run composer update

    composer update mari0theminer/symfony_5_saml

Enable the bundle in app/AppKernel.php

    $bundles = array(
        // ...
        new Hslavich\OneloginSamlBundle\HslavichOneloginSamlBundle(),
    );
Configuration
Configure the SAML metadata in app/config/config.yml. See https://github.com/onelogin/php-saml#settings for more information.

    hslavich_onelogin_saml:
        # Basic settings
        idp:
            entityId: 'http://id.example.com/saml2/idp/metadata.php'
            singleSignOnService:
                url: 'http://id.example.com/saml2/idp/SSOService.php'
                binding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'
            singleLogoutService:
                url: 'http://id.example.com/saml2/idp/SingleLogoutService.php'
                binding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'
            x509cert: ''
        sp:
            entityId: 'http://myapp.com/app_dev.php/saml/metadata'
            assertionConsumerService:
                url: 'http://myapp.com/app_dev.php/saml/acs'
                binding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'
            singleLogoutService:
                url: 'http://myapp.com/app_dev.php/saml/logout'
                binding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'
            privateKey: ''
        # Optional settings
        baseurl: 'http://myapp.com'
        strict: true
        debug: true
        security:
            nameIdEncrypted: false
            authnRequestsSigned: false
            logoutRequestSigned: false
            logoutResponseSigned: false
            wantMessagesSigned: false
            wantAssertionsSigned: false
            wantNameIdEncrypted: false
            requestedAuthnContext: true
            signMetadata: false
            wantXMLValidation: true
            signatureAlgorithm: 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'
            digestAlgorithm: 'http://www.w3.org/2001/04/xmlenc#sha256'
        contactPerson:
            technical:
                givenName: 'Tech User'
                emailAddress: 'techuser@example.com'
            support:
                givenName: 'Support User'
                emailAddress: 'supportuser@example.com'
        organization:
            en:
                name: 'Example'
                displayname: 'Example'
                url: 'http://example.com'

If you do not want to set contactPerson or organization, leave those parameters out rather than leaving them empty.
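The configuration above is a development template: the IdP certificate and the SP private key are empty, every signing requirement under security is off, the endpoints are plain http and debug is on. The block below is an added example, not part of the bundle's README, that repeats the same keys with values suitable for a production SP. The certificate and key contents, the %env(...)% variable names and the https hostnames are placeholders; the sp.x509cert key is assumed to be accepted by the bundle next to privateKey (it is the SP certificate that onelogin/php-saml pairs with the private key).

```yaml
# Added example: hardened counterpart of the sample config.yml settings.
# Each comment names the value the sample uses and why it is changed.
hslavich_onelogin_saml:
    idp:
        entityId: 'https://id.example.com/saml2/idp/metadata.php'
        singleSignOnService:
            url: 'https://id.example.com/saml2/idp/SSOService.php'
            binding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'
        singleLogoutService:
            url: 'https://id.example.com/saml2/idp/SingleLogoutService.php'
            binding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'
        # sample: ''  -> with no IdP certificate the SP has nothing to verify
        # assertion signatures against; pin the IdP signing certificate here.
        x509cert: 'PLACEHOLDER-IDP-SIGNING-CERTIFICATE-PEM-BODY'
    sp:
        entityId: 'https://myapp.com/saml/metadata'
        assertionConsumerService:
            url: 'https://myapp.com/saml/acs'
            binding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'
        singleLogoutService:
            url: 'https://myapp.com/saml/logout'
            binding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'
        # sample: ''  -> required once the SP signs its own requests (below);
        # keep the key out of the repository and read it from the environment.
        privateKey: '%env(SAML_SP_PRIVATE_KEY)%'
        x509cert: '%env(SAML_SP_CERTIFICATE)%'   # assumed key, see lead-in
    baseurl: 'https://myapp.com'
    # sample: true -> keep; strict mode rejects unsigned or malformed messages
    strict: true
    # sample: true -> debug output exposes validation details in error pages
    debug: false
    security:
        # sample: false/false -> require a valid signature on both the SAML
        # response and the assertion it carries, not just on one of them.
        wantMessagesSigned: true
        wantAssertionsSigned: true
        # sample: all false -> sign what the SP sends so the IdP can verify it
        authnRequestsSigned: true
        logoutRequestSigned: true
        logoutResponseSigned: true
        signMetadata: true
        # encryption of the NameID stays optional; enable only if the IdP does
        nameIdEncrypted: false
        wantNameIdEncrypted: false
        requestedAuthnContext: true
        wantXMLValidation: true
        signatureAlgorithm: 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'
        digestAlgorithm: 'http://www.w3.org/2001/04/xmlenc#sha256'
```

After changing the signing settings, regenerate the SP metadata from the /saml/metadata route and re-import it at the IdP, since the IdP now has to sign assertions and verify the SP's signed requests; a mismatch shows up as signature validation failures on the ACS endpoint.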
Configure the firewall and the user provider in app/config/security.yml

    security:
        # ...
        providers:
            saml_provider:
                # Basic provider instantiates a user with default roles
                saml:
                    user_class: 'AppBundle\Entity\User'
                    default_roles: ['ROLE_USER']
        firewalls:
            app:
                pattern: ^/
                anonymous: true
                saml:
                    # Match SAML attribute 'uid' with username.
                    # Uses getNameId() method by default.
                    username_attribute: uid
                    # Use the attribute's friendlyName instead of the name
                    use_attribute_friendly_name: true
                    check_path: /saml/acs
                    login_path: /saml/login
                logout:
                    path: /saml/logout
        access_control:
            - { path: ^/saml/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
            - { path: ^/saml/metadata, roles: IS_AUTHENTICATED_ANONYMOUSLY }
            - { path: ^/, roles: ROLE_USER }

Edit your app/config/routing

    hslavich_saml_sp:
        resource: "@HslavichOneloginSamlBundle/Resources/config/routing.yml"
Inject SAML attributes into the user object (optional)
Your user class must implement SamlUserInterface

    <?php

    namespace AppBundle\Entity;

    use Hslavich\OneloginSamlBundle\Security\User\SamlUserInterface;

    class User implements SamlUserInterface
    {
        protected $username;
        protected $email;

        // ...

        // Called by the bundle after a successful login with the attributes of
        // the SAML assertion; every attribute is an array of values.
        public function setSamlAttributes(array $attributes)
        {
            if (isset($attributes['mail'][0])) {
                $this->email = $attributes['mail'][0];
            }
        }

        public function getEmail()
        {
            return $this->email;
        }
    }

Then you can read the attributes from the user object

    $email = $this->getUser()->getEmail();
Integration with a classic login form
You can integrate SAML authentication with a traditional login form by editing your security.yml

    security:
        providers:
            user_provider:
                # Loads user from user repository
                entity:
                    class: AppBundle:User
                    property: username
        firewalls:
            default:
                anonymous: ~
                saml:
                    username_attribute: uid
                    check_path: /saml/acs
                    login_path: /saml/login
                    failure_path: /login
                    always_use_default_target_path: true
                # Traditional login form
                form_login:
                    login_path: /login
                    check_path: /login_check
                    always_use_default_target_path: true
                logout:
                    path: /saml/logout

Then you can add a link to the saml_login route on your login page to start the SAML login.

    <a href="{{ path('saml_login') }}">SAML Login</a>
Just-in-time user provisioning (optional)
When the user provider cannot find the user, you can configure a user factory that creates a new user and maps it from the SAML attributes.
Edit the firewall settings in security.yml

    firewalls:
        default:
            anonymous: ~
            saml:
                username_attribute: uid
                # User factory service
                user_factory: my_user_factory
                # Persist new user. Doctrine is required.
                persist_user: true
            logout:
                path: /saml/logout

Create the user factory service by editing services.yml

    services:
        my_user_factory:
            class: Hslavich\OneloginSamlBundle\Security\User\SamlUserFactory
            arguments:
                # User class
                - AppBundle\Entity\User
                # Attribute mapping.
                - password: 'notused'
                  email: $mail
                  name: $cn
                  lastname: $sn
                  roles: ['ROLE_USER']

Fields referenced with '$' are SAML attribute values.
Alternatively, you can create your own User Factory implementing SamlUserFactoryInterface

    <?php

    namespace AppBundle\Security;

    use AppBundle\Entity\User;
    use Hslavich\OneloginSamlBundle\Security\Authentication\Token\SamlTokenInterface;
    use Hslavich\OneloginSamlBundle\Security\User\SamlUserFactoryInterface;
    use Symfony\Component\Security\Core\Exception\AuthenticationException;

    class UserFactory implements SamlUserFactoryInterface
    {
        public function createUser(SamlTokenInterface $token)
        {
            $attributes = $token->getAttributes();

            // Every SAML attribute is an array of values. Refuse to provision
            // (and, with persist_user, store) a user from an assertion that
            // lacks the attributes the application relies on.
            foreach (array('mail', 'cn') as $required) {
                if (empty($attributes[$required][0])) {
                    throw new AuthenticationException(sprintf('SAML attribute "%s" is missing', $required));
                }
            }

            $user = new User();
            $user->setRoles(array('ROLE_USER'));
            $user->setUsername($token->getUsername());
            $user->setPassword('notused');
            $user->setEmail($attributes['mail'][0]);
            $user->setName($attributes['cn'][0]);

            return $user;
        }
    }

    services:
        my_user_factory:
            class: AppBundle\Security\UserFactory