mauthi
commented
3 years ago +1
Closed robbykrlos closed 3 years ago
mauthi
commented
3 years ago +1
robbykrlos
commented
3 years ago OK, so if this is not needed here's how I did / will do (still in progress) this:
used https://github.com/aacotroneo/laravel-saml2 (which is using https://github.com/onelogin/php-saml)
followed the instructions, published vendor, configured settings
{routesPrefix}/{idpName}/login calls the {IdPName}Saml2Controller configured as custom controller in config/saml2_settings.php 'saml2_controller' => 'App\Http\Controllers\Auth{IdPName}Saml2Controller', which calls $saml2Auth->login(); that redirects to WAC based on parameters:
.env configuration used:
SAML2_XXX_SP_ENTITYID=xxx-dev
SAML2_XXX_IDP_HOST=https://myidp.com
SAML2_XXX_IDP_ENTITYID=myidp.com
SAML2_XXX_IDP_SSO_URL=https://myidp.com/SingleSignOnService
SAML2_XXX_IDP_x509=myidp.com.crtchanged @enso-ui/auth/src/bulma/pages/auth/components/AuthForm.vue in order to inject new "SSO Login" button that redirects to {routesPrefix}/{idpName}/login ( local endpoint generated by aacotroneo/laravel-saml2 )
changed @enso-ui/auth/src/bulma/routes/auth.js and added a new route that will handle my IdP response:
name: 'loginsso',
path: '/loginsso/:token',
component: Login,
meta: {
guestGuard: true,
title: 'LoginSSO',
},
This will be the endpoint that will handle responses from IdP. This route has the same Login component the normal login has.changed @enso-ui/ui/src/modules/store.js in order to allow ui to load loginsso route.
if (!['login', 'password.email', 'password.reset'].includes(state.route.name)) {
if (!['login', 'loginsso', 'password.email', 'password.reset'].includes(state.route.name)) {
implemented the Event listener for "Saml2LoginEvent" so that the returned IdP data is handled. Inside this listener, a unique encryption key is generated once every login, and stored inside DB table for the user trying to login (the user coming as $user->id from IdP). With this token user information in serialized, encrypted and base64encoded (and some additional measures in order to keep things complicated and unable to brute-force, or reuse tokens). At the end of the listener, a redirect is made to /loginsso/user_id:encrypted_data
app/Providers/EventServiceProvider.php:
protected $listen = [
'Aacotroneo\Saml2\Events\Saml2LoginEvent' => [
'App\Listeners\Saml2LoginListener',
],
];class OverrideEnsoLoginController extends EnsoLoginController is used to handle loggableUser where in case sso token is set, the u/p check will be skipped, token is checked, decrypted with DB token for current user(which is destroy after use), unseriallized, and verified and if user details matches with local user and it's authorized to login, normal user login flow is continued. If not, throw ValidationExceptions.
(the only part altered is the yellow part, where "wac" is my {IdPName})
Code flow:
{routesPrefix}/{idpName}/login - which redirects to IdP and login is requested there.{routesPrefix}/{idpName}/acs which raises an event Aacotroneo\Saml2\Events\Saml2LoginEvent.
This is a feature request.
We are starting implementing a new login option using simpleSAMLphp for SSO (Single Sign On). We were wondering if you consider this in the future, or you have already support for such login option.
If you are interested, I can change my implementation so it goes in the same direction with your vision, so later we will PR for everyone.
Just an idea...