Symfony 6.4 - Update SAML configuration setup

- Update controllers to point to new lib - Adjust base onelogin config - Update firewall configuration
2025-08-29 07:50:08 +08:00 · 2024-06-03 11:11:12 +01:00 · 2024-06-03 11:11:12 +01:00 · c6ab4c31e4
commit c6ab4c31e4
parent ccb15fb027
4 changed files with 44 additions and 41 deletions
--- a/config/packages/nbgrp_onelogin_saml.yaml
+++ b/config/packages/nbgrp_onelogin_saml.yaml
@ -1,27 +1,27 @@
 nbgrp_onelogin_saml:
  onelogin_settings:
    default:
-      # Basic settings
+      # Mandatory SAML settings
      idp:
-        entityId: '<idp-entity>'
+        entityId: 'https://id.example.com/saml2/idp/metadata.php'
        singleSignOnService:
-          url: '<idp-single-sign-on-url>'
+          url: 'https://id.example.com/saml2/idp/SSOService.php'
          binding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'
        singleLogoutService:
-          url: '<idp-single-logout-url>'
+          url: 'https://id.example.com/saml2/idp/SingleLogoutService.php'
          binding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'
-        certFingerprint: ''
+        x509cert: 'MIIC...'
      sp:
-        entityId: 'https://<your-instance-host>/'
+        entityId: 'https://myapp.com/saml/metadata'  #  Default: '<request_scheme_and_host>/saml/metadata'
        assertionConsumerService:
-          url: 'https://<your-instance-host>/saml/acs'
+          url: 'https://myapp.com/saml/acs'  #  Default: '<request_scheme_and_host>/saml/acs'
          binding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'
        singleLogoutService:
-          url: 'https://<your-instance-host>/saml/logout'
+          url: 'https://myapp.com/saml/logout'  #  Default: '<request_scheme_and_host>/saml/logout'
          binding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'
-        privateKey: '/var/www/html/docroot/certs/key.pem'
-      # Optional settings
-      baseurl: 'https://<your-instance-host>/saml'
+        privateKey: 'MIIE...'
+      # Optional SAML settings
+      baseurl: 'https://myapp.com/saml/'  #  Default: '<request_scheme_and_host>/saml/'
      strict: true
      debug: true
      security:
@ -29,14 +29,22 @@ nbgrp_onelogin_saml:
        authnRequestsSigned: false
        logoutRequestSigned: false
        logoutResponseSigned: false
+        signMetadata: false
        wantMessagesSigned: false
-        wantAssertionsSigned: false
+        wantAssertionsEncrypted: false
+        wantAssertionsSigned: true
+        wantNameId: false
        wantNameIdEncrypted: false
        requestedAuthnContext: true
-        signMetadata: false
-        wantXMLValidation: true
+        wantXMLValidation: false
+        relaxDestinationValidation: false
+        destinationStrictlyMatches: true
+        allowRepeatAttributeName: false
+        rejectUnsolicitedResponsesWithInResponseTo: false
        signatureAlgorithm: 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'
        digestAlgorithm: 'http://www.w3.org/2001/04/xmlenc#sha256'
+        encryption_algorithm: 'http://www.w3.org/2001/04/xmlenc#aes256-cbc'
+        lowercaseUrlencoding: false
      contactPerson:
        technical:
          givenName: 'Tech User'
@ -44,8 +52,14 @@ nbgrp_onelogin_saml:
        support:
          givenName: 'Support User'
          emailAddress: 'supportuser@example.com'
+        administrative:
+          givenName: 'Administrative User'
+          emailAddress: 'administrativeuser@example.com'
      organization:
-        en:
+        en-US:
          name: 'Example'
          displayname: 'Example'
          url: 'http://example.com'
+      compress:
+        requests: false
+        responses: false
--- a/config/packages/security.php
+++ b/config/packages/security.php
@ -36,11 +36,6 @@ use Symfony\Component\Ldap\Ldap;
 use Symfony\Component\Security\Core\User\InMemoryUserChecker;
 use Symfony\Component\Security\Http\RateLimiter\DefaultLoginRateLimiter;

-/** @var $container Container */
-if (!isset($container)) {
-    return;
-}
-
 return static function (ContainerConfigurator $containerConfig) {

    $env = $_ENV ?? [];
@ -74,6 +69,8 @@ return static function (ContainerConfigurator $containerConfig) {
                new Reference('limiter.ip_login'),
                // 2nd argument is the limiter for username+IP
                new Reference('limiter.username_ip_login'),
+                // 3rd argument is the app secret
+                param('kernel.secret'),
            ]
        );

@ -125,7 +122,7 @@ return static function (ContainerConfigurator $containerConfig) {
                        'limiter' => 'app.login_rate_limiter'
                    ],
                    'logout' => [
-                        'path' => 'app_logout'
+                        'path' => 'app_logout',
                    ],
                ],
            ]),
@ -234,7 +231,7 @@ return static function (ContainerConfigurator $containerConfig) {
                'provider' => 'app_user_provider',
                // Match SAML attribute 'uid' with username.
                // Uses getNameId() method by default.
-                'username_attribute' => '%env(SAML_USERNAME_ATTRIBUTE)%',
+                'identifier_attribute' => '%env(SAML_USERNAME_ATTRIBUTE)%',
                'use_attribute_friendly_name' => '%env(bool:SAML_USE_ATTRIBUTE_FRIENDLY_NAME)%',
                // Use the attribute's friendlyName instead of the name
                'check_path' => 'saml_acs',
@ -257,8 +254,8 @@ return static function (ContainerConfigurator $containerConfig) {
            ['path' => '^/logout$', 'roles' => 'PUBLIC_ACCESS'],
            ['path' => '^/saml/login', 'roles' => 'PUBLIC_ACCESS'],
            ['path' => '^/saml/metadata', 'roles' => 'PUBLIC_ACCESS'],
-            ['path' => '^/saml/acs', 'roles' => 'ROLE_USER'],
-            ['path' => '^/saml/logout', 'roles' => 'ROLE_USER'],
+            ['path' => '^/saml/acs', 'roles' => 'PUBLIC_ACCESS'],
+            ['path' => '^/saml/logout', 'roles' => 'PUBLIC_ACCESS'],
            ['path' => '^/logged-out', 'roles' => 'PUBLIC_ACCESS'],
            ['path' => '^/auth', 'roles' => 'PUBLIC_ACCESS'],
            ['path' => '^/auth/login', 'roles' => 'PUBLIC_ACCESS'],
--- a/config/packages/security.yaml
+++ b/config/packages/security.yaml
@ -14,19 +14,6 @@ security:
        entity:
          class: App\Module\Users\Entity\User

-    firewalls:
-        dev:
-            pattern: ^/(_(profiler|wdt)|css|images|js)/
-            security: false
-        main:
-            lazy: false
-            # provider: users_in_memory
-
-            # activate different ways to authenticate
-            # https://symfony.com/doc/current/security.html#the-firewall
-
-            # https://symfony.com/doc/current/security/impersonating_user.html
-            # switch_user: true
 when@test:
  security:
    password_hashers:
--- a/config/routes/routes.yaml
+++ b/config/routes/routes.yaml
@ -1,15 +1,20 @@
 saml_metadata:
  path: /saml/metadata
-  defaults: { _controller: Hslavich\OneloginSamlBundle\Controller\SamlController::metadataAction }
+  controller: Nbgrp\OneloginSamlBundle\Controller\Metadata
+  defaults: { idp: null }

 saml_acs:
  path: /saml/acs
-  defaults: { _controller: Hslavich\OneloginSamlBundle\Controller\SamlController::assertionConsumerServiceAction }
+  controller: Nbgrp\OneloginSamlBundle\Controller\AssertionConsumerService
+  defaults: { idp: null }

 saml_login:
  path: /saml/login
-  defaults: { _controller: Hslavich\OneloginSamlBundle\Controller\SamlController::loginAction }
+  controller: Nbgrp\OneloginSamlBundle\Controller\Login
+  defaults: { idp: null }

 saml_logout:
  path: /saml/logout
-  defaults: { _controller: Hslavich\OneloginSamlBundle\Controller\SamlController::singleLogoutServiceAction }
+  controller: Nbgrp\OneloginSamlBundle\Controller\Logout
+  defaults: { idp: null }
+  methods: ['POST', 'GET']