From c6ab4c31e4335e5f576d234c2e60791c3a5fd6bb Mon Sep 17 00:00:00 2001
From: Clemente Raposo
Date: Mon, 3 Jun 2024 11:11:12 +0100
Subject: [PATCH] Symfony 6.4 - Update SAML configuration setup - Update controllers to point to new lib - Adjust base onelogin config - Update firewall configuration
---
 config/packages/nbgrp_onelogin_saml.yaml | 44 ++++++++++++++++--------
 config/packages/security.php | 15 ++++----
 config/packages/security.yaml | 13 -------
 config/routes/routes.yaml | 13 ++++--
 4 files changed, 44 insertions(+), 41 deletions(-)
diff --git a/config/packages/nbgrp_onelogin_saml.yaml b/config/packages/nbgrp_onelogin_saml.yaml
index 399e49da9..5420d2457 100644
--- a/config/packages/nbgrp_onelogin_saml.yaml
+++ b/config/packages/nbgrp_onelogin_saml.yaml
@@ -1,27 +1,27 @@
 nbgrp_onelogin_saml:
 onelogin_settings:
 default:
- # Basic settings
+ # Mandatory SAML settings
 idp:
- entityId: ''
+ entityId: 'https://id.example.com/saml2/idp/metadata.php'
 singleSignOnService:
- url: ''
+ url: 'https://id.example.com/saml2/idp/SSOService.php'
 binding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'
 singleLogoutService:
- url: ''
+ url: 'https://id.example.com/saml2/idp/SingleLogoutService.php'
 binding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'
- certFingerprint: ''
+ x509cert: 'MIIC...'
 sp:
- entityId: 'https:///'
+ entityId: 'https://myapp.com/saml/metadata' # Default: '/saml/metadata'
 assertionConsumerService:
- url: 'https:///saml/acs'
+ url: 'https://myapp.com/saml/acs' # Default: '/saml/acs'
 binding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'
 singleLogoutService:
- url: 'https:///saml/logout'
+ url: 'https://myapp.com/saml/logout' # Default: '/saml/logout'
 binding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'
- privateKey: '/var/www/html/docroot/certs/key.pem'
- # Optional settings
- baseurl: 'https:///saml'
+ privateKey: 'MIIE...'
+ # Optional SAML settings
+ baseurl: 'https://myapp.com/saml/' # Default: '/saml/'
 strict: true
 debug: true
 security:
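Review bot: `privateKey: 'MIIE...'` puts the SP private key body straight into a committed config file; even as a placeholder it is the slot where the real key will land in version control. Resolve it from the environment or the secrets vault instead, e.g. `privateKey: '%env(SAML_SP_PRIVATE_KEY)%'` (variable name illustrative), and treat `x509cert` and the `id.example.com` / `myapp.com` URLs the same way since they differ per deployment. `debug: true` also survives this rewrite of the block; the toolkit's debug output is verbose for a production SP, so `debug: '%kernel.debug%'` keeps it tied to the kernel's own mode. `strict: true` is the right default and should stay as written.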
@@ -29,14 +29,22 @@ nbgrp_onelogin_saml:
 authnRequestsSigned: false
 logoutRequestSigned: false
 logoutResponseSigned: false
+ signMetadata: false
 wantMessagesSigned: false
- wantAssertionsSigned: false
+ wantAssertionsEncrypted: false
+ wantAssertionsSigned: true
+ wantNameId: false
 wantNameIdEncrypted: false
 requestedAuthnContext: true
- signMetadata: false
- wantXMLValidation: true
+ wantXMLValidation: false
+ relaxDestinationValidation: false
+ destinationStrictlyMatches: true
+ allowRepeatAttributeName: false
+ rejectUnsolicitedResponsesWithInResponseTo: false
 signatureAlgorithm: 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'
 digestAlgorithm: 'http://www.w3.org/2001/04/xmlenc#sha256'
+ encryption_algorithm: 'http://www.w3.org/2001/04/xmlenc#aes256-cbc'
+ lowercaseUrlencoding: false
 contactPerson:
 technical:
 givenName: 'Tech User'
@@ -44,8 +52,14 @@ nbgrp_onelogin_saml:
 support:
 givenName: 'Support User'
 emailAddress: 'supportuser@example.com'
+ administrative:
+ givenName: 'Administrative User'
+ emailAddress: 'administrativeuser@example.com'
 organization:
- en:
+ en-US:
 name: 'Example'
 displayname: 'Example'
 url: 'http://example.com'
+ compress:
+ requests: false
+ responses: false
diff --git a/config/packages/security.php b/config/packages/security.php
index 7011c2bc3..cae91a32e 100644
--- a/config/packages/security.php
+++ b/config/packages/security.php
@@ -36,11 +36,6 @@ use Symfony\Component\Ldap\Ldap;
 use Symfony\Component\Security\Core\User\InMemoryUserChecker; use Symfony\Component\Security\Http\RateLimiter\DefaultLoginRateLimiter; -/** @var $container Container */ -if (!isset($container)) { - return; -} - return static function (ContainerConfigurator $containerConfig) { $env = $_ENV ?? [];
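Review bot: `wantXMLValidation` flips from `true` to `false` in the security block, which turns off schema validation of inbound SAML messages and widens what the SP will accept from the IdP; keep `wantXMLValidation: true` unless a specific interoperability problem is documented next to it. `rejectUnsolicitedResponsesWithInResponseTo: false` is likewise the permissive setting; if this SP only performs SP-initiated login, `rejectUnsolicitedResponsesWithInResponseTo: true` closes that path. The new `encryption_algorithm` selects AES-CBC and is inert while `wantAssertionsEncrypted: false`, but if assertion encryption is enabled later an AEAD mode such as `http://www.w3.org/2009/xmlenc11#aes256-gcm` is preferable where the toolkit build and IdP support it. Raising `wantAssertionsSigned` to `true` and adding `destinationStrictlyMatches: true` are the right direction.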
@@ -74,6 +69,8 @@ return static function (ContainerConfigurator $containerConfig) {
 new Reference('limiter.ip_login'), // 2nd argument is the limiter for username+IP new Reference('limiter.username_ip_login'), + // 3rd argument is the app secret + param('kernel.secret'), ] );
@@ -125,7 +122,7 @@ return static function (ContainerConfigurator $containerConfig) {
 'limiter' => 'app.login_rate_limiter'
 ],
 'logout' => [
- 'path' => 'app_logout'
+ 'path' => 'app_logout',
 ],
 ],
 ]),
@@ -234,7 +231,7 @@ return static function (ContainerConfigurator $containerConfig) {
 'provider' => 'app_user_provider', // Match SAML attribute 'uid' with username. // Uses getNameId() method by default. - 'username_attribute' => '%env(SAML_USERNAME_ATTRIBUTE)%', + 'identifier_attribute' => '%env(SAML_USERNAME_ATTRIBUTE)%', 'use_attribute_friendly_name' => '%env(bool:SAML_USE_ATTRIBUTE_FRIENDLY_NAME)%', // Use the attribute's friendlyName instead of the name 'check_path' => 'saml_acs',
@@ -257,8 +254,8 @@ return static function (ContainerConfigurator $containerConfig) {
 ['path' => '^/logout$', 'roles' => 'PUBLIC_ACCESS'],
 ['path' => '^/saml/login', 'roles' => 'PUBLIC_ACCESS'],
 ['path' => '^/saml/metadata', 'roles' => 'PUBLIC_ACCESS'],
- ['path' => '^/saml/acs', 'roles' => 'ROLE_USER'],
- ['path' => '^/saml/logout', 'roles' => 'ROLE_USER'],
+ ['path' => '^/saml/acs', 'roles' => 'PUBLIC_ACCESS'],
+ ['path' => '^/saml/logout', 'roles' => 'PUBLIC_ACCESS'],
 ['path' => '^/logged-out', 'roles' => 'PUBLIC_ACCESS'],
 ['path' => '^/auth', 'roles' => 'PUBLIC_ACCESS'],
 ['path' => '^/auth/login', 'roles' => 'PUBLIC_ACCESS'],
diff --git a/config/packages/security.yaml b/config/packages/security.yaml
index 1fcaec9c4..07f86806e 100644
--- a/config/packages/security.yaml
+++ b/config/packages/security.yaml
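Review bot: The two new `PUBLIC_ACCESS` rules in the last hunk use unanchored patterns, so `^/saml/acs` and `^/saml/logout` also make any future route under `/saml/acs…` or `/saml/logout…` public because access_control takes the first matching rule; the neighbouring `^/logout$` shows the intended shape, so write `['path' => '^/saml/acs$', 'roles' => 'PUBLIC_ACCESS'],` and `['path' => '^/saml/logout$', 'roles' => 'PUBLIC_ACCESS'],` (the context lines `^/saml/login`, `^/saml/metadata` and `^/auth` have the same prefix-only form). Opening the ACS to unauthenticated POSTs is expected, which makes the companion `wantAssertionsSigned: true` in nbgrp_onelogin_saml.yaml the sole gate on that endpoint and worth a comment here saying so. For the now-public logout endpoint, the same companion file keeps `wantMessagesSigned: false`, so inbound LogoutRequests are accepted unsigned; if the IdP signs logout messages, enabling that setting is the matching hardening. The enclosing closure starts and ends outside this hunk.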
@@ -14,19 +14,6 @@ security:
 entity: class: App\Module\Users\Entity\User - firewalls: - dev: - pattern: ^/(_(profiler|wdt)|css|images|js)/ - security: false - main: - lazy: false - # provider: users_in_memory - - # activate different ways to authenticate - # https://symfony.com/doc/current/security.html#the-firewall - - # https://symfony.com/doc/current/security/impersonating_user.html - # switch_user: true when@test: security: password_hashers:
diff --git a/config/routes/routes.yaml b/config/routes/routes.yaml
index d5cce71e6..f73a9e3bb 100644
--- a/config/routes/routes.yaml
+++ b/config/routes/routes.yaml
@@ -1,15 +1,20 @@
 saml_metadata: path: /saml/metadata - defaults: { _controller: Hslavich\OneloginSamlBundle\Controller\SamlController::metadataAction } + controller: Nbgrp\OneloginSamlBundle\Controller\Metadata + defaults: { idp: null } saml_acs: path: /saml/acs - defaults: { _controller: Hslavich\OneloginSamlBundle\Controller\SamlController::assertionConsumerServiceAction } + controller: Nbgrp\OneloginSamlBundle\Controller\AssertionConsumerService + defaults: { idp: null } saml_login: path: /saml/login - defaults: { _controller: Hslavich\OneloginSamlBundle\Controller\SamlController::loginAction } + controller: Nbgrp\OneloginSamlBundle\Controller\Login + defaults: { idp: null } saml_logout: path: /saml/logout - defaults: { _controller: Hslavich\OneloginSamlBundle\Controller\SamlController::singleLogoutServiceAction } + controller: Nbgrp\OneloginSamlBundle\Controller\Logout + defaults: { idp: null } + methods: ['POST', 'GET']
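Review bot: Only `saml_logout` gains a `methods` restriction in the routes.yaml hunk, while `saml_acs` accepts every HTTP verb even though the SP's assertionConsumerService binding in nbgrp_onelogin_saml.yaml is HTTP-POST; add `methods: ['POST']` under `saml_acs` so non-POST requests are rejected at routing rather than reaching the controller. `saml_metadata` and `saml_login` are read-only entry points and can be limited to `methods: ['GET']` the same way. The `['POST', 'GET']` pair on `saml_logout` is consistent with the HTTP-Redirect binding configured for single logout and needs no change.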