
IdpPhpTutorial

This snippet gives a very simple implementation of a SAML 2.0 IdP endpoint that handles an AuthnRequest sent using the POST or GET (HTTP-Redirect) binding.

It can only respond using the POST binding.

Assertions are produced using the email NameID format. All attributes found in the user object are returned to the service provider.

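<?php
require "lasso.php";

/*
 * Minimal SAML 2.0 IdP endpoint: consumes an AuthnRequest received through the
 * HTTP-POST or HTTP-Redirect (GET) binding and answers with an HTTP-POST
 * Response carrying a single assertion.
 *
 * Precondition (NOT enforced here): the user is already authenticated and a
 * $user object is in scope, where $user->email is a string and
 * $user->attributes is an array of attribute name => value. If the user is
 * not authenticated, save the raw request (POST body or query string) together
 * with the RelayState, authenticate, and come back here. Reaching the
 * buildAssertion() call below without that check would issue a login for
 * whoever sent the AuthnRequest.
 */

/* Pick the request out of whichever binding was used. An IdP receives the
   request in the SAMLRequest parameter; SAMLResponse is what the SP gets
   back. Strict comparison on the verb; anything but POST is treated as the
   redirect binding, as before. */
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    /* HTTP-POST binding: base64 request in the form body */
    $msg = isset($_POST['SAMLRequest']) ? $_POST['SAMLRequest'] : '';
} else {
    /* HTTP-Redirect binding: Lasso is given the whole query string */
    $msg = $_SERVER['QUERY_STRING'];
}

/* RelayState is chosen by the SP (or by whoever crafted the request); it is
   only echoed back, never interpreted, and is HTML-escaped below. */
$relayState = isset($_REQUEST['RelayState']) ? $_REQUEST['RelayState'] : '';

$server = new LassoServer("idp_metadata.xml", "private-key.pem");
$login = new LassoLogin($server);

/* Decode the request and check it against the providers known from the
   metadata. The Lasso PHP binding is expected to raise an exception when one
   of these calls fails; let it propagate rather than sending a response. */
$login->processAuthnRequestMsg($msg);
/* arguments: authentication result, consent obtained */
$login->validateRequestMsg(TRUE, TRUE);

/* SAML timestamps are xs:dateTime in UTC. "T" and "Z" are format characters
   for date(), so they must be escaped, and gmdate() is used so the trailing
   "Z" is truthful regardless of the server's local timezone. */
$now = time();
$timestampFormat = 'Y-m-d\TH:i:s\Z';
$authnInstant = gmdate($timestampFormat, $now); /* use the real authentication timestamp if you saved it */
$notBefore = gmdate($timestampFormat, $now);
$notOnOrAfter = gmdate($timestampFormat, $now + 120); /* 2-minute window to consume the assertion */

/* Fill in the assertion envelope: authentication context, instant,
   reauthentication deadline (left empty, as in the original), validity window. */
$login->buildAssertion(LASSO_SAML2_AUTHN_CONTEXT_PASSWORD,
    $authnInstant,
    "",
    $notBefore,
    $notOnOrAfter);

/* Subject: this IdP identifies people by their email address. */
$login->assertion->subject->nameId->format = LASSO_SAML2_NAME_IDENTIFIER_FORMAT_EMAIL;
$login->assertion->subject->nameId->content = $user->email;

/* One saml:Attribute per entry of $user->attributes, each with a single
   text value. */
$attributes = array();
foreach ($user->attributes as $attributeName => $attributeValue) {
    $textNode = new LassoMiscTextNode();
    $textNode->content = $attributeValue;
    $textNode->textChild = TRUE;

    $samlValue = new LassoSaml2AttributeValue();
    $samlValue->any = array($textNode);

    $samlAttribute = new LassoSaml2Attribute();
    $samlAttribute->nameFormat = LASSO_SAML2_ATTRIBUTE_NAME_FORMAT_BASIC;
    $samlAttribute->name = $attributeName;
    $samlAttribute->attributeValue = array($samlValue);

    $attributes[] = $samlAttribute;
}

/* An AttributeStatement must carry at least one Attribute, so only attach
   one when the user actually has attributes. */
if (count($attributes) > 0) {
    $attributeStatement = new LassoSaml2AttributeStatement();
    $attributeStatement->attribute = $attributes;
    $login->assertion->attributeStatement = array($attributeStatement);
}

/* Sign and encode the response; afterwards $login->msgUrl is the destination
   and $login->msgBody the base64 payload for the POST binding. */
$login->buildAuthnResponseMsg();

/* Auto-POST form. Every value is escaped for an attribute context: the
   original "<? $login->msgUrl ?>" printed nothing, leaving the action empty. */
?>
<html>
<body>
<form method="post" action="<?php echo htmlspecialchars($login->msgUrl, ENT_QUOTES, 'UTF-8'); ?>">
<input type="hidden" name="SAMLResponse" value="<?php echo htmlspecialchars($login->msgBody, ENT_QUOTES, 'UTF-8'); ?>"/>
<input type="hidden" name="RelayState" value="<?php echo htmlspecialchars($relayState, ENT_QUOTES, 'UTF-8'); ?>"/>
<input type="submit" value="Click to login"/>
</form>
</body>
</html>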
