SpPhpTutorial
This example shows a PHP script implementing two endpoints needed by a SAML 2.0 service provider: - a metadata endpoint, returning an XML document describing how to connect to this service provider;
- an assertion consumer endpoint, which receives the identity provider's HTTP-POST response and verifies it.
No attribute extraction is done, but you can add it by iterating over the ``$login->assertion->attributeStatement`` array.
No session creation is done either: you must look up the local user matching the received NameID and log that user in by creating a PHP session. Treat the NameID as data coming from a remote party — look it up, and HTML-escape it before displaying it (the example's final ``echo`` does not).
<?
// Lasso SAML 2.0 service-provider example.
//
// Two endpoints on the same script:
//   ?metadata            -> returns the SP metadata XML below, verbatim.
//   ?assertion_consumer  -> consumes the IdP's HTTP-POST response, verifies it, and
//                           prints the NameID. No session is created.
//
// NOTE(review): the file uses short open tags ("<?") throughout, so it only runs
// where short_open_tag is enabled; "<?php" is the portable form.
require "lasso.php";

// SP metadata served by the ?metadata endpoint.
// NOTE(review): entityID and the AssertionConsumerService Location are plain http://.
// The IdP POSTs the (signed) assertion to that Location, so in a real deployment it
// must be an https URL or the assertion travels in clear text. The descriptor does not
// set WantAssertionsSigned; whether Lasso still requires a signature is decided by the
// library, not by this metadata — confirm against your IdP's configuration.
$sp_metadata_xml = <<<'XML'
<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="http://yourdomain.com/index.php?metadata">
  <SPSSODescriptor AuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <AssertionConsumerService isDefault="true" index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://yourdomain.com/index.php?assertion_consumer" />
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
  </SPSSODescriptor>
  <Organization>
    <OrganizationName xml:lang="en">Example SAML 2.0 metadatas</OrganizationName>
  </Organization>
</EntityDescriptor>
XML;

// IdP metadata, embedded so the IdP's signing and encryption keys are pinned in the
// SP itself: the signing key below is the trust anchor for everything accepted by
// ?assertion_consumer. Replace it with your IdP's real metadata. Note that it
// declares no SingleSignOnService endpoint — this script never initiates an
// AuthnRequest, it only consumes responses.
$idp_metadata_xml = <<<'XML'
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="http://localhost:3001/saml/metadata">
  <IDPSSODescriptor WantAuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <KeyValue xmlns="http://www.w3.org/2000/09/xmldsig#">
          <RSAKeyValue>
            <Modulus>4yalpsp9Sxlsj07PEI8jJxhSJdo4F0iW0H8u1dhwmsW5YQvRUw/yPlmC09q4WjImmnFVNCJarAOYeFgQCxfIoBasKNnUeBQpogo8W0Q/3mCuKl6lNSr/PIuxMVVNPDWmWkhHXJx/MVar2IREKa1P4jHL0Uxl69/idLwc7TtK1h8=</Modulus>
            <Exponent>AQAB</Exponent>
          </RSAKeyValue>
        </KeyValue>
      </ds:KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="encryption">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <KeyValue xmlns="http://www.w3.org/2000/09/xmldsig#">
          <RSAKeyValue>
            <Modulus>wLu5SdmwyS4o1On/aw4nElLGERFG931exvkzu0ewaM1/oUyD3dO7UC5xMGnPfc6IaH5BcJc3fLr6PJhX55ZrMR98ToPwoUFwuLKK43exwYBEBOOMe1CrCB/Bq+EH6/2sKNXKfgJqj06/3yzafLRiWpMxy2isllxMAvaZXrkpm4c=</Modulus>
            <Exponent>AQAB</Exponent>
          </RSAKeyValue>
        </KeyValue>
      </ds:KeyInfo>
    </KeyDescriptor>
  </IDPSSODescriptor>
</EntityDescriptor>
XML;

// Metadata endpoint: the SP descriptor above is returned as-is and the request ends.
if (isset($_GET["metadata"])) {
    header('Content-Type: text/xml');
    echo $sp_metadata_xml;
    exit(0);
}

// Assertion consumer endpoint (HTTP-POST binding, see the ACS Location above).
// NOTE(review): the closing brace of this if-block is not present in this listing;
// the page appears to be cut off after the final echo.
if (isset($_GET["assertion_consumer"])) {
    // Build the SP from its own metadata and register the IdP from the pinned
    // metadata above, so only responses signed with that IdP key can be accepted.
    $server = LassoServer::newFromBuffers($sp_metadata_xml);
    $server->addProviderFromBuffer(LASSO_PROVIDER_ROLE_IDP, $idp_metadata_xml);
    $login = new LassoLogin($server);

    // Error page helper. Declared inside the if-block, so it only exists on this
    // branch. The message is HTML-escaped before output, which is what makes the
    // exception-bearing messages below safe to display — but see the NOTE on them.
    // NOTE(review): every failure, including a bad signature sent by the client, is
    // reported as a 500; a 4xx status would describe those cases more accurately.
    function error($msg) {
        header("HTTP/1.0 500 Internal Error");
        ?>
<h1>Erreur:</h1><pre>
<? echo htmlentities($msg); ?></pre><?
        exit(0);
    }

    try {
        try {
            // NOTE(review): $_POST["SAMLResponse"] is read without an isset() check —
            // a GET or a POST without that field raises an undefined-index notice and
            // hands null to the library instead of returning a 400 up front.
            $login->processAuthnResponseMsg($_POST["SAMLResponse"]);
        } catch (LassoDsError $e) {
            // XML-signature failure: the response is not from the pinned IdP key.
            error('Invalid signature');
        } catch (LassoProfileCannotVerifySignatureError $e) {
            error('Invalid signature');
        } catch (LassoError $e) {
            // NOTE(review): concatenating $e renders the exception (message and
            // whatever its string form includes) into the page shown to the client.
            // Log it server-side and return a generic message instead.
            error('Misc error, ' . $e);
        }
        try {
            // NOTE(review): nothing in this script checks assertion Conditions
            // (NotBefore/NotOnOrAfter, AudienceRestriction) or InResponseTo itself;
            // confirm that acceptSso() / processAuthnResponseMsg() enforce them,
            // otherwise replayed or mis-addressed assertions would be accepted.
            $login->acceptSso();
        } catch (LassoError $e) {
            error('Invalid assertion');
        }
    } catch (Exception $e) {
        // NOTE(review): same disclosure concern as 'Misc error' above — $e is
        // rendered into the response body.
        error('Unexpected error: ' . $e);
    }
    ?>
You are identified as <? echo $login->assertion->subject->nameId->content;
    // NOTE(review): the NameID value comes from the IdP's assertion and is written
    // into the HTML unescaped, unlike error() which runs htmlentities(). Wrap it in
    // htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') before output.