h1. SpPhpTutorial

This exemple show a php script implementing two services needed by a service provider:
* a metadata endpoint, returning an XML file describing metadata to connect to this service provider ;
* an assertion consumer endpoint.

No attribute extraction is done but you can do it easily by iterating the ``$login->assertion->attributeStatement`` array.

No session creation is done, you must find a user corresponding to the received NameID and log this user by creating a php session for him.

<pre>
  <?
  require "lasso.php";

  $sp_metadata_xml = <<<'XML'
  <?xml version="1.0"?>
  <EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
        xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
        xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
        entityID="http://yourdomain.com/index.php?metadata">
    <SPSSODescriptor
        AuthnRequestsSigned="true"
        protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    
      <AssertionConsumerService isDefault="true" index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://yourdomain.com/index.php?assertion_consumer" />
      <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    </SPSSODescriptor>
    <Organization>
       <OrganizationName xml:lang="en">Example SAML 2.0 metadatas</OrganizationName>
    </Organization>
  </EntityDescriptor>
  XML;

  $idp_metadata_xml = <<<'XML'
  <EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
      xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
      xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
      entityID="http://localhost:3001/saml/metadata">


    <IDPSSODescriptor
        WantAuthnRequestsSigned="true"
        protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <KeyDescriptor use="signing">
        <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
          <KeyValue  xmlns="http://www.w3.org/2000/09/xmldsig#">
      <RSAKeyValue>
          <Modulus>4yalpsp9Sxlsj07PEI8jJxhSJdo4F0iW0H8u1dhwmsW5YQvRUw/yPlmC09q4WjImmnFVNCJarAOYeFgQCxfIoBasKNnUeBQpogo8W0Q/3mCuKl6lNSr/PIuxMVVNPDWmWkhHXJx/MVar2IREKa1P4jHL0Uxl69/idLwc7TtK1h8=</Modulus>
          <Exponent>AQAB</Exponent>
      </RSAKeyValue>
  </KeyValue>
        </ds:KeyInfo>
      </KeyDescriptor>
      <KeyDescriptor use="encryption">
        <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
          <KeyValue  xmlns="http://www.w3.org/2000/09/xmldsig#">
      <RSAKeyValue>
          <Modulus>wLu5SdmwyS4o1On/aw4nElLGERFG931exvkzu0ewaM1/oUyD3dO7UC5xMGnPfc6IaH5BcJc3fLr6PJhX55ZrMR98ToPwoUFwuLKK43exwYBEBOOMe1CrCB/Bq+EH6/2sKNXKfgJqj06/3yzafLRiWpMxy2isllxMAvaZXrkpm4c=</Modulus>
          <Exponent>AQAB</Exponent>
      </RSAKeyValue>
  </KeyValue>
        </ds:KeyInfo>
      </KeyDescriptor>
    </IDPSSODescriptor>

  </EntityDescriptor>
  XML;

  if (isset($_GET["metadata"])) {
    header('Content-Type: text/xml');
    echo $sp_metadata_xml;
    exit(0);
  }

  if (isset($_GET["assertion_consumer"])) {
    $server = LassoServer::newFromBuffers($sp_metadata_xml);
    $server->addProviderFromBuffer(LASSO_PROVIDER_ROLE_IDP, $idp_metadata_xml);
    $login = new LassoLogin($server);

    function error($msg) {
        header("HTTP/1.0 500 Internal Error");
        ?> <h1>Erreur:</h1><pre> <?  echo htmlentities($msg); ?></pre><?
        exit(0);
    }

    try {
        try {
            $login->processAuthnResponseMsg($_POST["SAMLResponse"]);
        } catch (LassoDsError $e) {
            error('Invalid signature');
        } catch (LassoProfileCannotVerifySignatureError $e) {
            error('Invalid signature');
        } catch (LassoError $e) {
            error('Misc error, ' . $e);
        }
        try {
            $login->acceptSso();
        } catch (LassoError $e) {
            error('Invalid assertion');
        }
    } catch (Exception $e) {
        error('Unexpected error: ' . $e);
    }
    ?> You are identified as <? echo $login->assertion->subject->nameId->content;
</pre>