Sending SAML request with Symfony2 - symfony

I am using Symfony2 and I have to Connect my user through SSO to another service using Saml Request , in this Case we are the Service provider , from what i gathered ; once the user hit the link im supposed to redirect him to the bridge with a Saml request having the data so he can be authenticated , but i don't know which bundle to install or how to send a Saml request in the first place .
any help will be appreciated

You have 3 alternatives here:
Use bundles based on php-saml like OneloginSamlBundle
Use bundles based on simplesamlphp like SimplesamlphpBundle
Use SamlSPBundle, a bundle based on lightsaml
If you decide to use OneloginSamlBundle, the AuthNRequest is sent from the SP to the IdP when the SP-initiated SSO happens.
Resources/config/routing.yml defines the SAML routes. /saml/login will initiates the SSO process.
When you access /saml/login the loginAction defined on the SamlController.php happens and an AuthNrequest is sent to the IdP SSO url, and a SAMLResponse is expected at the SP on the ACS endpoint. That SAMLResponse is the one that will contain user attributes in order to SSO or provision that user on symfony2 app.

Related

FOSOAuthServerBundle + Amazon Alexa: How to manually authenticate user with Access Token?

In short: How can I manually authenticate a users with a given access token?
The long story:
An Amazon Alexa Skill should access user data within a Symfony 3.4 based web services.
The web services uses FOSOAuthServerBundle to handle the OAauth authentication and link the users Alexa account to the web services user account.
Once the account is linked Alexa API includes the OAuth Access Token in every request. However, the token is not included in the request header but simply within the JSON content. Additionally all request, both linked/authorized and not-linked/unauthorized call the same endpoint / route.
Thus using the Symfony firewall to authenticate the user does not work, does it?
Instead I manually check wether the Alexa request contains an access token to provide the correct response.
If the request contains an access token I would need to manually check and authenticate the user. How can this be done?

How to build a Spring MVC based application to connect with any service provider to do the SSO

We want to build one spring MVC based application which will support below use case:
User access the application URL to login into application.
Once the valid credentials are entered to login into application, the user can access any of the service provider application for performing SSO.
On the access of any service provider application the SAML response should be generated and post to the Service provider ACS(Assertion consumer service) URL.
Also in addition to IDP initiated SSO, it should also support SP initiated SSO where the authentication request will we posted to the application login page, after valid credentials are entered by user, the application should redirect to service provider(which have posted the authentication request).
The application should have its own login page and authentication mechanism, it should not redirect to any other identity provider for authentication.
Should we use normal Spring MVC based application which will generated the SAML response using open SAML library, or any other SAML builder can be used for satisfying the above use case.
This basically means
- your app bundles a SAMLv2 compliant IdP (please don't try to build one yourself based on some SAML lib)
- your app calls an API of the IdP for authentication and issues a session token the IdP will recognize later on (otherwise authentication will always happen again when another application (acting as SAMLv2 SP) wants to perform SSO
Issue with the latter: The "token" will most likely be a cookie and then the restrictions of the cookie spec apply. This means you can only use host-based cookies (which security mandates) if your app and the IdP are deployed behind the same 'FQDN' (e.g. by using an HTTP reverse-proxy)
Another issue: How does your app know when the show the 'login screen' if the user actually has a valid session with the IdP because SSO was started at a different SP?
SAML way: You would first have to do a 'passive AuthnRequest' to check this.
Conclusion: Your use case can be achieved, but the effort seems quite high. I'm not aware that there is some lib/framework, which would offers this at the moment OOTB.

generate a SAML response with attributes OneLogin

I'm using Onelogin bundle under symfony2 and as an Identity Provider i need to send a SAML Response to the Service Provider with the user values needed by the SP . i found how to send a Request but i couldn't find how to generate a Response and send it
any help would be appreciated , Thank you
The Onelogin bundle cover the Service Provider part, if you need to generate a SAMLResponse (that means that you need to act as an Identity Provider), then you need another piece of code not the Onelogin bundle / php-saml that only implements the Service Provider part.
You can get a Onelogin trial account, create there the users and configure a SAML Test Connector (that will act as IdP)
If you need to deploy your own IdP, try with simpleSAMLphp and use as authsource, the sqlauth:SQL module connected with the symfony2 database (if that is your user source)

Implementation of user login via REST api (fosuserbundle)

I have an angularJS application that communicates with a Symfony2 REST server
both of the app & server is under my responsibility I am wondering how to login a specific user using the FOSUserBundle.
I thought about the following scenario:
Login action that will get username & password from the AngularJS application and will return to it some kind of an access_token string that will have a timeout of let's say 12 hours.
after reciving the access_token the angularJS application will use it in every single request to identify the user.
Now I wonder if this is how I should do this kind of authentication
and also how could I implement it using FOSUserBundle in Symfony2? what would be the "BEST Practice"?
For future people that ends here googling , check :
https://gist.github.com/tjamps/11d617a4b318d65ca583
that's the way to go .
Basic RESTful API with Symfony 2 + FOSRestBundle (JSON format only) + FOSUserBundle + FOSOauthServerBundle
The API we are creating in this gist will follow these rules :
The API only returns JSON responses
All API routes require authentication
Authentication is handled via OAuth2 with password
Grant Type only (no need for Authorization pages and such).
API
versioning is managed via a subdomain (e.g. v1.api.example.com)

IdP-initiated SSO without a dedicated SSO server

I have an ASP.NET application which uses login cookies already. I need to provide a link in my application upon clicking which the user should be able to access their info in SalesForce.com using SSO. I'm planning to implement this link as an ASP page that constructs a SAML assertion with the corresponding username in SalesForce.com, posts the SAML assertion to SalesForce.com SAML Endpoint URL, receives the SAML response from SalesForce.com and redirects the user to the session URL contained in the response.
Has anyone tried this approach instead of using a dedicated SSO server (such as OpenAM) ? Are there any issues in this approach ?
You won't be able to do that, because it would require you to implement most of SAML IdP (identity provider) piece on your own.
SAML is a complex standard involving multiple interactions between IdP and SP (service provider), it is so much more than just sending an assertion.
To enable SAML you'll need to install IdP (like OpenAM), connect it to your user database and to convert your application to SP.
Wikipedia has more detail on SAML iteractions.

Resources