How to use it

[fmarquis]

Hi,

thank you for your great work on LightSaml, it allowed me to implement SAML authentication on a Symfony 3 SP very easily !
The only problem I have concern the logout :
I understand that this functionality is not yet integrated in your sp-bundle, and tried to use the "lightSAML-logout" directly.
I managed to create a LogoutRequest that should allow the users to disconnect on the IdP, but I don't see how to use this object...

Is there somewhere a small example of code or documentation explaining how to create a logout request and send it in a symfony environment ?

Thanks in advance,
Franck
(and sorry if my english is not good !)

[fmarquis]

Hi,

I managed to create a logout Post Request which works. Here is my code :

use LightSaml\Model\Protocol\LogoutRequest;
use LightSaml\Model\Assertion\Issuer;
use LightSaml\Binding\SamlPostResponse;
use LightSaml\Model\Context\SerializationContext;

    // Symfony action in a controller
    public function samlLogoutAction() {
        $logoutRequest = new LogoutRequest();
        $destination = $this->get('lightsaml.container.build')->getPartyContainer()->getIdpEntityDescriptorStore()->get(0)->getFirstIdpSsoDescriptor()->getFirstSingleLogoutService()->getLocation();
        $logoutRequest
            ->setDestination($destination)
            ->setID(\LightSaml\Helper::generateID())
            ->setIssueInstant(new \DateTime())
            //the parameter "saml.entity_id" must contain your Service Provider ID
            ->setIssuer(new Issuer($this->getParameter('saml.entity_id')));
        $serializationContext = new SerializationContext();
        $logoutRequest->serialize($serializationContext->getDocument(), $serializationContext);
        $XMLrequest = $serializationContext->getDocument()->saveXML();
        $reponse = new SamlPostResponse($destination, ['SAMLRequest' => base64_encode($XMLrequest)]);
        $reponse->renderContent();
        return $reponse;
    }

Be careful, this code should be changed to work with Redirect Logout, or if you have more than one Logout Service defined by the IdP and the first one is not a Post Logout...
I just hope this can help someone

Regards,
Franck

[INSEAD-asim]

Hi @tmilos,

I think wiki for this library is missing. Can you help regarding logout route configuration? It is also missing in metadata.xml so our IdP don't know how to logout (except for browser close).

[ntoniazzi]

@fmarquis I managed to inject the SingleLogoutService in the metadata.xml. Until I find out the proper way to declare it, I'm overriding the lightsaml_sp.metadata route:

lightsaml_sp.metadata:
    path: /metadata.xml
    defaults: { _controller: AcmeSecurityBundle:Security:metadata }

class SecurityController extends Controller
{
    public function metadataAction()
    {
        $router = $this->container->get('router');
        /* @var $router RouterInterface */

        $profile = $this->container->get('ligthsaml.profile.metadata');
        /* @var $profile MetadataProfileBuilder */

        $context = $profile->buildContext();
        /* @var $context ProfileContext */

        $spDescriptor = $context->getOwnEntityDescriptor()->getFirstSpSsoDescriptor();
        $spDescriptor->addSingleLogoutService(
            new SingleLogoutService(
                $router->generate('lightsaml_sp.logout', [], RouterInterface::ABSOLUTE_URL),
                SamlConstants::BINDING_SAML2_HTTP_REDIRECT
            )
        );

        $action = $profile->buildAction();
        /* @var $action CompositeAction */

        $action->execute($context);

        return $context->getHttpResponseContext()->getResponse();
    }
}

But then, I don't know what to do with this library to handle SLO (SP initiated logout and IdP initiated logout).
Does anyone have a small example?

Thanks.

[tmilos]

Hello,
This logout lib is not quite finished, the profile actions are missing, but you have all the saml data model classes to serialize/deserialize from bindings, so you would have to create LogoutRequest and LogoutResponse yourself.

Regarding the metadata, see whole lightSAML symfony bridge configuration here. You can set the light_saml_symfony_bridge.own.entity_descriptor_provider.id config to the service id of your class implementing the EntityDescriptorProviderInterface.

You can see how configuration is resolved in LightSamlSymfonyBridgeExtension. First the above mentioned id is looked for, if not provieded, the filename, and finally it defaults to the SimpleEntityDescriptorBuilder - source. You could extend it, or write your own from scratch.

[ntoniazzi]

It's working well now. Still waiting for a cleaner and bundled way to Sign Out 🙂

Great work 👍
Thanks.

[mathielen]

@ntoniazzi can you commit your work somewhere so we can see how to integrate it?

[ntoniazzi]

@mathielen Here are the main files involved in our SingleLogout process. I extracted them from a bundle so there could be something missing.
https://gist.github.com/ntoniazzi/cc9a5f020f9bbde0d9dea7d53ce2e6e1

[INSEAD-asim]

Thanks @ntoniazzi ! I able to implement logout with your help. I also added signing as our IdP require it for LogoutRequest. The changes include getting own Entity ID and Signature.

Get own Entity ID and Signature:

/** @var OwnContainer $own */
$own = $builder->getOwnContainer();

$ownEntityId    = $own->getOwnEntityDescriptorProvider()->get()->getEntityID();
$ownCredentials = $own->getOwnCredentials();
$ownCredential  = $ownCredentials[0];

/** @var Signature $ownSignature */
$ownSignature = new SignatureWriter($ownCredential->getCertificate(), $ownCredential->getPrivateKey());

Set this in LogoutRequest:

$logoutRequest
    ...
    ->setIssuer(new Issuer($ownEntityId))
    ->setSignature($ownSignature);

Or in LogoutResponse:

$logoutResponse
    ...
    ->setIssuer(new Issuer($ownEntityId))
    ->setSignature($ownSignature);

I hope it will help somebody looking for it. As you mentioned, still looking for cleaner solution.

[INSEAD-asim]

@tmilos , I think @kaz231 implemented logout functionality at https://github.com/kaz231/SpBundle. Did you tested or have any plan to merge that code?

[gabma]

@INSEAD-asim @kaz231 Yes! the implemented logout functionality worked perfectly! Helped me integrate it with OKTA.

[tmilos]

@INSEAD-asim
Didn't have opportunity to look at PiwikPRO/SpBundle but looked at SpBundle#29 and they look similar. That logout implementation supports only logout with a single IDP, and idea with lightSAML-logout is to be universal implementation of the logout profile with multiple parties for both for SP and IDP. And regarding that very simple case with only one IDP I would rather put it in a separate bundle then together with SpBundle

[gawpertron]

I've managed to implement logout in the scenario where the is one service provider (SP), however do you have any examples of how to use this when you have multiple SP sessions? Specifically when it's SP initiated? My current set up is a SP sends a LogoutRequest to Identity Provider (IdP) this then loops through all the active sessions $ssoState->getSsoSessions() as $session and LogoutRequest is sent to each SP, however I don't know what response the SPs should return to the IdP on success?

[ntoniazzi]

@gawpertron When the SP has terminated his logout process, it must return a LogoutResponse to the IdP, which can then call the next SP.
An example here: https://gist.github.com/ntoniazzi/cc9a5f020f9bbde0d9dea7d53ce2e6e1#file-samllogouthandler-php-L76

[gawpertron]

@ntoniazzi Thanks, that was the guidance I needed. Using your SP implementation I was able to extrapolate an IdP logout service.

[williamhector]

Does anyone have an example of an implementation from the IdP side they could share?