# OneloginSamlBundle

OneLogin SAML Bundle for Symfony (https://github.com/onelogin/php-saml).

This bundle supports Symfony 5 and earlier. For newer Symfony versions you can use nbgrp/onelogin-saml-bundle.
## Installation

Install with composer:

```
composer require hslavich/oneloginsaml-bundle
```

Enable the bundle in `config/bundles.php` (if you don't use Symfony Flex):

```php
return [
    // ...
    Hslavich\OneloginSamlBundle\HslavichOneloginSamlBundle::class => ['all' => true],
];
```
## Configuration

Configure SAML metadata in `config/packages/hslavich_onelogin_saml.yaml`. Check https://github.com/onelogin/php-saml#settings for more info.

```yaml
hslavich_onelogin_saml:
    # Basic settings
    idp:
        entityId: 'http://id.example.com/saml2/idp/metadata.php'
        singleSignOnService:
            url: 'http://id.example.com/saml2/idp/SSOService.php'
            binding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'
        singleLogoutService:
            url: 'http://id.example.com/saml2/idp/SingleLogoutService.php'
            binding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'
        x509cert: ''
    sp:
        entityId: 'http://myapp.com/app_dev.php/saml/metadata'
        assertionConsumerService:
            url: 'http://myapp.com/app_dev.php/saml/acs'
            binding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'
        singleLogoutService:
            url: 'http://myapp.com/app_dev.php/saml/logout'
            binding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'
        privateKey: ''
    # Optional settings
    baseurl: 'http://myapp.com'
    strict: true
    debug: true
    security:
        nameIdEncrypted: false
        authnRequestsSigned: false
        logoutRequestSigned: false
        logoutResponseSigned: false
        wantMessagesSigned: false
        wantAssertionsSigned: false
        wantNameIdEncrypted: false
        requestedAuthnContext: true
        signMetadata: false
        wantXMLValidation: true
        relaxDestinationValidation: false
        destinationStrictlyMatches: true
        rejectUnsolicitedResponsesWithInResponseTo: false
        signatureAlgorithm: 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'
        digestAlgorithm: 'http://www.w3.org/2001/04/xmlenc#sha256'
    contactPerson:
        technical:
            givenName: 'Tech User'
            emailAddress: 'techuser@example.com'
        support:
            givenName: 'Support User'
            emailAddress: 'supportuser@example.com'
        administrative:
            givenName: 'Administrative User'
            emailAddress: 'administrativeuser@example.com'
    organization:
        en:
            name: 'Example'
            displayname: 'Example'
            url: 'http://example.com'
```
If you don't want to set `contactPerson` or `organization`, omit those keys entirely rather than leaving them blank.
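Symfony also accepts bundle configuration as a PHP file, so the following added example (not part of the bundle's README) restates the tree above with the values a production service provider should run with: HTTPS endpoints, `strict` on, `debug` off, signatures required in both directions, and unsolicited responses rejected. The keys are the ones listed above; the hostnames, the `SAML_IDP_X509CERT` and `SAML_SP_PRIVATE_KEY` environment variable names and the file path are assumptions.

```php
<?php
// config/packages/hslavich_onelogin_saml.php (assumed path)
// Added example: the README's settings tree in Symfony's PHP config format,
// with the settings tightened for production use.

declare(strict_types=1);

use Symfony\Component\DependencyInjection\Loader\Configurator\ContainerConfigurator;

return static function (ContainerConfigurator $container): void {
    $container->extension('hslavich_onelogin_saml', [
        'idp' => [
            'entityId' => 'https://id.example.com/saml2/idp/metadata.php',
            'singleSignOnService' => [
                'url' => 'https://id.example.com/saml2/idp/SSOService.php',
                'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
            ],
            'singleLogoutService' => [
                'url' => 'https://id.example.com/saml2/idp/SingleLogoutService.php',
                'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
            ],
            // Must not be empty: without the IdP certificate no signature can be
            // verified. Read from the environment (assumed variable name) rather
            // than pasting a PEM block into a versioned config file.
            'x509cert' => '%env(SAML_IDP_X509CERT)%',
        ],
        'sp' => [
            'entityId' => 'https://myapp.example/saml/metadata',
            'assertionConsumerService' => [
                'url' => 'https://myapp.example/saml/acs',
                'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
            ],
            'singleLogoutService' => [
                'url' => 'https://myapp.example/saml/logout',
                'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
            ],
            // Needed once the SP signs its own requests (assumed variable name).
            'privateKey' => '%env(SAML_SP_PRIVATE_KEY)%',
        ],
        'baseurl' => 'https://myapp.example',
        // strict=false disables most of php-saml's response validation; keep it on.
        'strict' => true,
        // debug=true surfaces validation details to the client; off in production.
        'debug' => false,
        'security' => [
            // Sign what we send ...
            'authnRequestsSigned' => true,
            'logoutRequestSigned' => true,
            'logoutResponseSigned' => true,
            // ... and require the IdP to sign both the message and the assertion.
            'wantMessagesSigned' => true,
            'wantAssertionsSigned' => true,
            'wantXMLValidation' => true,
            // Responses must be addressed to exactly our ACS URL.
            'relaxDestinationValidation' => false,
            'destinationStrictlyMatches' => true,
            // Only accept responses that answer a request this SP actually sent.
            'rejectUnsolicitedResponsesWithInResponseTo' => true,
            'signatureAlgorithm' => 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256',
            'digestAlgorithm' => 'http://www.w3.org/2001/04/xmlenc#sha256',
        ],
    ]);
};
```

Every key maps one-to-one to the YAML above, so the same values can be set there instead. `nameIdEncrypted` and `wantNameIdEncrypted` are left at their defaults because they need an encryption key pair that the configuration on this page does not set up.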
Configure firewall and user provider in `config/packages/security.yaml`:

```yaml
security:
    # ...
    providers:
        saml_provider:
            # Basic provider instantiates a user with default roles
            saml:
                user_class: 'AppBundle\Entity\User'
                default_roles: ['ROLE_USER']
    firewalls:
        app:
            pattern: ^/
            saml:
                # Match SAML attribute 'uid' with username.
                # Uses getNameId() method by default.
                username_attribute: uid
                # Use the attribute's friendlyName instead of the name
                use_attribute_friendly_name: true
                check_path: saml_acs
                login_path: saml_login
            logout:
                path: saml_logout
    access_control:
        - { path: ^/saml/login, roles: PUBLIC_ACCESS }
        - { path: ^/saml/metadata, roles: PUBLIC_ACCESS }
        - { path: ^/, roles: ROLE_USER }
```
Edit your `config/routing` or `config/routes.yaml`, depending on your Symfony version:

```yaml
hslavich_saml_sp:
    resource: "@HslavichOneloginSamlBundle/Resources/config/routing.yml"
```
## Inject SAML attributes into User object (Optional)

Your user class must implement `SamlUserInterface`:

```php
<?php

namespace App\Entity;

use Hslavich\OneloginSamlBundle\Security\User\SamlUserInterface;

class User implements SamlUserInterface
{
    protected $username;
    protected $email;

    // ...

    // Called by the bundle after authentication with the attributes of the SAML assertion.
    public function setSamlAttributes(array $attributes)
    {
        $this->email = $attributes['mail'][0];
    }

    public function getEmail()
    {
        return $this->email;
    }
}
```

Then you can get attributes from the user object:

```php
$email = $this->getUser()->getEmail();
```
## Integration with classic login form

You can integrate SAML authentication with a traditional login form by editing your `security.yaml`:

```yaml
security:
    enable_authenticator_manager: true
    providers:
        user_provider:
            # Loads user from user repository
            entity:
                class: App\Entity\User
                property: username
    firewalls:
        default:
            saml:
                username_attribute: uid
                check_path: saml_acs
                login_path: saml_login
                failure_path: saml_login
                always_use_default_target_path: true
            # Traditional login form
            form_login:
                login_path: /login
                check_path: /login_check
                always_use_default_target_path: true
            logout:
                path: saml_logout
```

Then you can add a link to the `saml_login` route in your login page in order to start SAML sign-on:

```twig
<a href="{{ path('saml_login') }}">SAML Login</a>
```
## Just-in-time user provisioning (optional)

It's possible to have a new user provisioned based on the received SAML attributes when the user provider cannot find a user.

Edit firewall settings in `security.yaml`:

```yaml
security:
    # ...
    providers:
        saml_provider:
            # Loads user from user repository
            entity:
                class: App\Entity\User
                property: username
    firewalls:
        default:
            provider: saml_provider
            saml:
                username_attribute: uid
                # User factory service
                user_factory: my_user_factory
            logout:
                path: saml_logout
```
In order for a user to be provisioned, you must use a user provider that throws `UserNotFoundException` (e.g. `EntityUserProvider`, as used in the example above). The `SamlUserProvider` does not throw this exception, which will cause an empty user to be returned when a matching user cannot be found.
Create the user factory service by editing `services.yaml`:

```yaml
services:
    my_user_factory:
        class: Hslavich\OneloginSamlBundle\Security\User\SamlUserFactory
        arguments:
            # User class
            - App\Entity\User
            # Attribute mapping.
            - password: 'notused'
              email: $mail
              name: $cn
              lastname: $sn
              roles: ['ROLE_USER']
```
Fields whose value starts with `$` reference the SAML attribute of that name.
Or you can create your own user factory that implements `SamlUserFactoryInterface`:

```php
<?php

namespace App\Security;

use App\Entity\User;
use Hslavich\OneloginSamlBundle\Security\User\SamlUserFactoryInterface;
use Symfony\Component\Security\Core\User\UserInterface;

class UserFactory implements SamlUserFactoryInterface
{
    // Called when the user provider cannot find $username; builds the new user
    // from the attributes of the SAML assertion.
    public function createUser($username, array $attributes = []): UserInterface
    {
        $user = new User();
        $user->setRoles(['ROLE_USER']);
        $user->setUsername($username);
        $user->setPassword('notused');
        $user->setEmail($attributes['mail'][0]);
        $user->setName($attributes['cn'][0]);

        return $user;
    }
}
```
```yaml
services:
    my_user_factory:
        class: App\Security\UserFactory
```

For versions prior to 2.1 the `createUser` signature was different:

```php
public function createUser(SamlTokenInterface $token): UserInterface
{
    $username = $token->getUsername();
    $attributes = $token->getAttributes();
    // ...
}
```
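The two provisioning approaches above (the mapping-driven `SamlUserFactory` and a hand-written factory) both copy attribute values straight into the new user. The following added example, which is not part of the bundle, shows a factory for the 2.1+ signature that refuses to provision an account when a required attribute is missing and derives roles from the IdP's group attribute through an explicit allow-list, so an unexpected group value never turns into an application role. The attribute names (`mail`, `cn`, `memberOf`), the group names and the class name are assumptions; `User` is the page's entity with the setters used above.

```php
<?php
// src/Security/GroupMappingUserFactory.php (assumed path)
// Added example of a SamlUserFactoryInterface implementation with attribute
// validation and allow-listed group-to-role mapping. Not part of the bundle.

declare(strict_types=1);

namespace App\Security;

use App\Entity\User;
use Hslavich\OneloginSamlBundle\Security\User\SamlUserFactoryInterface;
use Symfony\Component\Security\Core\Exception\AuthenticationException;
use Symfony\Component\Security\Core\User\UserInterface;

final class GroupMappingUserFactory implements SamlUserFactoryInterface
{
    /** @var array<string, string> IdP group value => application role (assumed names) */
    private const GROUP_TO_ROLE = [
        'app-admins' => 'ROLE_ADMIN',
        'app-users'  => 'ROLE_USER',
    ];

    /** Attributes (assumed names) the assertion must carry for an account to be created. */
    private const REQUIRED_ATTRIBUTES = ['mail', 'cn'];

    public function createUser($username, array $attributes = []): UserInterface
    {
        foreach (self::REQUIRED_ATTRIBUTES as $name) {
            if (empty($attributes[$name][0]) || !is_string($attributes[$name][0])) {
                // Abort the login instead of persisting a half-populated account.
                throw new AuthenticationException(
                    sprintf('SAML assertion lacks required attribute "%s".', $name)
                );
            }
        }

        $roles = self::mapRoles($attributes['memberOf'] ?? []);
        if ($roles === []) {
            // A user who is in no mapped group gets no account at all.
            throw new AuthenticationException(
                'SAML user is not a member of any group mapped to an application role.'
            );
        }

        $user = new User();
        $user->setUsername($username);
        $user->setPassword('notused'); // no local password login for SAML-provisioned users
        $user->setEmail($attributes['mail'][0]);
        $user->setName($attributes['cn'][0]);
        $user->setRoles($roles);

        return $user;
    }

    /**
     * Only groups listed in GROUP_TO_ROLE become roles; any other value is ignored,
     * so the IdP attribute can never inject a role the application did not define.
     *
     * @param list<mixed> $groups
     * @return list<string>
     */
    public static function mapRoles(array $groups): array
    {
        $roles = [];
        foreach ($groups as $group) {
            if (is_string($group) && isset(self::GROUP_TO_ROLE[$group])) {
                $roles[] = self::GROUP_TO_ROLE[$group];
            }
        }

        return array_values(array_unique($roles));
    }
}
```

Register it under the `my_user_factory` service id exactly as shown for `App\Security\UserFactory` above. Throwing `AuthenticationException` from the factory lets the firewall's normal failure handling (the `failure_path` from the login-form example) take over, so a malformed assertion ends in a failed login rather than an empty user.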
## Persist user on creation and SAML attributes injection (Optional)

The Symfony EventDispatcher component and Doctrine ORM are required.

Edit firewall settings in `security.yaml`:

```yaml
security:
    # ...
    firewalls:
        # ...
        default:
            saml:
                # ...
                persist_user: true
```

To use a non-default entity manager, specify its name with the `hslavich_onelogin_saml.entityManagerName` config option.
User pe