
SSO with SAML and Laravel

Stack Overflow user
Asked on 2016-03-15 14:03:30
1 answer, 15.9K views, 0 followers, 10 votes

I am implementing SAML-based SSO for a PHP web application. I am using Google as the IdP. I used the Laravel 5 Saml2 plugin and configured it following the steps given in its documentation. I also added the application in the Google Admin console as a SAML application, following the steps given here, and configured entityId and acs in saml2_settings.php. However, I am not able to configure the x509cert certificate. When I hit the login URL, the user is redirected to Google for authentication, but after I enter my credentials it does not return to the application and gives the following error:

That's an error.

Error: app_not_configured_for_user

Service is not configured for this user.

Here is my saml2_settings file:

```php
'sp' => array(

    // Specifies constraints on the name identifier to be used to
    // represent the requested subject.
    // Take a look on lib/Saml2/Constants.php to see the NameIdFormat supported
    'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',

    // Usually x509cert and privateKey of the SP are provided by files placed at
    // the certs folder. But we can also provide them with the following parameters
    'x509cert' => 'I ADDED x509certs here which I downloaded from google',
    'privateKey' => '',

    //LARAVEL - You don't need to change anything else on the sp
    // Identifier of the SP entity  (must be a URI)
    'entityId' => 'snipeit', //LARAVEL: This would be set to saml_metadata route
    // Specifies info about where and how the <AuthnResponse> message MUST be
    // returned to the requester, in this case our SP.
    'assertionConsumerService' => array(
        // URL Location where the <Response> from the IdP will be returned
        'url' => 'http://dev.sb.com/snipeit/public/account/profile', //LARAVEL: This would be set to saml_acs route
        //SAML protocol binding to be used when returning the <Response>
        //message.  Onelogin Toolkit supports for this endpoint the
        //HTTP-Redirect binding only
        'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
    ),
    // Specifies info about where and how the <Logout Response> message MUST be
    // returned to the requester, in this case our SP.
    'singleLogoutService' => array(
        // URL Location where the <Response> from the IdP will be returned
        'url' => '', //LARAVEL: This would be set to saml_sls route
        // SAML protocol binding to be used when returning the <Response>
        // message.  Onelogin Toolkit supports for this endpoint the
        // HTTP-Redirect binding only
        'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
    ),
),

// Identity Provider Data that we want connect with our SP
'idp' => array(
    // Identifier of the IdP entity  (must be a URI)
    'entityId' => '',
    // SSO endpoint info of the IdP. (Authentication Request protocol)
    'singleSignOnService' => array(
        // URL Target of the IdP where the SP will send the Authentication Request Message
        'url' => $idp_host,
        // SAML protocol binding to be used when returning the <Response>
        // message.  Onelogin Toolkit supports for this endpoint the
        // HTTP-POST binding only
        'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
    ),
    // SLO endpoint info of the IdP.
    'singleLogoutService' => array(
        // URL Location of the IdP where the SP will send the SLO Request
        'url' => $idp_host . '/saml2/idp/SingleLogoutService.php',
        // SAML protocol binding to be used when returning the <Response>
        // message.  Onelogin Toolkit supports for this endpoint the
        // HTTP-Redirect binding only
        'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
    ),
    // Public x509 certificate of the IdP
    'x509cert' => 'SAME CERTIFICATES I ADDED HERE AS WELL',
    /*
     *  Instead of use the whole x509cert you can use a fingerprint
     *  (openssl x509 -noout -fingerprint -in "idp.crt" to generate it)
     */
    // 'certFingerprint' => '',
),
```

Can someone help me with this?

1 answer

Stack Overflow user

Accepted answer

Posted on 2016-04-06 09:32:33

    'sp' => array( 'x509cert' => 'I ADDED x509certs here which I downloaded from google', 'privateKey' => '',

You are using Google as the IdP, so why are you using Google's public certificate in the sp section?

If you plan to sign the SAML messages sent by the SP, you need to put your own certificate/private key there. You can generate a self-signed certificate with the following tool: certs.php

If you have doubts about some of the settings fields, check the documentation of the Laravel plugin, and also the documentation of the php-saml toolkit that the plugin uses.

To debug what is happening, I also recommend using a browser extension to log the SAML messages, for example SAML Tracer, and checking the Status of the Response, which will tell you about possible errors.

Score 9
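The answer's point is that the `sp` and `idp` sections hold two different certificates: the SP's own key pair (used to sign what the SP sends) and the IdP's public certificate (used to verify what the IdP sends). The following is an added example, not code from the question, the Laravel-Saml2 plugin or php-saml: it generates a self-signed SP certificate with PHP's OpenSSL extension, builds a php-saml-style settings array, and runs the sanity checks that would have caught the question's configuration (IdP certificate pasted into `sp`, empty `privateKey`, `entityId` that is not a URI). All hostnames and URLs are assumptions; the Google entityId and SSO URL are placeholders to be replaced with the values from the IdP metadata downloaded from the Google Admin console.

```php
<?php
// Added example (not from the question or any project): two distinct
// certificates in a php-saml style settings array, plus a sanity check.

// 1. The SP's OWN key pair and self-signed certificate. This is what the
//    answer means by "your own certificate/private key" in the sp section.
$dn  = ['commonName' => 'snipeit.example.test'];           // assumed SP hostname
$key = openssl_pkey_new(['private_key_bits' => 2048,
                         'private_key_type' => OPENSSL_KEYTYPE_RSA]);
$csr = openssl_csr_new($dn, $key, ['digest_alg' => 'sha256']);
$crt = openssl_csr_sign($csr, null, $key, 365, ['digest_alg' => 'sha256']);
openssl_x509_export($crt, $spCertPem);
openssl_pkey_export($key, $spKeyPem);

// 2. The IdP certificate is a separate object: paste the PEM downloaded from
//    the Google Admin console here. Placeholder, so the check below flags it.
$idpCertPem = "-----BEGIN CERTIFICATE-----\nPLACEHOLDER_GOOGLE_IDP_CERT\n-----END CERTIFICATE-----";

$settings = [
    'sp' => [
        'entityId'   => 'https://snipeit.example.test/saml/metadata', // a URI, not 'snipeit'
        'x509cert'   => $spCertPem,  // SP's own certificate
        'privateKey' => $spKeyPem,   // SP's own key; required to sign AuthnRequests
        'assertionConsumerService' => [
            'url'     => 'https://snipeit.example.test/saml/acs',    // assumed ACS route
            'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
        ],
    ],
    'idp' => [
        // Placeholders: copy both values from Google's IdP metadata file.
        'entityId' => 'https://accounts.google.com/o/saml2?idpid=PLACEHOLDER',
        'singleSignOnService' => [
            'url'     => 'https://accounts.google.com/o/saml2/idp?idpid=PLACEHOLDER',
            'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
        ],
        'x509cert' => $idpCertPem,   // IdP certificate; verifies the signed Response
    ],
];

/** Return a list of problems found in a php-saml style settings array. */
function checkSamlSettings(array $s): array
{
    $problems = [];
    $sp  = $s['sp'];
    $idp = $s['idp'];

    // entityId must be a URI; this check accepts URL-form identifiers only.
    if (filter_var($sp['entityId'], FILTER_VALIDATE_URL) === false) {
        $problems[] = "sp.entityId must be a URI, got '{$sp['entityId']}'";
    }
    if ($idp['entityId'] === '') {
        $problems[] = 'idp.entityId is empty; take it from the IdP metadata';
    }
    // The question's mistake: the same certificate on both sides.
    if (trim($sp['x509cert']) === trim($idp['x509cert'])) {
        $problems[] = 'sp.x509cert equals idp.x509cert; sp needs its own certificate';
    }
    // A certificate without its private key cannot sign anything.
    if ($sp['x509cert'] !== '' && $sp['privateKey'] === '') {
        $problems[] = 'sp.x509cert is set but sp.privateKey is empty';
    } elseif ($sp['privateKey'] !== ''
              && !openssl_x509_check_private_key($sp['x509cert'], $sp['privateKey'])) {
        $problems[] = 'sp.privateKey does not match sp.x509cert';
    }
    // The IdP certificate must at least parse as X.509.
    if (@openssl_x509_read($idp['x509cert']) === false) {
        $problems[] = 'idp.x509cert is not a parseable certificate';
    }
    return $problems;
}

$problems = checkSamlSettings($settings);
echo $problems ? "Problems:\n- " . implode("\n- ", $problems) . "\n" : "Settings look consistent.\n";

// Optional: the fingerprint php-saml accepts in 'certFingerprint', which is
// what "openssl x509 -noout -fingerprint" prints for the same certificate.
echo 'SP cert SHA-1 fingerprint: ', openssl_x509_fingerprint($spCertPem, 'sha1'), "\n";
```

Run with `php check.php` (OpenSSL extension required). With the placeholder IdP certificate left in place the script reports only the "idp.x509cert is not a parseable certificate" problem; replacing it with the real Google certificate clears that, and pasting that same certificate into `sp.x509cert` reproduces the question's setup and trips the equality check.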
Original content from Stack Overflow: https://stackoverflow.com/questions/36013522