Единый выход с одним логином PHP и ADFS
Я создаю веб-приложение на основе платформы Laravel, и мне нужно добавить поддержку SSO с использованием ADFS в качестве поставщика удостоверений.
Мне удалось включить Single Sign On с помощью пакета laravel-saml2, который основан на наборе инструментов onelogin, но теперь я застрял в Single Logout.
Когда LogoutRequest выполняется из веб-приложения, в журналах ошибок ADFS отображается следующая ошибка.
Microsoft.IdentityServer.RequestFailedException: MSIS7054: выход из SAML не завершен должным образом. System.Security.Cryptography.CryptographicException: параметр неверен. при System.Security.Cryptography.CryptographicException.ThrowCryptographicException(Int32 ч) при System.Security.Cryptography.RSACryptoServiceProvider.DecryptKey(SafeKeyHandle pKeyContext, Byte[] pbEncryptedKey, Int32 cbEncryptedKey, булевой fOAEP, ObjectHandleOnStack ohRetDecryptedKey) в System.Security.Cryptography.RSACryptoServiceProvider.Decrypt(байт [], Boolean RGB fOAEP) при System.Security.Cryptography.RSAPKCS1KeyExchangeDeformatter.DecryptKeyExchange(байт [] rgbIn) при System.IdentityModel.Selectors.SecurityTokenResolver.SimpleTokenResolver.TryResolveSecurityKeyCore(SecurityKeyIdentifierClause keyIdentifierClause, SecurityKey& ключ) на Microsoft.IdentityModel, adEncryptedId(читатель XmlReader) в Microsoft.IdentityServer.Protocols.Saml.Saml2AssertionSerializer.ReadEncryptedId(читатель XmlReader) в Microsoft.IdentityServer.Web.Protocols.Saml.) при Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolManager.Logout(HttpSamlMessage logoutMessage, струнного sessionState, струнного logoutState, булевой partialLogout, булевой isUrlTranslationNeeded, HttpSamlMessage& newLogoutMessage, String& newSessionState, String& newLogoutState, Boolean& validLogoutRequest)
Ниже перечислены настройки onelogin, которые я использую.
<?php
//This is variable is an example - Just make sure that the urls in the 'idp' config are ok.
$idp_hostname = 'login.adfs.pt';
return $settings = array(
/*****
* Cosmetic settings - controller routes
**/
'useRoutes' => true, //include library routes and controllers
'routesPrefix' => '/saml2',
/**
* Where to redirect after logout
*/
'logoutRoute' => '/',
/**
* Where to redirect after login if no other option was provided
*/
'loginRoute' => '/',
/**
* Where to redirect after login if no other option was provided
*/
'errorRoute' => '/',
/*****
* One Loign Settings
*/
// If 'strict' is True, then the PHP Toolkit will reject unsigned
// or unencrypted messages if it expects them signed or encrypted
// Also will reject the messages if not strictly follow the SAML
// standard: Destination, NameId, Conditions ... are validated too.
'strict' => true, //@todo: make this depend on laravel config
// Enable debug mode (to print errors)
'debug' => true, //@todo: make this depend on laravel config
// Service Provider Data that we are deploying
'sp' => array(
// Specifies constraints on the name identifier to be used to
// represent the requested subject.
// Take a look on lib/Saml2/Constants.php to see the NameIdFormat supported
'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified',
// Usually x509cert and privateKey of the SP are provided by files placed at
// the certs folder. But we can also provide them with the following parameters
'x509cert' => 'XXXXXXXXXXXXXXXX MY SP Public key XXXXXXXXXXXXXXX',
'privateKey' => 'XXXXXXXXXXXYXX My SP Private key YXYYYYYYYYYYYYYY',
//LARAVEL - You don't need to change anything else on the sp
// Identifier of the SP entity (must be a URI)
'entityId' => '', //LARAVEL: This would be set to saml_metadata route
// Specifies info about where and how the <AuthnResponse> message MUST be
// returned to the requester, in this case our SP.
'assertionConsumerService' => array(
// URL Location where the <Response> from the IdP will be returned
'url' => '', //LARAVEL: This would be set to saml_acs route
// SAML protocol binding to be used when returning the <Response>
// message. Onelogin Toolkit supports for this endpoint the
// HTTP-Redirect binding only
//'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
),
// Specifies info about where and how the <Logout Response> message MUST be
// returned to the requester, in this case our SP.
'singleLogoutService' => array(
// URL Location where the <Response> from the IdP will be returned
'url' => '', //LARAVEL: This would be set to saml_sls route
// SAML protocol binding to be used when returning the <Response>
// message. Onelogin Toolkit supports for this endpoint the
// HTTP-Redirect binding only
//'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
),
),
// Identity Provider Data that we want connect with our SP
'idp' => array(
// Identifier of the IdP entity (must be a URI)
'entityId' => 'http://' . $idp_hostname . '/adfs/services/trust',
// SSO endpoint info of the IdP. (Authentication Request protocol)
'singleSignOnService' => array(
// URL Target of the IdP where the SP will send the Authentication Request Message
'url' => 'https://' . $idp_hostname . '/adfs/ls/',
// SAML protocol binding to be used when returning the <Response>
// message. Onelogin Toolkit supports for this endpoint the
// HTTP-POST binding only
'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
),
// SLO endpoint info of the IdP.
'singleLogoutService' => array(
// URL Location of the IdP where the SP will send the SLO Request
//'url' => $idp_host . '/saml2/idp/SingleLogoutService.php',
'url' => 'https://' . $idp_hostname . '/adfs/ls/',
// SAML protocol binding to be used when returning the <Response>
// message. Onelogin Toolkit supports for this endpoint the
// HTTP-Redirect binding only
'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
),
// Public x509 certificate of the IdP
'x509cert' => 'XXXXXXXXXXXXXXX ADFS Identity Provider public key XXXXXXXXXXXXX',
/*
* Instead of use the whole x509cert you can use a fingerprint
* (openssl x509 -noout -fingerprint -in "idp.crt" to generate it)
*/
//'certFingerprint' => '',
),
/***
*
* OneLogin advanced settings
*
*
*/
// Security settings
'security' => array(
/** signatures and encryptions offered */
// Indicates that the nameID of the <samlp:logoutRequest> sent by this SP
// will be encrypted.
'nameIdEncrypted' => true,
// Indicates whether the <samlp:AuthnRequest> messages sent by this SP
// will be signed. [The Metadata of the SP will offer this info]
'authnRequestsSigned' => true,
// Indicates whether the <samlp:logoutRequest> messages sent by this SP
// will be signed.
'logoutRequestSigned' => true,
// Indicates whether the <samlp:logoutResponse> messages sent by this SP
// will be signed.
'logoutResponseSigned' => true,
/* Sign the Metadata
False || True (use sp certs) || array (
keyFileName => 'metadata.key',
certFileName => 'metadata.crt'
)
*/
'signMetadata' => false,
/** signatures and encryptions required **/
// Indicates a requirement for the <samlp:Response>, <samlp:LogoutRequest> and
// <samlp:LogoutResponse> elements received by this SP to be signed.
'wantMessagesSigned' => false,
// Indicates a requirement for the <saml:Assertion> elements received by
// this SP to be signed. [The Metadata of the SP will offer this info]
'wantAssertionsSigned' => false,
// Indicates a requirement for the NameID received by
// this SP to be encrypted.
'wantNameIdEncrypted' => false,
// Authentication context.
// Set to false and no AuthContext will be sent in the AuthNRequest,
// Set true or don't present thi parameter and you will get an AuthContext 'exact' 'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport'
// Set an array with the possible auth context values: array ('urn:oasis:names:tc:SAML:2.0:ac:classes:Password', 'urn:oasis:names:tc:SAML:2.0:ac:classes:X509'),
'requestedAuthnContext' => false,
),
// Contact information template, it is recommended to suply a technical and support contacts
'contactPerson' => array(
'technical' => array(
'givenName' => 'name',
'emailAddress' => 'my@email.pt'
),
'support' => array(
'givenName' => 'Support',
'emailAddress' => 'my@email.pt'
),
),
// Organization information template, the info in en_US lang is recomended, add more if required
'organization' => array(
'en-US' => array(
'name' => 'Michael',
'displayname' => 'Michael',
'url' => ''
),
),
/* Interoperable SAML 2.0 Web Browser SSO Profile [saml2int] http://saml2int.org/profile/current
'authnRequestsSigned' => false, // SP SHOULD NOT sign the <samlp:AuthnRequest>,
// MUST NOT assume that the IdP validates the sign
'wantAssertionsSigned' => true,
'wantAssertionsEncrypted' => true, // MUST be enabled if SSL/HTTPs is disabled
'wantNameIdEncrypted' => false,
*/
);
Я искал об этой ошибке некоторое время, но я не смог найти никакой помощи в том, как ее исправить. Я что-то пропустил?