BookStack/app/Config/saml2.php

<?php

return [

    // Display name, shown to users, for SAML2 option
    'name' => env('SAML2_NAME', 'SSO'),
    // Toggle whether the SAML2 option is active
    'enabled' => env('SAML2_ENABLED', false),
    // Enable registration via SAML2 authentication
    'auto_register' => env('SAML2_AUTO_REGISTER', true),

    // Dump user details after a login request for debugging purposes
    'dump_user_details' => env('SAML2_DUMP_USER_DETAILS', false),

    // Attribute, within a SAML response, to find the user's email address
    'email_attribute' => env('SAML2_EMAIL_ATTRIBUTE', 'email'),
    // Attribute, within a SAML response, to find the user's display name
    'display_name_attributes' => explode('|', env('SAML2_DISPLAY_NAME_ATTRIBUTES', 'username')),
    // Attribute, within a SAML response, to use to connect a BookStack user to the SAML user.
    'external_id_attribute' => env('SAML2_EXTERNAL_ID_ATTRIBUTE', null),

    // Group sync options
    // Enable syncing, upon login, of SAML2 groups to BookStack groups
    'user_to_groups' => env('SAML2_USER_TO_GROUPS', false),
    // Attribute, within a SAML response, to find group names on
    'group_attribute' => env('SAML2_GROUP_ATTRIBUTE', 'group'),
    // When syncing groups, remove any groups that no longer match. Otherwise sync only adds new groups.
    'remove_from_groups' => env('SAML2_REMOVE_FROM_GROUPS', false),

    // Autoload IDP details from the metadata endpoint
    'autoload_from_metadata' => env('SAML2_AUTOLOAD_METADATA', false),

    // Overrides, in JSON format, to the configuration passed to underlying onelogin library.
    'onelogin_overrides' => env('SAML2_ONELOGIN_OVERRIDES', null),


    'onelogin' => [
        // If 'strict' is True, then the PHP Toolkit will reject unsigned
        // or unencrypted messages if it expects them signed or encrypted
        // Also will reject the messages if not strictly follow the SAML
        // standard: Destination, NameId, Conditions ... are validated too.
        'strict' => true,

        // Enable debug mode (to print errors)
        'debug' => env('APP_DEBUG', false),

        // Set a BaseURL to be used instead of try to guess
        // the BaseURL of the view that process the SAML Message.
        // Ex. http://sp.example.com/
        //     http://example.com/sp/
        'baseurl' => null,

        // Service Provider Data that we are deploying
        'sp' => [
            // Identifier of the SP entity  (must be a URI)
            'entityId' => '',

            // Specifies info about where and how the <AuthnResponse> message MUST be
            // returned to the requester, in this case our SP.
            'assertionConsumerService' => [
                // URL Location where the <Response> from the IdP will be returned
                'url' => '',
                // SAML protocol binding to be used when returning the <Response>
                // message.  Onelogin Toolkit supports for this endpoint the
                // HTTP-POST binding only
                'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
            ],

            // Specifies info about where and how the <Logout Response> message MUST be
            // returned to the requester, in this case our SP.
            'singleLogoutService' => [
                // URL Location where the <Response> from the IdP will be returned
                'url' => '',
                // SAML protocol binding to be used when returning the <Response>
                // message.  Onelogin Toolkit supports for this endpoint the
                // HTTP-Redirect binding only
                'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
            ],

            // Specifies constraints on the name identifier to be used to
            // represent the requested subject.
            // Take a look on lib/Saml2/Constants.php to see the NameIdFormat supported
            'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
            // Usually x509cert and privateKey of the SP are provided by files placed at
            // the certs folder. But we can also provide them with the following parameters
            'x509cert' => '',
            'privateKey' => '',
        ],
        // Identity Provider Data that we want connect with our SP
        'idp' => [
            // Identifier of the IdP entity  (must be a URI)
            'entityId' => env('SAML2_IDP_ENTITYID', null),
            // SSO endpoint info of the IdP. (Authentication Request protocol)
            'singleSignOnService' => [
                // URL Target of the IdP where the SP will send the Authentication Request Message
                'url' => env('SAML2_IDP_SSO', null),
                // SAML protocol binding to be used when returning the <Response>
                // message.  Onelogin Toolkit supports for this endpoint the
                // HTTP-Redirect binding only
                'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
            ],
            // SLO endpoint info of the IdP.
            'singleLogoutService' => [
                // URL Location of the IdP where the SP will send the SLO Request
                'url' => env('SAML2_IDP_SLO', null),
                // URL location of the IdP where the SP will send the SLO Response (ResponseLocation)
                // if not set, url for the SLO Request will be used
                'responseUrl' => '',
                // SAML protocol binding to be used when returning the <Response>
                // message.  Onelogin Toolkit supports for this endpoint the
                // HTTP-Redirect binding only
                'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
            ],
            // Public x509 certificate of the IdP
            'x509cert' => env('SAML2_IDP_x509', null),
            /*
             *  Instead of use the whole x509cert you can use a fingerprint in
             *  order to validate the SAMLResponse, but we don't recommend to use
             *  that method on production since is exploitable by a collision
             *  attack.
             *  (openssl x509 -noout -fingerprint -in "idp.crt" to generate it,
             *   or add for example the -sha256 , -sha384 or -sha512 parameter)
             *
             *  If a fingerprint is provided, then the certFingerprintAlgorithm is required in order to
             *  let the toolkit know which Algorithm was used. Possible values: sha1, sha256, sha384 or sha512
             *  'sha1' is the default value.
             */
            // 'certFingerprint' => '',
            // 'certFingerprintAlgorithm' => 'sha1',
            /* In some scenarios the IdP uses different certificates for
             * signing/encryption, or is under key rollover phase and more
             * than one certificate is published on IdP metadata.
             * In order to handle that the toolkit offers that parameter.
             * (when used, 'x509cert' and 'certFingerprint' values are
             * ignored).
             */
            // 'x509certMulti' => array(
            //      'signing' => array(
            //          0 => '<cert1-string>',
            //      ),
            //      'encryption' => array(
            //          0 => '<cert2-string>',
            //      )
            // ),
        ],
    ],

];
Started using OneLogin SAML lib directly - Aligned and formatted config options. - Provided way to override onelogin lib options if required. - Added endpoints in core bookstack routes. - Provided way to debug details provided by idp and formatted by bookstack. - Started on test work - Handled case of email address already in use. 2019-11-17 08:26:43 -05:00			`<?php`

			`return [`

			`// Display name, shown to users, for SAML2 option`
			`'name' => env('SAML2_NAME', 'SSO'),`
			`// Toggle whether the SAML2 option is active`
			`'enabled' => env('SAML2_ENABLED', false),`
			`// Enable registration via SAML2 authentication`
			`'auto_register' => env('SAML2_AUTO_REGISTER', true),`

			`// Dump user details after a login request for debugging purposes`
			`'dump_user_details' => env('SAML2_DUMP_USER_DETAILS', false),`

			`// Attribute, within a SAML response, to find the user's email address`
			`'email_attribute' => env('SAML2_EMAIL_ATTRIBUTE', 'email'),`
			`// Attribute, within a SAML response, to find the user's display name`
			`'display_name_attributes' => explode('\|', env('SAML2_DISPLAY_NAME_ATTRIBUTES', 'username')),`
			`// Attribute, within a SAML response, to use to connect a BookStack user to the SAML user.`
			`'external_id_attribute' => env('SAML2_EXTERNAL_ID_ATTRIBUTE', null),`

			`// Group sync options`
			`// Enable syncing, upon login, of SAML2 groups to BookStack groups`
			`'user_to_groups' => env('SAML2_USER_TO_GROUPS', false),`
			`// Attribute, within a SAML response, to find group names on`
			`'group_attribute' => env('SAML2_GROUP_ATTRIBUTE', 'group'),`
			`// When syncing groups, remove any groups that no longer match. Otherwise sync only adds new groups.`
			`'remove_from_groups' => env('SAML2_REMOVE_FROM_GROUPS', false),`

Added the ability to auto-load config from metadata url 2019-11-17 09:44:26 -05:00			`// Autoload IDP details from the metadata endpoint`
			`'autoload_from_metadata' => env('SAML2_AUTOLOAD_METADATA', false),`

Started using OneLogin SAML lib directly - Aligned and formatted config options. - Provided way to override onelogin lib options if required. - Added endpoints in core bookstack routes. - Provided way to debug details provided by idp and formatted by bookstack. - Started on test work - Handled case of email address already in use. 2019-11-17 08:26:43 -05:00			`// Overrides, in JSON format, to the configuration passed to underlying onelogin library.`
			`'onelogin_overrides' => env('SAML2_ONELOGIN_OVERRIDES', null),`


			`'onelogin' => [`
			`// If 'strict' is True, then the PHP Toolkit will reject unsigned`
			`// or unencrypted messages if it expects them signed or encrypted`
			`// Also will reject the messages if not strictly follow the SAML`
			`// standard: Destination, NameId, Conditions ... are validated too.`
			`'strict' => true,`

			`// Enable debug mode (to print errors)`
			`'debug' => env('APP_DEBUG', false),`

			`// Set a BaseURL to be used instead of try to guess`
			`// the BaseURL of the view that process the SAML Message.`
			`// Ex. http://sp.example.com/`
			`// http://example.com/sp/`
			`'baseurl' => null,`

			`// Service Provider Data that we are deploying`
			`'sp' => [`
			`// Identifier of the SP entity (must be a URI)`
			`'entityId' => '',`

			`// Specifies info about where and how the <AuthnResponse> message MUST be`
			`// returned to the requester, in this case our SP.`
			`'assertionConsumerService' => [`
			`// URL Location where the <Response> from the IdP will be returned`
			`'url' => '',`
			`// SAML protocol binding to be used when returning the <Response>`
			`// message. Onelogin Toolkit supports for this endpoint the`
			`// HTTP-POST binding only`
			`'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',`
			`],`

			`// Specifies info about where and how the <Logout Response> message MUST be`
			`// returned to the requester, in this case our SP.`
			`'singleLogoutService' => [`
			`// URL Location where the <Response> from the IdP will be returned`
			`'url' => '',`
			`// SAML protocol binding to be used when returning the <Response>`
			`// message. Onelogin Toolkit supports for this endpoint the`
			`// HTTP-Redirect binding only`
			`'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',`
			`],`

			`// Specifies constraints on the name identifier to be used to`
			`// represent the requested subject.`
			`// Take a look on lib/Saml2/Constants.php to see the NameIdFormat supported`
			`'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',`
			`// Usually x509cert and privateKey of the SP are provided by files placed at`
			`// the certs folder. But we can also provide them with the following parameters`
			`'x509cert' => '',`
			`'privateKey' => '',`
			`],`
			`// Identity Provider Data that we want connect with our SP`
			`'idp' => [`
			`// Identifier of the IdP entity (must be a URI)`
			`'entityId' => env('SAML2_IDP_ENTITYID', null),`
			`// SSO endpoint info of the IdP. (Authentication Request protocol)`
			`'singleSignOnService' => [`
			`// URL Target of the IdP where the SP will send the Authentication Request Message`
			`'url' => env('SAML2_IDP_SSO', null),`
			`// SAML protocol binding to be used when returning the <Response>`
			`// message. Onelogin Toolkit supports for this endpoint the`
			`// HTTP-Redirect binding only`
			`'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',`
			`],`
			`// SLO endpoint info of the IdP.`
			`'singleLogoutService' => [`
			`// URL Location of the IdP where the SP will send the SLO Request`
			`'url' => env('SAML2_IDP_SLO', null),`
			`// URL location of the IdP where the SP will send the SLO Response (ResponseLocation)`
			`// if not set, url for the SLO Request will be used`
			`'responseUrl' => '',`
			`// SAML protocol binding to be used when returning the <Response>`
			`// message. Onelogin Toolkit supports for this endpoint the`
			`// HTTP-Redirect binding only`
			`'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',`
			`],`
			`// Public x509 certificate of the IdP`
			`'x509cert' => env('SAML2_IDP_x509', null),`
			`/*`
			`* Instead of use the whole x509cert you can use a fingerprint in`
			`* order to validate the SAMLResponse, but we don't recommend to use`
			`* that method on production since is exploitable by a collision`
			`* attack.`
			`* (openssl x509 -noout -fingerprint -in "idp.crt" to generate it,`
			`* or add for example the -sha256 , -sha384 or -sha512 parameter)`
			`*`
			`* If a fingerprint is provided, then the certFingerprintAlgorithm is required in order to`
			`* let the toolkit know which Algorithm was used. Possible values: sha1, sha256, sha384 or sha512`
			`* 'sha1' is the default value.`
			`*/`
			`// 'certFingerprint' => '',`
			`// 'certFingerprintAlgorithm' => 'sha1',`
			`/* In some scenarios the IdP uses different certificates for`
			`* signing/encryption, or is under key rollover phase and more`
			`* than one certificate is published on IdP metadata.`
			`* In order to handle that the toolkit offers that parameter.`
			`* (when used, 'x509cert' and 'certFingerprint' values are`
			`* ignored).`
			`*/`
			`// 'x509certMulti' => array(`
			`// 'signing' => array(`
			`// 0 => '<cert1-string>',`
			`// ),`
			`// 'encryption' => array(`
			`// 0 => '<cert2-string>',`
			`// )`
			`// ),`
			`],`
			`],`

			`];`