Azure Active Directory SSO with Laravel


I am doing SSO with Azure Active Directory. I have done the setup in Azure and got the keys. I am using the metrogistics/laravel-azure-ad-oauth package (https://packagist.org/packages/metrogistics/laravel-azure-ad-oauth) to implement this. But when I hit the URL http://localhost:8000/login/microsoft, I am redirected to the Microsoft login page and given an error message.

[screenshot of the error message]

I have added the following configuration to the .env file and done whatever the package requires.

It has been two days of searching online and I cannot find a solution. What exactly am I missing here?

Thank you.

Answer

For those still struggling with Azure Active Directory SSO for Laravel: if you are willing to use SAML, here is the repo they can use: https://github.com/aacotroneo/laravel-saml2

It is very simple to use, as long as you have completed the SSO setup correctly on the Azure portal.

It is a two-step process.

Step 1 - Set up the SSO project on the Azure Portal

a) Go to Azure Active Directory, then Enterprise Applications

b) Add a new application and choose Non-gallery application

c) Click Set up single sign on, then click the SAML box

d) Edit Basic SAML configuration and add the following:

Identifier (Entity ID) - https://my-laravel-website.com/saml2/aad/metadata

Reply URL (Assertion Consumer Service URL) - https://my-laravel-website.com/saml2/aad/acs

(Where these URLs come from I will explain in step 2. For now just save them.)

e) Download the Federation Metadata XML from the SAML Signing Certificate section to your system

f) Next, assign users to your current SAML SSO project.

Note - If no user exists in your account, then you need to create a user and assign some roles (this is necessary).

Here is a tutorial for setting up step 1: https://www.youtube.com/watch?v=xn_8Fm7S7y8

Step 2 - Install and configure the Laravel SAML2 package in your project.

a) Run composer require aacotroneo/laravel-saml2

b) Run php artisan vendor:publish --provider="Aacotroneo\Saml2\Saml2ServiceProvider"

c) config/saml2_settings.php:

<?php

return $settings = array(

    /**
     * Array of IDP prefixes to be configured e.g. 'idpNames' => ['test1', 'test2', 'test3'],
     * Separate routes will be automatically registered for each IDP specified with IDP name as prefix
     * Separate config file saml2/<idpName>_idp_settings.php should be added & configured accordingly
     */
    'idpNames' => ['aad'],

    /**
     * If 'useRoutes' is set to true, the package defines five new routes for each entry in idpNames:
     *
     *    Method | URI                                | Name
     *    -------|------------------------------------|------------------
     *    POST   | routesPrefix/idpName/acs       | saml_acs
     *    GET    | routesPrefix/idpName/login     | saml_login
     *    GET    | routesPrefix/idpName/logout    | saml_logout
     *    GET    | routesPrefix/idpName/metadata  | saml_metadata
     *    GET    | routesPrefix/idpName/sls       | saml_sls
     */
    'useRoutes' => true,

    /**
     * Optional, leave empty if you want the defined routes to be top level, i.e. "/idpName/*"
     */
    'routesPrefix' => 'saml2',

    /**
     * which middleware group to use for the saml routes
     * Laravel 5.2 will need a group which includes StartSession
     */
    'routesMiddleware' => ['saml'],

    /**
     * Indicates how the parameters will be
     * retrieved from the sls request for signature validation
     */
    'retrieveParametersFromServer' => false,

    /**
     * Where to redirect after logout
     */
    'logoutRoute' => '/login',

    /**
     * Where to redirect after login if no other option was provided
     */
    'loginRoute' => '/dashboard',

    /**
     * Where to redirect when the SAML response from the IdP could not be validated
     */
    'errorRoute' => '/login',

    // If 'proxyVars' is True, then the Saml lib will trust proxy headers
    // e.g X-Forwarded-Proto / HTTP_X_FORWARDED_PROTO. This is useful if
    // your application is running behind a load balancer which terminates
    // SSL. Only enable it when the app is reachable solely through such a
    // proxy: otherwise a client can set these headers itself and change the
    // scheme/host that the SAML Destination and ACS URLs are checked against.
    'proxyVars' => true,

    /**
     * (Optional) Which class implements the route functions.
     * If commented out, defaults to this lib's controller (Aacotroneo\Saml2\Http\Controllers\Saml2Controller).
     * If you need to extend Saml2Controller (e.g. to override the `login()` function to pass
     * a `$returnTo` argument), this value allows you to pass your own controller, and have
     * it used in the routes definition.
     */
    'saml2_controller' => 'App\Http\Controllers\Auth\SAML2LoginController',
);

- The URLs in part d) of step 1 come from the route table above (screenshot omitted).

d) Create a new file config/saml2/aad_idp_settings.php and copy the contents of config/saml2/test_idp_settings.php into it. Change $this_idp_env_id in aad_idp_settings.php to "AAD". So in the end aad_idp_settings.php will look like this:

<?php

// If you choose to use ENV vars to define these values, give this IdP its own env var names
// so you can define different values for each IdP, all starting with 'SAML2_'.$this_idp_env_id
$this_idp_env_id = 'AAD';

// This variable is for the simplesaml example only.
// For real IdP, you must set the url values in the 'idp' config to conform to the IdP's real urls.
$idp_host = env('SAML2_'.$this_idp_env_id.'_IDP_HOST', 'http://localhost:8000/simplesaml');

return $settings = array(

    /*****
     * One Login Settings
     */

    // If 'strict' is True, then the PHP Toolkit will reject unsigned
    // or unencrypted messages if it expects them signed or encrypted
    // Also will reject the messages if not strictly follow the SAML
    // standard: Destination, NameId, Conditions ... are validated too.
    'strict' => true, //@todo: make this depend on laravel config

    // Enable debug mode (to print errors)
    'debug' => env('APP_DEBUG', false),

    // Service Provider Data that we are deploying
    'sp' => array(

        // Specifies constraints on the name identifier to be used to
        // represent the requested subject.
        // Take a look on lib/Saml2/Constants.php to see the NameIdFormat supported
        'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',

        // Usually x509cert and privateKey of the SP are provided by files placed at
        // the certs folder. But we can also provide them with the following parameters
        'x509cert' => env('SAML2_'.$this_idp_env_id.'_SP_x509',''),
        'privateKey' => env('SAML2_'.$this_idp_env_id.'_SP_PRIVATEKEY',''),

        // Identifier (URI) of the SP entity.
        // Leave blank to use the 'idpName_metadata' route, e.g. 'test_metadata'.
        'entityId' => env('SAML2_'.$this_idp_env_id.'_SP_ENTITYID',''),

        // Specifies info about where and how the <AuthnResponse> message MUST be
        // returned to the requester, in this case our SP.
        'assertionConsumerService' => array(
            // URL Location where the <Response> from the IdP will be returned,
            // using HTTP-POST binding.
            // Leave blank to use the 'idpName_acs' route, e.g. 'test_acs'
            'url' => '',
        ),
        // Specifies info about where and how the <Logout Response> message MUST be
        // returned to the requester, in this case our SP.
        // Remove this part to not include any URL Location in the metadata.
        'singleLogoutService' => array(
            // URL Location where the <Response> from the IdP will be returned,
            // using HTTP-Redirect binding.
            // Leave blank to use the 'idpName_sls' route, e.g. 'test_sls'
            'url' => '',
        ),
    ),

    // Identity Provider data that we want to connect to (the rest of this file is not included in the post)
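As an added example (not from the answer above nor from the laravel-saml2 package), the following ties the two steps together: the Identifier and Reply URL entered in Azure in step 1 d) are derived from the package's route scheme (routesPrefix/idpName/route, as in the route table of saml2_settings.php), and the Federation Metadata XML downloaded in step 1 e) is parsed for the IdP entity ID, SSO/logout URLs and signing certificate that the 'idp' section of aad_idp_settings.php needs (keys named after the OneLogin php-saml idp settings). The metadata is a constructed stand-in with a placeholder tenant and a fake certificate; the parser refuses metadata that is not an IdP descriptor and endpoints that are not HTTPS.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET  # for metadata from an untrusted source, use defusedxml instead

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed stand-in for the Federation Metadata XML downloaded in step 1 e).
# TENANT-ID is a placeholder and FAKE_CERT is not a real certificate.
FAKE_CERT = base64.b64encode(b"constructed-not-a-real-cert").decode()
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://sts.windows.net/TENANT-ID/">
 <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
   <X509Data><X509Certificate>{FAKE_CERT}</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
  <SingleLogoutService Binding="{REDIRECT}" Location="https://login.microsoftonline.com/TENANT-ID/saml2"/>
  <SingleSignOnService Binding="{REDIRECT}" Location="https://login.microsoftonline.com/TENANT-ID/saml2"/>
 </IDPSSODescriptor>
</EntityDescriptor>"""

def sp_urls(app_url, routes_prefix="saml2", idp_name="aad"):
    # Identifier (Entity ID) and Reply URL (ACS) for Azure's "Basic SAML Configuration",
    # built from the package's route scheme /<routesPrefix>/<idpName>/<route>.
    base = f"{app_url.rstrip('/')}/{routes_prefix}/{idp_name}"
    return {"entity_id": f"{base}/metadata", "acs_url": f"{base}/acs"}

def parse_federation_metadata(xml_text):
    # Extract the values the 'idp' section of aad_idp_settings.php needs, refusing
    # metadata that is not an IdP descriptor or whose endpoints are not HTTPS.
    root = ET.fromstring(xml_text)
    if root.tag != f"{MD}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find(f"{MD}IDPSSODescriptor")
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this metadata does not describe an IdP")
    sso = [s.get("Location") for s in idp.findall(f"{MD}SingleSignOnService")
           if s.get("Binding") == REDIRECT]
    slo = [s.get("Location") for s in idp.findall(f"{MD}SingleLogoutService")
           if s.get("Binding") == REDIRECT]
    certs = [c.text.strip() for kd in idp.findall(f"{MD}KeyDescriptor")
             if kd.get("use", "signing") == "signing" for c in kd.iter(f"{DS}X509Certificate")]
    if not sso or not certs:
        raise ValueError("metadata lacks an HTTP-Redirect SSO URL or a signing certificate")
    if any(not u.startswith("https://") for u in sso + slo):
        raise ValueError("IdP endpoint is not HTTPS")
    der = base64.b64decode(certs[0], validate=True)  # rejects a mangled certificate early
    return {"entityId": root.get("entityID", ""), "singleSignOnService": sso[0],
            "singleLogoutService": slo[0] if slo else "", "x509cert": certs[0],
            "sha256_fingerprint": hashlib.sha256(der).hexdigest()}
```

The returned x509cert value is the base64 body to put in the IdP's x509cert setting, and the SHA-256 fingerprint of the DER is handy for confirming in the Azure portal that the right signing certificate was downloaded.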
