使用Laravel的Azure Active Directory SSO
Posted
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了使用Laravel的Azure Active Directory SSO相关的知识,希望对你有一定的参考价值。
我正在做的SO与蔚蓝活动目录。我已经做了设置,在azure和去的键。我使用metrogisticslaravel-azure-ad-oauth(https:/packagist.orgpackagesmetrogisticslaravel-azure-ad-oauth。)包来实现这个功能。但是,当我点击网址 http:/localhost:8000loginmicrosoft。 我被重定向到微软的登录页面,并给出一个错误信息。
我已经添加了以下配置到env文件,并做了任何包的要求。
已经两天了,我在网上搜索,却找不到解决办法。我这里到底漏了什么?
谢谢你了
对于那些还在纠结于 Azure Active Directory
单元化 Laravel
. 而如果你愿意使用SAML.这里是他们可以使用的repo.https/github.comaacotroneolaravel-saml2。
https:/github.comaacotroneolaravel-saml2。
它的使用非常简单,只要你在Azure门户上正确完成了SSO设置。
它是两个步骤的过程
步骤 1- 在 Azure Portal 上设置 SSO 项目
a) 前往 Azure Active Directory
然后 Enterprise Application
b) 添加新应用程序并选择 Non-gallery Application
c) 点击 Set up single sign on
然后点击 SAML
盒子
d) 编辑 basic SAML configuration
并添加以下内容
识别码(实体ID) - https:/my-laravel-website.comsaml2aadmetata。
回复URL(断言消费者服务URL) - https:/my-laravel-website.comsaml2aadacs。
(这些尿素从哪里来,我将会在 第二步. 目前只要保存即可)。)
e) 下载中心 Federation Metadata XML
从 SAML Signing Certificate
部分,在您的系统上
f) 接下来为您当前的SAML SSO项目分配用户。
注意-如果你的账户中没有用户存在。那么你需要创建一个用户并分配一些角色(这是必要的)。.
这是教程设置步骤1https:/www.youtube.comwatch?v=xn_8Fm7S7y8
.
步骤2- 在你的项目中安装和配置Laravel SAML 2包。
a) 运行 composer require aacotroneo/laravel-saml2
b) 运行 php artisan vendor:publish --provider="Aacotroneo\Saml2\Saml2ServiceProvider"
c) configsaml2_settings.php
<?php
return $settings = array(
/**
* Array of IDP prefixes to be configured e.g. 'idpNames' => ['test1', 'test2', 'test3'],
* Separate routes will be automatically registered for each IDP specified with IDP name as prefix
* Separate config file saml2/<idpName>_idp_settings.php should be added & configured accordingly
*/
'idpNames' => ['aad'],
/**
* If 'useRoutes' is set to true, the package defines five new routes for reach entry in idpNames:
*
* Method | URI | Name
* -------|------------------------------------|------------------
* POST | routesPrefix/idpName/acs | saml_acs
* GET | routesPrefix/idpName/login | saml_login
* GET | routesPrefix/idpName/logout | saml_logout
* GET | routesPrefix/idpName/metadata | saml_metadata
* GET | routesPrefix/idpName/sls | saml_sls
*/
'useRoutes' => true,
/**
* Optional, leave empty if you want the defined routes to be top level, i.e. "/idpName/*"
*/
'routesPrefix' => 'saml2',
/**
* which middleware group to use for the saml routes
* Laravel 5.2 will need a group which includes StartSession
*/
'routesMiddleware' => ['saml'],
/**
* Indicates how the parameters will be
* retrieved from the sls request for signature validation
*/
'retrieveParametersFromServer' => false,
/**
* Where to redirect after logout
*/
'logoutRoute' => '/login',
/**
* Where to redirect after login if no other option was provided
*/
'loginRoute' => '/dashboard',
/**
* Where to redirect after login if no other option was provided
*/
'errorRoute' => '/login',
// If 'proxyVars' is True, then the Saml lib will trust proxy headers
// e.g X-Forwarded-Proto / HTTP_X_FORWARDED_PROTO. This is useful if
// your application is running behind a load balancer which terminates
// SSL.
'proxyVars' => true,
/**
* (Optional) Which class implements the route functions.
* If commented out, defaults to this lib's controller (Aacotroneo\Saml2\Http\Controllers\Saml2Controller).
* If you need to extend Saml2Controller (e.g. to override the `login()` function to pass
* a `$returnTo` argument), this value allows you to pass your own controller, and have
* it used in the routes definition.
*/
'saml2_controller' => 'App\Http\Controllers\Auth\SAML2LoginController',
);
注 - 部分 d) 的 第一步 是来自以下方面
d) 创建一个新文件 config/saml2/aad_idp_settings.php
的内容,并复制到 config/saml2/test_idp_settings.php
成。改变 $this_idp_env_id
在 aad_idp_settings.php
到 "AAD. 所以,最后 aad_idp_settings.php
将会是如下的样子。
<?php
// If you choose to use ENV vars to define these values, give this IdP its own env var names
// so you can define different values for each IdP, all starting with 'SAML2_'.$this_idp_env_id
$this_idp_env_id = 'AAD';
//This is variable is for simplesaml example only.
// For real IdP, you must set the url values in the 'idp' config to conform to the IdP's real urls.
$idp_host = env('SAML2_'.$this_idp_env_id.'_IDP_HOST', 'http://localhost:8000/simplesaml');
return $settings = array(
/*****
* One Login Settings
*/
// If 'strict' is True, then the PHP Toolkit will reject unsigned
// or unencrypted messages if it expects them signed or encrypted
// Also will reject the messages if not strictly follow the SAML
// standard: Destination, NameId, Conditions ... are validated too.
'strict' => true, //@todo: make this depend on laravel config
// Enable debug mode (to print errors)
'debug' => env('APP_DEBUG', false),
// Service Provider Data that we are deploying
'sp' => array(
// Specifies constraints on the name identifier to be used to
// represent the requested subject.
// Take a look on lib/Saml2/Constants.php to see the NameIdFormat supported
'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
// Usually x509cert and privateKey of the SP are provided by files placed at
// the certs folder. But we can also provide them with the following parameters
'x509cert' => env('SAML2_'.$this_idp_env_id.'_SP_x509',''),
'privateKey' => env('SAML2_'.$this_idp_env_id.'_SP_PRIVATEKEY',''),
// Identifier (URI) of the SP entity.
// Leave blank to use the 'idpName_metadata' route, e.g. 'test_metadata'.
'entityId' => env('SAML2_'.$this_idp_env_id.'_SP_ENTITYID',''),
// Specifies info about where and how the <AuthnResponse> message MUST be
// returned to the requester, in this case our SP.
'assertionConsumerService' => array(
// URL Location where the <Response> from the IdP will be returned,
// using HTTP-POST binding.
// Leave blank to use the 'idpName_acs' route, e.g. 'test_acs'
'url' => '',
),
// Specifies info about where and how the <Logout Response> message MUST be
// returned to the requester, in this case our SP.
// Remove this part to not include any URL Location in the metadata.
'singleLogoutService' => array(
// URL Location where the <Response> from the IdP will be returned,
// using HTTP-Redirect binding.
// Leave blank to use the 'idpName_sls' route, e.g. 'test_sls'
'url' => '',
),
),
// Identity Provider Data that we want connect 以上是关于使用Laravel的Azure Active Directory SSO的主要内容,如果未能解决你的问题,请参考以下文章
Azure AD B2C 连接的用户使用 Graph AD API 更改密码
使用 azure-cli 访问 Azure Active Directory 的令牌
用于查询Azure Active Directory的Azure服务
[Azure - Security] Azure的多重身份验证:使用AD(Azure Active Directory)开启用户MFA