theodorejb / saml-utils
Utilities to streamline Light Saml usage
Requires
- php: >=8.4
- guzzlehttp/psr7: ^2.12
- litesaml/lightsaml: ^5.0.1
Requires (Dev)
- friendsofphp/php-cs-fixer: ^3.95
- phpstan/phpstan: ^2.2.3
- phpunit/phpunit: ^13.2
README
This package provides a few helpful utilities on top of Lite Saml to streamline common tasks.
Install via Composer
composer require theodorejb/saml-utils
Working with metadata
The SamlMetadata class simplifies getting data from Identity Provider metadata.
Call SamlMetadata::fromXml($xml) to create an instance from an Entity Descriptor XML string.
The underlying EntityDescriptor object can be accessed via a readonly $entityDescriptor property.
SamlMetadata implements the following methods:
getIdpCertificate()
Returns an X509Certificate instance for the Identity Provider certificate.
getIdpSsoService()
Returns the Redirect or POST SingleSignOnService defined by the Identity Provider
for receiving a SAML request to initiate single sign-on.
getIdpLogoutService()
Returns the Redirect or POST SingleLogoutService defined by the Identity Provider.
Utility methods
The SamlUtils class implements the following static utility methods:
getRequestFromGlobals(): MessageContext
Returns an object for the SAML request or response from the global GET/POST data.
getMessageHttpResponse(SamlMessage $message, string $bindingType): ResponseInterface
Returns a PSR-7 Psr\Http\Message\ResponseInterface instance for sending the SAML message.
sendResponse(ResponseInterface $response): void
Emits a PSR-7 Psr\Http\Message\ResponseInterface to the client by sending its status line, headers, and body.
createSpMetadata(string $entityId, string $acsPostUrl, string $slsRedirectUrl, X509Certificate $certificate): string
Returns signed Service Provider metadata XML with an HTTP-POST assertion consumer service and HTTP-Redirect single logout service.
validateSignature(SamlMessage $message, X509Certificate $certificate): void
Throws an Exception if the message signature is missing or fails verification with the certificate.
getSubjectNameId(SamlResponse $response): string
Returns the user identity being asserted by the identity provider.
getFirstAttributeStatement(SamlResponse $response): AttributeStatement|null
Returns the first assertion attribute statement if one exists.
getAttributeStatementValue(AttributeStatement $statement, string $name): string
Returns the assertion attribute value for the specified attribute name. Throws an exception if the attribute doesn't exist.
getResponseAttributeValue(SamlResponse $response, string $name): string
Same as getAttributeStatementValue(), but can be used directly from
a SamlResponse rather than an AttributeStatement.