3 namespace BookStack\Http\Controllers\Auth;
5 use BookStack\Auth\Access\Saml2Service;
6 use BookStack\Http\Controllers\Controller;
7 use Illuminate\Http\Request;
8 use Illuminate\Support\Facades\Cache;
11 class Saml2Controller extends Controller
13 protected $samlService;
16 * Saml2Controller constructor.
18 public function __construct(Saml2Service $samlService)
20 $this->samlService = $samlService;
21 $this->middleware('guard:saml2');
25 * Start the login flow via SAML2.
27 public function login()
29 $loginDetails = $this->samlService->login();
30 session()->flash('saml2_request_id', $loginDetails['id']);
32 return redirect($loginDetails['url']);
36 * Start the logout flow via SAML2.
38 public function logout()
40 $logoutDetails = $this->samlService->logout();
42 if ($logoutDetails['id']) {
43 session()->flash('saml2_logout_request_id', $logoutDetails['id']);
46 return redirect($logoutDetails['url']);
50 * Get the metadata for this SAML2 service provider.
52 public function metadata()
54 $metaData = $this->samlService->metadata();
56 return response()->make($metaData, 200, [
57 'Content-Type' => 'text/xml',
62 * Single logout service.
63 * Handle logout requests and responses.
67 $requestId = session()->pull('saml2_logout_request_id', null);
68 $redirect = $this->samlService->processSlsResponse($requestId) ?? '/';
70 return redirect($redirect);
74 * Assertion Consumer Service start URL. Takes the SAMLResponse from the IDP.
75 * Due to being an external POST request, we likely won't have context of the
76 * current user session due to lax cookies. To work around this we store the
77 * SAMLResponse data and redirect to the processAcs endpoint for the actual
78 * processing of the request with proper context of the user session.
80 public function startAcs(Request $request)
82 // Note: This is a bit of a hack to prevent a session being stored
83 // on the response of this request. Within Laravel7+ this could instead
84 // be done via removing the StartSession middleware from the route.
85 config()->set('session.driver', 'array');
87 $samlResponse = $request->get('SAMLResponse', null);
89 if (empty($samlResponse)) {
90 $this->showErrorNotification(trans('errors.saml_fail_authed', ['system' => config('saml2.name')]));
92 return redirect('/login');
95 $acsId = Str::random(16);
96 $cacheKey = 'saml2_acs:' . $acsId;
97 cache()->set($cacheKey, encrypt($samlResponse), 10);
99 return redirect()->guest('/saml2/acs?id=' . $acsId);
103 * Assertion Consumer Service process endpoint.
104 * Processes the SAML response from the IDP with context of the current session.
105 * Takes the SAML request from the cache, added by the startAcs method above.
107 public function processAcs(Request $request)
109 $acsId = $request->get('id', null);
110 $cacheKey = 'saml2_acs:' . $acsId;
111 $samlResponse = null;
114 $samlResponse = decrypt(cache()->pull($cacheKey));
115 } catch (\Exception $exception) {
117 $requestId = session()->pull('saml2_request_id', 'unset');
119 if (empty($acsId) || empty($samlResponse)) {
120 $this->showErrorNotification(trans('errors.saml_fail_authed', ['system' => config('saml2.name')]));
122 return redirect('/login');
125 $user = $this->samlService->processAcsResponse($requestId, $samlResponse);
126 if (is_null($user)) {
127 $this->showErrorNotification(trans('errors.saml_fail_authed', ['system' => config('saml2.name')]));
129 return redirect('/login');
132 return redirect()->intended();
projects / bookstack / blob