I use this package = https://github.com/aacotroneo/laravel-saml2 I configured everything in the SP and iDP sections in saml2_settings.php as instructed.
STEPS
I go to : /admin/login
I got redirected and landed on my iDP log-in page immediately, it is a correct behavior.
I log-in with the proper username and password.
After successfully authenticated by my iDP, I got the SAML Response from my iDP like this sample
{
"SAMLResponse": "PHNhbWxwOlJlc3BvbnNlIHhtbG5zOnNhbWxwPSJ1cm46b2FzaXM6bmFtZXM6dGM6
U0FNTDoyLjA6cHJvdG9jb2wiIERlc3RpbmF0aW9uPSJodHRwczovL3Rlc3RzZXJ2
ZXIuYmVudW5ldHMuY29tL2FkbWluL3NlY3VyZS9kYXNoYm9hcmQiIElEPSJpZC1C
NlBFSnhLNFhGWUg3T1hzbGZLU2trbGt0YmMtIiBJblJlc3BvbnNlVG89Ik9ORUxP
R0lOXzIxNjFiNTA1OTFmNjc1ZmUzZGM0MmZlYzRlZDJkOGU1MWRlZmQ2ZmQiIElz
c3VlSW5zdGFudD0iMjAxNy0wMy0yOFQxOTozMzo1M1oiIFZlcnNpb249IjIuMCI+
PHNhbWw6SXNzdWVyIHhtbG5zOnNhbWw9InVybjpvYXNpczpuYW1lczp0YzpTQU1M
OjIuMDphc3NlcnRpb24iIEZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6
Mi4wOm5hbWVpZC1mb3JtYXQ6ZW50aXR5Ij5UZWxlbmV0PC9zYW1sOklzc3Vlcj48
c2FtbHA6U3RhdHVzPjxzYW1scDpTdGF0dXNDb2RlIFZhbHVlPSJ1cm46b2FzaXM6
bmFtZXM6dGM6U0FNTDoyLjA6c3RhdHVzOlN1Y2Nlc3MiLz48L3NhbWxwOlN0YXR1
cz48c2FtbDpBc3NlcnRpb24geG1sbnM6c2FtbD0idXJuOm9hc2lzOm5hbWVzOnRj
OlNBTUw6Mi4wOmFzc2VydGlvbiIgSUQ9ImlkLThvWVBULWlwVFZhR2UwSHpwRGdS
SEoyWEp4Zy0iIElzc3VlSW5zdGFudD0iMjAxNy0wMy0yOFQxOTozMzo1M1oiIFZl
cnNpb249IjIuMCI+PHNhbWw6SXNzdWVyIEZvcm1hdD0idXJuOm9hc2lzOm5hbWVz
OnRjOlNBTUw6Mi4wOm5hbWVpZC1mb3JtYXQ6ZW50aXR5Ij5UZWxlbmV0PC9zYW1s
Oklzc3Vlcj48ZHNpZzpTaWduYXR1cmUgeG1sbnM6ZHNpZz0iaHR0cDovL3d3dy53
My5vcmcvMjAwMC8wOS94bWxkc2lnIyI+PGRzaWc6U2lnbmVkSW5mbz48ZHNpZzpD
YW5vbmljYWxpemF0aW9uTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5v
cmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIi8+PGRzaWc6U2lnbmF0dXJlTWV0aG9k
IEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI3Jz
YS1zaGExIi8+PGRzaWc6UmVmZXJlbmNlIFVSST0iI2lkLThvWVBULWlwVFZhR2Uw
SHpwRGdSSEoyWEp4Zy0iPjxkc2lnOlRyYW5zZm9ybXM+PGRzaWc6VHJhbnNmb3Jt
IEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI2Vu
dmVsb3BlZC1zaWduYXR1cmUiLz48ZHNpZzpUcmFuc2Zvcm0gQWxnb3JpdGhtPSJo
dHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiLz48L2RzaWc6
VHJhbnNmb3Jtcz48ZHNpZzpEaWdlc3RNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8v
d3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjc2hhMSIvPjxkc2lnOkRpZ2VzdFZh
bHVlPitTQkNSRjNTenZvMzgxVlJ0dWcvRUJvallCUT08L2RzaWc6RGlnZXN0VmFs
dWU+PC9kc2lnOlJlZmVyZW5jZT48L2RzaWc6U2lnbmVkSW5mbz48ZHNpZzpTaWdu
YXR1cmVWYWx1ZT5SaWt5czdsQWNOc250ZlVkZVg0dC9jWjBRelRyRTNGc3RTempx
ZDEyaU5sUGpJVkxJVitHTXM1UXQ3U2ZUbXJaMk9oVnF1RUxZUkhuOTY5SHArZFhU
dlYwaEQ5ZHQ5a3NSVE9wbTdnSkN5bzF2MlVhckpMSzdGRCtPZ1N3Y3kwNW9VSWhp
NFV1ajRweGFoMzlrZzZlZUpTZHhtMHNiejBKNUM1bmZRSnhyYWMvOVBDVVJjQkpC
SVJCOExTeGlJemdFTS9VQWkwaEIwdmdTZ0pqRzlSb05Wd2V1S0J6MWlGM0I0NzU2
dXVjVmtOL1dvcG4rdWVwMVlDaEFlRGs3ZlcyUzR2anlocGJWa05STC81MDRUMVFR
RTFhZ3JQdzdPREFvalhpaUZpaGtTbEZJUGxtMVlNY0k4UXdmOExCUXNHUTI4TTZC
cFBya3ROQ0QwdjhxOVRjSnc9PTwvZHNpZzpTaWduYXR1cmVWYWx1ZT48ZHNpZzpL
ZXlJbmZvPjxkc2lnOlg1MDlEYXRhPjxkc2lnOlg1MDlDZXJ0aWZpY2F0ZT5NSUlG
RURDQ0EvaWdBd0lCQWdJU0VTR1BVRnY2bnJkejlNUWhQZFVIb2dHTk1BMEdDU3FH
U0liM0RRRUJDd1VBTUdBeEN6QUpCZ05WQkFZVEFrSkZNUmt3RndZRFZRUUtFeEJI
Ykc5aVlXeFRhV2R1SUc1MkxYTmhNVFl3TkFZRFZRUURFeTFIYkc5aVlXeFRhV2R1
SUVSdmJXRnBiaUJXWVd4cFpHRjBhVzl1SUVOQklDMGdVMGhCTWpVMklDMGdSekl3
SGhjTk1UVXdOREE1TVRVek9ETXlXaGNOTVRnd05qSTFNRFkwTWpRNFdqQlBNU0V3
SHdZRFZRUUxFeGhFYjIxaGFXNGdRMjl1ZEhKdmJDQldZV3hwWkdGMFpXUXhLakFv
QmdOVkJBTVRJWGRzYzA5ellrMXVaMlJXYVhBdWRXRjBMbU52Y25BdWRHVnNaVzVs
ZEM1aVpUQ0NBU0l3RFFZSktvWklodmNOQVFFQkJRQURnZ0VQQURDQ0FRb0NnZ0VC
QU1ESXRxSVRZUmRoY1dvOGZteW8wWlVRd0xmQ3doN2c4QndSQStFT2xuTUFLcXRX
MG4vZ3JCRTRadThrQVZUNVpJUTlBZVU3STJNR0FOeks2MTBqU2ZRbWtHRElTUjF3
WXBDbms2b1hxNWhQcFlHblJmRmtURW84d1VwZ1BXc3ZyTVR0RW9MeEVHdU1lZTYr
d05RVXpsN1BHTEpGdkwvcE9QZ095Y2k3Sjh2U2d4ZVB3RFlURUJEa3RYOWtnRlBZ
cXlVcVBTck94aDcyWmsrUFZjaHlVWDNzTFIrZ2VkcTFWQ2lISWdwQUVLMjNxL05W
ZlEwakRTaUhaMmZOc1lZdng3c1RlL0crR0w2djRnamxDNit5ODZ4U3lOZGFteHkv
MmRPbGEyM2lWRDNoQ1d6amM1ZnpKTkc3OVRpUGVteWR1akhUcFg4MXhhUWs5aDFM
UHRibzBzTUNBd0VBQWFPQ0FkTXdnZ0hQTUE0R0ExVWREd0VCL3dRRUF3SUZvREJK
QmdOVkhTQUVRakJBTUQ0R0JtZUJEQUVDQVRBME1ESUdDQ3NHQVFVRkJ3SUJGaVpv
ZEhSd2N6b3ZMM2QzZHk1bmJHOWlZV3h6YVdkdUxtTnZiUzl5WlhCdmMybDBiM0o1
THpBc0JnTlZIUkVFSlRBamdpRjNiSE5QYzJKTmJtZGtWbWx3TG5WaGRDNWpiM0p3
TG5SbGJHVnVaWFF1WW1Vd0NRWURWUjBUQkFJd0FEQWRCZ05WSFNVRUZqQVVCZ2dy
QmdFRkJRY0RBUVlJS3dZQkJRVUhBd0l3UXdZRFZSMGZCRHd3T2pBNG9EYWdOSVl5
YUhSMGNEb3ZMMk55YkM1bmJHOWlZV3h6YVdkdUxtTnZiUzluY3k5bmMyUnZiV0Zw
Ym5aaGJITm9ZVEpuTWk1amNtd3dnWlFHQ0NzR0FRVUZCd0VCQklHSE1JR0VNRWNH
Q0NzR0FRVUZCekFDaGp0b2RIUndPaTh2YzJWamRYSmxMbWRzYjJKaGJITnBaMjR1
WTI5dEwyTmhZMlZ5ZEM5bmMyUnZiV0ZwYm5aaGJITm9ZVEpuTW5JeExtTnlkREE1
QmdnckJnRUZCUWN3QVlZdGFIUjBjRG92TDI5amMzQXlMbWRzYjJKaGJITnBaMjR1
WTI5dEwyZHpaRzl0WVdsdWRtRnNjMmhoTW1jeU1CMEdBMVVkRGdRV0JCVG40ckhR
MFF3MzhaTDdWTm1JSjVzWGpFeC85VEFmQmdOVkhTTUVHREFXZ0JUcVRuelVnQzNs
RllHR0pveUNiY0NZcE0rWER6QU5CZ2txaGtpRzl3MEJBUXNGQUFPQ0FRRUFIUHRY
L2EvRXA4MWhWWnF0MWlKN1ArZ0dZaWhRL1pJRjNUMmdkMDlia0lIVjBUemNPQjhW
QTM0ODdTSno4QkNCektkS2Jncng5K25uY2hYMlZrYURaNisySTM0a0ROczF3UDlW
OUVxMlZKQTdudDk0S3ZqWWU2bjlidm5ZL1JPclNOSmxURVRNYkRSRWp1WEErMEp4
czN4SFFQS1RvRUxkZHJROUxjWUw3ZEhEOUNuVHEreEkremlXWVVySWFPN1VHc1p3
Z2tSa1BFZ201cnFyTjBndiswVVFXMEJra21BM1RuR2VDV2dRMVFRUHdKSzU3OVpw
Z2R3VVNBTlZ0LzFpc2RrUzhmbGcrclBOUXljNnBZMUdMbFd5WEI5Y3FrRVpsamt4
M2NUVmVKY01JSmtwRE4yRERpUHg4L1lPZUFwV05aNG9CVTRkc3FwSFVZLzFiUEZq
L2c9PTwvZHNpZzpYNTA5Q2VydGlmaWNhdGU+PC9kc2lnOlg1MDlEYXRhPjwvZHNp
ZzpLZXlJbmZvPjwvZHNpZzpTaWduYXR1cmU+PHNhbWw6U3ViamVjdD48c2FtbDpO
YW1lSUQgRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6bmFtZWlk
LWZvcm1hdDp0cmFuc2llbnQiIE5hbWVRdWFsaWZpZXI9IlRlbGVuZXQiIFNQTmFt
ZVF1YWxpZmllcj0idGVzdHNlcnZlci5iZW51bmV0cy5jb20iPmlkLUFRT3pzZ0pE
UU1BbG8zdmxvS2NINVRSd1BmMC08L3NhbWw6TmFtZUlEPjxzYW1sOlN1YmplY3RD
b25maXJtYXRpb24gTWV0aG9kPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6
Y206YmVhcmVyIj48c2FtbDpTdWJqZWN0Q29uZmlybWF0aW9uRGF0YSBJblJlc3Bv
bnNlVG89Ik9ORUxPR0lOXzIxNjFiNTA1OTFmNjc1ZmUzZGM0MmZlYzRlZDJkOGU1
MWRlZmQ2ZmQiIE5vdE9uT3JBZnRlcj0iMjAxNy0wMy0yOFQxOTo0ODo1M1oiIFJl
Y2lwaWVudD0iaHR0cHM6Ly90ZXN0c2VydmVyLmJlbnVuZXRzLmNvbS9hZG1pbi9z
ZWN1cmUvZGFzaGJvYXJkIi8+PC9zYW1sOlN1YmplY3RDb25maXJtYXRpb24+PC9z
YW1sOlN1YmplY3Q+PHNhbWw6Q29uZGl0aW9ucyBOb3RCZWZvcmU9IjIwMTctMDMt
MjhUMTk6MzM6NTNaIiBOb3RPbk9yQWZ0ZXI9IjIwMTctMDMtMjhUMTk6Mzg6NTNa
Ij48c2FtbDpBdWRpZW5jZVJlc3RyaWN0aW9uPjxzYW1sOkF1ZGllbmNlPnRlc3Rz
ZXJ2ZXIuYmVudW5ldHMuY29tPC9zYW1sOkF1ZGllbmNlPjwvc2FtbDpBdWRpZW5j
ZVJlc3RyaWN0aW9uPjwvc2FtbDpDb25kaXRpb25zPjxzYW1sOkF1dGhuU3RhdGVt
ZW50IEF1dGhuSW5zdGFudD0iMjAxNy0wMy0yOFQxOTozMzo1M1oiIFNlc3Npb25J
bmRleD0iaWQtWEVRcWVNZFRiRHRaLXNhaFN4ZnNYdVA2MWlJLSIgU2Vzc2lvbk5v
dE9uT3JBZnRlcj0iMjAxNy0wMy0yOFQyMDozMzo1M1oiPjxzYW1sOkF1dGhuQ29u
dGV4dD48c2FtbDpBdXRobkNvbnRleHRDbGFzc1JlZj51cm46b2FzaXM6bmFtZXM6
dGM6U0FNTDoyLjA6YWM6Y2xhc3NlczpQYXNzd29yZFByb3RlY3RlZFRyYW5zcG9y
dDwvc2FtbDpBdXRobkNvbnRleHRDbGFzc1JlZj48L3NhbWw6QXV0aG5Db250ZXh0
Pjwvc2FtbDpBdXRoblN0YXRlbWVudD48L3NhbWw6QXNzZXJ0aW9uPjwvc2FtbHA6
UmVzcG9uc2U+
",
"RelayState": "https://testserver.benunets.com/admin/login"
}
kernel.php
I can only see this response only because I comment out my CFRF token on my app/Http/kernel.php
// \App\Http\Middleware\VerifyCsrfToken::class,
ROUTE
Route::post('admin/secure/dashboard', 'SAMLController@post');
CONTROLLER
public function post(){
return Input::all();
}
What is the best practice to deal with SAML POST and still maintaining CSRF protection ?
Should I create a middleware or anything similar to that ?
