Introduction

Are you a developer looking to implement Single Sign-On (SSO) for your Laravel application using Azure Active Directory (Azure AD)? If so, you're in the right place! In this blog post, we'll dive into the details of how to set up SSO with Azure AD and Laravel.

Before we begin, let's briefly discuss what Single Sign-On is and why it's essential for modern applications.

What is Single Sign-On (SSO)?

Single Sign-On (SSO) is an authentication process that allows a user to access multiple applications with a single set of credentials. Instead of remembering separate usernames and passwords for each application, users log in once and gain access to all the connected applications seamlessly. SSO improves user experience, simplifies access management, and enhances security.

Why Azure Active Directory (Azure AD)?

Azure AD is a cloud-based identity and access management service provided by Microsoft. It's a robust solution for implementing SSO, user provisioning, and identity management. Azure AD supports various authentication protocols, including OAuth 2.0 and OpenID Connect, making it compatible with a wide range of applications, including Laravel.

Implementing Azure AD SSO with Laravel

Let's break down the steps involved: 

Step 1 - Set up the SSO application in the Azure Portal

a) Go to Azure Active Directory and then Enterprise Applications.

b) Click New application and choose Non-gallery application.

c) Click Set up single sign-on and select SAML.

d) Edit the Basic SAML Configuration and add the following:

Identifier (Entity ID) - https://my-laravel-website.com/saml2/aad/metadata

Reply URL (Assertion Consumer Service URL) - https://my-laravel-website.com/saml2/aad/acs

(Where these URLs come from is explained in Step 2. For now, just save them.)

e) Download the Federation Metadata XML from the SAML Signing Certificate section to your system.

f) Next, assign users to the SAML SSO application you just created.

Note - If no user exists in your account, you need to create one and assign it a role (this is required).

This video walks through Step 1: https://www.youtube.com/watch?v=xn_8Fm7S7y8

Step 2 - Install and configure the Laravel SAML2 package in your project

a) Run composer require aacotroneo/laravel-saml2

b) Run php artisan vendor:publish --provider="Aacotroneo\Saml2\Saml2ServiceProvider"

c) Open config/saml2_settings.php and set the following:

'routesPrefix' => 'saml2', // must match the first path segment of the Identifier URL (https://my-laravel-website.com/saml2/...)
'idpNames' => ['aad'], // must match the path segment after 'saml2' in the Identifier URL (.../saml2/aad/...)
'logoutRoute' => '/login', // Where to redirect after logout
'loginRoute' => '/dashboard', // Where to redirect after login if no other option was provided
'errorRoute' => '/login', // Where to redirect when the SAML login fails

Note - The URLs entered in part d) of Step 1 are built from these two settings: the package registers its routes as https://my-laravel-website.com/{routesPrefix}/{idpName}/metadata (the Identifier) and https://my-laravel-website.com/{routesPrefix}/{idpName}/acs (the Reply URL), which with the values above gives the saml2/aad URLs used in Step 1.

d) Create a new file config/saml2/aad_idp_settings.php and copy the contents of config/saml2/test_idp_settings.php into it. Change $this_idp_env_id in aad_idp_settings.php to 'AAD'. This identifier is used to build the names of the ENV variables the file reads (SAML2_AAD_IDP_ENTITYID and so on), which is why the variables in the next step carry the AAD prefix.

e) Now add the following ENV variables to your .env file:

SAML2_AAD_IDP_ENTITYID=
SAML2_AAD_IDP_SSO_URL=
SAML2_AAD_IDP_SL_URL=
SAML2_AAD_IDP_x509=

The first three values come from the "Set up" section of the application's single sign-on page in the Azure portal: SAML2_AAD_IDP_ENTITYID is the Azure AD Identifier, SAML2_AAD_IDP_SSO_URL is the Login URL and SAML2_AAD_IDP_SL_URL is the Logout URL.

The last variable, SAML2_AAD_IDP_x509, is the IdP signing certificate. It is the base64 text inside the X509Certificate element of the Federation Metadata XML downloaded in Step 1e (the same certificate shown in the portal's SAML Signing Certificate section). The package uses this certificate to verify the signature on every SAML response Azure AD sends, so it must be copied exactly.
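As an added example (not part of the original post), the following PHP script pulls those four values out of the Federation Metadata XML downloaded in Step 1e, so they can be pasted into .env without reading them off the portal by hand. The embedded metadata is a constructed sample with a placeholder tenant ID and certificate; the element names and namespaces are the standard SAML 2.0 metadata ones that Azure AD emits.

```php
<?php
// Added example: derive the SAML2_AAD_IDP_* .env values from IdP federation metadata.
// SAMPLE_METADATA is a CONSTRUCTED stand-in for the file downloaded from Azure AD;
// the tenant ID and certificate are placeholders.
const SAMPLE_METADATA = <<<'XML'
<?xml version="1.0" encoding="utf-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data>
          <X509Certificate>
            MIIC...PLACEHOLDER-BASE64-CERTIFICATE...IDAQAB
          </X509Certificate>
        </X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                         Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                         Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
XML;

/**
 * Parse IdP metadata and return the .env values the package expects,
 * keyed by variable name (SAML2_<idpEnvId>_IDP_*).
 */
function extractIdpSettings(string $xml, string $idpEnvId = 'AAD'): array
{
    $doc = new DOMDocument();
    // LIBXML_NONET keeps the parser offline; LIBXML_NOENT is deliberately NOT set,
    // so external entities in a tampered metadata file are never expanded.
    if (!$doc->loadXML($xml, LIBXML_NONET | LIBXML_NOBLANKS)) {
        throw new RuntimeException('Metadata is not well-formed XML');
    }

    $xp = new DOMXPath($doc);
    $xp->registerNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata');
    $xp->registerNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#');

    $entityId = $xp->evaluate('string(/md:EntityDescriptor/@entityID)');

    // The package drives login/logout over HTTP-Redirect, so pick that binding.
    $redirect = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect';
    $ssoUrl = $xp->evaluate("string(//md:IDPSSODescriptor/md:SingleSignOnService[@Binding='$redirect']/@Location)");
    $sloUrl = $xp->evaluate("string(//md:IDPSSODescriptor/md:SingleLogoutService[@Binding='$redirect']/@Location)");

    // Only the key marked use="signing" is trusted to validate response signatures.
    $cert = $xp->evaluate("string(//md:IDPSSODescriptor/md:KeyDescriptor[@use='signing']//ds:X509Certificate)");
    $cert = preg_replace('/\s+/', '', $cert); // drop the line wrapping around the base64

    foreach (['entityID' => $entityId, 'SingleSignOnService' => $ssoUrl, 'X509Certificate' => $cert] as $what => $value) {
        if ($value === '') {
            throw new RuntimeException("Metadata is missing $what");
        }
    }

    $prefix = 'SAML2_'.$idpEnvId.'_IDP_';
    return [
        $prefix.'ENTITYID' => $entityId,
        $prefix.'SSO_URL'  => $ssoUrl,
        $prefix.'SL_URL'   => $sloUrl,
        $prefix.'x509'     => $cert,
    ];
}

// Usage: php extract_idp_settings.php [path/to/FederationMetadata.xml]
// Without an argument the constructed sample above is parsed.
$xml = isset($argv[1]) ? file_get_contents($argv[1]) : SAMPLE_METADATA;
foreach (extractIdpSettings($xml) as $key => $value) {
    echo $key.'='.$value.PHP_EOL;
}
```

The output is four KEY=value lines ready to append to .env. The script refuses metadata that lacks an entityID, an SSO URL or a signing certificate rather than emitting empty variables, because an empty SAML2_AAD_IDP_x509 would leave the package with nothing to verify response signatures against.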

f) Run php artisan make:provider SAML2ServiceProvider. This creates the file app/Providers/SAML2ServiceProvider.php.

In the boot method, paste the following snippet.

// Requires these imports at the top of app/Providers/SAML2ServiceProvider.php:
//   use Illuminate\Support\Facades\Auth;
//   use Illuminate\Support\Facades\Event;
//   use Aacotroneo\Saml2\Events\Saml2LoginEvent;
//   use Aacotroneo\Saml2\Events\Saml2LogoutEvent;
Event::listen(Saml2LoginEvent::class, function (Saml2LoginEvent $event) {
    $messageId = $event->getSaml2Auth()->getLastMessageId();
    // Add your own code preventing reuse of a $messageId to stop replay attacks
    $user = $event->getSaml2User();
    // The authenticated user's email and display name arrive as SAML attributes under
    // these claim URIs; getAttribute() returns an array of values, so take the first one.
    $email = $user->getAttribute("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress")[0] ?? null;
    $name = $user->getAttribute("http://schemas.microsoft.com/identity/claims/displayname")[0] ?? null;
    // Do your business logic here (e.g. find or create the local user and call Auth::login())
});
Event::listen(Saml2LogoutEvent::class, function (Saml2LogoutEvent $event) {
    Auth::logout();
});


Finally, register this provider in the providers array of config/app.php.
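The snippet above leaves two things to the reader: the replay check the comment asks for, and the mapping from SAML attributes to a local Laravel user. As an added example (not code from the original post or from the laravel-saml2 package), here is a complete provider that fills both in. It assumes the default App\Models\User model with name, email and password columns and a working default cache store; the cache-key prefix and TTL are choices made here, not package settings.

```php
<?php
// Added example: full app/Providers/SAML2ServiceProvider.php with replay
// protection and local user provisioning. Assumes the default Laravel
// App\Models\User (name, email, password) and a configured cache store.

namespace App\Providers;

use Aacotroneo\Saml2\Events\Saml2LoginEvent;
use Aacotroneo\Saml2\Events\Saml2LogoutEvent;
use App\Models\User;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Cache;
use Illuminate\Support\Facades\Event;
use Illuminate\Support\Facades\Log;
use Illuminate\Support\ServiceProvider;
use Illuminate\Support\Str;

class SAML2ServiceProvider extends ServiceProvider
{
    // Claim URIs Azure AD uses for the two attributes mapped here (same as in the post).
    private const CLAIM_EMAIL = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress';
    private const CLAIM_NAME  = 'http://schemas.microsoft.com/identity/claims/displayname';

    // How long a consumed response ID is remembered. It must outlive the assertion's
    // validity window (a few minutes for Azure AD), so one hour is a comfortable margin.
    private const MESSAGE_ID_TTL_SECONDS = 3600; // hypothetical value chosen for this example

    public function boot(): void
    {
        Event::listen(Saml2LoginEvent::class, function (Saml2LoginEvent $event) {
            $messageId = $event->getSaml2Auth()->getLastMessageId();

            // Replay protection: Cache::add() stores the key only if it is absent and
            // returns false otherwise, so a second response carrying the same ID within
            // the TTL is rejected before anyone is signed in.
            if (empty($messageId) || !Cache::add('saml2:msgid:'.$messageId, true, self::MESSAGE_ID_TTL_SECONDS)) {
                Log::warning('SAML response rejected: missing or replayed message ID', ['id' => $messageId]);
                abort(403, 'SAML response rejected');
            }

            $samlUser = $event->getSaml2User();
            // getAttribute() returns an array of values (or null); take the first.
            $email = $samlUser->getAttribute(self::CLAIM_EMAIL)[0] ?? null;
            $name  = $samlUser->getAttribute(self::CLAIM_NAME)[0] ?? null;

            // Never create or match an account on a missing or malformed email claim.
            if (!is_string($email) || !filter_var($email, FILTER_VALIDATE_EMAIL)) {
                Log::warning('SAML response rejected: no usable email claim');
                abort(403, 'SAML response rejected');
            }

            // Look the user up by email, creating a local account on first login.
            // The password is random and never shared: these accounts sign in via SSO only.
            $user = User::firstOrCreate(
                ['email' => $email],
                ['name' => $name ?: $email, 'password' => bcrypt(Str::random(40))]
            );

            Auth::login($user);
        });

        Event::listen(Saml2LogoutEvent::class, function (Saml2LogoutEvent $event) {
            Auth::logout();
            // Invalidate the session as well, so the old session cookie is useless after logout.
            request()->session()->invalidate();
            request()->session()->regenerateToken();
        });
    }
}
```

The replay check relies on the cache store being shared by every web node that can receive the ACS POST; with the file or array cache driver behind a load balancer, each node would keep its own list of seen IDs and the check would be ineffective, so use a shared store such as Redis or the database driver in that deployment.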

Test the SAML AAD SSO

Go to https://[your-site-url]/saml2/aad/login. You should be redirected to the Azure AD sign-in page and, after authenticating as one of the users assigned in Step 1f, sent back to the loginRoute configured in Step 2c.

Conclusion

Implementing Single Sign-On with Azure Active Directory and Laravel can greatly enhance your application's user experience and security. By following the steps outlined in this blog post, you can simplify the process and provide your users with a seamless authentication experience.

Remember to stay up-to-date with Laravel and Azure AD documentation for any updates or changes in the configuration process. Happy coding, and may your SSO implementation be a success!