SAML support to make a laravel application to both a SAML IDP and a SAML SP.







Laravel + SAML2 Goodness

This repo was originally a fork of kingstarter/laravel-saml. It has since grown from that, and is now gives any laravel application the following abilities: 1 - Become a IDP 2 - Generate certs for signing messages, signing assertions and encrypting attributes. These certs use data inputed from the config file 3 - Configure attributes to be sent (From Config File) 4 - Configure for each SP if the message and/or assertion should be signed 5 - Provides the ability on the logout page to logout from any of the service provides via iframe

This package makes it so easy to maintain and a IDP. Docs need a little work, if you are willing to help let me know.


Basic package installation

Using composer:

composer require "pkeogan/laravel-saml2":"dev-master"

Laravel 5.4

Add the service provider to config/app.php


Laravel 5.5+

This package supports Laravel's Package Auto Discovery and should be automatically loaded when required using composer. If the package is not auto discovered run

    php artisan package:discover


There is one configuration file to publish and the config/filesystem.php file that needs to be extended. The command

php artisan vendor:publish --tag="saml_config"

will publish the config/saml.php file.

FileSystem configuration

Within config/filesystem.php following entry needs to be added:

    'disks' => [

        'saml' => [
            'driver' => 'local',
            'root' => storage_path().'/saml',


Fill out the config file


Generating metadata and certificates

Once the config is filled out correcly, run the command below to generate the metadata and the cert. Please note, if no certs are located the system will generate them. If you would like to overide the certs, please use the --cert flag

php artisan laravel-saml:generate-meta

SAML SP entries

Within the saml.php config file the SAML Service Provider array needs to be filled.

    'sp' => [

        'https://sso.online.tableau.com/public/sp/SSO?alias=xxxx-xxxx-xxxx-xxxx-xxxxxxxx' => [
            'entity-id' => 'https://sso.online.tableau.com/public/sp/metadata?alias=xxxx-xxxx-xxxx-xxxx-xxxxxxxx',
            'certificate' => 'MIICozC........dUvTnGP18g=='

        //A nifty testing service provider
        'https://sptest.iamshowcase.com/acs' => [



Using the SAML package

To use the SAML package, some files need to be modified. Within your login view, probably resources/views/auth/login.blade.php add a SAMLRequest field beneath the CSRF field (this is actually a good place for it):

    {{-- The hidden CSRF field for secure authentication --}}
    {{ csrf_field() }}
    {{-- Add a hidden SAML Request field for SAML authentication --}}
        <input type="hidden" id="SAMLRequest" name="SAMLRequest" value="{{ $_GET['SAMLRequest'] }}">
        <input type="hidden" id="SAMLRequest" name="SAMLRequest" value="{{ $saml }}">
    @if( config('saml.logout_apps_via_iframe') && session('samlLogout') ) 

The SAMLRequest field will be filled automatically when a SAMLRequest is sent by a http request and therefore initiate a SAML authentication attempt. To initiate the SAML auth, the login and redirect functions need to be modified. Within app/Http/Controllers/Auth/LoginController.php change use AuthenticatesUsers to use SamlAuthenticatesUsers

use App\Http\Controllers\Controller;
use KingStarter\LaravelSaml\Http\Traits\SamlAuthenticatesUsers;

class LoginController extends Controller

     * The user has been authenticated.
     * @param  \Illuminate\Http\Request  $request
     * @param  mixed  $user
     * @return mixed
    protected function authenticated(Request $request, $user)
        if(Auth::check() && isset($request['SAMLRequest'])) {

        return redirect()->intended($this->redirectPath());


To allow later direct redirection when somebody is already logged in, we need to add also some lines to app/Http/Middleware/RedirectIfAuthenticated.php:


namespace App\Http\Middleware;

use Closure;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Session;
use Pkeogan\LaravelSaml\Http\Traits\SamlAuth;
use Illuminate\Http\Request;
use Illuminate\Http\Response;

class RedirectIfAuthenticated
        use SamlAuth;

     * Handle an incoming request.
     * @param  \Illuminate\Http\Request  $request
     * @param  \Closure  $next
     * @param  string|null  $guard
     * @return mixed
    public function handle(Request $request, Closure $next, $guard = null)
		if(Auth::check() && isset($request['SAMLRequest'])){
            $saml = $this->handleSamlLoginRequest($request);
			return new Response(view('saml::post')->withSaml($saml));
        if(Auth::guard($guard)->check() && !isset($request['SAMLRequest']) ) {
            return redirect('/');
        return $next($request);


If you're using HTTP post bindings then you'll need to allow saml to get the login request via post.

in web.php add the new route

Route::post('/postLogin', 'Auth\[email protected]');

You'll also need to add a csrf exemption to App\Http\Middleware\VerifyCsrfToken

class VerifyCsrfToken extends Middleware { /** * The URIs that should be excluded from CSRF verification. * * @var array */ protected $except = [ 'login/saml', 'logout/saml' ]; }

Debugging Connection

You can enable logging with the config/saml.php setting debug_saml_request

    // Allow debugging within SamlAuth trait to get SP data  
    // during SAML authentication request
    'debug_saml_request' => true,

Make sure that the environmental logging variable APP_LOG_LEVEL is set to debug within your .env file. It will log to storage/logs/laravel.log