Wednesday 22 April 2020

Azure SAML 2.0 With PHP Login API | SimpleSAMLPhp | Login With Microsoft...




### Make sure to create an index.php file inside your (renamed) folder. ###

index.php code :-

<?php
// Bootstrap SimpleSAMLphp's autoloader. The path is relative to this file,
// which lives in the root of the renamed SimpleSAMLphp folder.
require_once __DIR__ . '/lib/_autoload.php';

// 'default-sp' is the authentication source defined in config/authsources.php.
// (Newer SimpleSAMLphp releases name this class \SimpleSAML\Auth\Simple.)
$as = new SimpleSAML_Auth_Simple('default-sp');

// Sends the user to Azure AD and back if there is no authenticated session yet.
$as->requireAuth();

// Attributes released by Azure AD for the logged-in user.
$attributes = $as->getAttributes();

// Escape before echoing: the values come from the IdP and are not HTML-safe.
echo '<pre>';
echo htmlspecialchars(print_r($attributes, true), ENT_QUOTES, 'UTF-8');
echo '</pre>';

$url = $as->getLogoutURL();
echo '<a href="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '">Logout</a>';

------------------------------------------------

Azure Tutorial | Login Using Microsoft Azure Active Directory And PHP | Single Sign On ( SSO ):
https://youtu.be/IbJt7tr8kL0

Azure Link:
https://portal.azure.com/

SimpleSAMLphp Download Link:
https://simplesamlphp.org/

SimpleSAMLphp install documentation:
https://simplesamlphp.org/docs/stable/simplesamlphp-install

List Of Timezones:
https://www.php.net/manual/en/timezones.php

Index.php Code Link:


Subscribe to my channel:-
http://www.youtube.com/user/SanketRooney?sub_confirmation=1

Facebook Page:-
https://www.facebook.com/UnpossibleNS

Twitter Account:-
https://twitter.com/UnpossiblePOG

Blog :-
https://unpossiblepog.blogspot.in/
------------------------------------------------

Hey guys.
This tutorial is about Microsoft Azure's SAML connection with PHP.
Previously I made a tutorial about Azure's Simple SSO. You can check that out if you want to.
The objective of the SAML and Simple SSO tutorials is the same: to log in using a Microsoft account. But there is a huge difference between the approaches and the security they provide.
1st: Simple Single Sign On (SSO) is just a procedure you follow to perform a login. SAML is an XML-based standard: the identity provider publishes its settings (entity ID, sign-in URL, signing certificate) as XML metadata, and that metadata is converted into configuration that the developer stores in the application's code or database so that users can log in later. Your application uses the certificate from that metadata to verify the signature on every login response, which is what makes the login trustworthy. You will understand this at the end of the tutorial.
2nd: in Simple SSO, anyone with a Microsoft email account can log in. In SAML, you decide which users are allowed to log in by assigning them to the application.
3rd: in Simple SSO, you must have an original Microsoft email account like xyz@outlook.com, but in SAML you can create accounts in your own Azure AD tenant. For example, if your email address is abc@outlook.com and your friend "DEF" doesn't have any email account, you can create him as def@xyz.onmicrosoft.com.
That address doesn't exist as a mailbox, but it can log in to your web application; xyz.onmicrosoft.com is the default domain of your tenant.

4th: you can use Simple SSO for public websites like e-commerce or social media, adding a LOGIN WITH MICROSOFT ACCOUNT button so visitors can create accounts. SAML is mostly used for private websites like admin panels or management systems where logins need to be restricted.

There are a few requirements for the SAML implementation:
1. At least one Microsoft email account.
2. Linux or Windows with XAMPP installed (just for local testing).
3. A Linux-hosted live website with SSL (HTTPS) enabled, and access to cPanel, WHM or FTP (e.g. FileZilla). HTTPS matters here because the signed SAML response and the resulting session cookie both travel over this site's URLs.
4. Linux (with tar or a zip tool) or Windows (with WinRAR or 7-Zip) to extract the download.

Let's jump to PORTAL.AZURE.COM.
I am using the trial version, which is available for 14 days max.
Go to the top menu and select Azure Active Directory. This Azure Active Directory is the IdP (identity provider): it authenticates the user, checks whether that user is allowed to access the application, and sends your website a signed assertion saying who logged in. The website itself never sees the user's password.
Go to Enterprise applications and then New application.
If you are using the trial version, you will see a pink banner about creating a trial; just click it and choose "skip for now".
Then a page like this will appear.
Click "Create your own application", give it any name, and choose "Integrate any other application you don't find in the gallery".
Create it and wait around 20 seconds; you will be redirected to the configuration page automatically.
Now we shall create users in the tenant for your friends, colleagues or clients.
Go to the top menu, Azure Active Directory, then Users. Create a new user.
Click "Show password".
Save the user ID and password somewhere safe.
Click Create.
I shall create another one to demonstrate how the SAML authentication works.
Let's go back to Enterprise applications by clicking Azure Active Directory in the side menu.
Select the app we created from the list.
Click "Set up single sign-on".
Select SAML.
Now I have one website with SSL enabled.
Copy its URL, go back to the Azure site, and click the edit button of Basic SAML Configuration.
Paste the link into Identifier (Entity ID) and Reply URL.
Actually, I shall just rename the entity ID, because you can give it any name you want; it only has to match the entityID your PHP side announces later.
Then save it.
Don't test it now, because more configuration is yet to be performed.
Now click the edit button of SAML Signing Certificate.
Then New Certificate; make sure to use the same configuration as I have for the signing option and algorithm (pick SHA-256, not SHA-1, as the signing algorithm).
Save it.
Now refresh the page.
The certificate configuration is generated automatically.
Now you can test it using your own main account.
As you can see, even I don't have access right now.
Also notice that the URL contains "saml2": the login is going through Azure's SAML endpoint, and the restriction is enforced there. Users who are not assigned to the application are refused before any assertion is issued to your site.
For that I shall go to "Users and groups", then "Add user", and select a user from the list.
I shall add myself.
Then go to Single sign-on, click Test, and click "Sign in as current user".
As you can see, I was successfully redirected after logging in.
Now I shall give access to the Steve Rogers sub-user.
And let's see whether he gets access or not.
First I shall try Tony Stark, who doesn't have access.
Click "Sign in as someone else".
Even then it gives me direct access to the site, because the browser still holds my Azure session, so click "Use a different account".
They ask me to change the password because we are using the default password.
But still it will not redirect me.
Let's try using Steve Rogers' account.
And you see that it redirects me.
Now copy the logout URL and paste it in the browser's address bar to log out of any account.
Now let's jump to the PHP code.
Go to Google and search "simpleSAMLphp".
Go to the website and click Download.
Make sure not to download the source from GitHub: the git tree does not include the vendor folder with the Composer dependencies that the login needs. The release tarball does.
Download the latest version from the top link; it has the extension .tar.gz, which is a compressed archive like a .rar or .zip file.
Now go to Documentation and click "Using SimpleSAMLphp as a SAML service provider".
That page is reference documentation; it tells you to create a virtual host on your computer, which this tutorial does not need, so you can skip that part.
If you are using Linux, execute these commands in the terminal.
Go to the folder where you downloaded it and open that folder in the terminal.
Type tar xzf followed by the filename (hint: type the first few letters of the downloaded file and press Tab; the shell completes the name).
Then rename the extracted folder to any name you like using the mv command.
If you are using Windows, just extract the archive with WinRAR or 7-Zip and rename the folder to anything you want.
You can ignore the rest of the information.
I am using Sublime Text as a text editor. You can use Notepad++ or NetBeans etc.
If you look inside, there is a vendor folder which holds the libraries.
Open XAMPP and try to access the project using localhost.
As you can see there is an error; also notice that it automatically redirects somewhere else.
Open the file config.php inside the config folder.
Rewrite the baseurlpath.
It is the path from the web root to SimpleSAMLphp's www folder: first the folder name we renamed, in my case unpossible_2, then www.
Save it.
Let's again try to access the website, and you see that there is no error now when it auto-redirects.
Now we are ready to implement it on the live server.
Compress this folder.
Upload it to the live website via cPanel, or upload the whole folder through FTP without compressing it.
But it will take a long time to upload via FTP. The choice is yours.
After uploading, extract the archive.
Now let's go to the Azure site and, in the application configuration, click the edit button of Basic SAML Configuration.
Now paste the extra path into the Reply URL: your website, then your folder, then www. The Reply URL is where Azure posts the signed SAML response; SimpleSAMLphp publishes the exact Assertion Consumer Service URL of its SP in the metadata shown on the Federation tab, so use that if Azure ever rejects the shorter form.
Save it.
Then copy the whole URL.
Go inside that folder and open the config folder.
Then open config.php.
Here paste the URL we copied as the baseurlpath.
Scroll down and set whichever timezone you prefer.
Set auth.adminpassword to a strong password of your own (SimpleSAMLphp refuses to run while the shipped default is still set), and while you are there replace the default secretsalt with a long random value: it is used when SimpleSAMLphp generates the secure cookies and hashes it relies on, and it is also rejected at its default.
Save it.
Then let's access that URL.
And you will see that it redirects.
Click the Configuration tab.
Everything is working.
Now go to cPanel and open config/authsources.php.
Now go to the Azure site and copy the Entity ID.
Paste it as the entityID value of default-sp.
Then copy the Azure AD Identifier and paste it as the idp value. This is the entity ID of your tenant's IdP; SimpleSAMLphp will only accept assertions from the IdP whose metadata entry carries this ID.
Now let's refresh the website.
Go to the Authentication tab, click "Test configured authentication sources", then click admin.
Type the password we set in the config file.
Go to the Federation tab.
Click "XML to SimpleSAMLphp metadata converter".
Here you have to supply an XML file.
So go to the Azure site and download the Federation Metadata XML from the SAML Signing Certificate section.
Browse to the downloaded XML file and click Parse.
Now scroll down.
Here they give you the PHP code and tell you to paste it into the saml20-idp-remote file. It contains Azure's entity ID, its sign-in and logout URLs, and the signing certificate SimpleSAMLphp will use to verify every response, so it must come from your own tenant's download and from nowhere else.
Copy this code.
Go to cPanel.
Go inside the metadata folder and find the file saml20-idp-remote.php.
Open it.
Paste that code into this file, keeping the file valid PHP (the opening <?php tag stays at the top).
Save it.
Now again access the www folder in the browser.
Click the Authentication tab.
Click "Test configured authentication sources".
Then default-sp.
You will be redirected to log in.
Once logged in, you will see your details like email ID, name etc.
And there is a logout button too.
Click it to log out of the current account.
Let's try that again using an account that is not assigned to the application.
Let's try using an assigned account.
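It is worth seeing what the converter actually pulls out of that XML, because those items (the IdP's entity ID, its sign-in and logout URLs, and its signing certificate) are the whole trust decision: SimpleSAMLphp will verify every login response against that certificate. The script below is an added example, not SimpleSAMLphp's converter and not code from the video; it parses the same Federation Metadata XML with PHP's DOM extension and prints the saml20-idp-remote entry in the same array layout. The embedded sample document is constructed to look like Azure's download, with a placeholder tenant ID and certificate. It does not check the XML signature Azure puts on the metadata document; the download's authenticity rests on your having fetched it over HTTPS from the portal yourself.

```php
<?php
declare(strict_types=1);

// Added example, not SimpleSAMLphp's converter: read the Federation Metadata XML
// downloaded from Azure AD and emit the entry for metadata/saml20-idp-remote.php.
// Usage: php metadata-to-php.php federation.xml   (no argument: uses the sample below)

const NS_MD = 'urn:oasis:names:tc:SAML:2.0:metadata';
const NS_DS = 'http://www.w3.org/2000/09/xmldsig#';

/** Parse IdP metadata into the array layout SimpleSAMLphp uses for remote IdPs. */
function idpMetadataToArray(string $xml): array
{
    libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    // LIBXML_NONET: never fetch DTDs or external entities over the network while
    // parsing a file that, until checked against the portal, is untrusted input.
    if (!$doc->loadXML($xml, LIBXML_NONET)) {
        throw new RuntimeException('metadata is not well-formed XML');
    }
    $xp = new DOMXPath($doc);
    $xp->registerNamespace('md', NS_MD);
    $xp->registerNamespace('ds', NS_DS);

    $entity = $xp->query('/md:EntityDescriptor')->item(0);
    if (!$entity instanceof DOMElement || $entity->getAttribute('entityID') === '') {
        throw new RuntimeException('no EntityDescriptor with an entityID');
    }

    // Endpoints (Binding + Location), exactly as the converter lists them.
    $endpoints = static function (string $element) use ($xp): array {
        $list = [];
        foreach ($xp->query('/md:EntityDescriptor/md:IDPSSODescriptor/md:' . $element) as $e) {
            $list[] = ['Binding' => $e->getAttribute('Binding'), 'Location' => $e->getAttribute('Location')];
        }
        return $list;
    };

    // Signing certificates: these are what the SP verifies every response with.
    $keys = [];
    $certPath = "/md:EntityDescriptor/md:IDPSSODescriptor/md:KeyDescriptor[not(@use) or @use='signing']"
              . '/ds:KeyInfo/ds:X509Data/ds:X509Certificate';
    foreach ($xp->query($certPath) as $cert) {
        $keys[] = [
            'encryption'      => false,
            'signing'         => true,
            'type'            => 'X509Certificate',
            'X509Certificate' => preg_replace('/\s+/', '', $cert->textContent),
        ];
    }
    if ($keys === []) {
        throw new RuntimeException('no signing certificate: responses could not be verified');
    }
    $sso = $endpoints('SingleSignOnService');
    if ($sso === []) {
        throw new RuntimeException('no SingleSignOnService endpoint');
    }

    return [
        'entityid'            => $entity->getAttribute('entityID'),
        'SingleSignOnService' => $sso,
        'SingleLogoutService' => $endpoints('SingleLogoutService'),
        'keys'                => $keys,
    ];
}

/** Render the entry as the PHP statement to paste into saml20-idp-remote.php. */
function renderIdpRemoteEntry(array $entry): string
{
    return '$metadata[' . var_export($entry['entityid'], true) . '] = '
         . var_export($entry, true) . ";\n";
}

// Constructed sample shaped like Azure's download; tenant ID and certificate are placeholders.
$sample = <<<'XML'
<?xml version="1.0" encoding="utf-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>MIIC...placeholder...</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
XML;

$xml = (PHP_SAPI === 'cli' && isset($argv[1])) ? file_get_contents($argv[1]) : $sample;
echo renderIdpRemoteEntry(idpMetadataToArray($xml));
```

Run it against your real download and compare the printed entityid with the Azure AD Identifier on the Single sign-on page and the Location values with the Login URL and Logout URL shown there; if the certificate in the output is missing or differs from the one on the SAML Signing Certificate panel, you are looking at the wrong tenant's metadata.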
Now it is very lengthy to fetch the required info through the default user interface they provide.
So I wrote a small script to get the attributes directly.
The link to that code is given in the description, and the code is at the top of this post.
Add that as the index file.
Also in the Azure configuration, change the Reply URL path: just remove /www.
Place index.php inside your folder.
Let's access that index.php file.
And you will see that the code now displays the data as an array.
You can take any of that data and store it in the SESSION to maintain the login. Key the session on the user's object identifier rather than the email address, since emails can be renamed or reassigned in the directory, and regenerate the PHP session ID when the user logs in.
Also there is a logout button at the bottom.
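The session step above in working code, as an added example that is not the video's index.php: it takes the attribute array SimpleSAMLphp returns, picks out the claims an application should key on, and starts an application session the way a security reviewer would expect. The claim names are the ones Azure AD emits by default; they are tenant-configurable, so confirm them against your own attribute dump from index.php. The tenant ID is a placeholder, and the example assumes PHP 7.3 or newer (for the array form of session_set_cookie_params) and that SimpleSAMLphp's own session store has been kept separate from the application's PHP session as its documentation describes.

```php
<?php
declare(strict_types=1);

// Added example (not the video's index.php): turn the attribute array that
// SimpleSAMLphp returns into an application session.
require_once __DIR__ . '/lib/_autoload.php';

// Claim names Azure AD emits by default (assumption: verify against your dump).
const CLAIM_OBJECT_ID = 'http://schemas.microsoft.com/identity/claims/objectidentifier';
const CLAIM_TENANT_ID = 'http://schemas.microsoft.com/identity/claims/tenantid';
const CLAIM_EMAIL     = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress';
const CLAIM_DISPLAY   = 'http://schemas.microsoft.com/identity/claims/displayname';

// Placeholder: your tenant's ID, the GUID inside the Azure AD Identifier
// https://sts.windows.net/<tenant-id>/
const EXPECTED_TENANT_ID = '00000000-0000-0000-0000-000000000000';

/** SAML attributes are multi-valued; return the first value or null. */
function firstClaim(array $attributes, string $name): ?string
{
    return isset($attributes[$name][0]) ? (string) $attributes[$name][0] : null;
}

/**
 * Build the record the application keeps for the logged-in user.
 * The object ID is the stable key: e-mail addresses and UPNs can be renamed
 * or reassigned to another person in the directory, so never key on those.
 */
function userFromAttributes(array $attributes, string $expectedTenant): array
{
    $objectId = firstClaim($attributes, CLAIM_OBJECT_ID);
    $tenantId = firstClaim($attributes, CLAIM_TENANT_ID);
    if ($objectId === null || $tenantId !== $expectedTenant) {
        // The idp setting already pins the issuer; checking the tenant claim too
        // is cheap insurance against a mis-pasted saml20-idp-remote entry.
        throw new RuntimeException('assertion has no object ID or is from another tenant');
    }
    return [
        'id'        => $objectId,
        'email'     => firstClaim($attributes, CLAIM_EMAIL),
        'name'      => firstClaim($attributes, CLAIM_DISPLAY),
        'logged_in' => time(),
    ];
}

$as = new \SimpleSAML\Auth\Simple('default-sp');   // SimpleSAML_Auth_Simple on older releases
$as->requireAuth();                                // redirects to Azure AD if not logged in

$user = userFromAttributes($as->getAttributes(), EXPECTED_TENANT_ID);

// Application session: HTTPS-only cookie, not readable by script, and a fresh
// ID on login so a session ID fixed before authentication cannot be reused.
session_set_cookie_params(['secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
session_start();
session_regenerate_id(true);
$_SESSION['user'] = $user;

// Escape before output: every value here originated at the IdP, not in this app.
printf(
    'Logged in as %s (%s)',
    htmlspecialchars($user['name'] ?? $user['id'], ENT_QUOTES, 'UTF-8'),
    htmlspecialchars($user['email'] ?? '', ENT_QUOTES, 'UTF-8')
);
echo '<br><a href="' . htmlspecialchars($as->getLogoutURL(), ENT_QUOTES, 'UTF-8') . '">Logout</a>';
```

On later requests the application checks $_SESSION['user'] instead of calling requireAuth() again; when the user clicks Logout, clear $_SESSION and call session_destroy() before handing off to SimpleSAMLphp's logout URL, otherwise the application session outlives the IdP session.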

Don't forget to like, share and subscribe.
The required links are given in the description.
Thanks for watching.


2 comments:

  1. Your video was really very helpful. Appreciate your effort. Is there any codebase for CodeIgniter with SimpleSAML?

  2. Thanks man. I configured it for CodeIgniter.
