fleet/tools/saml/config.php

<?php

$metadata['https://localhost:8080'] = array(
    'AssertionConsumerService' => [
        'https://localhost:8080/api/v1/fleet/sso/callback',
    ],
    'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddres',
    'simplesaml.nameidattribute' => 'email',
);

# Used in integration tests and to validate SSO flows that use a
# separate application for MDM SSO (with a single
# AssertionConsumerService)
$metadata['mdm.test.com'] = array(
    'AssertionConsumerService' => [
        'https://localhost:8080/api/v1/fleet/mdm/sso/callback',
    ],
    'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddres',
    'simplesaml.nameidattribute' => 'email',
);

# Used for testing when sso_settings.entity_id ("sso.test.com") is different than
# server_settings.server_url (usually "https://localhost:8080").
$metadata['sso.test.com'] = array(
    'AssertionConsumerService' => [
        'https://localhost:8080/api/v1/fleet/sso/callback',
    ],
    'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddres',
    'simplesaml.nameidattribute' => 'email',
);

# Used for testing when entity_id is not set, so that it matches the hostname (localhost).
$metadata['localhost'] = array(
    'AssertionConsumerService' => [
        'https://localhost:8080/api/v1/fleet/sso/callback',
    ],
    'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddres',
    'simplesaml.nameidattribute' => 'email',
);
gate DEP enrollment behind SSO when configured (#11309) #10739 Co-authored-by: Gabriel Hernandez <ghernandez345@gmail.com> Co-authored-by: gillespi314 <73313222+gillespi314@users.noreply.github.com> 2023-04-27 12:43:20 +00:00			`<?php`

			`$metadata['https://localhost:8080'] = array(`
			`'AssertionConsumerService' => [`
			`'https://localhost:8080/api/v1/fleet/sso/callback',`
			`],`
			`'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddres',`
			`'simplesaml.nameidattribute' => 'email',`
			`);`

Replace home-made SAML implementation with https://github.com/crewjam/saml (#28486) For https://github.com/fleetdm/confidential/issues/9931. [Here](https://github.com/fleetdm/fleet/blob/ec3e8edbdc3f1b4220ada22c8290dbf0237ce1ba/docs/Contributing/Testing-and-local-development.md?plain=1#L339)'s how to test SAML locally with SimpleSAML. - [X] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files) for more information. - [x] Added/updated automated tests - [x] A detailed QA plan exists on the associated ticket (if it isn't there, work with the product group's QA engineer to add it) - [x] Manual QA for all new/changed functionality <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * New Features * Improved SSO and SAML integration with enhanced session management using secure cookies. * Added support for IdP-initiated login flows. * Introduced new tests covering SSO login flows, metadata handling, and error scenarios. * Bug Fixes * Enhanced validation and error handling for invalid or tampered SAML responses. * Fixed session cookie handling during SSO and Apple MDM SSO flows. * Refactor * Replaced custom SAML implementation with the crewjam/saml library for improved reliability. * Simplified SAML metadata parsing and session store management. * Streamlined SSO authorization request and response processing. * Removed deprecated fields and redundant code related to SSO. * Documentation * Updated testing and local development docs with clearer instructions for SSO and IdP-initiated login. * Chores * Upgraded dependencies including crewjam/saml and related packages. * Cleaned up tests and configuration by removing deprecated fields and unused imports. <!-- end of auto-generated comment: release notes by coderabbit.ai --> 2025-07-07 18:13:46 +00:00			`# Used in integration tests and to validate SSO flows that use a`
use the configured EntityID for audience validation on MDM SSO (#16144) for #16139 this fixes a copy/paste error that caused the MDM SSO flow to validate audiences using the global config EntityID since we also consider an audience valid if you set EntityID to be: - the same in both (case for local dev) - your Fleet URL or the full path to the SSO API endpoint (QA) we didn't notice this until now. 2024-01-22 17:30:45 +00:00			`# separate application for MDM SSO (with a single`
			`# AssertionConsumerService)`
			`$metadata['mdm.test.com'] = array(`
			`'AssertionConsumerService' => [`
			`'https://localhost:8080/api/v1/fleet/mdm/sso/callback',`
			`],`
			`'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddres',`
			`'simplesaml.nameidattribute' => 'email',`
			`);`
Replace home-made SAML implementation with https://github.com/crewjam/saml (#28486) For https://github.com/fleetdm/confidential/issues/9931. [Here](https://github.com/fleetdm/fleet/blob/ec3e8edbdc3f1b4220ada22c8290dbf0237ce1ba/docs/Contributing/Testing-and-local-development.md?plain=1#L339)'s how to test SAML locally with SimpleSAML. - [X] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files) for more information. - [x] Added/updated automated tests - [x] A detailed QA plan exists on the associated ticket (if it isn't there, work with the product group's QA engineer to add it) - [x] Manual QA for all new/changed functionality <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * New Features * Improved SSO and SAML integration with enhanced session management using secure cookies. * Added support for IdP-initiated login flows. * Introduced new tests covering SSO login flows, metadata handling, and error scenarios. * Bug Fixes * Enhanced validation and error handling for invalid or tampered SAML responses. * Fixed session cookie handling during SSO and Apple MDM SSO flows. * Refactor * Replaced custom SAML implementation with the crewjam/saml library for improved reliability. * Simplified SAML metadata parsing and session store management. * Streamlined SSO authorization request and response processing. * Removed deprecated fields and redundant code related to SSO. * Documentation * Updated testing and local development docs with clearer instructions for SSO and IdP-initiated login. * Chores * Upgraded dependencies including crewjam/saml and related packages. * Cleaned up tests and configuration by removing deprecated fields and unused imports. <!-- end of auto-generated comment: release notes by coderabbit.ai --> 2025-07-07 18:13:46 +00:00
			`# Used for testing when sso_settings.entity_id ("sso.test.com") is different than`
			`# server_settings.server_url (usually "https://localhost:8080").`
			`$metadata['sso.test.com'] = array(`
			`'AssertionConsumerService' => [`
			`'https://localhost:8080/api/v1/fleet/sso/callback',`
			`],`
			`'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddres',`
			`'simplesaml.nameidattribute' => 'email',`
			`);`

			`# Used for testing when entity_id is not set, so that it matches the hostname (localhost).`
			`$metadata['localhost'] = array(`
			`'AssertionConsumerService' => [`
			`'https://localhost:8080/api/v1/fleet/sso/callback',`
			`],`
			`'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddres',`
			`'simplesaml.nameidattribute' => 'email',`
			`);`