SAML based SSO with Laravel

Question

I'm implementing SAML based SSO for one of the php web application. I'm using google as IDP. I've used Laravel 5 - Saml2 plugin and configured as per the steps given into it's documentation. I also added this app in google admin console as SAML app using the steps given here and configured entityId and acs url in saml2_settings.php. However I'm not able to configure the x509cert certificates. When I hit login url, user is being redirected to google for authentication however when I enters credentials it does not comes back to application and giving following error:

403. That’s an error.

Error: app_not_configured_for_user

Service is not configured for this user.

Following is my saml2_settings file:

'sp' => array(

    // Specifies constraints on the name identifier to be used to
    // represent the requested subject.
    // Take a look on lib/Saml2/Constants.php to see the NameIdFormat supported
    'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',

    // Usually x509cert and privateKey of the SP are provided by files placed at
    // the certs folder. But we can also provide them with the following parameters
    'x509cert' => 'I ADDED x509certs here which I downloaded from google',
    'privateKey' => '',

    //LARAVEL - You don't need to change anything else on the sp
    // Identifier of the SP entity  (must be a URI)
    'entityId' => 'snipeit', //LARAVEL: This would be set to saml_metadata route
    // Specifies info about where and how the <AuthnResponse> message MUST be
    // returned to the requester, in this case our SP.
    'assertionConsumerService' => array(
        // URL Location where the <Response> from the IdP will be returned
        'url' => 'http://dev.sb.com/snipeit/public/account/profile', //LARAVEL: This would be set to saml_acs route
        //SAML protocol binding to be used when returning the <Response>
        //message.  Onelogin Toolkit supports for this endpoint the
        //HTTP-Redirect binding only
        'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
    ),
    // Specifies info about where and how the <Logout Response> message MUST be
    // returned to the requester, in this case our SP.
    'singleLogoutService' => array(
        // URL Location where the <Response> from the IdP will be returned
        'url' => '', //LARAVEL: This would be set to saml_sls route
        // SAML protocol binding to be used when returning the <Response>
        // message.  Onelogin Toolkit supports for this endpoint the
        // HTTP-Redirect binding only
        'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
    ),
),

// Identity Provider Data that we want connect with our SP
'idp' => array(
    // Identifier of the IdP entity  (must be a URI)
    'entityId' => '',
    // SSO endpoint info of the IdP. (Authentication Request protocol)
    'singleSignOnService' => array(
        // URL Target of the IdP where the SP will send the Authentication Request Message
        'url' => $idp_host,
        // SAML protocol binding to be used when returning the <Response>
        // message.  Onelogin Toolkit supports for this endpoint the
        // HTTP-POST binding only
        'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
    ),
    // SLO endpoint info of the IdP.
    'singleLogoutService' => array(
        // URL Location of the IdP where the SP will send the SLO Request
        'url' => $idp_host . '/saml2/idp/SingleLogoutService.php',
        // SAML protocol binding to be used when returning the <Response>
        // message.  Onelogin Toolkit supports for this endpoint the
        // HTTP-Redirect binding only
        'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
    ),
    // Public x509 certificate of the IdP
    'x509cert' => 'SAME CERTIFICATES I ADDED HERE AS WELL',        /*
     *  Instead of use the whole x509cert you can use a fingerprint
     *  (openssl x509 -noout -fingerprint -in "idp.crt" to generate it)
     */
    // 'certFingerprint' => '',
),

Can someone please help me.

Answer 1

'sp' => array(

'x509cert' => 'I ADDED x509certs here which I downloaded from google',
'privateKey' => '',

You are using Google as IdP so, why are you using google public cert on the sp section?

If you plan to sign the SAML messages sent by the SP, then you need to place there your own cert/private key. You can generate self-signed certificates with this tool: https://www.samltool.com/self_signed_certs.php

If you have doubts about some settings fields, review the documentation of the Lavarel SAML plugin, but also review the documentation of php-saml, the SAML toolkit that the plugin uses.

In order to debug what is happening, I also recommend you to use a browser extension to record your SAML Messages, use for example SAML Tracer and review the Status of the responses that will inform you about a possible error.