src/EmployeeApi/Service/SamlService.php line 21

Open in your IDE?
  1. <?php
  3. namespace PaperKite\EmployeeApi\Service;
  5. use Lightbulb\Service\Image\InitialAvatarGenerator;
  6. use Lightbulb\Symfony\Exception\ServiceUnavailableException;
  7. use OneLogin\Saml2\Auth;
  8. use OneLogin\Saml2\Error;
  9. use OneLogin\Saml2\ValidationError;
  10. use PaperKite\Common\Service\DepartmentService;
  11. use PaperKite\EmployeeApi\Entity\EmployeeInterface;
  13. class SamlService
  14. {
  15.     private Auth $samlAuth;
  17.     /**
  18.      * @throws Error
  19.      * @throws ServiceUnavailableException
  20.      */
  21.     public function __construct(
  22.         private EmployeeService $employeeService,
  23.         private DepartmentService $departmentService,
  24.         private InitialAvatarGenerator $initialAvatarGenerator,
  25.         array $samlConfig,
  26.         string $certificatePath,
  27.     ) {
  28.         if (false === file_exists($certificatePath)) {
  29.             throw new ServiceUnavailableException('Misconfigured server.');
  30.         }
  31.         $samlConfig['idp']['x509cert'] = file_get_contents($certificatePath);
  32.         $this->samlAuth = new Auth($samlConfig);
  33.     }
  35.     /**
  36.      * @throws Error
  37.      */
  38.     public function getSsoLoginUrl($returnUrl null): ?string
  39.     {
  40.         // Try Windows Integrated Authentication by default
  41.         // This will work for domain-joined machines with proper browser configuration
  42.         $parameters = [
  43.             'AuthnContextClassRef' => 'urn:federation:authentication:windows',
  44.         ];
  46.         // Don't use passive mode - let ADFS handle the authentication flow
  47.         // ADFS will automatically fall back to forms authentication if Windows auth fails
  48.         return $this->samlAuth->login($returnUrl$parametersfalsefalsetrue);
  49.     }
  51.     /**
  52.      * @throws Error
  53.      */
  54.     public function getSsoLogoutUrl($returnUrl null): ?string
  55.     {
  56.         return $this->samlAuth->logout($returnUrl, [], nullnulltrue);
  57.     }
  59.     /**
  60.      * @throws ServiceUnavailableException
  61.      * @throws ValidationError
  62.      * @throws Error
  63.      */
  64.     public function handleSamlToken(): EmployeeInterface
  65.     {
  66.         $this->samlAuth->processResponse();
  68.         /* @noinspection PhpUnreachableStatementInspection */
  69.         if ($this->samlAuth->isAuthenticated()) {
  70.             $userUniqueId $this->samlAuth->getNameId();
  72.             // Check for user in db
  73.             $storedEmployee null;
  74.             $employee $this->employeeService->findEmployeeByUserName($this->samlAuth->getNameId());
  75.             if (null === $employee) {
  76.                 $employee $this->employeeService->createEmployeeEntity(
  77.                     $userUniqueId,
  78.                     ['ROLE_USER'],
  79.                     $userUniqueId,
  80.                 );
  81.             } else {
  82.                 $storedEmployee = clone $employee;
  83.             }
  85.             // Handle department
  86.             $department null;
  87.             if (false === empty($this->getSamlAttributeValues('Department')[0])) {
  88.                 $department $this->departmentService->getByExternalIdCreateIfNotExist($this->getSamlAttributeValues('Department')[0]);
  89.             }
  91.             // Handle avatar url
  92.             $avatarImageUrl false === empty($employee->getAvatarImageUrl())
  93.                 ? $employee->getAvatarImageUrl()
  94.                 : $this->initialAvatarGenerator->generateAsBase64Url($userUniqueId);
  96.             // Set the new values to the entity
  97.             $employee
  98.                 ->setDepartment($department)
  99.                 ->setAvatarImageUrl($avatarImageUrl)
  100.                 ->setPhone($this->getSamlAttributeValues('Telephone-Number')[0])
  101.                 ->setPassword('thisFieldWillNotBeUsedForAuthentication')
  102.                 ->setFirstName($this->getSamlAttributeValues('givenname')[0])
  103.                 ->setLastName($this->getSamlAttributeValues('surname')[0])
  104.                 ->setEmail($this->getSamlAttributeValues('emailaddress')[0])
  105.                 ->setDeletedAt(null)
  106.                 ->setRoles($this->retrieveRolesFromLdapEmployee());
  108.             $otherTelephone $this->getSamlAttributeValues('otherTelephone');
  109.             if (false === empty($otherTelephone) && false === empty($otherTelephone[0])) {
  110.                 $employee->setDepartmentPhone($otherTelephone[0]);
  111.             }
  113.             // Only persist when there was a change
  114.             if (null === $storedEmployee || true === $storedEmployee->hasDifferences($employee)) {
  115.                 $this->employeeService->storeEmployeeEntity($employee);
  116.             }
  118.             return $employee;
  119.         } else {
  120.             throw new ServiceUnavailableException('SSO Login issue');
  121.         }
  122.     }
  124.     private function getSamlAttributeValues(string $key): array
  125.     {
  126.         foreach ($this->samlAuth->getAttributes() as $attributeKey => $values) {
  127.             if (true === str_contains($attributeKey$key)) {
  128.                 return $values;
  129.             }
  130.         }
  132.         return [];
  133.     }
  135.     private function retrieveRolesFromLdapEmployee(): array
  136.     {
  137.         $roles = ['ROLE_USER'];
  138.         foreach ($this->getSamlAttributeValues('Group') as $ldapRole) {
  139.             switch ($ldapRole) {
  140.                 case 'PPL_super_admin':
  141.                     $roles[] = 'ROLE_SUPER_ADMIN';
  142.                     break;
  144.                 case 'PPL_admin':
  145.                     $roles[] = 'ROLE_CMCM_ADMIN';
  146.                     break;
  148.                 case 'PPL_department_manager':
  149.                     $roles[] = 'ROLE_DEPARTMENT_MANAGER';
  150.                     break;
  152.                 case 'PPL_marketing':
  153.                     $roles[] = 'ROLE_ADMIN_MARKETING';
  154.                     break;
  156.                 case 'PPL_support_messages':
  157.                     $roles[] = 'ROLE_ADMIN_SUPPORT';
  158.                     break;
  160.                 case 'PPL_employee':
  161.                     $roles[] = 'ROLE_EMPLOYEE';
  162.                     break;
  163.             }
  164.         }
  166.         return $roles;
  167.     }
  169.     public function ssoLogout(): ?string
  170.     {
  171.         return $this->samlAuth->logout(null, [], nullnulltrue);
  172.     }
  173. }