Add initial Azure MFA files to the project

The project is based on the GSSP example project but references
to that project have been removed and renamed to Azure MFA.

Will probably need lots of fine tuning.

See: https://github.com/OpenConext/Stepup-gssp-example

.env.ci

@@ -15,7 +15,7 @@
 
 ###> symfony/framework-bundle ###
 APP_ENV=dev
-APP_SECRET=45aa9def36d107b2a081bbfb7faf828b
+APP_SECRET=12aa3def45d5678b9876aabb5faf4321
 #TRUSTED_PROXIES=127.0.0.1,127.0.0.2
 #TRUSTED_HOSTS='^localhost|example\.com$'
 ###< symfony/framework-bundle ###

.travis.yml

@@ -4,7 +4,7 @@ dist: trusty
 
 addons:
   hosts:
-    - gssp.stepup.example.com
+    - azure-mfa.stepup.example.com
   apt:
     packages:
       - cmake
@@ -19,7 +19,7 @@ cache:
 
 before_script:
   # configure ssl
-  - sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/certs/gssp.key -out /etc/ssl/certs/gssp.crt -subj "/C=NL/ST=Netherlands/L=Amsterdam/O=TEST/CN=gssp.stepup.example.com"
+  - sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/certs/azure-mfa.key -out /etc/ssl/certs/azure-mfa.crt -subj "/C=NL/ST=Netherlands/L=Amsterdam/O=TEST/CN=azure-mfa.stepup.example.com"
 
   - sudo apt-get update
   - sudo apt-get install apache2 libapache2-mod-fastcgi
@@ -54,8 +54,8 @@ before_script:
   - ps aux | grep php-fpm
   - netstat -an | grep :9000
   # Test if the website is actually running
-  - curl --insecure https://gssp.stepup.example.com
-  - curl --insecure https://gssp.stepup.example.com/fonts/FontAwesome.otf
+  - curl --insecure https://azure-mfa.stepup.example.com
+  - curl --insecure https://azure-mfa.stepup.example.com/fonts/FontAwesome.otf
 
 script:
   - composer test

CHANGELOG.md

@@ -1,11 +1,2 @@
-# 1.3.0
-Better request ID logging
-
-# 1.2.0 
-Update saml library
-
-# 1.1.0
-Remove phantomjs and use goutte instead for webtest
-
-# 1.0.0  
+# 0.0.1  
 Initial release

README.md

@@ -1,38 +1,31 @@
-Stepup-gssp-example
+Stepup-Azure-MFA
 ===================
 
 <a href="#">
-    <img src="https://travis-ci.org/OpenConext/Stepup-gssp-bundle.svg?branch=master" alt="build:">
+    <img src="https://travis-ci.org/OpenConext/Stepup-Azure-MFA.svg?branch=master" alt="build:">
 </a></br>
 
-Example Generic SAML Stepup Provider.
-
-This repository can be used for reference material or 
-as a base project setup for new IdP SecondFactor application.
-
-The SAML logic for receiving authentication request (AuthnRequest) and sending authentication response back is
-placed inside the Symfony bundle [stepup-gssp-bundle](https://github.com/OpenConext/Stepup-gssp-bundle). The state of the
-application is stored inside PHP sessions, each new request will invalidate the current session state.
+GSSP for Microsoft Azure MFA (Multi-factor authentication)
 
 Locale user preference
 ----------------------
 
 The default locale is based on the user agent. When the user switches its locale the selected preference is stored inside a
-browser cookie (stepup_locale). The cookie is set on naked domain of the requested domain (for gssp.stepup.example.com this is example.com).
+browser cookie (stepup_locale). The cookie is set on naked domain of the requested domain (for azure-mfa.stepup.example.com this is example.com).
 
 Authentication and registration flows
 -------------------------------------
 
 The application provides internal (SpBundle) and a remote service provider. Instructions for this are given 
-on the homepage of this example project [Homepage](https://gssp.stepup.example.com/app_dev.php/).
+on the homepage of this example project [Homepage](https://azure-mfa.stepup.example.com/app_dev.php/).
 
 ![flow](docs/flow.png)
 <!---
 regenerate docs/flow.png with `plantum1 README.md` or with http://www.plantuml.com/plantuml
 @startuml docs/flow
 actor User
 participant "Service provider" as SP
-box "Stepup GSSP example"
+box "Stepup Azure MFA"
 participant "GSSP Bundle" as IdP
 participant "SecondFactor implementation" as App
 end box
@@ -48,37 +41,6 @@ SP -> User: User registered/Authenticated
 @enduml
 --->
 
-
-How to create your own Stepup Provider
-======================================
-
-There are two ways to approach this. 
-
-Copy this GSSP example repository
----------------------------------
-
-One of the benefits of using this repository is that it contains many pre-configured tools:
-
-* Metrics & test tooling [testing.md](./docs/testing.md)
-* Development environment provisioned by Vagrant 
-* Pre-configured travis.yml for CI integration
-* Default SurfContext styling [frontend_tooling.md](./docs/frontend_tooling.md)
-
-1) Clone and checkout this repository
-2) Change the project configuration variables:
-    * composer.json name and description
-    * this readme.md file
-    * Replace 'gssp.stepup.example.com' in all files with your own hostename
-3) Install the copied project. (See [Development environment](#) section of this README.md file)
-4) Implement your authentication & registration logic in DefaultController::registrationAction and DefaultController::authenticateAction. 
-5) Feel free to rename and change this example clone for your needs.
-
-Install from a clean or exiting symfony project
-------------------------------------
-
-1) [Install Symfony](http://symfony.com/doc/current/setup.html) 
-2) Follow the instructions from the [GSSP bundle](https://github.com/OpenConext/Stepup-gssp-bundle)
-
 Development environment
 ======================
 
@@ -122,7 +84,7 @@ If everything goes as intended, you can develop in the virtual machine.
 
 If everything goes as planned you can go to:
 
-[https://gssp.stepup.example.com](https://gssp.stepup.example.com/app_dev.php)
+[https://azure-mfa.stepup.example.com](https://azure-mfa.stepup.example.com/app_dev.php)
 
 Debugging
 -------------------

behat.yml

@@ -8,7 +8,7 @@ default:
                 bootstrap: tests/Features/bootstrap/bootstrap.php
                 class: App\Kernel
         Behat\MinkExtension:
-            base_url: https://gssp.stepup.example.com
+            base_url: https://azure-mfa.stepup.example.com
             default_session: 'symfony2'
             goutte:
                guzzle_parameters:

composer.json

@@ -1,7 +1,7 @@
 {
-  "name": "surfnet/stepup-gssp-example",
+  "name": "surfnet/stepup-Azure-MFA",
   "license": "Apache-2.0",
-  "description": "Example Generic SAML Stepup Provider.",
+  "description": "GSSP for Microsoft Azure Multi-factor authentication",
   "type": "project",
   "minimum-stability": "stable",
   "prefer-stable": true,
@@ -89,7 +89,10 @@
     ],
     "phpunit": "vendor/bin/phpunit",
     "behat": "vendor/bin/behat  --config behat.yml --tags '~@remote'",
-    "security-tests": "vendor/bin/security-checker security:check",
+    "security-tests": [
+      "vendor/bin/security-checker security:check",
+      "yarn audit"
+    ],
     "coverage": [
       "@phpunit-coverage",
       "mkdir -p coverage/reports",

config/packages/dev/surfnet_saml.yaml

@@ -20,6 +20,6 @@ surfnet_saml:
       - entity_id: "%saml_remote_sp_entity_id%"
         certificate_file: "%saml_remote_sp_certificate%"
         assertion_consumer_service_url: "%saml_remote_sp_acs%"
-      - entity_id: https://gssp.stepup.example.com/saml/metadata
+      - entity_id: https://azure-mfa.stepup.example.com/saml/metadata
         certificate_file: "%saml_idp_publickey%"
-        assertion_consumer_service_url: https://gssp.stepup.example.com/demo/sp/acs
+        assertion_consumer_service_url: https://azure-mfa.stepup.example.com/demo/sp/acs

docs/testing.md

@@ -70,6 +70,7 @@ vulnerabilities as part of every CI build. If any of the dependencies contains a
 fail.
 
 Tools: SensioLabs Security Checker
+       Yarn audit
 
 You can run these tools manually with composer:
 

homestead/Homestead.yaml

@@ -13,8 +13,8 @@ folders:
         to: /home/vagrant/code
 sites:
     -
-        map: gssp.stepup.example.com
+        map: azure-mfa.stepup.example.com
         to: /home/vagrant/code/public
         type: symfony4
-name: gsspexample
-hostname: gsspexample
+name: azure-mfa
+hostname: azure-mfa

homestead/php.ini

@@ -1,4 +1,4 @@
 xdebug.remote_autostart = 1
-xdebug.remote_host = 192.168.77.1
+xdebug.remote_host = 192.168.77.2
 xdebug.remote_connect_back = 0
 xdebug.coverage_enable=1

templates/base.html.twig

@@ -37,14 +37,6 @@
             <li class="title">
                 <span>{{ 'page.title'|trans }}</span>
             </li>
-            <li class="border-left">
-                <a href="https://github.com/OpenConext/Stepup-Gateway/blob/develop/docs/GSSP.md"
-                   target="_blank">{{ 'page.header.stepup-gateway-gssp'|trans }}</a>
-            </li>
-            <li class="border-left">
-                <a href="https://github.com/OpenConext/Stepup-gssp-bundle"
-                   target="_blank">{{ 'page.header.stepup-gssp-bundle'|trans }}</a>
-            </li>
             <li class="push-right">
                 <ul class="language-selector">
                     {% for lang in ['en', 'nl_NL'] %}
@@ -59,7 +51,7 @@
 </div>
 <div class="navigation-container">
     <div class="navigation">
-        {% for route in ['homepage', 'app_identity_registration', 'app_identity_authentication', 'gssp_saml_sso', 'gssp_saml_sso_return', 'gssp_saml_metadata'] %}
+        {% for route in ['homepage', 'app_identity_registration', 'app_identity_authentication', 'gssp_saml_metadata'] %}
             {% set translatekey = "page.navigation.route." ~ route %}
             <a href="{{ path(route) }}" {% if current_route == route %} class='active'{% endif %}>{{ translatekey|trans }}</a>
         {% endfor %}
@@ -69,38 +61,6 @@
     </div>
 </div>
 <div class="page-container">
-
-    {% if current_route == 'app_identity_registration' %}
-        <div class='alert'>
-            <div><i class="fa fa-info-circle" aria-hidden="true"></i>{{ 'page.route.description.documentation_purpose'|trans }}</div>
-            <pre>{{ 'page.route.description.app_identity_registration'|trans }}</pre>
-        </div>
-    {% endif %}
-    {% if current_route == 'app_identity_authentication' %}
-        <div class='alert'>
-            <div><i class="fa fa-info-circle" aria-hidden="true"></i>{{ 'page.route.description.documentation_purpose'|trans }}</div>
-            <pre>{{ 'page.route.description.app_identity_authentication'|trans }}</pre>
-        </div>
-    {% endif %}
-    {% if current_route == 'gssp_saml_sso' %}
-        <div class='alert'>
-            <div><i class="fa fa-info-circle" aria-hidden="true"></i>{{ 'page.route.description.documentation_purpose'|trans }}</div>
-            <pre>{{ 'page.route.description.gssp_saml_sso'|trans }}</pre>
-        </div>
-    {% endif %}
-    {% if current_route == 'gssp_saml_sso_return' %}
-        <div class='alert'>
-            <div><i class="fa fa-info-circle" aria-hidden="true"></i>{{ 'page.route.description.documentation_purpose'|trans }}</div>
-            <pre>{{ 'page.route.description.gssp_saml_sso_return'|trans }}</pre>
-        </div>
-    {% endif %}
-    {% if current_route == 'sp_demo' %}
-        <div class='alert'>
-            <i class="fa fa-info-circle" aria-hidden="true"></i>
-            <pre style="display: inline">{{ 'page.route.description.sp_demo'|trans }}</pre>
-        </div>
-    {% endif %}
-
     {% block body_container %}
         <h1>{% block page_heading %}{% endblock %}</h1>
         <div class="card">
@@ -110,8 +70,6 @@
 </div>
 <div class="footer">
     <div class="footer-inner">
-        <span><a href="https://wiki.surfnet.nl/display/conextsupport/Terms+of+Service+%28NL%29"
-                 target="_blank">{{ 'page.footer.terms'|trans }}</a></span>
         <span><a href="mailto:help@surfconext.nl"
                  target="_blank">help@surfconext.nl</a></span></div>
 </div>

templates/default/index.html.twig

@@ -7,7 +7,6 @@
         <p class="intro">{{ 'page.index.body.intro'|trans }}</p>
         <br>
 
-        <p>{{ 'page.index.body.sdk_discription'|trans({'%idp-entity-id%': url('gssp_saml_metadata', {})}) }}</p>
 
         {% if app.environment == 'dev' %}
 

tests/Features/Context/WebContext.php

@@ -101,7 +101,7 @@ public function resetGoutteDriver()
     public function callIdentityProviderSSOActionWithAuthnRequest()
     {
         $this->minkContext->visit('https://pieter.aai.surfnet.nl/simplesamlphp/sp.php?sp=default-sp');
-        $this->minkContext->selectOption('idp', 'https://gssp.stepup.example.com/saml/metadata');
+        $this->minkContext->selectOption('idp', 'https://azure-mfa.stepup.example.com/saml/metadata');
         $this->minkContext->pressButton('Login');
     }
 
@@ -112,7 +112,7 @@ public function getIdentityProvider()
     {
         /** @var RequestStack $stack */
         $stack = $this->kernel->getContainer()->get('request_stack');
-        $stack->push(Request::create('https://gssp.stepup.example.com'));
+        $stack->push(Request::create('https://azure-mfa.stepup.example.com'));
         $ip = $this->kernel->getContainer()->get('surfnet_saml.hosted.identity_provider');
         $stack->pop();
 

tests/Features/authentication.feature

@@ -5,7 +5,7 @@ Feature: When an user needs to authenticate
   @remote
   Scenario: When an user needs to register for a new token
     Given I am on "https://pieter.aai.surfnet.nl/simplesamlphp/sp.php?sp=default-sp"
-    And I select "https://gssp.stepup.example.com/saml/metadata" from "idp"
+    And I select "https://azure-mfa.stepup.example.com/saml/metadata" from "idp"
     And I fill in "subject" with "test-name-id-1234"
     When I press "Login"
     Then I should see "Authenticate"
@@ -14,5 +14,5 @@ Feature: When an user needs to authenticate
     When I press "Authenticate user"
     Then I press "Submit"
     And I should see "You are logged in to SP:default-sp"
-    And I should see "IdP EnitytID:https://gssp.stepup.example.com/saml/metadata"
+    And I should see "IdP EnitytID:https://azure-mfa.stepup.example.com/saml/metadata"
     And I should see "test-name-id-1234"

tests/Features/metadata.feature

@@ -11,4 +11,4 @@ Feature: Metadata endpoint
   Scenario: Metadata must include a SingleSignOnService
     When I go to "/saml/metadata"
     Then the response should be in XML
-    And the XML attribute "Location" on element "/md:EntityDescriptor/md:IDPSSODescriptor/md:SingleSignOnService" should be equal to "https://gssp.stepup.example.com/saml/sso"
+    And the XML attribute "Location" on element "/md:EntityDescriptor/md:IDPSSODescriptor/md:SingleSignOnService" should be equal to "https://azure-mfa.stepup.example.com/saml/sso"

tests/Features/registration.feature

@@ -6,16 +6,16 @@ Feature: When an user needs to register for a new token
   @remote
   Scenario: When an user needs to register for a new token
     Given I am on "https://pieter.aai.surfnet.nl/simplesamlphp/sp.php?sp=default-sp"
-    And I select "https://gssp.stepup.example.com/saml/metadata" from "idp"
+    And I select "https://azure-mfa.stepup.example.com/saml/metadata" from "idp"
     When I press "Login"
     Then I should see "Registration"
-    And I should be on "https://gssp.stepup.example.com/registration"
+    And I should be on "https://azure-mfa.stepup.example.com/registration"
 
     Given I fill in "Subject NameID" with "test-name-id-1234"
     When I press "Register user"
     Then I press "Submit"
     And I should see "You are logged in to SP:default-sp"
-    And I should see "IdP EnitytID:https://gssp.stepup.example.com/saml/metadata"
+    And I should see "IdP EnitytID:https://azure-mfa.stepup.example.com/saml/metadata"
     And I should see "test-name-id-1234"
 
   Scenario: When the user is redirected from an unknown service provider he should see an error page

tests/Features/sp_authentication.feature

@@ -6,17 +6,17 @@ Feature: When an user needs to authenticate
   Scenario: When an user needs to register for a new token
 
     # The user clicks on authenticate button from the SP
-    Given I am on "https://gssp.stepup.example.com/demo/sp"
+    Given I am on "https://azure-mfa.stepup.example.com/demo/sp"
     Then I should see "Demo service provider"
     And I fill in "Subject NameID" with "test-name-id-1234"
     Given I press "Authenticate user"
 
     # The user clicks on authenticate button from the GSSP IdP
-    Then I should be on "https://gssp.stepup.example.com/authentication"
+    Then I should be on "https://azure-mfa.stepup.example.com/authentication"
     Given I press "Authenticate user"
 
     # The SSO return page
-    Then I should be on "https://gssp.stepup.example.com/saml/sso_return"
+    Then I should be on "https://azure-mfa.stepup.example.com/saml/sso_return"
     Given I press "Submit"
 
     # Returns to the SP

tests/Features/sp_registration.feature

@@ -6,20 +6,20 @@ Feature: When an user needs to register for a new token
 
   Scenario: When an user needs to register for a new token
     # The user request a registration from the service provider
-    Given I am on "https://gssp.stepup.example.com/demo/sp"
+    Given I am on "https://azure-mfa.stepup.example.com/demo/sp"
     Then I should see "Demo service provider"
     When I press "Register user"
 
     # The user register himself at the IdP
     Then I should see "Registration"
-    And I should be on "https://gssp.stepup.example.com/registration"
+    And I should be on "https://azure-mfa.stepup.example.com/registration"
 
     # GSSP assigns a subject name id to the user
     Given I fill in "Subject NameID" with "test-name-id-1234"
     When I press "Register user"
 
     # The SSO return page
-    Then I should be on "https://gssp.stepup.example.com/saml/sso_return"
+    Then I should be on "https://azure-mfa.stepup.example.com/saml/sso_return"
     Given I press "Submit"
 
     # Back at the SP.