Beartropy SAML2

Environment IDP Configuration
Configure an Identity Provider using only environment variables, without storing it in the database. This is ideal for simple deployments, CI/CD pipelines, and single-IDP scenarios.

When to Use Environment Configuration

  • Single IDP deployments - When you only need one Identity Provider
  • CI/CD pipelines - Configuration via environment variables is easier to automate
  • Containerized environments - Docker, Kubernetes with secrets or config maps
  • Serverless deployments - No database migration required for IDP configuration
  • Development/testing - Quick setup without touching the database

Configuration Steps

1. Set IDP Source

Set the idp_source to env in your configuration file:

// config/beartropy-saml2.php
'idp_source' => env('SAML2_IDP_SOURCE', 'env'),

2. Configure Required Environment Variables

Add the required IDP settings to your .env file:

# IDP Source - set to 'env' for environment-only configuration
SAML2_IDP_SOURCE=env

# IDP Configuration (Required)
SAML2_IDP_KEY=azure
SAML2_IDP_NAME="Azure Active Directory"
SAML2_IDP_ENTITY_ID=https://sts.windows.net/{tenant-id}/
SAML2_IDP_SSO_URL=https://login.microsoftonline.com/{tenant-id}/saml2
SAML2_IDP_CERT="MIICpDCCAYwCCQ..."

3. Optional Settings

Optional settings for Single Logout:

# Optional IDP Settings
SAML2_IDP_SLO_URL=https://login.microsoftonline.com/{tenant-id}/saml2

Environment Variables Reference

Variable              Required   Description
SAML2_IDP_SOURCE      Yes        Set to env or both
SAML2_IDP_KEY         Yes        Unique identifier (slug) for the IDP
SAML2_IDP_NAME        Yes        Human-readable IDP name
SAML2_IDP_ENTITY_ID   Yes        IDP Entity ID (from IDP metadata)
SAML2_IDP_SSO_URL     Yes        Single Sign-On URL
SAML2_IDP_CERT        Yes        IDP X.509 certificate used to verify assertion signatures
SAML2_IDP_SLO_URL     No         Single Logout URL (optional)

Configuration File Reference

The environment variables are read by the default_idp section in the configuration:

// config/beartropy-saml2.php
'default_idp' => [
    'key' => env('SAML2_IDP_KEY', 'default'),
    'name' => env('SAML2_IDP_NAME', 'Default IDP'),
    'entityId' => env('SAML2_IDP_ENTITY_ID'),
    'ssoUrl' => env('SAML2_IDP_SSO_URL'),
    'sloUrl' => env('SAML2_IDP_SLO_URL'),
    'x509cert' => env('SAML2_IDP_CERT'),
],
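Because an env-configured IDP has no metadata URL, the certificate in SAML2_IDP_CERT is only ever updated by hand, so a deploy-time check that the settings are complete and the certificate still validates is worth having. The following is an added example, not part of Beartropy SAML2: it takes the default_idp array shown above, accepts the certificate either as the bare base64 form or the PEM form used in this page's examples, and reports missing fields, non-TLS endpoints and expired or soon-to-expire certificates. The function names, the 30-day threshold and the config() key are assumptions.

```php
<?php
// Added example (not package code): pre-flight check for the env-based IDP.

/** Wrap a bare base64 certificate (as in SAML2_IDP_CERT="MIICpDCC...") in PEM armour. */
function toPem(string $cert): string
{
    $cert = trim($cert);
    if (str_contains($cert, '-----BEGIN CERTIFICATE-----')) {
        return $cert;                       // already PEM, e.g. the Azure/Okta examples
    }
    $body = preg_replace('/\s+/', '', $cert);
    return "-----BEGIN CERTIFICATE-----\n"
        . chunk_split($body, 64, "\n")
        . "-----END CERTIFICATE-----\n";
}

/**
 * Return a list of problems with the default_idp array; an empty list means OK.
 * $now is injectable so the expiry check can be exercised in tests.
 */
function checkEnvIdp(array $idp, ?int $now = null): array
{
    $now ??= time();
    $problems = [];
    foreach (['key', 'entityId', 'ssoUrl', 'x509cert'] as $field) {
        if (empty($idp[$field])) {
            $problems[] = "missing required setting: {$field}";
        }
    }
    // The browser is redirected to these endpoints with SAML messages; require TLS.
    // entityId is deliberately not checked: it is an identifier (Okta uses http://).
    foreach (['ssoUrl', 'sloUrl'] as $field) {
        if (!empty($idp[$field]) && !str_starts_with($idp[$field], 'https://')) {
            $problems[] = "{$field} is not https";
        }
    }
    if (!empty($idp['x509cert'])) {
        $parsed = openssl_x509_parse(toPem($idp['x509cert']));
        if ($parsed === false) {
            $problems[] = 'x509cert does not parse as an X.509 certificate';
        } elseif ($parsed['validTo_time_t'] < $now) {
            $problems[] = 'x509cert expired on ' . date('Y-m-d', $parsed['validTo_time_t']);
        } elseif ($parsed['validTo_time_t'] - $now < 30 * 86400) {
            $problems[] = 'x509cert expires within 30 days; rotate SAML2_IDP_CERT';
        }
    }
    return $problems;
}

// Usage, e.g. from an artisan command run in the deploy pipeline (assumed config key):
// $problems = checkEnvIdp(config('beartropy-saml2.default_idp'));
```

Failing the deployment when the returned list is non-empty catches a stale or mistyped certificate before the first user hits the login route.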

Using "both" Mode

The both mode checks environment variables first, then falls back to database IDPs. This is useful for local development scenarios.

# Use 'both' to allow env IDP + database IDPs
SAML2_IDP_SOURCE=both

# The env IDP will be checked first, then database IDPs
SAML2_IDP_KEY=local-dev
SAML2_IDP_NAME="Local Development IDP"
SAML2_IDP_ENTITY_ID=https://dev-idp.example.com
SAML2_IDP_SSO_URL=https://dev-idp.example.com/sso
SAML2_IDP_CERT="MIICpDCCAYwCCQ..."

Login Integration

{{-- With IDP key --}}
<a href="{{ route('saml2.login', ['idp' => 'azure']) }}">
    Login with Azure AD
</a>

{{-- Without IDP key (uses first available) --}}
<a href="{{ route('saml2.login') }}">
    Login with SSO
</a>

Provider Examples

Azure Active Directory

Complete Azure AD configuration:

# Azure AD Configuration
SAML2_IDP_SOURCE=env
SAML2_IDP_KEY=azure
SAML2_IDP_NAME="Azure Active Directory"
SAML2_IDP_ENTITY_ID=https://sts.windows.net/YOUR_TENANT_ID/
SAML2_IDP_SSO_URL=https://login.microsoftonline.com/YOUR_TENANT_ID/saml2
SAML2_IDP_SLO_URL=https://login.microsoftonline.com/YOUR_TENANT_ID/saml2
SAML2_IDP_CERT="-----BEGIN CERTIFICATE-----
YOUR_CERTIFICATE_CONTENT_HERE
-----END CERTIFICATE-----"

Okta

Complete Okta configuration:

# Okta Configuration
SAML2_IDP_SOURCE=env
SAML2_IDP_KEY=okta
SAML2_IDP_NAME="Okta SSO"
SAML2_IDP_ENTITY_ID=http://www.okta.com/YOUR_APP_ID
SAML2_IDP_SSO_URL=https://YOUR_ORG.okta.com/app/YOUR_APP/YOUR_APP_ID/sso/saml
SAML2_IDP_SLO_URL=https://YOUR_ORG.okta.com/app/YOUR_APP/YOUR_APP_ID/slo/saml
SAML2_IDP_CERT="-----BEGIN CERTIFICATE-----
YOUR_CERTIFICATE_CONTENT_HERE
-----END CERTIFICATE-----"

Comparison: Environment vs Database

Feature                Environment            Database
Number of IDPs         Single IDP only        Unlimited IDPs
Admin Panel            Not needed             Full UI management
Attribute Mapping      Global mapping only    Per-IDP custom mapping
Metadata Refresh       Manual via env vars    Automatic via URL
CI/CD Friendly         ✓ Yes                  Requires seeding
No Database Required   ✓ Yes                  Requires migrations
© 2026 Beartropy. All rights reserved.