- Can this bundle be used directly in Laravel, or is it strictly for Symfony?
- This bundle is designed for Symfony, not Laravel. Laravel developers would need to integrate it via a Symfony microkernel or explore Laravel-specific SAML packages like *spomky-labs/laravel-saml2* for native compatibility.
- What Laravel versions does this bundle support?
- This bundle does not natively support Laravel. It targets Symfony 5.4 LTS, so Laravel integration would require a bridge (e.g., Symfony’s HTTP kernel) or a Laravel-compatible fork. Check the Symfony version compatibility first.
- How do I configure Azure AD app registration for this bundle?
- Register your app in Azure AD with the **Reply URL** set to your SP’s ACS endpoint (e.g., `https://your-app.com/saml/acs`). Ensure the **Sign-on URL** matches your base URL. The bundle auto-generates Azure-specific metadata (entityId, SSO URL) from `azure_app_id` and `base_url`.
- What if I need to support non-Azure IdPs like Okta or ADFS?
- This bundle is hardcoded for Azure AD, so multi-IdP support isn’t natively available. You’d need to fork the bundle or use a generic SAML package like *onelogin/php-saml* directly, which supports multiple IdPs but requires manual configuration.
- How do I handle certificate rotation for Azure AD’s x509cert?
- Azure AD’s x509cert can be rotated via the Azure Portal under your app’s **Certificates & secrets**. For automation, integrate with **Azure Key Vault** or **HashiCorp Vault** to fetch the latest cert dynamically in your Symfony config. Avoid hardcoding certificates in production.
- Is the debug:saml command useful for production troubleshooting?
- The `debug:saml` command validates SP settings (e.g., entityId, ACS URL) and is helpful for debugging during setup. However, in production, enable Symfony’s profiler or log SAML errors to `var/log/dev.log` for deeper inspection. Avoid running debug commands in live environments.
- Can I customize SAML claims or attributes beyond Azure AD defaults?
- The bundle uses Azure AD’s default claims (e.g., `name`, `email`). For custom claims (e.g., `groups`, `extensionAttributes`), extend the bundle by overriding the `AttributeMapper` or use the underlying `onelogin/php-saml` library’s `getAttributes()` method in a custom event listener.
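  The following class is an added example, not code from the bundle, of the custom mapping step described above: it takes the raw array that `OneLogin\Saml2\Auth::getAttributes()` returns (attribute name => list of values) and turns Azure AD's full claim URIs into short application keys. The claim URIs are the standard Azure AD ones; the class name, the short key names and the way it is wired into an event listener are assumptions.

  ```php
  <?php
  // Added example (not part of the bundle): normalise Auth::getAttributes() output.
  declare(strict_types=1);

  final class AzureClaimMapper
  {
      /** Azure AD claim URI => application key (the short keys are an assumption). */
      private const CLAIM_MAP = [
          'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name'         => 'name',
          'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress' => 'email',
          'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname'    => 'given_name',
          'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname'      => 'surname',
          'http://schemas.microsoft.com/ws/2008/06/identity/claims/groups'     => 'groups',
      ];

      /** Azure AD sets this claim instead of "groups" when the user is in too many groups. */
      private const GROUP_OVERAGE_CLAIM = 'http://schemas.microsoft.com/claims/groups.link';

      /** Claims that must carry exactly one value; everything else stays a list. */
      private const SINGLE_VALUED = ['name', 'email', 'given_name', 'surname'];

      /**
       * @param array<string, string[]> $attributes  as returned by Auth::getAttributes()
       * @return array<string, string|string[]>
       */
      public function map(array $attributes): array
      {
          $claims = [];
          foreach (self::CLAIM_MAP as $uri => $key) {
              if (!isset($attributes[$uri])) {
                  continue; // absent claim stays absent; never substitute a default identity
              }
              // Keep only non-empty string values.
              $values = array_values(array_filter(
                  array_map('strval', $attributes[$uri]),
                  static fn (string $v): bool => $v !== ''
              ));
              if ($values === []) {
                  continue;
              }
              if (in_array($key, self::SINGLE_VALUED, true)) {
                  if (count($values) > 1) {
                      // Two different e-mail values in one assertion is not a normal IdP result.
                      throw new \RuntimeException(sprintf('Claim "%s" is multi-valued', $key));
                  }
                  $claims[$key] = $values[0];
              } else {
                  $claims[$key] = array_values(array_unique($values));
              }
          }

          // Group overage: the "groups" list is incomplete, so do not base authorization on it.
          if (isset($attributes[self::GROUP_OVERAGE_CLAIM])) {
              $claims['groups'] = [];
              $claims['groups_incomplete'] = ['1'];
          }

          // Refuse assertions that lack the identifier the application keys users on.
          if (!isset($claims['email'])) {
              throw new \RuntimeException('SAML assertion carries no emailaddress claim');
          }
          return $claims;
      }
  }

  // Constructed sample input in the shape getAttributes() produces, for trying the mapper.
  $sample = [
      'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name'         => ['Jane Example'],
      'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress' => ['jane@example.test'],
      'http://schemas.microsoft.com/ws/2008/06/identity/claims/groups'     => ['group-id-a', 'group-id-b', 'group-id-a'],
  ];
  print_r((new AzureClaimMapper())->map($sample));
  ```

  Call `map()` from whatever listener the bundle fires after a successful ACS response (the hook name is bundle-specific and not assumed here), and let the exceptions abort the login rather than catching them: an assertion without the expected identifier claim, or a list of groups that Azure AD has truncated, should never quietly produce a logged-in user with fewer or more rights than intended.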
- What are the risks of using onelogin/php-saml v3.x as a dependency?
- The bundle relies on `onelogin/php-saml` (v3.x), which may have unpatched CVEs or lack support for newer SAML features. Monitor the library’s [GitHub security advisories](https://github.com/onelogin/php-saml/security/advisories) and consider forking or upgrading to v4.x if available.
- How do I secure SAML in production (e.g., strict mode, HTTPS)?
- Enable `strict: true` in the config to enforce SAML protocol compliance. Ensure all URLs use HTTPS and validate Azure AD’s certificate chain. For high-security environments, enable `security.nameIdEncrypted: true` and sign authn requests (`authnRequestsSigned: true`).
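  The bundle wraps `onelogin/php-saml`, whose settings array carries the options named above. The audit function below is an added example, not code from the bundle or the library: it takes such a settings array and lists every production-unsafe value, and the two arrays at the bottom show a weak configuration next to its hardened form. The setting names (`strict`, `debug`, `security.*`, `sp.*`, `idp.*`) are real php-saml settings; the exact array the bundle builds from its YAML config is an assumption, as are the constructed URLs.

  ```php
  <?php
  // Added example (not part of the bundle): audit a php-saml settings array before deploying.
  declare(strict_types=1);

  const RSA_SHA256_URI = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256';
  const SHA256_URI     = 'http://www.w3.org/2001/04/xmlenc#sha256';

  /**
   * @param array<string, mixed> $settings  the array passed to OneLogin\Saml2\Settings
   * @return string[]  human-readable findings; empty means no issue found
   */
  function auditSamlSettings(array $settings): array
  {
      $findings = [];
      $sec = $settings['security'] ?? [];

      if (($settings['strict'] ?? false) !== true) {
          $findings[] = 'strict is not true: malformed or unsigned messages would be tolerated';
      }
      if (($settings['debug'] ?? false) === true) {
          $findings[] = 'debug is true: library errors would be printed to the response';
      }
      // Every flag that must be true for signed, encrypted, verifiable exchanges.
      foreach (['authnRequestsSigned', 'wantAssertionsSigned', 'wantMessagesSigned',
                'nameIdEncrypted', 'logoutRequestSigned', 'logoutResponseSigned'] as $flag) {
          if (($sec[$flag] ?? false) !== true) {
              $findings[] = "security.$flag is not true";
          }
      }
      // Older php-saml releases default to SHA-1 for signing and digests; insist on SHA-256.
      if (($sec['signatureAlgorithm'] ?? '') !== RSA_SHA256_URI) {
          $findings[] = 'security.signatureAlgorithm is not RSA-SHA256';
      }
      if (($sec['digestAlgorithm'] ?? '') !== SHA256_URI) {
          $findings[] = 'security.digestAlgorithm is not SHA-256';
      }
      // All endpoints must be https: SAML responses travel in the browser.
      $urls = [
          'sp.entityId'                     => $settings['sp']['entityId'] ?? '',
          'sp.assertionConsumerService.url' => $settings['sp']['assertionConsumerService']['url'] ?? '',
          'idp.singleSignOnService.url'     => $settings['idp']['singleSignOnService']['url'] ?? '',
      ];
      foreach ($urls as $name => $url) {
          if (!is_string($url) || stripos($url, 'https://') !== 0) {
              $findings[] = "$name is not an https URL";
          }
      }
      if (trim((string) ($settings['idp']['x509cert'] ?? '')) === '') {
          $findings[] = 'idp.x509cert is empty: response signatures cannot be verified';
      }
      return $findings;
  }

  // Constructed weak configuration: plain http, nothing signed, library defaults elsewhere.
  $weak = [
      'strict' => false,
      'debug'  => true,
      'sp'  => ['entityId' => 'http://your-app.test/saml/metadata',
                'assertionConsumerService' => ['url' => 'http://your-app.test/saml/acs']],
      'idp' => ['singleSignOnService' => ['url' => 'http://idp.example.test/sso'], 'x509cert' => ''],
      'security' => [],
  ];

  // Hardened form of the same configuration.
  $hardened = $weak;
  $hardened['strict'] = true;
  $hardened['debug']  = false;
  $hardened['sp']['entityId'] = 'https://your-app.test/saml/metadata';
  $hardened['sp']['assertionConsumerService']['url'] = 'https://your-app.test/saml/acs';
  $hardened['idp']['singleSignOnService']['url'] = 'https://idp.example.test/sso';
  $hardened['idp']['x509cert'] = 'PLACEHOLDER_IDP_CERT_PEM_BODY'; // real value comes from the IdP
  $hardened['security'] = [
      'authnRequestsSigned'  => true,
      'wantAssertionsSigned' => true,
      'wantMessagesSigned'   => true,
      'nameIdEncrypted'      => true,
      'logoutRequestSigned'  => true,
      'logoutResponseSigned' => true,
      'signatureAlgorithm'   => RSA_SHA256_URI,
      'digestAlgorithm'      => SHA256_URI,
  ];

  print_r(auditSamlSettings($weak));      // nine findings
  print_r(auditSamlSettings($hardened));  // empty array
  ```

  Run the audit in a deploy check or a test so a regression in the config fails the build instead of reaching production. Signing requests and encrypting the NameID only take effect once the corresponding SP key and certificate are configured and the Azure AD side is set to expect them, so pair a change in these flags with the matching change in the app registration.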
- What’s the upgrade path if I need to move to Symfony 6.x or 7.x?
- This bundle targets Symfony 5.4 LTS, so upgrading to newer Symfony versions may require a fork or compatibility layer. Check the [Symfony upgrade guide](https://symfony.com/doc/current/setup/upgrade.html) and consider contributing to the bundle’s roadmap for future versions.