artisanpack-ui/security-advanced-auth

Enterprise authentication for Laravel — WebAuthn/FIDO2 passwordless auth, SSO (SAML/OIDC/LDAP), social login, biometric auth, and device fingerprinting.

Package info

github.com/ArtisanPack-UI/security-advanced-auth

pkg:composer/artisanpack-ui/security-advanced-auth

Statistics

Installs: 1

Dependents: 1

Suggesters: 0

Stars: 0

Open Issues: 10

1.0.0 2026-05-19 19:17 UTC

This package is auto-updated.

Last update: 2026-05-19 19:33:07 UTC


README

Enterprise authentication for Laravel: WebAuthn / FIDO2 passwordless auth, SSO (SAML / OIDC / LDAP), social login across 8 providers, biometric authentication, device fingerprinting, and suspicious activity detection.

This package is part of the ArtisanPack UI Security 2.0 split — the enterprise-auth features previously bundled inside artisanpack-ui/security (1.x) live here in 2.0+.

Features

  • WebAuthn / FIDO2 (WebAuthnManager, 577 lines) — registration + authentication options, response verification, credential CRUD. Supports passkeys, security keys, and platform authenticators.
  • SSO (SsoManager, 302 lines) — SAML 2.0, OIDC, LDAP. Configurable per-IdP via SsoConfiguration model. SP metadata endpoint, single sign-on + single logout.
  • Social authentication (SocialAuthManager, 363 lines) — OAuth across 8 shipped providers (Apple, Facebook, GitHub, Google, LinkedIn, Microsoft, plus generic OIDC and OAuth2 abstract bases for custom providers).
  • Biometric authentication (BiometricManager) — pluggable provider model, WebAuthnBiometricProvider ships as the default.
  • Device fingerprinting (DeviceFingerprintService) — generates device fingerprints, tracks known / trusted devices, flags unknown devices.
  • Suspicious activity detection (SuspiciousActivityService) — auth-flow patterns (impossible travel, proxy detection, Tor detection, datacenter IPs, multiple failures, device changes, session hijacking).
  • Livewire components (5) — WebAuthnCredentialsManager, BiometricManager, DeviceManager, SocialAccountsManager, SuspiciousActivityList — all with shipped Blade views in plain HTML + Tailwind.
  • HTTP controllers + routes — bundled controllers and routes file with callback endpoints for social OAuth, SSO (SAML / OIDC), and WebAuthn ceremonies. Configurable prefix + middleware.
  • Eloquent models (7) — DeviceFingerprint, SocialIdentity, SsoConfiguration, SsoIdentity, SuspiciousActivity, UserDevice, WebAuthnCredential.
  • Migrations (7) — full schema for the above.
  • SecurityAdvancedAuth Facade and security_advanced_auth() helper.

Installation

composer require artisanpack-ui/security-advanced-auth
php artisan migrate

The migrations create tables tied to the users table. Run Laravel's default migrations first.

(Optional) Publish the config:

php artisan vendor:publish --tag=security-advanced-auth-config

(Optional) Publish the Livewire views for customization:

php artisan vendor:publish --tag=security-advanced-auth-views

Quick start

Mount the Livewire components

<livewire:webauthn-credentials-manager />
<livewire:biometric-manager />
<livewire:device-manager />
<livewire:social-accounts-manager />
<livewire:suspicious-activity-list />

Wire up a social provider

use ArtisanPackUI\SecurityAdvancedAuth\Authentication\Social\SocialAuthManager;

app( SocialAuthManager::class )->registerProvider( 'google', [
    'client_id'     => env('GOOGLE_CLIENT_ID'),
    'client_secret' => env('GOOGLE_CLIENT_SECRET'),
    'redirect_uri'  => route('security-advanced-auth.social.callback', ['provider' => 'google']),
] );

With the default route prefix (auth), users can hit /auth/social/google/redirect to begin login. The callback at /auth/social/google/callback is wired automatically. The prefix is configurable via artisanpack.security-advanced-auth.routes.prefix; prefer the named routes (security-advanced-auth.social.redirect, .callback) when generating URLs.

Wire up an SSO provider

use ArtisanPackUI\SecurityAdvancedAuth\Models\SsoConfiguration;

SsoConfiguration::create([
    'slug'       => 'corp-saml',
    'name'       => 'Corporate SAML',
    'type'       => 'saml',
    'config'     => [/* IdP-specific config */],
    'is_enabled' => true,
]);

With the default route prefix (auth), the login URL is /auth/sso/corp-saml/login and SAML metadata is at /auth/sso/corp-saml/metadata. Prefer the named routes (security-advanced-auth.sso.login, .metadata) when generating URLs — the prefix is configurable via artisanpack.security-advanced-auth.routes.prefix.

WebAuthn registration

The Livewire WebAuthnCredentialsManager component handles the UI side. The host app's JS performs the actual WebAuthn ceremony via navigator.credentials.create() against options served by POST /auth/webauthn/register/options.
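The client-side half of the ceremony described above, as an added example that is not the package's own code. It assumes the options endpoint returns the standard WebAuthn JSON shape with base64url-encoded binary fields and that the route sits behind Laravel's CSRF middleware; `verifyUrl` and `csrfToken` are hypothetical parameters supplied by the host app.

```javascript
// Added example (not the package's code). ASSUMPTION: the options endpoint returns
// the standard WebAuthn JSON form, with binary fields as base64url strings.
function b64urlToBytes(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  const bin = atob(b64 + '='.repeat((4 - (b64.length % 4)) % 4));
  return Uint8Array.from(bin, (c) => c.charCodeAt(0));
}
function bytesToB64url(buf) {
  const bin = String.fromCharCode(...new Uint8Array(buf));
  return btoa(bin).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Convert the server's JSON into the object navigator.credentials.create() expects.
function decodeCreationOptions(json, hostname) {
  // Browsers reject an rp.id that is not the host or a parent domain; fail early and clearly.
  if (json.rp.id && hostname !== json.rp.id && !hostname.endsWith('.' + json.rp.id)) {
    throw new Error(`rp.id ${json.rp.id} does not match host ${hostname}`);
  }
  const toId = (c) => ({ ...c, id: b64urlToBytes(c.id) });
  return {
    ...json,
    challenge: b64urlToBytes(json.challenge),
    user: toId(json.user),
    excludeCredentials: (json.excludeCredentials || []).map(toId),
  };
}

// Serialize the authenticator's answer so the server can verify it.
function encodeAttestation(cred) {
  const { clientDataJSON, attestationObject } = cred.response;
  return {
    id: cred.id, rawId: bytesToB64url(cred.rawId), type: cred.type,
    response: { clientDataJSON: bytesToB64url(clientDataJSON),
                attestationObject: bytesToB64url(attestationObject) },
  };
}

// Full ceremony; verifyUrl and csrfToken are hypothetical, supplied by the host app.
async function registerPasskey(optionsUrl, verifyUrl, csrfToken) {
  const post = async (url, body) => {
    const r = await fetch(url, { method: 'POST', credentials: 'same-origin', body: JSON.stringify(body),
      headers: { 'Content-Type': 'application/json', 'X-CSRF-TOKEN': csrfToken } });
    if (!r.ok) throw new Error(`${url}: HTTP ${r.status}`);
    return r.json();
  };
  const publicKey = decodeCreationOptions(await post(optionsUrl, {}), location.hostname);
  const cred = await navigator.credentials.create({ publicKey });
  return post(verifyUrl, encodeAttestation(cred));
}
```

The challenge is generated and later checked on the server; the client only transports it, so nothing in this code should be treated as a verification step.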

Requirements

  • PHP 8.2+
  • Laravel 10 / 11 / 12
  • livewire/livewire: ^3.6 | ^4.0 (for the 5 Livewire components)
  • A working users table (run Laravel's default migrations first)
  • Per-provider deps (e.g. a SAML toolkit if you use SAML SSO) are left to the consumer to install

Sibling packages

| Package | Scope |
| --- | --- |
| artisanpack-ui/security-full | Meta-package — pulls in the full security suite (all six packages below) in a single require |
| artisanpack-ui/security | Core: input sanitization, escaping, CSP, security headers |
| artisanpack-ui/security-auth | 2FA, password complexity, account lockout, sessions |
| artisanpack-ui/rbac | Roles, permissions, Gate integration |
| artisanpack-ui/secure-uploads | File validation, malware scanning, signed-URL serving |
| artisanpack-ui/security-analytics | Event logging, anomaly detection, SIEM, dashboards |
| artisanpack-ui/compliance | GDPR / CCPA / LGPD compliance tools |

License

MIT — see LICENSE.

Contributing

Please read the contributing guidelines before opening an issue or PR.