gauss-allianz/shibboleth-guard-bundle

Bundle for Shibboleth SP authentication in symfony using the guard component.

dev-master 2016-10-18 11:57 UTC

This package is auto-updated.

Last update: 2024-11-09 17:24:58 UTC


README

Introduction

Shibboleth is a Single-Sign-On system made for webservices. This bundle provide a Guard authenticator to use this authentication method in Symfony 2.8. Symfony previous Version 2.8 you should see https://github.com/roenschg/ShibbolethBundle.

Installation

This library can be install using composer.

composer require "gauss-allianz/shibboleth-guard-bundle" "dev-master"

How to test locally

Setup a local IdP/SP infrastructure is a very time consuming job. I will describe an easy way to test your functionality on your local system without an software required. But you may consider using the following library: https://packagist.org/packages/mrclay/shibalike

First of all you need to know which information are sent in which way by the Apache2 webserver to the PHP. This might differ by several configurations. You can test which information you get by just putting a script to your webserver like this. (The script must be shibobleth secured area!)

<?php
    print_r(\$\_SERVER);

You can call the script and might need to configure the attribute naming. (see section "configuration"). If the variables use the prefix "HTTP_" then skip the prefix in the configuration and use the option "use_header".

Afterwards you can simulate the enviroment by copy the output from the php script above and putting it into the app/app_dev.php like in the following example.

    $_SERVER['HTTP_mail'] = "name@domain.tld";
    $_SERVER['HTTP_Shib-Application-Id'] = 'TEST';
    $_SERVER['HTTP_sn'] = "Lastname";
    $_SERVER['HTTP_givenName'] = "Firstname";

Configuration

In your config.yml you have to set at least the following parameters:

shibboleth_guard:
    handler_path: /Shibboleth.sso
    session_initiator_path: /Login
    username_attribute: %shibboleth_username_attribute%
    use_headers: true
    logout_target: /
    attribute_definitions:
        mail: { header: mail, server: mail }
        persistent_id: { header: persistent_id, server: persistent_id }

The handler_path is the relative path to the Shibboleth handler url The session_initator_path is used to set the login location The username_attribute Defines the meta attribute that will be used to identify the user (for the user provider) The use_headers optiones specifies in which type the shibboleth daemon set the attributes for the php script The logout_target location for logout With the attribute_definitions you can overwrite several options if they are attribute names are different in your shibboleth configuration than default.