korotovsky / sso-sp-bundle
Single-sign-on bundle for Symfony2. Service Provider part.
Installs: 15 931
Dependents: 0
Suggesters: 0
Security: 0
Stars: 33
Watchers: 6
Forks: 18
Open Issues: 11
Type:symfony-bundle
Requires
- php: >=5.5
- ext-openssl: *
- doctrine/orm: ~2.3
- korotovsky/sso-library: ~0.3.0
- symfony/symfony: ~2.8|~3.0
Requires (Dev)
- phpunit/phpunit: >=4.4
- symfony/phpunit-bridge: >=2.2
README
Disclaimer
I am by no means a security expert. I'm not bad at it either, but I cannot vouch for the security of this bundle. You can use this in production if you want, but please do so at your own risk. That said, if you'd like to contribute to make this bundle better/safer, you can always create an issue or send a pull request.
Description
This bundle provides an easy way to integrate a single-sign-on in your website. It uses an existing ('main') firewall for the actual authentication, and redirects all configured SSO-routes to authenticate via a one-time-password.
Installation
Installation is a quick 5 steps process:
- Download SingleSignOnServiceProviderBundle using composer
- Enable the bundle
- Configure SingleSignOnServiceProviderBundle
- Enable the route to validate OTP
- Modify security settings
Step 1: Download SingleSignOnServiceProviderBundle using composer
Tell composer to require the package:
composer require korotovsky/sso-sp-bundle
Composer will install the bundle to your project's vendor/korotovsky
directory.
Step 2: Enable the bundle
<?php // app/AppKernel.php public function registerBundles() { $bundles = [ // ... new Krtv\Bundle\SingleSignOnServiceProviderBundle\KrtvSingleSignOnServiceProviderBundle(), ]; } ?>
Step 3: Configure SingleSignOnServiceProviderBundle
Add the following settings to your config.yml.
# app/config/config.yml krtv_single_sign_on_service_provider: host: idp.example.com host_scheme: http login_path: /sso/login/ # Configuration for OTP managers otp_manager: name: http managers: http: provider: guzzle # Active provider for HTTP OTP manager providers: # Available HTTP providers service: # the service must implement Krtv\SingleSignOn\Manager\Http\Provider\ProviderInterface id: krtv_single_sign_on_service_provider.security.authentication.otp_manager.http.provider.guzzle guzzle: # in case you don't have a guzzle client, you must create one client: acme_bundle.guzzle_service # the route that was created in the IdP bundle resource: http://idp.example.com/internal/v1/sso otp_parameter: _otp secret_parameter: secret
Step 4: Enable route to validate OTP
# app/config/routing.yml otp: # this needs to be the same as the check_path, specified later on in security.yml path: /otp/validate/
Step 5: Modify security settings
# app/config/security.yml security: firewalls: main: pattern: ^/ sso: require_previous_session: false provider: main check_path: /otp/validate/ # Same as in app/config/routing.yml sso_scheme: http # Required sso_host: idp.example.com # Required sso_otp_scheme: http # Optional sso_otp_host: consumer1.com # Optional sso_failure_path: /login # Can also be as an absolute path to service provider sso_path: /sso/login/ # SSO endpoint on IdP. sso_service_extra: null # Default service extra parameters. Optional. sso_service_extra_parameter: service_extra # Parameter name. Optional sso_login_required: 1 # Optional sso_login_required_parameter: login_required # Optional sso_service: consumer1 # Consumer name logout: invalidate_session: true path: /logout target: http://idp.example.com/sso/logout?service=consumer1
Public API of this bundle
This bundle registers several services into service container. This services will help you customize SSO flow in the you application:
- sso_service_provider.otp_manager – Manager for working with OTP-tokens. Checking and receiving.
- sso_service_provider.uri_signer -Service for signing URLs, if you need to redirect users to /sso/login yourself.