mrmaniak / seat-identity-provider
Turn SeAT into an enterprise identity provider for 3rd party services.
Package info
github.com/MrManiak/seat-identity-provider
Type:seat-plugin
pkg:composer/mrmaniak/seat-identity-provider
Requires
- php: ^8.1
- ext-json: *
- eveseat/api: ^5.0
- eveseat/eveapi: ^5.0
- eveseat/services: ^5.0
- eveseat/web: ^5.0
- league/oauth2-server: ^9.3
- nyholm/psr7: ^1.8
- robrichards/xmlseclibs: ^3.1
- steverhoades/oauth2-openid-connect-server: ^3.0
- symfony/psr-http-message-bridge: ^6.0|^7.0
Requires (Dev)
- phpunit/phpunit: ^10.0|^11.0
This package is auto-updated.
Last update: 2026-03-01 20:13:31 UTC
README
An Identity Provider plugin for SeAT that allows you to use your SeAT installation as an enterprise identity provider for third-party services. Supports both SAML 2.0 and OpenID Connect (OIDC) protocols.
Features
SAML 2.0
- SAML 2.0 SSO - Single Sign-On using SAML 2.0 protocol
- SAML 2.0 SLO - Single Logout support
- Multiple Applications - Configure multiple Service Providers
- Automatic Certificate Generation - RSA 2048-bit X.509 certificates generated per application
- Metadata Import - Fetch and parse SP metadata from URL
- IdP Metadata Export - Download IdP metadata XML for SP configuration
- Signed Assertions - All SAML responses signed with RSA-SHA256
OpenID Connect
- Authorization Code Flow - Standard OIDC authorization code grant
- Refresh Tokens - Long-lived sessions with refresh token support
- Discovery Endpoint - Auto-configuration via /.well-known/openid-configuration
- JWKS Endpoint - Public key distribution for token validation
- UserInfo Endpoint - Standard claims endpoint
- Custom Scopes - EVE Online and SeAT-specific claims
- Key Management - Generate and rotate signing keys via UI
Requirements
- SeAT 5.x
- PHP 8.1+
- OpenSSL extension
Installation
Via Composer
composer require mrmaniak/seat-identity-provider
Manual Installation
- Clone or download this repository to packages/mrmaniak/seat-identity-provider
- Add the following to your composer.json:
{
"repositories": [
{
"type": "path",
"url": "packages/mrmaniak/seat-identity-provider"
}
]
}
- Run:
composer require mrmaniak/seat-identity-provider
- Publish and run migrations:
php artisan migrate
SAML 2.0
SAML Attributes
The following attributes are included in SAML assertions:
| Attribute | Description |
|---|---|
| user_id | SeAT user ID |
| email | Generated email in format seatuser.{user_id}@{seat_domain} |
| name | User's main character name |
| squads | Multi-valued attribute containing all squad names the user belongs to |
| character_id | EVE Online character ID of the user's main character |
| corporation_id | EVE Online corporation ID of the user's main character |
| is_admin | Whether the user is a SeAT administrator |
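To show how a Service Provider consumes the attributes above, here is an added Go example (not the plugin's own code, which is PHP). It parses a constructed, unsigned saml:Assertion into a multi-map so the multi-valued squads attribute keeps every value, and checks Issuer, Audience and the NotBefore/NotOnOrAfter window with a 30-second skew allowance. The IdP entity ID, the SP entity ID and every attribute value in the sample are assumed data, not output from a real SeAT instance. The example deliberately does not verify the XML signature: a real SP must do that first with its SAML library, because until the signature over the assertion has been verified every value below is attacker-controlled.

```go
package main

import (
	"encoding/xml"
	"errors"
	"fmt"
	"time"
)

// assertion models the parts of a saml:Assertion an SP needs once the
// signature has been verified: who issued it, who it is for, when it is
// valid, and the attributes listed in the table above.
type assertion struct {
	XMLName xml.Name `xml:"urn:oasis:names:tc:SAML:2.0:assertion Assertion"`
	Issuer  string   `xml:"Issuer"`
	NameID  struct {
		Format string `xml:"Format,attr"`
		Value  string `xml:",chardata"`
	} `xml:"Subject>NameID"`
	Conditions struct {
		NotBefore    string `xml:"NotBefore,attr"`
		NotOnOrAfter string `xml:"NotOnOrAfter,attr"`
		Audience     string `xml:"AudienceRestriction>Audience"`
	} `xml:"Conditions"`
	Attributes []struct {
		Name   string   `xml:"Name,attr"`
		Values []string `xml:"AttributeValue"`
	} `xml:"AttributeStatement>Attribute"`
}

func parseAssertion(doc []byte) (*assertion, error) {
	var a assertion
	if err := xml.Unmarshal(doc, &a); err != nil {
		return nil, err
	}
	return &a, nil
}

// attributes flattens the AttributeStatement into a multi-map, so the
// multi-valued squads attribute keeps all of its values.
func (a *assertion) attributes() map[string][]string {
	out := make(map[string][]string, len(a.Attributes))
	for _, at := range a.Attributes {
		out[at.Name] = append(out[at.Name], at.Values...)
	}
	return out
}

// validate enforces the checks an SP must make even on a correctly signed
// assertion: it came from the expected IdP, it is addressed to this SP, and
// the validity window contains now (assumed 30 s clock skew allowance).
func (a *assertion) validate(idpEntityID, spEntityID string, now time.Time) error {
	const skew = 30 * time.Second
	if a.Issuer != idpEntityID {
		return fmt.Errorf("unexpected issuer %q", a.Issuer)
	}
	if a.Conditions.Audience != spEntityID {
		return fmt.Errorf("assertion is for audience %q, not us", a.Conditions.Audience)
	}
	nb, err := time.Parse(time.RFC3339, a.Conditions.NotBefore)
	if err != nil {
		return err
	}
	na, err := time.Parse(time.RFC3339, a.Conditions.NotOnOrAfter)
	if err != nil {
		return err
	}
	if now.Add(skew).Before(nb) || !now.Add(-skew).Before(na) {
		return errors.New("assertion outside its validity window")
	}
	return nil
}

// sampleAssertion is a constructed, unsigned assertion shaped like the
// attribute table describes; it was not captured from a real SeAT instance.
const sampleAssertion = `<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c0ffee" Version="2.0" IssueInstant="2026-03-01T20:00:00Z">
  <saml:Issuer>https://seat.example.com/saml/idp</saml:Issuer>
  <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">42</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2026-03-01T20:00:00Z" NotOnOrAfter="2026-03-01T20:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://wiki.example.com/saml/sp</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="user_id"><saml:AttributeValue>42</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="email"><saml:AttributeValue>seatuser.42@seat.example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="name"><saml:AttributeValue>Example Pilot</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="squads"><saml:AttributeValue>Fleet Commanders</saml:AttributeValue><saml:AttributeValue>Recruiters</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="is_admin"><saml:AttributeValue>false</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>`

func main() {
	a, err := parseAssertion([]byte(sampleAssertion))
	if err != nil {
		panic(err)
	}
	now := time.Date(2026, 3, 1, 20, 2, 0, 0, time.UTC)
	fmt.Println("valid:", a.validate("https://seat.example.com/saml/idp", "https://wiki.example.com/saml/sp", now))
	fmt.Println("squads:", a.attributes()["squads"])
}
```

The Audience check matters even with a valid signature: an assertion the IdP issued for a different SP is correctly signed but must not log anyone into this one.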
Creating a SAML Application
- Navigate to Identity Provider > SAML Applications in SeAT
- Click Create Application
- Fill in the application details:
- Application Name: A friendly name for the application
- Entity ID: The SP's unique identifier (from SP metadata)
- ACS URL: Assertion Consumer Service URL (from SP metadata)
- SLO URL: Single Logout URL (optional)
- Name ID Format: Choose the appropriate format for the SP
- SP Certificate: The SP's X.509 certificate for signature verification (optional)
Alternatively, enter the SP's Metadata URL and click Fetch to auto-populate fields.
Configuring the Service Provider
- From the application edit page, click Download IdP Metadata
- Import the metadata XML into your Service Provider
- Or manually configure using:
- IdP Entity ID: https://your-seat-url/saml/idp
- SSO URL: https://your-seat-url/saml/{application_id}/sso
- SLO URL: https://your-seat-url/saml/{application_id}/slo
- Certificate: Download from IdP metadata
SAML Endpoints
| Endpoint | Method | Description |
|---|---|---|
| /saml/{application}/sso | GET, POST | Single Sign-On endpoint |
| /saml/{application}/slo | GET, POST | Single Logout endpoint |
| /seat-identity-provider/saml/applications/{application}/metadata | GET | IdP metadata download |
OpenID Connect
OIDC Scopes and Claims
Standard Scopes
| Scope | Claims |
|---|---|
| openid | sub (required) |
| profile | name, preferred_username, updated_at |
| email | email, email_verified |
Custom SeAT/EVE Scopes
| Scope | Claims | Description |
|---|---|---|
| seat:user | is_admin | SeAT administrator status |
| seat:character | character_id, character_name | EVE main character info |
| seat:corporation | corporation_id, alliance_id | EVE corporation/alliance info |
| seat:squads | squads | Array of SeAT squad names |
Creating an OIDC Application
- Navigate to Identity Provider > OIDC Applications in SeAT
- Click Create Application
- Fill in the application details:
- Application Name: A friendly name for the application
- Description: Optional description
- Redirect URIs: One or more authorized callback URLs (one per line)
- Allowed Scopes: Select which scopes this application can request
- Save the application and copy the Client Secret - it will only be shown once
Configuring the OIDC Client
Use the discovery endpoint for auto-configuration:
https://your-seat-url/.well-known/openid-configuration
Or manually configure using:
| Setting | Value |
|---|---|
| Issuer | https://your-seat-url |
| Authorization Endpoint | https://your-seat-url/oauth2/authorize |
| Token Endpoint | https://your-seat-url/oauth2/token |
| UserInfo Endpoint | https://your-seat-url/oidc/userinfo |
| JWKS URI | https://your-seat-url/oidc/jwks |
OIDC Endpoints
| Endpoint | Method | Description |
|---|---|---|
| /.well-known/openid-configuration | GET | Discovery document |
| /oauth2/authorize | GET | Authorization endpoint |
| /oauth2/token | POST | Token endpoint |
| /oidc/userinfo | GET | UserInfo endpoint (requires Bearer token) |
| /oidc/jwks | GET | JSON Web Key Set |
Key Management
OIDC tokens are signed with RSA keys using RS256 (RSA-SHA256). To manage signing keys:
- Navigate to Identity Provider > OIDC Keys
- View all keypairs with their status (active/inactive)
- Generate New Key - Creates an inactive keypair
- Activate - Make a keypair the active signing key
- Delete - Remove inactive keypairs
Note: Activating a new key invalidates tokens signed with the previous key. Clients should re-fetch the JWKS periodically, and whenever a token carries a kid they do not know, so that key rotation does not break token validation.
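An added Go example (not part of the plugin, which is PHP) of the relying-party side of the two sections above: it mints an RS256 ID token the way the IdP would, verifies it against a key set selected by kid with the algorithm pinned, checks iss, aud, exp and nonce, and on an unknown kid re-fetches the JWKS once and retries, which is the client behaviour the rotation note asks for. Issuer, client ID, nonce, kids and key set contents are assumed values; decoding the JWKS document's n and e fields into rsa.PublicKey values is left to a JOSE library and represented here by the keySet map.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

var (
	b64           = base64.RawURLEncoding
	errUnknownKid = errors.New("no JWKS key matches the token kid")
)

// keySet maps kid -> public key: the /oidc/jwks document after its RSA entries
// (n, e) have been decoded into rsa.PublicKey values.
type keySet map[string]*rsa.PublicKey

// genKey makes a 2048-bit RSA keypair, standing in for one IdP signing key.
func genKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// signIDToken stands in for the IdP: base64url(header).base64url(payload).RS256 signature.
func signIDToken(kid string, priv *rsa.PrivateKey, claims map[string]any) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": kid})
	body, _ := json.Marshal(claims)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return input + "." + b64.EncodeToString(sig), err
}

// decodeSegment base64url-decodes one JWT segment and parses it as JSON into v.
func decodeSegment(seg string, v any) error {
	raw, err := b64.DecodeString(seg)
	if err == nil {
		err = json.Unmarshal(raw, v)
	}
	return err
}

// verifyIDToken is the relying-party side: pinned algorithm, key selected by kid,
// RS256 signature over header.payload, then the iss/aud/exp/nonce claim checks.
func verifyIDToken(token string, keys keySet, issuer, clientID, nonce string, now time.Time) (map[string]any, error) {
	parts := strings.Split(token, ".")
	var hdr struct{ Alg, Kid string }
	var claims map[string]any // decoded now, trusted only after the signature check
	if len(parts) != 3 || decodeSegment(parts[0], &hdr) != nil || decodeSegment(parts[1], &claims) != nil {
		return nil, errors.New("malformed token")
	}
	// Never let the token choose the algorithm: "none" and HS256-with-the-public-key are the classic confusions.
	if hdr.Alg != "RS256" {
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	pub, ok := keys[hdr.Kid]
	if !ok {
		return nil, errUnknownKid // the signal to re-fetch the JWKS once and retry
	}
	sig, err := b64.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("signature verification failed")
	}
	exp, _ := claims["exp"].(float64) // zero when absent, which fails the expiry check
	switch {
	case claims["iss"] != issuer:
		return nil, errors.New("issuer mismatch")
	case claims["aud"] != clientID: // single-audience token; an aud list containing clientID is also valid OIDC
		return nil, errors.New("audience mismatch")
	case !now.Before(time.Unix(int64(exp), 0)):
		return nil, errors.New("token expired")
	case claims["nonce"] != nonce:
		return nil, errors.New("nonce mismatch")
	}
	return claims, nil
}

// verifyWithRefresh is what the Key Management note asks of clients: on an unknown
// kid, fetch the JWKS again once and retry instead of failing the login outright.
func verifyWithRefresh(token string, cached keySet, fetch func() keySet, issuer, clientID, nonce string, now time.Time) (map[string]any, keySet, error) {
	claims, err := verifyIDToken(token, cached, issuer, clientID, nonce, now)
	if errors.Is(err, errUnknownKid) {
		cached = fetch()
		claims, err = verifyIDToken(token, cached, issuer, clientID, nonce, now)
	}
	return claims, cached, err
}

func main() {
	// Rotation walk-through (assumed issuer, client ID and nonce): the IdP now signs
	// with key-2 while the client's cached JWKS still only lists key-1.
	const iss, cid, nonce = "https://seat.example.com", "wiki-client", "8f3a1c"
	k1, k2, now := genKey(), genKey(), time.Now()
	tok, _ := signIDToken("key-2", k2, map[string]any{"iss": iss, "aud": cid, "sub": "42", "nonce": nonce,
		"iat": now.Unix(), "exp": now.Add(5 * time.Minute).Unix()})
	_, _, err := verifyWithRefresh(tok, keySet{"key-1": &k1.PublicKey},
		func() keySet { return keySet{"key-2": &k2.PublicKey} }, iss, cid, nonce, now)
	fmt.Println("verified after JWKS refresh:", err == nil)
}
```

The retry is limited to one re-fetch per token on purpose: an attacker who can present tokens with arbitrary kids must not be able to make the client hammer the JWKS endpoint, and a second miss after a fresh fetch is a genuine failure.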
Permissions
| Permission | Description |
|---|---|
| seat-identity-provider.view | View applications and keys |
| seat-identity-provider.security | Create, edit, delete applications and manage keys |
Security Considerations
SAML
- All SAML assertions are signed using RSA-SHA256
- Each SAML application has its own unique X.509 certificate
- SP metadata fetch includes SSRF mitigations:
- HTTPS-only URLs
- Private IP range blocking
- 3-second timeout
- Optional signature verification for incoming AuthnRequests
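An added Go example (not the plugin's PHP implementation) of the three SSRF mitigations listed above, plus the connect-time check a practitioner would want: the URL is rejected unless it is https with a plain host and no embedded credentials, every resolved address is checked against loopback, private, link-local and other non-routable ranges at dial time (so a DNS answer that changes after validation, or a redirect to an internal host, is still caught), and the whole fetch runs under a 3-second deadline. The page does not say whether the plugin performs its check at resolve time or at connect time; checking at connect time is the robust choice. All hostnames and URLs used below are made up.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"io"
	"net"
	"net/http"
	"net/url"
	"time"
)

var errBlockedAddress = errors.New("metadata URL resolves to a blocked address")

// checkIP rejects every address an IdP must never fetch SP metadata from: loopback,
// RFC 1918 / fc00::/7, link-local (which covers 169.254.169.254 cloud metadata
// services), multicast, unspecified, and a few ranges net.IP does not classify.
func checkIP(ip net.IP) error {
	if ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsMulticast() || ip.IsUnspecified() {
		return errBlockedAddress
	}
	for _, cidr := range []string{"0.0.0.0/8", "100.64.0.0/10", "192.0.0.0/24", "240.0.0.0/4"} {
		if _, block, _ := net.ParseCIDR(cidr); block.Contains(ip) {
			return errBlockedAddress
		}
	}
	return nil
}

// parseMetadataURL enforces the https-only rule (and rejects embedded credentials
// and blocked literal IPs) before any network activity happens.
func parseMetadataURL(raw string) (*url.URL, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	if u.Scheme != "https" || u.Hostname() == "" || u.User != nil {
		return nil, fmt.Errorf("metadata URL must be https://host/... without credentials, got %q", raw)
	}
	if ip := net.ParseIP(u.Hostname()); ip != nil {
		if err := checkIP(ip); err != nil {
			return nil, err
		}
	}
	return u, nil
}

// safeDialContext resolves the host itself, checks every answer, and then dials the
// checked IP rather than the name, so a DNS answer that changes between validation
// and connection (rebinding) cannot reach a blocked address.
func safeDialContext(ctx context.Context, network, addr string) (net.Conn, error) {
	host, port, err := net.SplitHostPort(addr)
	if err != nil {
		return nil, err
	}
	ips, err := net.DefaultResolver.LookupIPAddr(ctx, host)
	if err != nil || len(ips) == 0 {
		return nil, fmt.Errorf("resolving %s: %v", host, err)
	}
	for _, ia := range ips {
		if err := checkIP(ia.IP); err != nil {
			return nil, fmt.Errorf("%s -> %s: %w", host, ia.IP, err)
		}
	}
	d := net.Dialer{Timeout: 3 * time.Second}
	return d.DialContext(ctx, network, net.JoinHostPort(ips[0].IP.String(), port))
}

// fetchSPMetadata applies the three documented mitigations together: https-only,
// private-range blocking at connect time (so redirects to internal hosts are caught
// too) and a 3-second deadline on the whole fetch, which also bounds redirect loops.
func fetchSPMetadata(raw string) ([]byte, error) {
	u, err := parseMetadataURL(raw)
	if err != nil {
		return nil, err
	}
	client := &http.Client{
		Timeout:   3 * time.Second,
		Transport: &http.Transport{DialContext: safeDialContext, DisableKeepAlives: true},
		CheckRedirect: func(req *http.Request, via []*http.Request) error {
			_, err := parseMetadataURL(req.URL.String()) // redirect targets get the same scrutiny
			return err
		},
	}
	resp, err := client.Get(u.String())
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("metadata fetch returned HTTP %d", resp.StatusCode)
	}
	return io.ReadAll(io.LimitReader(resp.Body, 1<<20)) // SP metadata is small; cap the body
}

func main() {
	for _, raw := range []string{"http://sp.example.com/saml/metadata", "https://169.254.169.254/latest/meta-data/",
		"https://sp.example.com/saml/metadata"} { // only the last one reaches the network
		_, err := fetchSPMetadata(raw)
		fmt.Printf("%s -> %v\n", raw, err)
	}
}
```

Dialing the already-checked IP instead of the hostname is what closes the rebinding gap; the TLS layer still validates the certificate against the hostname from the URL, so this does not weaken certificate checking.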
OIDC
- All ID tokens signed with RS256 (RSA-SHA256)
- Access tokens validated on each request
- Tokens are revoked when user is deleted or deactivated
- Client secrets are hashed (bcrypt) in the database
- Supports client_secret_basic and client_secret_post client authentication
License
This project is licensed under the GPL-3.0-or-later license.