SimpleSAMLphp auth module implementing various security measures before calls to IdP ID Broker backend
This package is auto-updated.
Last update: 2023-01-28 14:31:17 UTC
SimpleSAMLphp auth module implementing custom business logic
To create another database migration file, run the following (replacing
YourMigrationName with whatever you want the migration to be named, using
make migration NAME=YourMigrationName
SilAuth will rate limit failed logins by username and by every untrusted IP address from a login attempt.
If there have been more than 10 failed logins for a given username (or IP address) within the past hour, a captcha will be included in the webpage. The user may or may not have to directly interact with the captcha, though.
If there have been more than 50 failed logins for that username (or IP address) within the past hour, logins for that username (or IP address) will be blocked for up to an hour.
For each login attempt, if it has too many failed logins within the last hour (aka. recent failed logins) for the given username OR for any single untrusted IP address associated with the current request, it will do one of the following:
- If there are fewer than
Authenticator::REQUIRE_CAPTCHA_AFTER_NTH_FAILED_LOGINrecent failures: process the request normally.
- If there are at least that many, but fewer than
Authenticator::BLOCK_AFTER_NTH_FAILED_LOGIN: require the user to pass a captcha.
- If there are more than that: block that login attempt for
(recent failures above the limit)^2seconds after the most recent failed login, with a minimum of 3 (so blocking for 9 seconds).
- Note: the blocking time is capped at an hour, so if no more failures occur, then the user will be unblocked in no more than an hour.
features/login.feature for descriptions of how various situations are
handled. That file not only contains human-readable scenarios, but those are
also actual tests that are run to ensure those descriptions are correct.
BLOCK_AFTER_NTH_FAILED_LOGINis 50, and
REQUIRE_CAPTCHA_AFTER_NTH_FAILED_LOGINis 10, and
- if there have been 4 failed login attempts for
- there have been 10 failed login attempts from
- there have been 3 failed login attempts from
- someone tries to login as
192.168.1.2and their request goes through a proxy at
- they will have to pass a captcha, but they will not yet be blocked.
- However, if all of the above is true, but
- there have now been 55 failed login attempts from
- any request involving that IP address will be blocked for 25 seconds after the most recent of those failed logins.
Since this application enforces rate limits based on the number of recent
failed login attempts by both username and IP address, and since it looks at
both the REMOTE_ADDR and the X-Forwarded-For header for IP addresses, you will
want to list any IP addresses that should NOT be rate limited (such as your
load balancer) in the TRUSTED_IP_ADDRESSES environment variable (see
To check the status of the website, you can access this URL:
https://(your domain name)/module.php/silauth/status.php
To debug the project in your IDE (such as NetBeans), do the following:
- Edit your
local.envfile, insert your IP address as the value for
make start enabledebug.
- Set your IDE to use debugger port 9000 and a Session ID of netbeans-xdebug.
- Click the "Debug Project" button in your IDE.
- Add an entry to your
- Go to http://silauth.local/module.php/core/authenticate.php?as=silauth in your browser.
Xdebug can be enabled by doing the following:
local.env. This should be the IP address of your development machine, i.e. the one that is running your IDE. If you're using Linux as your Docker host, you can use 172.17.0.1 here.
- Map run-debug.sh into the container you wish to debug. For example:
volumes: - ./development/run-debug.sh:/data/run.sh
- Enable debugging in your IDE. See the next section for PhpStorm setup.
In PhpStorm go to: Preferences > PHP > Debug > DBGp Proxy and set the following settings:
- Host: (your IP address or hostname)
- Port: 9000
Set path mappings in: Preferences > PHP > Servers
- Add a server and map the project folder to '/data/vendor/simplesamlphp/simplesamlphp/modules/silauth'
- Map other directories as needed. PhpStorm should prompt when an unrecognized path is encountered.
Then start listening by clicking the "listen" button on the PhpStorm toolbar.