Giters

Torbikini / phpbb-saml2

SSO SAML2 Authentication Module for phpBB

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

phpbb-saml2 (SSO)

A custom authentication module for phpBB v3.2 that supports Single sign-on (SSO):

  • Federated user authentication with SAML2
  • Automatic user profile creation on phpBB
  • Automatic management of user group-memberships on phpBB

The authentication module wraps SimpleSamlPhP in a phpBB authentication module and integrates with the phpBB user and group management system, so that a profile is automatically created for new users, and new users are made members of relevant groups in phpBB based on attributes in their SAML2 token.

The module is quite rudimentary, as it was developed in a very short timeframe for a one-off project with somewhat specific requirements. It has, however, been used on a medium traffic production phpBB site for the past year and a half without any issues to date.

Limitations

This module is merely the plumbing between SimpleSamlPhP and phpBB. It does not deal the configuration of SimpleSamlPhP, and it requires some knowledge of phpBB to install and enable the authentication module.

SimpleSamlPhP is a very mature framework that is successfully used in large production environments with thousands of simultaneous users, and multiple logins (issued tokens) per second. It does require some knowledge about things like certificates, SSL, and SAML2 federation to configure it, but their website provides a great starting point for howtos.

I highly recommend that a basic SimpleSamlPhP is successfully tested with the identity provider before the module is enabled in phpBB. Different identity providers have different default settings, and it can take some tweaking of configurations for SimpleSamlPhP to make it work.

I have successfully tested with module with several different identity providers including SimpleSamlPhP itself, Safewhere*Identify, and Microsoft AD FS2.0.

Installation

You have to put the SimpleSamlPhP in your phpBB directory. And this module in the phpBB directory. Like so:

phpbb3
    ext
        noud
            saml2
                auth
                    provider
                config
                    services.yml
    simplesaml
        attributemap
        bin
        cert
        config
        etc..

After configuring SimpleSamlPhP, enable the extension and choise authentication method SAML2. And after this delete your phpBB cache.

If you for instance use Apache with a vhost setup, do not forget to add the SimpleSamlPhP SetEnv and Alias, like so:

<VirtualHost *:80>
  ServerName phpbb3.localhost
  DocumentRoot /var/www/phpbb3
  Options Indexes FollowSymLinks

  SetEnv SIMPLESAMLPHP_CONFIG_DIR /var/www/phpbb3/simplesaml/config

  Alias /simplesaml /var/www/phpbb3/simplesaml/www

  <Directory "/var/www/phpbb3/">
    AllowOverride All
    <IfVersion < 2.4>
      Allow from all
    </IfVersion>
    <IfVersion >= 2.4>
      Require all granted
    </IfVersion>
  </Directory>

</VirtualHost>

The SimpleSamlPhP IDP authsources.php can for instance be configured like below for testing:

    'example-userpass' => array(
        'exampleauth:UserPass',
        'student:studentpass' => array(
            'uid' => array('student'),
            'eduPersonAffiliation' => array('registeredusers'),
        ),
        'admin:admin' => array(
            'uid' => array('admin'),
            'eduPersonAffiliation' => array('administrators'),
        ),
    ),
Source

This extension can be fetched from https://github.com/noud/phpbb-saml2.

About

SSO SAML2 Authentication Module for phpBB

License:GNU General Public License v2.0

Languages

Language:PHP 100.0%