This is an authentication module for simpleSAMLphp to alter the login flow of SimpleSAMLPHP-linked applications at Code Enigma.

This is done by integrating with LinOTP2, and injecting a specific flag in the request that allows to skip 2-Factor Authentication when desired.

At the moment, the logic allows to skip 2FA for normal users in the CE's LDAP, while enforcing 2FA for users considered "Group Administrators" or "Superusers".

  $request['sspmod_linotp2_Auth_Process_OTP'] = [
    'skip_check' => TRUE,
  ];

If you installed SimpleSAMLphp using composer, you may simply add this to your root composer.json file:

    "repositories": [
        {
            "url": "git@github.com:codeenigma/ce2fa.git",
            "type": "git"
        }
    ],

Then run composer require codeenigma/simplesamlphp-module-ce2fa dev-master.

Edit the desired SimpleSAMLPHP Entity ID metadata, in saml20-sp-remote.php, and add the following settings array as instructed by SimpleSAML:

    'class' => 'ce2fa:TwoFactorSkipProcessingFilter',
    'proc_filter.enabled' => TRUE,
    'ldap.hostname' => 'ldaps://your-ldap-endpoint',
    'ldap.enable_tls' => TRUE,
    'ldap.debug' => FALSE,
    'ldap.timeout' => 0,
    'ldap.port' => 636,
    'ldap.referrals' => TRUE,
    'ldap.username' => NULL, // dn to perform the search of user groups.
    'ldap.password' => NULL,

'proc_filter.enabled': Set to FALSE if you want to leave the configuration in place but disable the filter temporarily.

'ldap.username': Not really needed for the moment.

'ldap.password': Not really needed for the moment.

Run composer install inside the module repository.

From within the repository root, execute phpunit against the tests folder:

./vendor/bin/phpunit tests/

SimpleSAMLphp before 1.15 used to perform some assert() calls that are deprecated and make phpunit fail. For such reason, ~1.15-dev version of SimpleSAMLphp is required as a dev dependency. Executing tests with older versions could make them fail.