Single Sign On Service Provider
Disclaimer
I am by no means a security expert. I'm not bad at it either, but I cannot vouch for the security of this bundle. You can use this in production if you want, but please do so at your own risk. That said, if you'd like to contribute to make this bundle better/safer, you can always create an issue or send a pull request.
Description
This bundle provides an easy way to integrate single sign-on into your website. It uses an existing ('main') firewall for the actual authentication, and redirects all configured SSO routes to authenticate via a one-time password issued by the identity provider (IdP).
Installation
Installation is a quick 5-step process:
- Download SingleSignOnServiceProviderBundle using composer
- Enable the bundle
- Configure SingleSignOnServiceProviderBundle
- Enable the route to validate OTP
- Modify security settings
Step 1: Download SingleSignOnServiceProviderBundle using composer
Tell composer to require the package:
composer require korotovsky/sso-sp-bundle
Composer will install the bundle to your project's vendor/korotovsky directory.
Step 2: Enable the bundle
<?php
// app/AppKernel.php
public function registerBundles()
{
    $bundles = [
        // ... your other bundles
        new Krtv\Bundle\SingleSignOnServiceProviderBundle\KrtvSingleSignOnServiceProviderBundle(),
    ];

    // The kernel expects the list of bundles to be returned
    return $bundles;
}
Step 3: Configure SingleSignOnServiceProviderBundle
Add the following settings to your config.yml.
# app/config/config.yml
krtv_single_sign_on_service_provider:
    host: idp.example.com
    host_scheme: http
    login_path: /sso/login/

    # Configuration for OTP managers
    otp_manager:
        name: http
        managers:
            http:
                provider: guzzle # Active provider for HTTP OTP manager
                providers: # Available HTTP providers
                    service:
                        # the service must implement Krtv\SingleSignOn\Manager\Http\Provider\ProviderInterface
                        id: krtv_single_sign_on_service_provider.security.authentication.otp_manager.http.provider.guzzle
                    guzzle:
                        # in case you don't have a guzzle client, you must create one
                        client: acme_bundle.guzzle_service
                        # the route that was created in the IdP bundle
                        resource: http://idp.example.com/internal/v1/sso
                otp_parameter: _otp
                secret_parameter: secret
Step 4: Enable route to validate OTP
# app/config/routing.yml
otp:
    # this needs to be the same as the check_path, specified later on in security.yml
    path: /otp/validate/
Step 5: Modify security settings
# app/config/security.yml
security:
    firewalls:
        main:
            pattern: ^/
            sso:
                require_previous_session: false
                provider: main
                check_path: /otp/validate/ # Same as in app/config/routing.yml
                sso_scheme: http # Required
                sso_host: idp.example.com # Required
                sso_otp_scheme: http # Optional
                sso_otp_host: consumer1.com # Optional
                sso_failure_path: /login # Can also be an absolute path on the service provider
                sso_path: /sso/login/ # SSO endpoint on the IdP
                sso_service_extra: null # Default service extra parameters. Optional.
                sso_service_extra_parameter: service_extra # Parameter name. Optional
                sso_login_required: 1 # Optional
                sso_login_required_parameter: login_required # Optional
                sso_service: consumer1 # Consumer name
            logout:
                invalidate_session: true
                path: /logout
                target: http://idp.example.com/sso/logout?service=consumer1
Public API of this bundle
This bundle registers several services in the service container. These services help you customize the SSO flow in your application:
- sso_service_provider.otp_manager – Manager for working with OTP tokens: checking and receiving them.
- sso_service_provider.uri_signer – Service for signing URLs, if you need to redirect users to /sso/login yourself.
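The controller below is an added example and not code from the bundle. It shows how to send a user to the IdP login endpoint yourself, using the sso_service_provider.uri_signer service and the sso_path, sso_service and sso_login_required_parameter values from the security.yml above. It assumes that the signer exposes Symfony's UriSigner sign() method and that the IdP accepts a target_path query parameter for the post-login return path; both are assumptions to check against the bundle's service definition and the IdP's route, as is the hypothetical Acme namespace.

```php
<?php
// src/Acme/Bundle/Controller/SsoController.php
// Added example, not part of the bundle. Assumes sso_service_provider.uri_signer
// exposes sign() like Symfony's UriSigner and that the IdP reads target_path.

namespace Acme\Bundle\Controller;

use Symfony\Bundle\FrameworkBundle\Controller\Controller;
use Symfony\Component\HttpFoundation\RedirectResponse;
use Symfony\Component\HttpFoundation\Request;

class SsoController extends Controller
{
    /**
     * Redirects the user to the IdP login endpoint, e.g. from a "Log in"
     * button on a page that is not protected by the firewall itself.
     */
    public function loginAction(Request $request)
    {
        // Mirrors sso_scheme, sso_host, sso_path and sso_service from security.yml.
        // Hard-coded here for the example; read them from parameters in real code.
        $idpLoginUrl = 'http://idp.example.com/sso/login/';
        $service     = 'consumer1';

        // Only allow returning to a local, absolute path on this service provider.
        // Accepting an arbitrary URL here would turn the login link into an open
        // redirect, so anything that is not "/something" (and not "//host") falls
        // back to the site root.
        $target = $request->query->get('target_path', '/');
        if (!is_string($target) || !preg_match('#^/(?![/\\\\])#', $target)) {
            $target = '/';
        }

        // Parameter names: "service" and "login_required" come from security.yml
        // (sso_service / sso_login_required_parameter); "target_path" is assumed.
        $query = http_build_query([
            'service'        => $service,
            'target_path'    => $target,
            'login_required' => 1,
        ]);

        // Sign the full URL so the receiving side can detect a modified query
        // string (service, target_path) when it checks the signature with the
        // shared secret.
        $signer = $this->get('sso_service_provider.uri_signer');
        $signedUrl = $signer->sign($idpLoginUrl . '?' . $query);

        return new RedirectResponse($signedUrl);
    }
}
```

Signing only helps if the IdP side verifies the signature with the same secret before trusting the query parameters; the path check on target_path is a separate, local safeguard that does not depend on the signer at all.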