Dynamic configuration

[VincentClair]

Hello,

I succeeded in installing the bundle in our application and make it work with ADFS.

Now, we would like to enhance our features:

• First, we would like to make the bundle optional in our application, so the user could activate the SSO dynamically as needed, customize the configuration and test the results, etc. Actually, the bundle needs the parameters to be set and well set in file. As exemple, if i set the contact support email to null, it doesn't work. But, the real need is to load all parameters from a dynamic file or even better, from the database (i have actually the same need for native symfony ldap component).
• Second, the configuration of the IdP/SP could not be so easy (for neophyte like me - it was a pain to found the could conf between IdP and SP so logout could work on ADFS). It will be interesting to import a IdP metadata, to know what parameters are allowed for IdP...

Maybe there is other idea to make the installation / process / bundle more flexible and fluid. Do you plan some similare improvements ?

By the while, the bundle is really great and it makes already our development easier. Thanks

[hslavich]

Hi Vincent, Thank you for your feedback, I really appreciate it.

• Symfony bundles can't be activated dynamically due to those are loaded at AppKernel creation. Maybe there is a way to enable/disable security firewalls dynamically.
• Dynamic config is an interesting feature that I could develop. I think that I can add something like 'config provider' as a symfony service, where you can define you own logic in order to load those parameters.
• Most of the bundle configuration are related to php-saml config and most of them are optionals, so you shouldn't have problems leaving them blank.
• SAML setup could be hard, I often use some utilities from simpleSAMLphp that can parse the exposed SP metadata (example.app/saml/metadata). I'm not sure if this bundle should provide more help here.

Thanks

[s-a-y]

+1 for dynamic configuration

[01e9]

+1

We have Clients that use our service and they need to configure (optionally) their IdP and a "Login with SAML" will appear on their subdomain. There is no central IdP, the config must be loaded depending on current subdomain.

~If you know a bundle that has this feature, please share.~

[01e9]

LightSaml bundle did the job for me.

[VincentClair]

Thank you for the link, i will give it a try !

[articque]

In my application, the admin can choose to activate or not SSO. When he activates it, i change dynamically yml files in config folder and load Bundle in AppKernel.

I have 3 yml files for sso config.

• sso_security.yml
• sso_config.yml
• sso_routing.yml

These 3 files are empty if sso is not activated and filled by code when sso is activated. These 3 files are always included by this way :

in routing.yml

import:
    resource: sso_routing.yml

in config.yml

imports:
  ...
    - { resource: sso_config.yml }
    - { resource: sso_security.yml }

When sso is activated the contents are :

in sso_routing.yml

hslavich_saml_sp:
    resource: '@HslavichOneloginSamlBundle/Resources/config/routing.yml'

in sso_config.yml

hslavich_onelogin_saml:
    idp:
        entityId: '...'
        singleSignOnService:
            .....
    sp:
        entityId: '...'
        assertionConsumerService:
            ....
    security:
        nameIdEncrypted: false
        ....

in sso_security.yml

security:
    firewalls:
        main:
            saml:
                username_attribute: username
                check_path: /saml/acs
                login_path: /saml/login
                failure_path: /login
                always_use_default_target_path: false
                user_factory: sso_user_factory
                persist_user: true
            logout:
                path: /saml/logout

To load dynamically Bundle in AppKernel.php, il read parameters.yml :

public function registerBundles()
{
  $paramYml = Yaml::parse(file_get_contents($this->getRootDir().'/config/parameters.yml'));
  $bundles = array( .... );
  if($paramYml['parameters']['sso_enabled'])
    $bundles[] = new Hslavich\OneloginSamlBundle\HslavichOneloginSamlBundle();
}

As you can see, i change the parameter "sso_enabled" in parameters.yml when the admin activates or not the sso.