korotovsky / SingleSignOnServiceProviderBundle

Single Sign On bundle for Symfony2 projects. SP part.
MIT License

Single Sign On Service Provider


Disclaimer

I am by no means a security expert. I'm not bad at it either, but I cannot vouch for the security of this bundle. You can use this in production if you want, but please do so at your own risk. That said, if you'd like to contribute to make this bundle better/safer, you can always create an issue or send a pull request.

Description

This bundle provides an easy way to integrate single sign-on into your website. It uses an existing ('main') firewall for the actual authentication, and redirects all configured SSO routes to authenticate via a one-time password (OTP) issued by the identity provider (IdP).

Installation

Installation is a quick five-step process:

  1. Download SingleSignOnServiceProviderBundle using composer
  2. Enable the bundle
  3. Configure SingleSignOnServiceProviderBundle
  4. Enable the route to validate OTP
  5. Modify security settings

Step 1: Download SingleSignOnServiceProviderBundle using composer

Tell composer to require the package:

composer require korotovsky/sso-sp-bundle

Composer will install the bundle to your project's vendor/korotovsky directory.

Step 2: Enable the bundle

<?php
// app/AppKernel.php

public function registerBundles()
{
    $bundles = [
        // ...
        new Krtv\Bundle\SingleSignOnServiceProviderBundle\KrtvSingleSignOnServiceProviderBundle(),
    ];

    // the kernel expects the list of bundles to be returned
    return $bundles;
}

Step 3: Configure SingleSignOnServiceProviderBundle

Add the following settings to your config.yml.

# app/config/config.yml
krtv_single_sign_on_service_provider:
    host:                 idp.example.com
    host_scheme:          http    # use https in production so the OTP and secret are not sent in clear text

    login_path:           /sso/login/

    # Configuration for OTP managers
    otp_manager:
        name: http
        managers:
            http:
                provider: guzzle     # Active provider for HTTP OTP manager
                providers:           # Available HTTP providers
                    service:
                        # the service must implement Krtv\SingleSignOn\Manager\Http\Provider\ProviderInterface
                        id: krtv_single_sign_on_service_provider.security.authentication.otp_manager.http.provider.guzzle

                    guzzle:
                        # in case you don't have a guzzle client, you must create one
                        client:   acme_bundle.guzzle_service
                        # the route that was created in the IdP bundle
                        resource: http://idp.example.com/internal/v1/sso

    otp_parameter:        _otp
    secret_parameter:     secret

Step 4: Enable the route to validate OTP

# app/config/routing.yml
otp:
    # this needs to be the same as the check_path, specified later on in security.yml
    path: /otp/validate/

Step 5: Modify security settings

# app/config/security.yml
security:
    firewalls:
        main:
            pattern: ^/
            sso:
                require_previous_session: false
                provider:                 main
                check_path:               /otp/validate/     # Same as in app/config/routing.yml

                sso_scheme:               http               # Required
                sso_host:                 idp.example.com    # Required

                sso_otp_scheme:           http               # Optional
                sso_otp_host:             consumer1.com      # Optional

                sso_failure_path:         /login             # Can also be an absolute URL on the service provider
                sso_path:                 /sso/login/        # SSO endpoint on IdP.

                sso_service_extra:           null            # Default service extra parameters. Optional.
                sso_service_extra_parameter: service_extra   # Parameter name. Optional

                sso_login_required:           1              # Optional
                sso_login_required_parameter: login_required # Optional

                sso_service:                  consumer1      # Consumer name

            logout:
                invalidate_session: true
                path:               /logout
                target:             http://idp.example.com/sso/logout?service=consumer1
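Step 3 points the `guzzle` OTP provider at a client service (`acme_bundle.guzzle_service`) that you have to define yourself. The service definition below is an added example, not part of the bundle; it assumes Guzzle 6 (`GuzzleHttp\Client`) and the usual `app/config/services.yml` location, and sets short timeouts so an unresponsive IdP cannot stall OTP validation:

```yaml
# app/config/services.yml  (assumed location; added example, not shipped with the bundle)
services:
    # HTTP client used by the bundle's guzzle OTP provider to call the IdP
    # validation resource configured under otp_manager.managers.http.providers.guzzle
    acme_bundle.guzzle_service:
        class: GuzzleHttp\Client            # assumes Guzzle 6
        arguments:
            - timeout: 5.0                  # fail fast if the IdP does not answer
              connect_timeout: 2.0
              verify: true                  # keep certificate verification on once the resource is https
              http_errors: true             # 4xx/5xx from the IdP raise exceptions instead of passing silently
```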

Public API of this bundle

This bundle registers several services in the service container. These services help you customize the SSO flow in your application: