New Login plugin for SAML SSO authentication

[mattab]

The goal of this issue is to create a new Authentication plugin for Piwik that will let users login via the SAML 2.0 framework for SSO auth.

SAML Framework

• Here is a general view of the SAML 2.0 framework: http://en.wikipedia.org/wiki/SAML_2.0
• Our Identity Provider is based on CA’s SiteMinder http://www.ca.com/us/securecenter/ca-single-sign-on.aspx (Now called Single Sign On) but only supports HTTP Redirect Binding
• http://en.wikipedia.org/wiki/SAML_2.0#HTTP_Redirect_Binding
• You may be able to use some of the code from this GitHub project even though it is built to use CAS or SAML 1.1 https://github.com/fnp/piwik-CASLogin
• Otherwise other users have had a lot of success with simpleSAMLphp https://simplesamlphp.org/
• To make this simple we do not have a requirement to autoprovision users we will be adding them by hand with a fake password but will authenticate the through our Identity Provider.

  Functional Requirements

Here are the requirements for the new Authentication Plugin:

1. Login process needs to be extended to support both existing internal authentication mechanisms as well as SAML authentication via Client's IDP.
2. Login Page and related modules should provide a clear link to initiate SAML authentication.
3. SAML Authentication attempts should be logged and clearly identifiable.
4. SAML Authentication should provide verbose logging for debugging purposes.
5. SAML configurations should be defined in a single location accessible only to administrators.
6. SAML encryption keys must be stored in a secure area and only accessible to administrators and protected from exposure.
7. SAML Authentication will only allow access if a corresponding user exists and is active in the local authentication database.
8. Logout terminates active sessions for the application only.

Recommended deliverables:

1. High-level design document with sequence diagrams on SAML/Launchpad integration
2. Well written code with test scripts as per specification/requirements
3. Readme file explains the instructions on deployment.

Note: there is this plugin that does CAS Login in Piwik: https://github.com/fnp/piwik-CASLogin

[huan086]

Any progress on this? If no, I will be hiring people to develop this

[mattab]

SAML plugin has been re-created from scratch and is now available on the Marketplace!

Learn more here: http://plugins.piwik.org/LoginSaml

and in our SAML User Guides: https://piwik.org/docs/login-saml/ and the Login SAML Faqs: https://piwik.org/faq/login-saml/

If you need help we can provide some support for SAML, learn more here: https://piwik.org/support/login-saml/

[sgiehl]

As mentioned by @mattab, this plugin has been released. Closing this issue now.