Compatibility with SSO modules

[brynwhyman]

Overview

At this stage the compatibility of this module with common SSO modules is unclear.

Raising this issue to do some testing and record the results.

SSO modules in scope (CMS4 compatibility only):

• https://github.com/silverstripe/silverstripe-ldap
• https://github.com/silverstripe/silverstripe-saml

ACs

• [ ] Testing occurs on a projects using the modules above
• [ ] Test scenarios are defined upfront, with exploratory testing also likely
• [ ] Test findings are recorded in the issue
• [ ] Suggested next steps are recorded in issue. I.e there's major issues that warrant a note in the readme, or there are issues that could be resolved...

Notes

• We're assuming we can get support in obtaining test environments as these would be difficult to set up
• We've done something similar for the MFA or login-forms module, to give you an idea of how that went, check those repos out.

[emteknetnz]

Slack convo about how to potentially test SAML https://silverstripeltd.slack.com/archives/CLXKD9X51/p1623799823207500

[michalkleiner]

Link to an internal convo probably not that useful for public eyes.

[brynwhyman]

Are you interested in SSO compatibility and would like to help confirm compatibility @michalkleiner ?

Here's the snippet:

Looking at the Developer Docs in the module readme, my gut feel is that it would likely work okay. SAML has two modes: either ‘protect entire site (via middleware)’ or ‘login via Security/login’. In both cases, once we get a response from the SAML identity provider we log the member in using the standard IdentityStore system, and then it all just falls back on using PHP session data to re-authenticate users on subsequent requests. So best guess is that it should work just the same as when using email/password logins

[GuySartorelli]

This has been in core for ages now and nobody has complained, so I'm going to say it's probably all working as it should.