Xibo Middleware

Hello,

Following http://xibo.org.uk/manual-tempel/en/users_saml.html.

If my Xibo installation is at http://xibo2.hstv.local/xibo, would this line
$authentication = new \Xibo\Middleware\SAMLAuthentication();
become
$authentication = new \Xibo2\xibo\Middleware\SAMLAuthentication();

Also, how would Xibo find the Middleware folder as it is outside the site (sorry for being a bit thick)

Thanks
Tony

I’m fairly sure it should stay as it is in the manual http://xibo.org.uk/manual-tempel/en/users_saml.html ie
$authentication = new \Xibo\Middleware\SAMLAuthentication();

Now, the parameter that will need more attention is the $samlSettings array.

While there is an example array in the manual, you will obviously need to configure the workflow, idp and sp to match what you want to achieve. Some additional advanced settings can be found on the onelogin GitHub page, i.e. https://github.com/onelogin/php-saml#settings

Once you configure it, you can test whether it works as expected. If you encounter any problems, it would be great if you could catch the response / error that you get, so we can help you troubleshoot it.

Thanks Peter, so as my URL is http://xibo2.hstv.local/xibo, my sp array should look like this?

'sp' => array (
     'entityId' => 'http://xibo2.hstv.local/xibo/saml/metadata',
     'assertionConsumerService' => array (
         'url' => 'http://xibo2.hstv.local/xibo/saml/acs',
     ),
     'singleLogoutService' => array (
         'url' => 'http://xibo2.hstv.local/xibo/saml/sls',
     ),
     'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress',
     'x509cert' => '',
     'privateKey' => '',
 ),

That doesn’t look unreasonable to me, however, I’m fairly sure that for SAML to work you’ll need the CMS accessible over HTTPS with a valid certificate. I may be wrong on that however.

If you already have other systems using SAML within your organisation over http, then this should work for you too. I’ve only ever done it with https endpoints.
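The two points raised so far, deriving the sp endpoints from the CMS URL when the CMS sits under a sub-path and Alex's caveat about https, can be put into a small helper. The following is an added example, not code from the Xibo project or the manual; the function name buildSpSettings and its $cmsBaseUrl parameter are assumptions, and the endpoint paths follow the array posted above.

```php
<?php
// Added example (not Xibo's own code): build the php-saml 'sp' block for a CMS
// installed under a sub-path, and check the points raised in this thread before
// the array is handed to \Xibo\Middleware\SAMLAuthentication.
// buildSpSettings() and $cmsBaseUrl are assumed names, not part of Xibo or php-saml.

function buildSpSettings(string $cmsBaseUrl): array
{
    // Strip a trailing slash so the sub-path ("/xibo") joins cleanly with "/saml/...".
    $base = rtrim($cmsBaseUrl, '/');

    $parts = parse_url($base);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        throw new InvalidArgumentException("CMS base URL is not absolute: $cmsBaseUrl");
    }

    // Alex's caveat above: the IdP redirects the browser back to these endpoints,
    // and an IdP will usually expect (or insist on) an https SP. Warn rather than
    // fail so a lab setup over plain http can still be tried.
    if ($parts['scheme'] !== 'https') {
        trigger_error("SP endpoints are not https ($base); the IdP may reject them", E_USER_WARNING);
    }

    return [
        // Same endpoint paths as the array posted earlier in the thread.
        'entityId' => $base . '/saml/metadata',
        'assertionConsumerService' => [
            'url' => $base . '/saml/acs',
        ],
        'singleLogoutService' => [
            'url' => $base . '/saml/sls',
        ],
        'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress',
        // Leave empty unless the IdP requires signed requests or encrypted assertions.
        'x509cert'   => '',
        'privateKey' => '',
    ];
}

// Usage with the installation discussed in the thread (a local, constructed hostname).
// 'strict' and 'debug' are standard php-saml top-level settings; the 'idp' block
// (entityId, singleSignOnService, singleLogoutService, x509cert) is filled from the
// IdP's metadata and is omitted here.
$samlSettings = [
    'strict' => true,
    'debug'  => false,
    'sp'     => buildSpSettings('http://xibo2.hstv.local/xibo'),
];

echo $samlSettings['sp']['entityId'], PHP_EOL;
echo $samlSettings['sp']['assertionConsumerService']['url'], PHP_EOL;
```

With 'strict' => true php-saml rejects responses whose Destination or Audience do not match these derived URLs exactly, which is why the scheme, host and sub-path in $cmsBaseUrl have to be the ones the browser really uses to reach the CMS.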

Thanks Alex,

I’m just in the process of getting a trusted certificate. Just a question, if you don’t mind - not sure if this is your area of expertise?

In ADFS Claims Rules, I’m not sure what the settings should be for the Transform and Incoming Claim. I currently have:

Incoming claim type: Username
Outgoing claim type: NameID
Outgoing name ID format: Transient Identifier

Not sure where the last one came from... I seem to remember it from somewhere, but it doesn't seem right.

Thanks
Tony