Implement SAML as a Service Provider (SP) such that Xibo can be configured to connect to an Identity Provider (IdP) for authentication.
The user will be automatically logged into the Xibo CMS via SAML and have a user record created for them on first login, so that permissions etc. can be assigned as normal.
The SAML configuration will be managed via a configuration file kept on the web server. A possible extension would be to provide a UI for configuration of the module.
Library Options
Library for adding SAML support:
SimpleSAMLphp is a PHP application that handles SAML authentication and can act as the Service Provider side of the exchange.
Integration
Replace the WebAuthentication middleware with middleware written to authenticate via SAML.
settings.php can be provided an $authentication variable containing an instance of Slim\Middleware, which will be used as an alternative to the Xibo WebAuthentication middleware. Post installation the settings file will contain the necessary variable names, commented out.
// Additional Middleware
// $middleware = [];
// $authentication = ;
Were we implementing the standard authentication, the variable would look like:
$authentication = new \Xibo\Middleware\WebAuthentication();
It is also possible to provide additional middleware which will be added to the outermost layer of the middleware stack. This is done using the $middleware = [] array.
Authentication Middleware
Xibo authentication middleware is responsible for adding two hooks to the framework:
- slim.before.dispatch
- slim.after.dispatch
The goal of the middleware is to prevent public access to any pages except the public routes defined in $app->publicRoutes.
slim.before.dispatch
The before dispatch hook is responsible for:
- Determining if the requested route requires a login - most routes do require login in Xibo.
- If the route does require login and the user is not logged in - redirecting the user to the login page
- If the route does require login and the user is logged in - replace the $app->user object with a fully loaded \Xibo\Entity\User object.
slim.after.dispatch
The after dispatch hook is responsible for updating the user's status as the application is closing. The standard Xibo web authentication updates the user's last accessed date, etc. by "touching" the user:
$user = $app->user;
/* @var \Xibo\Entity\User $user */
if (!$app->public && $user->hasIdentity()) {
$user->touch();
}
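The following is an added example, not code from the Xibo project, showing what a replacement authentication middleware wired in from settings.php (via $authentication = new \Xibo\Middleware\SamlAuthentication();) could look like for the Slim 2 stack described above: the before-dispatch hook skips routes listed in $app->publicRoutes, sends everyone else to the IdP when they are not yet authenticated, and replaces $app->user once they are; the after-dispatch hook touches the user exactly as the standard middleware does. Assumed and not on this page: SimpleSAMLphp's \SimpleSAML\Auth\Simple API with a "default-sp" authsource, the "uid" and "mail" attribute names released by the IdP, and the lookupOrCreateUser() helper, whose \Xibo\Factory\UserFactory / \Xibo\Exception\NotFoundException calls are a hypothetical mapping onto Xibo's user entity.

```php
<?php
// Added example (not Xibo's own code). Wire it in from settings.php with:
//   $authentication = new \Xibo\Middleware\SamlAuthentication();
// Assumed: SimpleSAMLphp's \SimpleSAML\Auth\Simple API, a "default-sp"
// authsource, "uid"/"mail" attributes from the IdP, and the Xibo factory
// calls inside lookupOrCreateUser() (hypothetical mapping, see below).
namespace Xibo\Middleware;

use Slim\Middleware;

class SamlAuthentication extends Middleware
{
    /** @var string SimpleSAMLphp authsource name (assumed) */
    private $authSource = 'default-sp';

    public function call()
    {
        $app = $this->app;

        $app->hook('slim.before.dispatch', function () use ($app) {
            $app->public = false;

            // Compare the matched route *pattern*, not the raw URL, so the
            // public-route check cannot be bypassed with path tricks.
            $route = $app->router()->getCurrentRoute();
            $resource = ($route !== null) ? $route->getPattern() : '';

            if (in_array($resource, $app->publicRoutes, true)) {
                $app->public = true;   // no login required
                return;
            }

            $saml = new \SimpleSAML\Auth\Simple($this->authSource);

            if (!$saml->isAuthenticated()) {
                // Not logged in: SimpleSAMLphp builds the AuthnRequest and
                // redirects to the IdP, then returns the user to this URL.
                $saml->requireAuth([
                    'ReturnTo' => $app->request()->getUrl() . $app->request()->getPath(),
                ]);
                return;   // requireAuth() does not return once it has redirected
            }

            // Logged in: replace $app->user with a fully loaded entity,
            // creating the user record on first login.
            $app->user = $this->lookupOrCreateUser($saml->getAttributes());
        });

        $app->hook('slim.after.dispatch', function () use ($app) {
            $user = $app->user;
            /* @var \Xibo\Entity\User $user */
            if (!$app->public && $user->hasIdentity()) {
                $user->touch();   // same "touch" as the standard middleware
            }
        });

        $this->next->call();
    }

    /**
     * Map SAML attributes onto a Xibo user (hypothetical helper).
     * Only the "uid" attribute from the IdP's signed assertion is trusted as
     * the identity; nothing from the request itself is used.
     */
    private function lookupOrCreateUser(array $attributes)
    {
        if (empty($attributes['uid'][0])) {
            throw new \RuntimeException('IdP assertion did not carry a uid attribute');
        }
        $userName = $attributes['uid'][0];

        try {
            return \Xibo\Factory\UserFactory::getByName($userName);   // assumed factory call
        } catch (\Xibo\Exception\NotFoundException $e) {
            // First login: provision a least-privilege record that an admin
            // can later assign permissions to, as the page describes.
            $user = new \Xibo\Entity\User();
            $user->userName = $userName;
            $user->email = isset($attributes['mail'][0]) ? $attributes['mail'][0] : '';
            $user->userTypeId = 3;   // ordinary "User" type (assumed ID), never admin by default
            // Unusable local password: SAML is the only way in for this account.
            $user->setNewPassword(bin2hex(openssl_random_pseudo_bytes(32)));
            $user->save();
            return $user;
        }
    }
}
```

Two points worth checking in a real implementation: the public-route comparison must use the route pattern that the router actually matched (as above), and the auto-provisioned account must be created with the lowest user type so that an attacker who can get any assertion past the IdP does not land in an administrative role.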
Sessions
Xibo uses a database store for its sessions - the session is configured with each request and is an instance of \Xibo\Helper\Session. Sessions expire according to the session.gc_maxlifetime PHP configuration directive.
Sessions are stored in the application instance as a singleton and can be accessed via $app->session.