Xibo SAML Service Provider

Implement SAML as a Service Provider such that Xibo can be configured to connect to an Identity Provider (IdP) for authentication.

The user will be automatically logged into the Xibo CMS via SAML and have a user record created for them for normal assigning of permissions, etc.

The SAML configuration will be managed via a configuration file kept on the web server. A possible extension would be to provide a UI for configuration of the module.

Library Options

Library for adding SAML support

SimpleSAMLphp is a PHP application that deals with authentication.

Integration

Replace WebAuthentication middleware with middleware written to authenticate via SAML.

settings.php can be provided an $authentication variable containing an instance of Slim\Middleware which will be used as an alternative to the Xibo WebAuthentication middleware. Post installation the settings file will contain the necessary variable names, commented out.

// Additional Middleware
// $middleware = [];
// $authentication = ;

Were we implementing the standard authentication, the variable would look like:

$authentication = new \Xibo\Middleware\WebAuthentication();

It is also possible to provide additional middleware which will be added to the outermost layer of the middleware stack. This is done using the $middleware = [] array.

Authentication Middleware

Xibo authentication middleware is responsible for adding two hooks to the framework:

  • slim.before.dispatch
  • slim.after.dispatch

The goal of the middleware is to prevent public access to any pages except the public routes defined in $app->publicRoutes.

slim.before.dispatch

The before dispatch hook is responsible for:

  1. Determining if the requested route requires a login - most routes do require login in Xibo.
  2. If the route does require login and the user is not logged in - redirecting the user to the login page
  3. If the route does require login and the user is logged in - replace the $app->user object with a fully loaded \Xibo\Entity\User object.

slim.after.dispatch

The after dispatch hook is responsible for updating the user's status as the application is closing. The standard Xibo web authentication updates the user's last accessed date, etc. by "touching" the user:

$user = $app->user;
/* @var \Xibo\Entity\User $user */

if (!$app->public && $user->hasIdentity()) {
    $user->touch();
}
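The following is an added example, not code from Xibo or SimpleSAMLphp, showing what a SAML replacement for WebAuthentication could look like: a Slim middleware that registers the two hooks described above (deny-by-default route check in slim.before.dispatch, user "touch" in slim.after.dispatch) and that is assigned to the $authentication variable in settings.php. Everything not taken from the design note is an assumption and is marked as such in the comments: the \SimpleSAML\Auth\Simple API and the 'default-sp' authsource name, the SAML attribute names 'uid' and 'mail', and the UserFactory / User property names used in the resolver at the end.

```php
<?php
// Added example (not Xibo's or SimpleSAMLphp's own code): a Slim 2 middleware that
// authenticates requests through SimpleSAMLphp and can be assigned to the
// $authentication variable in settings.php in place of WebAuthentication.
// Assumed, not taken from the design note: the \SimpleSAML\Auth\Simple API and the
// 'default-sp' authsource name, the attribute names 'uid' and 'mail', and the
// Xibo factory/entity/exception names used by the resolver at the bottom.

namespace Xibo\Middleware;

use Slim\Middleware;

class SamlAuthentication extends Middleware
{
    /** @var callable  maps an array of SAML attributes (plus the app) to a \Xibo\Entity\User */
    private $resolveUser;

    /** @var string  SimpleSAMLphp authsource name (assumed) */
    private $authSource;

    public function __construct(callable $resolveUser, $authSource = 'default-sp')
    {
        $this->resolveUser = $resolveUser;
        $this->authSource  = $authSource;
    }

    public function call()
    {
        $app = $this->app;

        // slim.before.dispatch: decide whether the route needs a login and enforce it.
        $app->hook('slim.before.dispatch', function () use ($app) {
            $route = $app->router()->getCurrentRoute();
            $name  = ($route !== null) ? $route->getName() : null;

            // Deny by default: a route is public only when its name is listed, by
            // exact (strict) match, in $app->publicRoutes. Unnamed routes are private.
            $app->public = ($name !== null && in_array($name, $app->publicRoutes, true));
            if ($app->public) {
                return;
            }

            $saml = new \SimpleSAML\Auth\Simple($this->authSource);
            if (!$saml->isAuthenticated()) {
                // No IdP session yet: send the browser to the IdP; SimpleSAMLphp returns
                // to the current URL afterwards (the built-in middleware would redirect
                // to the Xibo login page instead).
                $saml->requireAuth();
                return; // not reached: requireAuth() issues the redirect and exits
            }

            // Replace $app->user with a fully loaded entity built from the assertion.
            // The resolver is responsible for rejecting assertions without an identifier.
            $app->user = call_user_func($this->resolveUser, $saml->getAttributes(), $app);
        });

        // slim.after.dispatch: record the access, exactly as WebAuthentication does.
        $app->hook('slim.after.dispatch', function () use ($app) {
            $user = $app->user;
            /* @var \Xibo\Entity\User $user */
            if (!$app->public && $user->hasIdentity()) {
                $user->touch();
            }
        });

        $this->next->call();
    }
}

// In settings.php (placement assumed): select the SAML middleware and supply the
// resolver that maps the assertion to a Xibo user, creating one on first login.
$authentication = new \Xibo\Middleware\SamlAuthentication(function (array $attributes, \Slim\Slim $app) {
    // Require the identifying attribute; never fall back to a default account.
    if (empty($attributes['uid'][0])) {
        $app->halt(403, 'SAML assertion does not carry a uid attribute');
    }
    $userName = $attributes['uid'][0];

    // Assumed Xibo API: exact lookup by user name; provision on NotFoundException.
    try {
        $user = \Xibo\Factory\UserFactory::getByName($userName);
    } catch (\Xibo\Exception\NotFoundException $e) {
        $user = new \Xibo\Entity\User();
        $user->userName = $userName;
        $user->email    = isset($attributes['mail'][0]) ? $attributes['mail'][0] : '';
        $user->save();
    }
    return $user;
});
```

Two choices matter for the access-control goal stated above: the route check is a strict, exact match against $app->publicRoutes so that an unnamed or mistyped route falls on the private side, and the resolver refuses an assertion that lacks the identifying attribute instead of silently mapping it to some existing account. Which attribute identifies the user (uid, NameID, mail, ...) depends on what the IdP releases, so that mapping belongs in the configuration file the design note mentions rather than in the middleware.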

Sessions

Xibo uses a database store for its sessions - the session is configured with each request and is an instance of \Xibo\Helper\Session. Sessions expire according to the session.gc_maxlifetime PHP configuration directive.

Sessions are stored in the application instance as a singleton and can be accessed via $app->session.
