SimpleSamlPHP auth plugin

This is a merge request related to this TIC that I created to add support for SimpleSamlPHP: #4365.

I wasn't sure whether I should edit the original TIC or write everything here, so below is all the information needed to understand the code and set up the test environment. The issue contains more general information. If I did anything wrong, please let me know, and I will fix it.

Files

  • StudipAuthSimpleSamlPHP.php - contains the plugin
  • logout.php - modified public/logout.php for support of SingleLogout (I just reused code that was used for CAS logout)
  • config_defaults.inc.php - configuration examples (same as for other auth plugins)

Prerequisites

  • SimpleSamlPHP installed on the machine in its default directory (can be changed in plugin code)
    • use a session other than php_session, as this would interfere with the Stud.IP session

Testing environment

On this branch I have prepared a testing environment with mocksaml as an IdP. All you have to do to set it up is start docker-compose.yml (docker-compose up), and Stud.IP with SimpleSamlPHP support will be available at http://localhost:8032. Then you can log in with the mocksaml IdP by using the 'federated login' link.

Activity

    • Resolved by Jan-Hendrik Willms

      I have updated the test environment. There is just one weird thing. In the SimpleSamlPHP installation by composer inside docker there are missing files in the public/assets folder, which breaks the SimpleSamlPHP UI. I am not sure if it has something to do with docker or if it is an error in the SimpleSamlPHP package from composer. At the moment I fixed it by just copying the assets into docker from outside via the dockerfile.

      One other thing that I did not think of is that, to use SimpleSamlPHP, the following lines need to be added to the Apache sites-enabled config:

             SetEnv SIMPLESAMLPHP_CONFIG_DIR /var/www/studip/composer/simplesamlphp/simplesamlphp/config
      
             Alias /simplesaml /var/www/studip/composer/simplesamlphp/simplesamlphp/public
      
             <Directory /var/www/studip/composer/simplesamlphp/simplesamlphp/public>
               Require all granted
             </Directory>

      Which was alright when the user handled the installation of SimpleSamlPHP themselves. But now that it is installed by composer with Stud.IP, it should be mentioned somewhere or handled automatically if it is possible. I am not really sure how I should handle this.
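
An added example, not part of the merge request or of Stud.IP: a POSIX shell preflight check for the three Apache settings quoted in the comment above, flagging a missing `SIMPLESAMLPHP_CONFIG_DIR`, a missing `config.php`, and an `Alias` that exposes more than SimpleSAMLphp's `public/` directory. The function names and finding texts are hypothetical, and it assumes one directive per line, as quoted.

```shell
#!/bin/sh
# Added example, not from the merge request: preflight check for the three
# Apache settings quoted above. Prints one finding per line, returns 0 if clean.

# Last value of a two-keyword directive, e.g. "SetEnv NAME value".
directive_value() {
    awk -v a="$2" -v b="$3" '
        $1 == a && $2 == b { v = $3; gsub(/"/, "", v); sub(/\/$/, "", v) }
        END { print v }' "$1"
}

# True if the vhost has a <Directory> block for exactly this path.
has_directory_block() {
    awk -v d="$2" '
        $1 == "<Directory" { p = $2; gsub(/[">]/, "", p); sub(/\/$/, "", p)
                             if (p == d) found = 1 }
        END { exit !found }' "$1"
}

check_simplesaml_vhost() {
    vhost=$1; rc=0
    [ -r "$vhost" ] || { echo "cannot read $vhost"; return 1; }
    cfg_dir=$(directive_value "$vhost" SetEnv SIMPLESAMLPHP_CONFIG_DIR)
    alias_dir=$(directive_value "$vhost" Alias /simplesaml)

    # The quoted config uses this variable to name the config directory.
    if [ -z "$cfg_dir" ]; then
        echo "SIMPLESAMLPHP_CONFIG_DIR is not set"; rc=1
    elif [ ! -f "$cfg_dir/config.php" ]; then
        echo "no config.php in $cfg_dir"; rc=1
    fi

    if [ -z "$alias_dir" ]; then
        echo "Alias /simplesaml is missing"; rc=1
    else
        # Only public/ should be web-reachable; config/ and cert/ must not be.
        case $alias_dir in
            */public) ;;
            *) echo "Alias target $alias_dir is not the public/ directory"; rc=1 ;;
        esac
        case $cfg_dir/ in
            "$alias_dir"/*) echo "config directory $cfg_dir is served by the Alias"; rc=1 ;;
        esac
        has_directory_block "$vhost" "$alias_dir" ||
            { echo "no <Directory> block for $alias_dir"; rc=1; }
    fi
    return $rc
}
```
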

  • René Češka added 1 commit

    • 1c0a65f9 - fix - removed reverse proxy url

  • René Češka added 1 commit

    • Resolved by Jan-Hendrik Willms

      I'm a bit confused right now. I wanted to test the plugin against a SAML provider and set the according URL as sp_name in the configuration. But this will only result in the following error:

      Houston, we've got a problem.
      Typ: SimpleSAML\Error\CriticalConfigurationError
      Nachricht: The configuration (config/config.php) is invalid: Missing configuration file
      Code: -1
      Stack trace:
      #$ composer/simplesamlphp/simplesamlphp/src/SimpleSAML/Error/CriticalConfigurationError.php(84)
      #0 composer/simplesamlphp/simplesamlphp/src/SimpleSAML/Configuration.php(376): SimpleSAML\Error\CriticalConfigurationError::fromException(Object(SimpleSAML\Error\ConfigurationError))
      #1 composer/simplesamlphp/simplesamlphp/src/SimpleSAML/Auth/Simple.php(42): SimpleSAML\Configuration::getInstance()
      #2 lib/classes/auth_plugins/StudipAuthSimpleSamlPHP.php(38): SimpleSAML\Auth\Simple->__construct('https://sptest....')
      #3 lib/classes/auth_plugins/StudipAuthAbstract.php(125): StudipAuthSimpleSamlPHP->__construct(Array)
      #4 lib/phplib/Seminar_Auth.php(269): StudipAuthAbstract::getInstance('simplesamlphp')
      #5 lib/phplib/Seminar_Auth.php(126): Seminar_Auth->auth_preauth()
      #6 lib/phplib/page_open.php(26): Seminar_Auth->start()
      #7 lib/classes/StudipController.php(41): page_open(Array)
      #8 lib/classes/AuthenticatedController.php(16): StudipController->before_filter('index', Array)
      #9 app/controllers/start.php(24): AuthenticatedController->before_filter('index', Array)
      #10 lib/trails/Controller.php(84): StartController->before_filter('index', Array)
      #11 lib/classes/StudipController.php(121): Trails\Controller->perform('')
      #12 lib/trails/Dispatcher.php(106): StudipController->perform('')
      #13 lib/trails/Dispatcher.php(79): Trails\Dispatcher->map_uri_to_response('start')
      #14 public/dispatch.php(25): Trails\Dispatcher->dispatch('/start')
      #15 {main}

      I thought this would provide an auth plugin for the authentication against a SAML IdP in general and not only to a locally installed SimpleSAMLPHP instance.

      Can anyone shed some light onto this? I think it would be a little bit too much if we had to configure a whole instance of a system we will actually not use just to use the client functionality.

      Edited by Jan-Hendrik Willms
    • Resolved by René Češka

      We talked about this today in the core group video conference and decided that we don't want to include SimpleSAMLPHP in its entirety in Stud.IP.

      So we would suggest the solution you had at first. The SimpleSAMLPHP is located somewhere else on the server and is maintained there. Stud.IP only includes the necessary files directly from that location. The path to the included file(s) should be part of the configuration.

      This also means that we can remove SimpleSAMLPHP from composer since we will not need it anymore in the core of Stud.IP.

      Do you want to implement it this way or should I provide a MR with the changes?

  • Jan-Hendrik Willms resolved all threads

  • René Češka added 5 commits

    • d92f6b11 - Simple saml review
    • 3513583c - Merge branch 'simple-saml-review' into 'SimpleSamlPHP'
    • fea48a0b - fix - removed reverse proxy url
    • f0346766 - removed ReturnTo
    • 4f7b2337 - Updated SimpleSamlPHP to work without composer

  • René Češka added 61 commits

  • I rebased to main and updated the plugin to work with the new logout.php that was added in the main branch.

    Edited by René Češka
  • Jan-Hendrik Willms
  • added 1 commit

    • 3b010a51 - Apply 1 suggestion(s) to 1 file(s)