Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up

Symfony 3 bundle for shibboleth authentication

License

NotificationsYou must be signed in to change notification settings

sygefor/ShibbolethBundle

 
 

Repository files navigation

This bundle adds a shibboleth authentication provider for your Symfony2 project.

Requirements

Installation

ShibbolethBundle is composer-friendly.

1. Add ShibbolethBundle in your composer.json

"require":{        ..."sygefor/shibboleth-bundle":"dev-master"...},"repositories":[{"type":"vcs","url":"git@github.com:sygefor/ShibbolethBundle.git"}],

Now tell composer to download the bundle by running the command:

    php composer.phar update kuleuven/shibboleth-bundle

Composer will install the bundle to your project's vendor/kuleuven directory..

2. Enable the bundle

Instantiate the bundle in your kernel:

// app/AppKernel.php<?php// ...publicfunctionregisterBundles()    {$bundles =array(// ...newKULeuven\ShibbolethBundle\ShibbolethBundle(),        );    }

Configuration

1. Enable lazy shibboleth autentication in Apache

Add following lines to the .htaccess file in your projects web folder

# web/.htaccessAuthType shibbolethShibRequireSessionOffShibUseHeadersOnrequire shibboleth

2. Setup authentication firewall

# app/config/security.ymlsecurity:firewalls:secured_area:pattern:    ^/securedshibboleth: ~logout:path:/secured/logouttarget:/success_handler:security.logout.handler.shibboleth

3. Shibboleth configuration

Possible configuration parameters are:

# app/config/config.ymlshibboleth:handler_path: /Shibboleth.ssosecured_handler: truesession_initiator_path: /Loginusername_attribute: uiduse_headers: true

The above listed configuration values are the default values. To use the defaults, simply use the following line in your config:

# app/config/config.ymlshibboleth: ~

Available Shibboleth attributes

By default, the bundle exposes several Shibboleth attributes through the user token,ShibbolethUserToken. The token provides specific accessors for most of the attributes, as well as the generic accessorsgetAttribute,getArrayAttribute andhasAttributeValue. Each attribute is internally identified by an alias, which serves as argument to the aforementioned methods. The following table lists the Shibboleth attributes available (when provided) through the user token:

AttributeAlias
Shib-Person-uiduid
Shib-Person-commonNamecn
Shib-Person-surnamesn
Shib-Person-givenNamegivenName
Shib-Person-mailmail
Shib-Person-ouou
Shib-Person-telephoneNumbertelephoneNumber
Shib-Person-facsimileTelephoneNumberfacsimileTelephoneNumber
Shib-Person-mobilemobile
Shib-Person-postalAddresspostalAddress
Shib-EP-UnscopedAffiliationaffiliation
Shib-EP-ScopedaffiliationscopedAffiliation
Shib-EP-OrgunitDNorgUnitDN
Shib-EP-OrgDNorgDN
Shib-logoutURLlogoutURL
Shib-Identity-ProvideridentityProvider
Shib-Origin-SiteoriginSite
Shib-Authentication-InstantauthenticationInstant
Shib-KUL-employeeTypeemployeeType
Shib-KUL-studentTypestudentType
Shib-KUL-primouNumberprimouNumber
Shib-KUL-ouNumberouNumber
Shib-KUL-dipldipl
Shib-KUL-oplopl
Shib-KUL-campuscampus
Shib-logoutURLlogoutURL

If for some reason you want to pass additional attributes (for example custom attributes) or overwrite existing, you can configure them this way:

# app/config/config.ymlshibboleth:# ...attribute_definitions:foo:# the attribute aliasheader: shib-acme-foo# the attribute namebar:header: shib-acme-barmultivalue: true# attribute contains multiple values (default is false, i.e. attribute is scalar)identityProvider:header:REDIRECT_Shib-Identity-Provider# Change the existing attributeserver:REDIRECT_Shib_Identity_Provider# Change the name of the variable with use_header option off

The key containing the configuration of each attribute will be its alias. That means the value(s) of theshib-acme-foo andshib-acme-bar attributes can be retrieved with:

$foo =$token->getAttribute('foo');$bars =$token->getArrayAttribute('bar');// returns an array containing the multiple values

User Provider

This bundle doesn't include any User Provider, but you can implement your own.

If you store users in a database, they can be created on the fly when a users logs on for the first time on your application. Your UserProvider needs to implement theKULeuven\ShibbolethBundle\Security\ShibbolethUserProviderInterface interface.

Example

This example uses Propel ORM to store users.

<?phpnamespaceYourProjectNamespace\Security;useYourProjectNamespace\Model\User;useYourProjectNamespace\Model\UserQuery;useKULeuven\ShibbolethBundle\Security\ShibbolethUserProviderInterface;useKULeuven\ShibbolethBundle\Security\ShibbolethUserToken;useSymfony\Component\Security\Core\Authentication\Token\TokenInterface;useSymfony\Component\Security\Core\User\UserProviderInterface;useSymfony\Component\Security\Core\User\UserInterface;useSymfony\Component\Security\Core\Exception\UsernameNotFoundException;useSymfony\Component\Security\Core\Exception\UnsupportedUserException;class UserProviderimplements ShibbolethUserProviderInterface{publicfunctionloadUserByUsername($username){$user = UserQuery::create()->findOneByUsername($username);if($user){return$user;}else{thrownewUsernameNotFoundException("User".$username." not found.");}}publicfunctioncreateUser(ShibbolethUserToken$token){// Create user object using shibboleth attributes stored in the token.//$user =newUser();$user->setUid($token->getUsername());$user->setSurname($token->getSurname());$user->setGivenName($token->getGivenName());$user->setMail($token->getMail());// If you like, you can also add default roles to the user based on shibboleth attributes. E.g.:if ($token->isStudent())$user->addRole('ROLE_STUDENT');elseif ($token->isStaff())$user->addRole('ROLE_STAFF');else$user->addRole('ROLE_GUEST');$user->save();return$user;}publicfunctionrefreshUser(UserInterface$user){if (!$userinstanceof User) {thrownewUnsupportedUserException(sprintf('Instances of "%s" are not supported.',get_class($user)));}return$this->loadUserByUsername($user->getUsername());}publicfunctionsupportsClass($class){return$class ==='YourProjectNamespace\Model\User';}}

About

Symfony 3 bundle for shibboleth authentication

Resources

License

Stars

Watchers

Forks

Packages

No packages published

Languages

  • PHP99.5%
  • HTML0.5%
[8]ページ先頭
©2009-2025 Movatter.jp