sfSAMLPlugin is a symfony plugin that allows you to interface SAML with sfDoctrineGuardPlugin.
sfSAMLPlugin uses simpleSAMLphp ( http://simplesamlphp.org/ ) to deal with the Identity Provider (IdP). With sfSAMLPlugin, your symfony application is a Service Provider (SP): users are sent to the IdP to authenticate, and the signed SAML response that comes back is what logs them into sfDoctrineGuard.
If you want to install sfSAMLPlugin, follow these steps:
- Get the source from https://github.com/chtitux/sfSAMLPlugin and decompress it into the `plugins/` directory.
- Install sfDoctrineGuardPlugin (just download it and put it in the `plugins/` directory of your symfony application).
- Download simpleSAMLphp and decompress it into the `lib/vendor/` directory.
- Add these lines to `config/ProjectConfiguration.php` (the original page lost the underscores of `__FILE__`; `dirname(__FILE__)` is the symfony 1 idiom):

```php
<?php
class ProjectConfiguration extends sfProjectConfiguration
{
  public function setup()
  {
    $this->enablePlugins('sfDoctrinePlugin');
    // Add the following lines:
    $this->enablePlugins('sfDoctrineGuardPlugin');
    $this->enablePlugins('sfSAMLPlugin');
    // Load simpleSAMLphp
    require_once dirname(__FILE__).'/../lib/vendor/simplesamlphp/lib/_autoload.php';
  }
}
```
- In `apps/frontend/config/settings.yml`, enable at least the modules sfGuardAuth and sfSAMLAuth. You can enable all the modules of sfDoctrineGuardPlugin like this:

```yaml
all:
  .settings:
    # [...]
    # Enable modules
    enabled_modules: [default, sfGuardAuth, sfSAMLAuth, sfGuardGroup, sfGuardUser, sfGuardPermission]
```
- In `lib/vendor/simplesamlphp/config/config.php`, change the PHP session cookie name to "symfony" so that simpleSAMLphp shares the session your symfony application already creates (symfony's default session name is `symfony`):

```php
<?php
// ...
'session.phpsession.cookiename' => "symfony",
```

  While you are in `config.php`, also replace the shipped defaults of `secretsalt` and `auth.adminpassword`: the salt is used to derive secrets, and the admin password protects the simpleSAMLphp admin pages that the next step will expose on the web.
- Configure your IdP in `simplesamlphp/metadata/saml20-idp-remote.php`.
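A minimal entry for that file, as an added example that is not part of the plugin's own files: the entityID, the two endpoint URLs and the certificate file name are placeholders that you take from your IdP's metadata; the keys are simpleSAMLphp's standard remote-IdP metadata keys.

```php
<?php
// lib/vendor/simplesamlphp/metadata/saml20-idp-remote.php
// Example entry (added illustration). Replace the entityID, URLs and
// certificate file name with the values from your own IdP's metadata.
$metadata['https://idp.example.org/saml2/idp/metadata.php'] = array(
    'name'                => array('en' => 'Example IdP'),
    'description'         => 'Example Identity Provider',
    // Where the SP sends its AuthnRequests and LogoutRequests
    'SingleSignOnService' => 'https://idp.example.org/saml2/idp/SSOService.php',
    'SingleLogoutService' => 'https://idp.example.org/saml2/idp/SingleLogoutService.php',
    // PEM certificate copied from the IdP's metadata into simplesamlphp/cert/.
    // Without it simpleSAMLphp cannot verify the signature on the IdP's
    // responses, so a forged response could log someone in: do not leave it out.
    'certificate'         => 'idp.example.org.crt',
);
```

The array key is the IdP's entityID and must match the `Issuer` in the responses it sends; an IdP that is not listed in this file is rejected, which is the SP's main control over who may assert identities to it.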
- simpleSAMLphp must be visible from the web (the user will be redirected to it). You have to add the following line to your Apache config:

```apache
Alias /simplesaml /home/data/www/login/lib/vendor/simplesamlphp/www
```

  Only the `www/` subdirectory must be reachable from the web; `config/`, `metadata/` and `cert/` hold your secrets and must stay outside the document root. The alias path must also match `baseurlpath` in `config.php` (`simplesaml/` here), otherwise the SP endpoints will not resolve.
- Change the class that `myUser` extends to `sfGuardSecurityUser` (in `apps/frontend/lib/myUser.class.php`):

```php
<?php
class myUser extends sfGuardSecurityUser
{
}
```
- You have to create a database with the sfGuardUser table (sfDoctrineGuardPlugin's schema). sfSAMLPlugin adds a sfGuardUser to the database for each identity the IdP asserts, so any account your IdP releases will get a local user.
- You can test it with the default routes: `/saml/login` for login, `/saml/logout` for logout.
- You can add the default login/logout actions at the end of `apps/frontend/config/settings.yml` (under `all:`, as symfony expects):

```yaml
all:
  .actions:
    login_module: sfGuardAuth
    login_action: signin
```

And it should work!
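To make the steps above concrete, here is an added sketch of what the SP side of `/saml/login` and `/saml/logout` does once everything is wired: it is not sfSAMLPlugin's own code but an illustration using simpleSAMLphp's `SimpleSAML_Auth_Simple` API and sfDoctrineGuardPlugin's `sfGuardSecurityUser`. It assumes an authsource named `default-sp` in `lib/vendor/simplesamlphp/config/authsources.php`, an IdP that releases a `uid` attribute usable as the username, and a `homepage` route; all three are assumptions.

```php
<?php
// Added illustration, not the plugin's code. Assumptions: an authsource
// 'default-sp' in simplesamlphp/config/authsources.php, an IdP releasing a
// 'uid' attribute, and a 'homepage' route in the application.
class samlActions extends sfActions
{
  public function executeLogin(sfWebRequest $request)
  {
    $as = new SimpleSAML_Auth_Simple('default-sp');

    // Redirects the browser to the IdP if there is no SAML session yet and
    // only returns once the signed response has been validated against the
    // certificate configured in saml20-idp-remote.php.
    $as->requireAuth();

    $attributes = $as->getAttributes();
    if (empty($attributes['uid'][0]))
    {
      // Never provision an account from an assertion with no usable identifier.
      $this->getUser()->setFlash('error', 'The IdP did not release a uid attribute');
      $this->forward404();
    }
    $username = $attributes['uid'][0];

    // Find or create the matching sfGuardUser: this is the step the README
    // describes as sfSAMLPlugin adding a sfGuardUser to the database.
    $user = Doctrine_Core::getTable('sfGuardUser')->findOneByUsername($username);
    if (!$user)
    {
      $user = new sfGuardUser();
      $user->setUsername($username);
      // Random, unknown password: the account must only be reachable through
      // SAML, never through the local sfGuardAuth password form.
      $user->setPassword(bin2hex(openssl_random_pseudo_bytes(32)));
      $user->setIsActive(true);
      $user->save();
    }

    $this->getUser()->signIn($user);
    $this->redirect('@homepage');
  }

  public function executeLogout(sfWebRequest $request)
  {
    // Drop the local sfGuard session first, then end the SAML session at the
    // IdP (Single Logout) and come back to the homepage.
    $this->getUser()->signOut();
    $as = new SimpleSAML_Auth_Simple('default-sp');
    $as->logout($this->generateUrl('homepage', array(), true));
  }
}
```

Two points worth checking against your own setup: the attribute you key accounts on must be one the IdP guarantees to be unique and stable (a `uid` or `eduPersonPrincipalName`, not a display name), and the local logout must happen as well as the SAML one, otherwise the symfony session survives a logout initiated at the IdP.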