
schulinck/SingleSignOnServiceProviderBundle


Single Sign On Service Provider


Disclaimer

I am by no means a security expert. I'm not bad at it either, but I cannot vouch for the security of this bundle. You can use this in production if you want, but please do so at your own risk. That said, if you'd like to contribute to make this bundle better/safer, you can always create an issue or send a pull request.

Description

This bundle provides an easy way to integrate single sign-on into your website. It uses an existing ('main') firewall for the actual authentication, and redirects all configured SSO routes to the identity provider (IdP), which authenticates the user and sends the browser back with a one-time password (OTP) that the service provider validates.

Installation

Install using composer:

php composer.phar require "korotovsky/sso-sp-bundle"

Enable the bundle in the kernel:

// app/AppKernel.php
$bundles[] = new \Krtv\Bundle\SingleSignOnServiceProviderBundle\SingleSignOnServiceProviderBundle();

Configuration

Enable route to validate OTP:

# app/config/routing.yml
otp:
    # this needs to be the same as the check_path, specified later on in security.yml
    path: /otp/validate/

Modify security settings:

# app/config/security.yml
security:
    firewalls:
        main:
            pattern: ^/
            sso:
                require_previous_session: false
                provider:                 main
                check_path:               /otp/validate/     # Same as in app/config/routing.yml

                sso_scheme:               http               # Required
                sso_host:                 idp.example.com    # Required

                sso_otp_scheme:           http               # Optional
                sso_otp_host:             consumer1.com      # Optional

                sso_failure_path:         /login             # Can also be an absolute URL on the service provider
                sso_path:                 /sso/login/        # SSO endpoint on the IdP

                sso_service_extra:           null            # Default service extra parameters. Optional.
                sso_service_extra_parameter: service_extra   # Parameter name. Optional.

                sso_login_required:           1              # Optional
                sso_login_required_parameter: login_required # Optional

                sso_service:                  consumer1      # Consumer name

            logout:
                invalidate_session: true
                path:               /logout
                target:             http://idp.example.com/sso/logout?service=consumer1

Configure SingleSignOnServiceProvider bundle:

# app/config/config.yml
krtv_single_sign_on_service_provider:
    host:                 idp.example.com
    host_scheme:          http

    login_path:           /sso/login/

    # Configuration for OTP managers
    otp_manager:
        name:       http
        managers:
            http:
                provider:    service # Active provider for HTTP OTP manager
                providers:           # Available HTTP providers
                    service:
                        id: acme_bundle.your_own_fetch_service.id

                    guzzle:
                        client:   acme_bundle.guzzle_service.id
                        resource: http://idp.example.com/internal/v1/sso

    otp_parameter:        _otp
    secret_parameter:     secret

If you use the service provider to fetch/invalidate OTP tokens, the service registered under otp_manager.managers.http.providers.service.id must implement the Krtv\SingleSignOn\Manager\Http\Provider\ProviderInterface interface.
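The configuration above wires three things together: the check_path that receives the OTP in the _otp parameter, the provider that fetches/invalidates that OTP at the IdP, and the consumer name (sso_service) the OTP was issued for. The following is an added illustration of the checks a service provider should perform at that step; it is not the bundle's code and does not use the library's ProviderInterface, whose method names are not given on this page. The OtpRecord shape, the in-memory InMemoryOtpStore (standing in for the HTTP provider) and the OtpValidator class are all assumptions made for the example.

```php
<?php
// Added example (not the bundle's code): the OTP validation step at check_path.
// Models single use, expiry and binding of the OTP to the consumer named in
// sso_service. The store is an in-memory stand-in for the IdP-side provider.
declare(strict_types=1);

/** Assumed shape of the OTP record the IdP would hand back. */
final class OtpRecord
{
    public function __construct(
        public string $username,
        public string $service,    // consumer the OTP was issued for
        public int $expiresAt,     // unix timestamp
        public bool $used = false
    ) {}
}

/** Hypothetical stand-in for fetching/invalidating OTPs at the IdP. */
final class InMemoryOtpStore
{
    /** @var array<string, OtpRecord> keyed by OTP value */
    private array $records = [];

    public function issue(string $otp, string $username, string $service, int $ttlSeconds, int $now): void
    {
        $this->records[$otp] = new OtpRecord($username, $service, $now + $ttlSeconds);
    }

    public function fetch(string $otp): ?OtpRecord
    {
        return $this->records[$otp] ?? null;
    }

    public function invalidate(string $otp): void
    {
        if (isset($this->records[$otp])) {
            $this->records[$otp]->used = true;
        }
    }
}

final class OtpValidator
{
    public function __construct(private InMemoryOtpStore $store, private string $service) {}

    /**
     * Validate the OTP taken from the _otp request parameter.
     * Returns the authenticated username, or null on any failure; every
     * outcome is appended to $log so replays and mismatches can be alerted on.
     */
    public function validate(?string $otp, int $now, array &$log): ?string
    {
        if ($otp === null || $otp === '') {
            $log[] = 'otp_missing';
            return null;
        }
        $record = $this->store->fetch($otp);
        if ($record === null) {
            $log[] = 'otp_unknown';
            return null;
        }
        // Invalidate on first presentation regardless of outcome, so a token
        // can never be retried after a failed attempt.
        $wasUsed = $record->used;
        $this->store->invalidate($otp);
        if ($wasUsed) {
            $log[] = 'otp_replayed';
            return null;
        }
        if ($record->expiresAt <= $now) {
            $log[] = 'otp_expired';
            return null;
        }
        // An OTP minted for another consumer must not log anyone in here.
        if ($record->service !== $this->service) {
            $log[] = 'otp_wrong_service';
            return null;
        }
        $log[] = 'otp_ok';
        return $record->username;
    }
}

// Constructed demo data: one fresh token, one expired, one for another consumer.
$store = new InMemoryOtpStore();
$now = 1_700_000_000;
$store->issue('tok-abc', 'alice', 'consumer1', 60, $now);
$store->issue('tok-old', 'bob', 'consumer1', 60, $now - 120);
$store->issue('tok-other', 'carol', 'consumer2', 60, $now);

$validator = new OtpValidator($store, 'consumer1');
$log = [];
var_dump($validator->validate('tok-abc', $now + 5, $log));   // first use
var_dump($validator->validate('tok-abc', $now + 6, $log));   // same token again
var_dump($validator->validate('tok-old', $now, $log));       // past expiresAt
var_dump($validator->validate('tok-other', $now, $log));     // issued for consumer2
print_r($log);
```

Run with `php otp_validate.php` (any file name). Because the OTP is carried in the _otp parameter of the check_path URL, the value chosen for sso_scheme and sso_otp_scheme decides whether that token crosses the network in clear text; with http, as in the sample configuration, the single-use and short-expiry checks above are the only thing limiting what an observer of that request can do with it.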

That's it for Service Provider.

About

Single Sign On bundle for Symfony2 projects. SP part.
