Shibboleth-based (federated SAML) user authentication bundle

The bundle provides an authentication security token to users who authenticate via the Apache implementation of the Shibboleth SP.

You can then implement access control the way Symfony normally does.

You must implement your own user provider; the bundle does not work without one.

Install the bundle with Composer:

```
composer require niif/shib-auth-bundle
```

Update app/AppKernel.php:
```php
$bundles = array(
    ...
    new Niif\ShibAuthBundle\NiifShibAuthBundle(),
    ...
);
```
Configure the Shibboleth bundle by updating your app/config/config.yml:

```yaml
...
niif_shib_auth: ~
# niif_shib_auth:
#     baseURL: "%shib_auth_base_url%" # optional, default: /Shibboleth.sso/
#     sessionInitiator: "%shib_auth_session_initiator%" # optional, default: Login
#     logoutPath: "%shib_auth_logout_path%" # optional, default: Logout
#     logoutReturnPath: "%shib_auth_logout_return_path%" # optional, default: "/"; you should use an absolute URL, a named Symfony route works too
#     usernameAttribute: "%shib_auth_username_attribute%" # optional, default: REMOTE_USER
#     moduleAttribute: "%shib_auth_module_attribute%" # optional, name of the server variable used to check that a Shibboleth session exists, default: HTTP_SHIB_APPLICATION_ID
...
```
Then add a new firewall rule in app/config/security.yml:

```yaml
    ...
    providers:
        ...
        shibboleth:
            id: shibboleth.user.provider
        ...
    ...
    firewalls:
        ...
        main:
            guard:
                authenticators:
                    - niif_shib_auth.shib_authenticator
            logout:
                path: /logout
                target: /
                invalidate_session: true
                success_handler: niif_shib_auth.shib_authenticator
    ...
```
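
The README requires an application-supplied user provider, referenced above as `shibboleth.user.provider`. The provider below is an added example, not code from the bundle: it assumes the authenticator passes the `usernameAttribute` value to `loadUserByUsername()`, and the class name, the role map and the use of the `Shib-EduPersonEntitlement` server variable (the name from this README's development Apache config) are illustrative assumptions.

```php
<?php
// Added example, not the bundle's code: namespace, class name and role map are assumptions.
namespace AppBundle\Security;

use Symfony\Component\HttpFoundation\RequestStack;
use Symfony\Component\Security\Core\Exception\UnsupportedUserException;
use Symfony\Component\Security\Core\Exception\UsernameNotFoundException;
use Symfony\Component\Security\Core\User\User;
use Symfony\Component\Security\Core\User\UserInterface;
use Symfony\Component\Security\Core\User\UserProviderInterface;

class ShibbolethUserProvider implements UserProviderInterface
{
    // Constructed mapping: entitlement value => Symfony role.
    private static $roleMap = array('urn:example:entitlement:admin' => 'ROLE_ADMIN');
    private $requestStack;

    public function __construct(RequestStack $requestStack)
    {
        $this->requestStack = $requestStack;
    }

    public function loadUserByUsername($username)
    {
        $request = $this->requestStack->getCurrentRequest();
        if (null === $request || '' === (string) $username) {
            throw new UsernameNotFoundException('No Shibboleth identity in this request.');
        }
        // Read the attribute from server variables, not from $request->headers.
        $raw = (string) $request->server->get('Shib-EduPersonEntitlement', '');
        // The SP joins multiple values with ";" and escapes a literal ";" as "\;".
        $values = str_replace('\\;', ';', preg_split('/(?<!\\\\);/', $raw, -1, PREG_SPLIT_NO_EMPTY));
        $granted = array_intersect_key(self::$roleMap, array_flip($values));
        // Unknown entitlements grant nothing; every authenticated user gets ROLE_USER.
        return new User($username, null, array_values(array_unique(array_merge(array('ROLE_USER'), $granted))));
    }

    public function refreshUser(UserInterface $user)
    {
        if (!$user instanceof User) {
            throw new UnsupportedUserException(get_class($user));
        }
        return $this->loadUserByUsername($user->getUsername());
    }

    public function supportsClass($class)
    {
        return User::class === $class;
    }
}
```

Register the class as the `shibboleth.user.provider` service with `@request_stack` as its constructor argument.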
You should create a simple logout action in any controller:

```php
/**
 * @Route("/logout")
 * @Template()
 * @return \Symfony\Component\HttpFoundation\RedirectResponse
 */
public function logoutAction()
{
    return $this->redirect($this->generateUrl('logged_out'));
}
```

# Impersonate

The authenticator supports the impersonation feature.

In `app/config/security.yml`:

```yaml
    ...
    providers:
        ...
        shibboleth:
            id: shibboleth.user.provider
        in_memory:
            memory: ~
        ...
    ...
    firewalls:
        ...
        main:
            switch_user: { provider: in_memory }
            guard:
                authenticators:
                    - niif_shib_auth.shib_authenticator
            logout:
                path: /logout
                target: /
                invalidate_session: true
                success_handler: niif_shib_auth.shib_authenticator
    ...
```
When developing an application, you need some way to simulate Shibboleth authentication. You can do this in the Apache config after enabling the headers and env modules:
```apache
Alias /my_app /home/me/my_app/web
<Directory /home/me/my_app/web>
    Options Indexes FollowSymLinks
    AllowOverride All
    Require all granted
    SetEnv Shib-Person-uid myuid
    SetEnv Shib-EduPersonEntitlement urn:oid:whatever
    RequestHeader append Shib-Identity-Provider "fakeIdPId"
    RequestHeader append eppn "myeppn"
</Directory>
```