Single Sign On Service Provider

, _(*1)

Disclaimer

I am by no means a security expert. I'm not bad at it either, but I cannot vouch for the security of this bundle. You can use this in production if you want, but please do so at your own risk. That said, if you'd like to contribute to make this bundle better/safer, you can always create an issue or send a pull request., _(*2)

Description

This bundle provides an easy way to integrate a single-sign-on in your website. It uses an existing ('main') firewall for the actual authentication, and redirects all configured SSO-routes to authenticate via a one-time-password., _(*3)

Installation

Installation is a quick 5 steps process:, _(*4)

Download SingleSignOnServiceProviderBundle using composer
Enable the bundle
Configure SingleSignOnServiceProviderBundle
Enable the route to validate OTP
Modify security settings

Step 1: Download SingleSignOnServiceProviderBundle using composer

Tell composer to require the package:, _(*5)

``` bash composer require korotovsky/sso-sp-bundle, _(*6)


Composer will install the bundle to your project's `vendor/korotovsky` directory.

### Step 2: Enable the bundle

``` php

Step 3: Configure SingleSignOnServiceProviderBundle

Add the following settings to your config.yml., _(*7)

``` yaml, _(*8)

app/config/config.yml

krtv_single_sign_on_service_provider: host: idp.example.com host_scheme: http, _(*9)

login_path:           /sso/login/

# Configuration for OTP managers
otp_manager:
    name: http
    managers:
        http:
            provider: guzzle     # Active provider for HTTP OTP manager
            providers:           # Available HTTP providers
                service:
                    # the service must implement Krtv\SingleSignOn\Manager\Http\Provider\ProviderInterface
                    id: krtv_single_sign_on_service_provider.security.authentication.otp_manager.http.provider.guzzle

                guzzle:
                    # in case you don't have a guzzle client, you must create one
                    client:   acme_bundle.guzzle_service
                    # the route that was created in the IdP bundle
                    resource: http://idp.example.com/internal/v1/sso

otp_parameter:        _otp
secret_parameter:     secret


### Step 4: Enable route to validate OTP

``` yaml
# app/config/routing.yml
otp:
    # this needs to be the same as the check_path, specified later on in security.yml
    path: /otp/validate/

Step 5: Modify security settings

``` yaml, _(*10)

app/config/security.yml

security: firewalls: main: pattern: ^/ sso: require_previous_session: false provider: main check_path: /otp/validate/ # Same as in app/config/routing.yml, _(*11)

            sso_scheme:               http               # Required
            sso_host:                 idp.example.com    # Required

            sso_otp_scheme:           http               # Optional
            sso_otp_host:             consumer1.com      # Optional

            sso_failure_path:         /login             # Can also be as an absolute path to service provider
            sso_path:                 /sso/login/        # SSO endpoint on IdP.

            sso_service_extra:           null            # Default service extra parameters. Optional.
            sso_service_extra_parameter: service_extra   # Parameter name. Optional

            sso_login_required:           1              # Optional
            sso_login_required_parameter: login_required # Optional

            sso_service:                  consumer1      # Consumer name

        logout:
            invalidate_session: true
            path:               /logout
            target:             http://idp.example.com/sso/logout?service=consumer1

```, _(*12)

Public API of this bundle

This bundle registers several services into service container. This services will help you customize SSO flow in the you application:, _(*13)

sso_service_provider.otp_manager – Manager for working with OTP-tokens. Checking and receiving.
sso_service_provider.uri_signer -Service for signing URLs, if you need to redirect users to /sso/login yourself.