2017 © Pedro Peláez
 

simplesamlphp-module simplesamlphp-module-selfregister

Allows self registration of user accounts using an SQL database back-end.


geant/simplesamlphp-module-selfregister


  • Wednesday, February 21, 2018
  • by geant
  • Repository
  • 5 Watchers
  • 5 Stars
  • 86 Installations
  • PHP
  • 0 Dependents
  • 0 Suggesters
  • 11 Forks
  • 3 Open issues
  • 1 Versions
  • 0 % Grown

The README.md

Selfregister

This is a SimpleSAMLphp module that allows registration of user accounts. The original version was developed by UNINETT and supported LDAP as a back-end. This fork adds support for SQL databases as the back-end.

The module needs an sqlauth:SQL authentication source as the place to store user accounts. You can use an existing authsource; just make sure the credentials used allow for writing.

People that want to sign up for an account need to fill in their e-mail address, and they get sent a URL with a token to confirm the address. Upon verification the user then needs to choose a username, a password, and values for first and last name. These values are stored in the SQL back-end. To store the password securely it is hashed with a salt, which is saved in a separate database column. This approach allows the database to do the password verification.

Enable this module the standard way (i.e. touch the file enable in the module directory, and copy the default configuration file to config/).

MySQL back-end

The default configuration file module_selfregister.php contains all the necessary statements.

Database set-up

Create the database, add a user, and assign permissions:

CREATE DATABASE ssp_selfregister;
GRANT ALL on ssp_selfregister.* to 'ssp_user'@'localhost' IDENTIFIED by 'hackme';
FLUSH PRIVILEGES;

Create the table that will hold your users:

CREATE TABLE users (
    `userid` varchar(32) NOT NULL,
    `password` text NOT NULL,
    `salt` blob,
    `firstname` text,
    `lastname` text,
    `created` datetime NOT NULL,
    `email` varchar(255) NOT NULL,
    `updated` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP,
    PRIMARY KEY (`userid`),
    UNIQUE KEY `UE` (`email`)
);

authsource set-up

Create the accompanying authsource in config/authsources.php:

'selfregister-mysql' => array(
    'sqlauth:SQL',
    'dsn' => 'mysql:host=localhost;dbname=ssp_selfregister',
    'username' => 'ssp_user',
    'password' => 'hackme',
    'query' => 'SELECT userid, firstname, lastname, email FROM users WHERE userid = :username
                AND password = SHA2(
                    CONCAT(
                        (SELECT salt FROM users WHERE userid = :username),
                        :password
                    ),
                    512
                )',
),

PostgreSQL back-end

Database set-up

As the postgres super user, create a new role, and a new database that is owned by the new user:

createuser -D -I -R -S -P ssp_user
createdb -O ssp_user -T template0 ssp_selfregister

In order to use the crypto that is needed to do the password verification, you need to add the pgcrypto extension to the database. As the postgres super user:

psql ssp_selfregister
CREATE EXTENSION pgcrypto;

This in turn might depend on an extra package; on Debian/Ubuntu this is the postgresql-contrib package.

authsource set-up

Create the accompanying authsource in config/authsources.php (and remember to update the auth statement in module_selfregister.php):

'selfregister-pgsql' => array(
    'sqlauth:SQL',
    'dsn' => 'pgsql:host=ip6-localhost;dbname=ssp_selfregister',
    'username' => 'ssp_user',
    'password' => 'hackme',
    'query' => "
        SELECT userid, firstname, lastname, email FROM users WHERE userid = :username
        AND password = encode(
            digest(CONCAT((SELECT salt FROM users WHERE userid = :username), :password::TEXT), 'sha512'),
            'hex')",
),
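The password-storage paragraph above and the two sqlauth:SQL queries (MySQL and PostgreSQL) rely on one scheme: the database recomputes hex(SHA-512(salt || password)) and compares it to the stored column. The following Python script is an added example, not code from the module or from the README, that reproduces that computation so an administrator can check that what the registration side writes into `password` and `salt` is what the login query will accept. It assumes a hex-encoded (plain ASCII) salt and UTF-8 passwords; the module's own salt format is not specified on the page, and the function names are the example's own.

```python
"""Reproduce the salted SHA-512 check used by the sqlauth:SQL queries.

Constructed example (not module code). MySQL's SHA2(CONCAT(salt, :password), 512)
and PostgreSQL's encode(digest(salt || :password, 'sha512'), 'hex') both return
lower-case hex, so hashlib's hexdigest() is the value the registration side
must store for the login query to match.
"""
import hashlib
import hmac
import secrets
from typing import Optional, Tuple


def new_salt(nbytes: int = 16) -> str:
    """Random salt, hex-encoded so it is printable ASCII.

    Assumption made by this example: keeping the salt as text means the PHP
    side and both database engines concatenate exactly the same bytes.
    """
    return secrets.token_hex(nbytes)


def password_record(password: str, salt: Optional[str] = None) -> Tuple[str, str]:
    """Return (salt, stored_hash) as they would be written to the users table.

    stored_hash is lower-case hex of SHA-512(salt || password), matching the
    output of SHA2(..., 512) on MySQL and encode(digest(...), 'hex') on PostgreSQL.
    """
    salt = salt if salt is not None else new_salt()
    digest = hashlib.sha512(salt.encode("utf-8") + password.encode("utf-8")).hexdigest()
    return salt, digest


def database_would_accept(stored_hash: str, salt: str, candidate: str) -> bool:
    """Mirror the WHERE clause: password = hex(sha512(salt || candidate)).

    Constant-time comparison here; inside the database the comparison is a
    plain SQL '=', which is what the README's design accepts in exchange for
    letting the database do the verification.
    """
    _, recomputed = password_record(candidate, salt)
    return hmac.compare_digest(stored_hash, recomputed)


def salt_encoding_matters(password: str = "hunter2") -> bool:
    """Failure mode to watch for: hashing the raw salt bytes on one side and
    their text (hex) form on the other gives different digests, so every login
    fails even though both sides "used the same salt". Returns True when the
    two digests differ (always, since the byte strings have different lengths).
    """
    raw = secrets.token_bytes(16)                       # constructed salt
    with_raw_bytes = hashlib.sha512(raw + password.encode("utf-8")).hexdigest()
    _, with_hex_text = password_record(password, raw.hex())
    return with_raw_bytes != with_hex_text


if __name__ == "__main__":
    salt, stored = password_record("correct horse battery staple")  # constructed input
    print("salt     =", salt)
    print("password =", stored)
    print("login ok :", database_would_accept(stored, salt, "correct horse battery staple"))
    print("wrong pw :", database_would_accept(stored, salt, "Tr0ub4dor&3"))
    print("raw vs hex salt differ:", salt_encoding_matters())
```

Two points the script makes explicit: the `salt` column is a blob in the MySQL table above, so whatever representation the registration code concatenates must be byte-for-byte what `CONCAT()` sees, and on PostgreSQL `CONCAT()` renders a bytea in its text form, so storing the salt as text on both engines avoids that mismatch. Note also that a single salted SHA-512 is a fast hash rather than a work-factor password function; that is the trade-off the README's design makes so that verification can happen inside the database query.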

Attribute mapping

Add the following authproc filter to the IdP metadata (metadata/saml20-idp-hosted.php), so that the attributes will have the standard names:

'authproc' => array(
    10 => array(
        'class' => 'core:AttributeMap',
        'userid'    => 'uid',
        'email'     => 'mail',
        'lastname'  => 'sn',
        'firstname' => 'givenName',
    ),
),

The Versions

  • dev-master (9999999-dev), 21/02 2018
