
baukezwaan/silverstripe-saml


SilverStripe SAML module


NOTE: Module is unstable and untested

Introduction

This SilverStripe module provides single sign-on authentication integration with a SAML provider.

This component can also be used alongside the default SilverStripe authentication scheme.

Requirements

  • PHP 5.6+ with extensions: openssl, dom, and mcrypt (mcrypt is deprecated since PHP 7.1 and was removed from PHP core in 7.2, so on 7.2+ it has to be installed from PECL)
  • SilverStripe 4.0+
  • Active Directory Federation Services 2.0 or greater (ADFS)
  • HTTPS endpoint on SilverStripe site
  • HTTPS endpoint on ADFS

This module has previously been tested on the following configurations, but is now untested:

  • Windows Server 2008 R2 with ADFS 2.0
  • Windows Server 2012 R2 with ADFS 3.0

Note: For LDAP only Active Directory integration, please see silverstripe-ldap.

Overview

(Image) Typical authentication and authorisation flow for this module

Security Assertion Markup Language (SAML) is an XML-based, open-standard data format for exchanging authentication and authorization data between parties. The single most important requirement that SAML addresses is web browser single sign-on (SSO).

With this module, a SilverStripe site is able to act as a SAML Service Provider (SP) entity, and thus allows users to perform a single sign-on against a centralised user directory (an Identity Provider, IdP).

The intended counterparty for this module is the Active Directory Federation Services (ADFS). ADFS is a software component developed by Microsoft that can be installed on Windows Server operating systems to provide users with single sign-on access to systems and applications located across organizational boundaries.

ADFS uses a claims-based access control authorization model to maintain application security and implement federated identity. We rely on this mechanism for authentication, and for automated synchronisation of some basic personal details into SilverStripe.

This module only synchronises the basic personal details carried in the SAML claims; it does not store additional user attributes. If that is desired, you can optionally install the silverstripe-ldap module and run it alongside to synchronise custom user attributes from an Active Directory server.

Security

With appropriate configuration, this module provides a secure means of authentication and authorisation.

The SAML authentication exchange passes through the user's browser, so users must communicate with both SilverStripe and ADFS over HTTPS. Likewise, for AD authentication to be secure, users must access the SilverStripe site over HTTPS.

SilverStripe trusts ADFS responses because their XML signatures verify against a pre-shared X.509 certificate. The (public) certificates are exchanged between the Identity Provider (ADFS) and the Service Provider (SilverStripe site) during the initial configuration phase; if ADFS rolls over its token-signing certificate, the copy held by SilverStripe has to be updated or responses will stop verifying.

AD user synchronisation and authentication over LDAP take place server to server, out of the user's browser, but must still use encrypted LDAP to prevent eavesdropping (either StartTLS or LDAPS; this is configurable). If the webserver and the AD server are hosted in different locations, a VPN could also be used to further encapsulate the traffic going over the public internet.
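The signature check described above proves that ADFS issued a response; it does not by itself prove the response was meant for this site, for this login attempt, or is still within its validity window. The following is an added example, not code from this module, of the checks an SP makes on the posted SAML Response before trusting it, followed by extraction of the ADFS claims that drive the Member sync described in the Overview. It assumes the assertion's XML signature has already been verified against the pinned IdP certificate, and the entity IDs, ACS URL, claim-to-field mapping, clock-skew tolerance and the sample response are all constructed placeholders.

```python
"""Checks an SP must make on the SAML Response ADFS posts to its ACS URL, then
extraction of the claims that drive the Member sync.  Added example, not the
module's code; the assertion's signature is assumed to be verified already."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET   # use defusedxml in production to harden parsing

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
CLOCK_SKEW = timedelta(minutes=3)   # tolerated SP/IdP clock drift (assumed value)
# ADFS claim types mapped onto SilverStripe Member fields (assumed mapping)
CLAIM_MAP = {
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": "Email",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname": "FirstName",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname": "Surname",
}
# Hypothetical SP settings; request_id is the AuthnRequest ID we stored in the session
SP = dict(idp_entity_id="http://adfs.example.com/adfs/services/trust",
          sp_entity_id="https://www.example.com",
          acs_url="https://www.example.com/saml/acs", request_id="_req1")
NOW = datetime(2024, 5, 1, 10, 1, tzinfo=timezone.utc)   # "current" time for the demo


class SamlError(Exception):
    pass

def _require(ok, msg):
    if not ok:
        raise SamlError(msg)

def _ts(value):
    """SAML timestamps are UTC ISO 8601 ending in Z; ADFS may add fractional seconds."""
    plain = value.rstrip("Z").split(".")[0]
    return datetime.strptime(plain, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def validate_response(xml_text, now, idp_entity_id, sp_entity_id, acs_url, request_id):
    """Return the claims dict if every check passes, otherwise raise SamlError."""
    root = ET.fromstring(xml_text)
    _require(root.tag == "{%s}Response" % NS["samlp"], "not a samlp:Response")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    _require(code is not None and code.get("Value") == SUCCESS, "IdP reported failure")
    # Response must be for our ACS endpoint and for a request we actually issued
    _require(root.get("Destination") == acs_url, "Destination is not our ACS URL")
    _require(root.get("InResponseTo") == request_id, "unsolicited or replayed response")
    a = root.find("saml:Assertion", NS)
    _require(a is not None, "no plaintext assertion")
    _require(a.findtext("saml:Issuer", namespaces=NS) == idp_entity_id, "unexpected issuer")
    cond = a.find("saml:Conditions", NS)
    _require(cond is not None, "assertion has no Conditions")
    _require(now + CLOCK_SKEW >= _ts(cond.get("NotBefore")), "assertion not yet valid")
    _require(now - CLOCK_SKEW < _ts(cond.get("NotOnOrAfter")), "assertion expired")
    audiences = [x.text for x in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    _require(sp_entity_id in audiences, "assertion not addressed to this SP")
    # Bearer confirmation: recipient, binding to our request, and a short replay window
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    _require(scd is not None and scd.get("Recipient") == acs_url
             and scd.get("InResponseTo") == request_id, "SubjectConfirmationData mismatch")
    _require(now - CLOCK_SKEW < _ts(scd.get("NotOnOrAfter")), "bearer confirmation expired")
    claims = {"NameID": a.findtext("saml:Subject/saml:NameID", namespaces=NS)}
    for attr in a.findall("saml:AttributeStatement/saml:Attribute", NS):
        field = CLAIM_MAP.get(attr.get("Name"))
        if field:
            claims[field] = attr.findtext("saml:AttributeValue", namespaces=NS)
    return claims

def check(xml_text, now=NOW, **overrides):
    """Convenience wrapper: claims dict on success, the rejection reason otherwise."""
    try:
        return validate_response(xml_text, now, **{**SP, **overrides})
    except SamlError as err:
        return str(err)

# Constructed sample of what ADFS would post (ds:Signature element omitted for brevity)
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0" IssueInstant="2024-05-01T10:00:00Z"
 Destination="https://www.example.com/saml/acs" InResponseTo="_req1">
 <saml:Issuer>http://adfs.example.com/adfs/services/trust</saml:Issuer>
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T10:00:00Z">
  <saml:Issuer>http://adfs.example.com/adfs/services/trust</saml:Issuer>
  <saml:Subject><saml:NameID>jane.doe@example.com</saml:NameID>
   <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData
    Recipient="https://www.example.com/saml/acs" InResponseTo="_req1" NotOnOrAfter="2024-05-01T10:05:00Z"/>
   </saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T10:00:00Z" NotOnOrAfter="2024-05-01T11:00:00Z">
   <saml:AudienceRestriction><saml:Audience>https://www.example.com</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
   <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"><saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    print(check(SAMPLE_RESPONSE))                          # claims dict for the Member sync
    print(check(SAMPLE_RESPONSE, now=NOW.replace(minute=21)))  # same response replayed later
```

The bearer confirmation window (NotOnOrAfter on SubjectConfirmationData) is deliberately checked separately from the assertion's Conditions: ADFS sets it to a few minutes, so a captured response is rejected as a replay long before the assertion itself expires. A real SP additionally records the assertion ID and refuses to accept it twice within that window, and only reaches any of these checks after the signature over the assertion has verified against the pinned certificate.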

In-depth guides

Changelog

Please see the GitHub releases for changes.
