Difference between revisions of "SimpleSAMLphp integration"

From Wiki @ Karl Jones dot com
(Created page with "'''SimpleSAMLphp integration''' is the integration of SimpleSAMLphp with some other system. == simpleSAMLphp modules == Source: * https://simplesamlphp.org/docs/s...")
 
Line 11: Line 11:
 
== Third-party modules ==
 
== Third-party modules ==
  
 +
<div id="content">
 +
<h1>Third-party modules</h1>
  
 +
<p>SimpleSAMLphp contains an Extension API, allowing third-party modules to extend some parts of SimpleSAMLphp. Some of the
 +
most important extension points of SimpleSAMLphp include:</p>
 +
 +
<ul>
 +
<li><strong>Authentication Modules</strong> allow you to implement your own authentication method, such as PKI-based, using a
 +
proprietary user data source, or any other kind of authentication mechanism.</li>
 +
<li><strong>Authentication Processing Filters</strong> allow any kind of processing right after authentication has taken place.</li>
 +
<li><strong>Themes</strong> allow you to customize the look of any page served by SimpleSAMLphp. You can change only the CSS, headers,
 +
footers, or you can modify the look of any particular page.</li>
 +
<li><strong>Modules</strong> allow you to extend SimpleSAMLphp with any new identity protocols, pages, registry systems or anything
 +
you'd like.</li>
 +
</ul>
 +
 +
<p>SimpleSAMLphp comes with a number of modules, authentication modules and processing filters that you may use, or use as
 +
a base for customizing SimpleSAMLphp to fit your specific needs. It also provides:</p>
 +
 +
<ul>
 +
<li>an abstract data store API, allowing alternative ways of storing data</li>
 +
<li>an abstraction layer of metadata handling, allowing alternative implementations of metadata consumption</li>
 +
<li>multiple session handlers, which you can use the session handling built-in to PHP or use memcache</li>
 +
<li>multiple handlers for logging. You can choose between syslog and a normal file logger</li>
 +
</ul>
 +
 +
<p>Apart from the modules that ship by default with SimpleSAMLphp, there's plenty of modules that third-party developers
 +
make available for you to cover specific features. Here we provide a (non-exhaustive) list of modules available:</p>
 +
 +
<h3>How to install third-party modules</h3>
 +
 +
<p>SimpleSAMLphp makes use of <a href="https://getcomposer.org/">Composer</a> to manage dependencies and third-party modules. Those
 +
modules that have been properly configured can be easily installed with composer. Just execute the following command:</p>
 +
 +
<pre><code>composer.phar require vendor/simplesamlphp-module-mymodule version
 +
</code></pre>
 +
 +
<p>where <code>vendor</code> is the name of the vendor of the module, <code>mymodule</code> is the name of the module itself and <code>version</code> is the
 +
version of the module you want to install, for example, 1.0.</p>
 +
 +
<p>Please note that if you don't have console access to your web server, you will need to deploy the module somewhere else
 +
and then copy the files to your server.</p>
 +
 +
<h4>A-Select</h4>
 +
 +
<p>This module allows you to use A-Select (or any service that understands the A-Select 1.5 protocol) to authenticate users
 +
in SimpleSAMLphp.</p>
 +
 +
<p>See the <a href="https://non-gnu.uvt.nl/simplesamlphp-aselect/">website</a> for more information on how to download and install it.</p>
 +
 +
<h4>Attribute Authority</h4>
 +
 +
<p>This module provides back-end SAML Attribute Authority functionality.</p>
 +
 +
<ul>
 +
<li>Package name: <code>NIIF/simplesamlphp-module-aa</code></li>
 +
<li>Repository: <a href="https://github.com/NIIF/simplesamlphp-module-aa">NIIF/simplesamlphp-module-aa</a></li>
 +
</ul>
 +
 +
<h4>Attribute Aggregator</h4>
 +
 +
<p>The Attribute Aggregator module is implemented as an
 +
<a href="http://www.famine.vm/docs/stable/simplesamlphp-authproc">Authentication Processing Filter</a>. It can be configured in the
 +
SP's <code>config.php</code> file.</p>
 +
 +
<p>It is recommended to run the Attribute Aggregator module at the SP and configure the filter to run after the federated
 +
identity, usually <em>eduPersonPrincipalName</em>, is resolved.</p>
 +
 +
<ul>
 +
<li>Package name: <code>NIIF/simplesamlphp-module-attributeaggregator</code></li>
 +
<li>Repository: <a href="https://github.com/NIIF/simplesamlphp-module-attributeaggregator">NIIF/simplesamlphp-module-atributeaggregator</a></li>
 +
</ul>
 +
 +
<h4>Autotest</h4>
 +
 +
<p>This module provides an interface to do automatic testing of authentication sources.</p>
 +
 +
<ul>
 +
<li>Package name: <code>simplesamlphp/simplesamlphp-module-autotest</code></li>
 +
<li>Repository: <a href="https://github.com/simplesamlphp/simplesamlphp-module-autotest">simplesamlphp/simplesamlphp-module-autotest</a></li>
 +
</ul>
 +
 +
<h4>Consent Simple Admin</h4>
 +
 +
<p>A SimpleSAMLphp module implementing a very simple user interface for managing consent.</p>
 +
 +
<ul>
 +
<li>Package name: <code>simplesamlphp/simplesamlphp-module-consentsimpleadmin</code></li>
 +
<li>Repository: <a href="https://github.com/simplesamlphp/simplesamlphp-module-consentsimpleadmin">simplesamlphp/simplesamlphp-module-consentsimpleadmin</a></li>
 +
</ul>
 +
 +
<h4>DiscoJuice</h4>
 +
 +
<p>A SimpleSAMLphp module to provide a very flexible User Interface implementing an IdP Discovery Service. See the
 +
<a href="http://discojuice.org">web page</a> for more information.</p>
 +
 +
<ul>
 +
<li>Package name: <code>simplesamlphp/simplesamlphp-module-discojuice</code></li>
 +
<li>Repository: <a href="https://github.com/simplesamlphp/simplesamlphp-module-discojuice">simplesamlphp/simplesamlphp-module-discojuice</a></li>
 +
</ul>
 +
 +
<h4>InfoCard</h4>
 +
 +
<p>This is a SimpleSAMLphp module that works with Information Cards technologies and provides some basic functionalities:</p>
 +
 +
<ul>
 +
<li><p><strong>RP</strong>: acting as a Relying Party, you can accept user authentication through InfoCards consuming tokens sent by an
 +
STS.</p></li>
 +
<li><p><strong>STS</strong>: acting as a Secure Token Service you can provide information to a RP generating tokens. Currently, only user
 +
password and self issued credentials are supported.</p></li>
 +
<li><p><strong>InfoCard Generator</strong>: your users could request their InfoCard filling a form with their username and password.</p></li>
 +
<li><p>Package name: <code>simplesamlphp/simplesamlphp-module-infocard</code></p></li>
 +
<li>Repository: <a href="https://github.com/simplesamlphp/simplesamlphp-module-infocard">simplesamlphp/simplesamlphp-module-infocard</a></li>
 +
</ul>
 +
 +
<h4>Kerberos</h4>
 +
 +
<p>Kerberos 5 authentication module for SimpleSAMLphp.</p>
 +
 +
<ul>
 +
<li>Package name: <code>ualberta-iapps/simplesamlphp-module-kerberos</code></li>
 +
<li>Repository: <a href="https://github.com/ualberta-iapps/simplesamlphp-module-kerberos">ualberta-iapps/simplesamlphp-module-kerberos</a></li>
 +
</ul>
 +
 +
<h4>Logpeek</h4>
 +
 +
<p>This module provides a web API that you can use to search for all to lines in the logs corresponding to a specific
 +
session identifier.</p>
 +
 +
<ul>
 +
<li>Package name: <code>simplesamlphp/simplesamlphp-module-logpeek</code></li>
 +
<li>Repository: <a href="https://github.com/simplesamlphp/simplesamlphp-module-logpeek">simplesamlphp/simplesamlphp-module-logpeek</a></li>
 +
</ul>
 +
 +
<h4>Metadata aggregator</h4>
 +
 +
<p>This module aggregates a set of SAML entities into SAML 2.0 metadata documents. The resulting metadata documents contain
 +
an EntitiesDescriptor element with the multiple entities configured as sources inside. Multiple aggregates can be
 +
configured at the same time.</p>
 +
 +
<p>Please note that <strong>this module has been deprecated</strong> in favour of the more recent
 +
<a href="https://github.com/simplesamlphp/simplesamlphp-module-aggregator2">Aggregator2 module</a>.</p>
 +
 +
<ul>
 +
<li>Package name: <code>simplesamlphp/simplesamlphp-module-aggregator</code></li>
 +
<li>Repository: <a href="https://github.com/simplesamlphp/simplesamlphp-module-aggregator">simplesamlphp/simplesamlphp-module-aggregator</a></li>
 +
</ul>
 +
 +
<h4>Metadata aggregator 2</h4>
 +
 +
<p>This is a module for metadata aggregation. It is designed to preserve most of the common metadata items, and it also
 +
attempts to preserve unknown elements. It parses and rebuilds metadata sources, so small differences between them and
 +
the generated metadata may occur.</p>
 +
 +
<p>Please note that this aggregator works only with XML metadata, and does its work independently of other parts of
 +
SimpleSAMLphp, such as the <em>metarefresh</em> module.</p>
 +
 +
<ul>
 +
<li>Package name: <code>simplesamlphp/simplesamlphp-module-aggregator2</code></li>
 +
<li>Repository: <a href="https://github.com/simplesamlphp/simplesamlphp-module-aggregator2">simplesamlphp/simplesamlphp-module-aggregator2</a></li>
 +
</ul>
 +
 +
<h4>Metaedit</h4>
 +
 +
<p>This module allows you to do very basic editing of metadata (AssertionConsumerService, SingleLogoutService, name and
 +
description, as well as manually registering metadata for service providers.</p>
 +
 +
<ul>
 +
<li>Package name: <code>simplesamlphp/simplesamlphp-module-metaedit</code></li>
 +
<li>Repository: <a href="https://github.com/simplesamlphp/simplesamlphp-module-metaedit">simplesamlphp/simplesamlphp-module-metaedit</a></li>
 +
</ul>
 +
 +
<h4>Modinfo</h4>
 +
 +
<p>A very straightforward module for SimpleSAMLphp that displays the list of modules and their status in the web interface.</p>
 +
 +
<ul>
 +
<li>Package name: <code>simplesamlphp/simplesamlphp-module-modinfo</code></li>
 +
<li>Repository: <a href="https://github.com/simplesamlphp/simplesamlphp-module-modinfo">simplesamlphp/simplesamlphp-module-modinfo</a></li>
 +
</ul>
 +
 +
<h4>OAuth2</h4>
 +
 +
<p>A module adding support for <a href="http://oauth.net/2/">the OAuth2 protocol</a>.</p>
 +
 +
<ul>
 +
<li>Package name: <code>sgomez/simplesamlphp-module-oauth2</code></li>
 +
<li>Repository: <a href="https://github.com/sgomez/simplesamlphp-module-oauth2">sgomez/simplesamlphp-module-oauth2</a></li>
 +
</ul>
 +
 +
<h4>OpenID Consumer</h4>
 +
 +
<p>A module adding support for the OpenID protocol as a Consumer.</p>
 +
 +
<ul>
 +
<li>Package name: <code>simplesamlphp/simplesamlphp-module-openid</code></li>
 +
<li>Repository: <a href="https://github.com/simplesamlphp/simplesamlphp-module-openid">simplesamlphp/simplesamlphp-module-openid</a></li>
 +
</ul>
 +
 +
<h4>OpenID Provider</h4>
 +
 +
<p>A module adding support for the OpenID protocol as an Identity Provider.</p>
 +
 +
<ul>
 +
<li>Package name: <code>simplesamlphp/simplesamlphp-module-openidprovider</code></li>
 +
<li>Repository: <a href="https://github.com/simplesamlphp/simplesamlphp-module-openidprovider">simplesamlphp/simplesamlphp-module-openidprovider</a></li>
 +
</ul>
 +
 +
<h4>PAPI</h4>
 +
 +
<p>This authentication module makes use of an external library, <a href="https://forja.rediris.es/projects/phppoa/"><em>phpPoA</em></a>, in
 +
order to authenticate users by means of the PAPI protocol. It can therefore be used to bridge between protocols,
 +
behaving like a PAPI <em>Point of Access</em> or as a <em>Service Provider</em>.</p>
 +
 +
<ul>
 +
<li>Package name: <code>rediris-es/simplesamlphp-module-papi</code></li>
 +
<li>Repository: <a href="https://github.com/rediris-es/simplesamlphp-module-papi">rediris-es/simplesamlphp-module-papi</a></li>
 +
</ul>
 +
 +
<h4>SAML 2.0 Debugger</h4>
 +
 +
<p>This module allows you to debug SAML 2.0 messages by decoding or encoding them according to the binding they are using,
 +
supporting both the HTTP-Redirect and HTTP-POST bindings.</p>
 +
 +
<ul>
 +
<li>Package name: <code>simplesamlphp/simplesamlphp-module-saml2debug</code></li>
 +
<li>Repository: <a href="https://github.com/simplesamlphp/simplesamlphp-module-saml2debug">simplesamlphp/simplesamlphp-module-saml2debug</a></li>
 +
</ul>
 +
 +
<h4>Selfregister</h4>
 +
 +
<p>A module that allows registration of users accounts. The original version was developed by UNINETT and supported LDAP as
 +
a backend. This fork adds support for SQL databases as the back-end.</p>
 +
 +
<ul>
 +
<li>Package name: <code>geant/simplesamlphp-module-selfregister</code></li>
 +
<li>Repository: <a href="https://github.com/TERENA/simplesamlphp-module-selfregister">geant/simplesamlphp-module-selfregister</a></li>
 +
</ul>
 +
 +
<h4>VOOT Groups</h4>
 +
 +
<p>A module to fetch group memberships from an API service protected with OAuth 2.0 using the VOOT protocol and add them
 +
to the list of attributes received from the identity provider.</p>
 +
 +
<ul>
 +
<li>Package name: <code>openconextapps/simplesamlphp-module-vootgroups</code></li>
 +
<li>Repository: <a href="https://github.com/OpenConextApps/ssp-voot-groups">OpenConextApps/ssp-voot-groups</a></li>
 +
</ul>
 +
 +
<h2>Extending SimpleSAMLphp</h2>
 +
 +
<p>If you plan to extend SimpleSAMLphp with some functionality, we advise you to follow these recommendations:</p>
 +
 +
<ol>
 +
<li><p>Check the existing functionalities and modules. The feature you want to implement may already exist.</p></li>
 +
<li><p>Try to code with the <a href="http://www.php-fig.org/psr/psr-2/">PHP PSR-2 guidelines</a> in mind.</p></li>
 +
<li><p>Make sure your module is <a href="https://github.com/simplesamlphp/composer-module-installer">installable through composer</a>.</p></li>
 +
<li><p>Let us know about your module so we can reference it in this web site, so that our users can easily find it.</p></li>
 +
</ol>
 +
 +
</div>
  
 
Source:
 
Source:
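
Review bot: the raw `<a href="...">` anchors pasted throughout this hunk (the Composer link under "How to install third-party modules" is the first) are not accepted by MediaWiki as wikitext, so the rendered revision shows the tags as literal text instead of links; rewrite them as external links, for example `[https://getcomposer.org/ Composer]`. The `<pre><code>` wrapper around the `composer.phar require` command has the same effect and leaves a literal `<code>` in the rendered command, so a plain `<pre>` is enough. Three link details also need checking before this is saved: the Attribute Aggregator paragraph links to `http://www.famine.vm/docs/stable/simplesamlphp-authproc`, which does not look like a public hostname; the repository link text for that module reads `atributeaggregator` while its href has `attributeaggregator`; and the Selfregister entry gives the package as `geant/simplesamlphp-module-selfregister` while the href points at `github.com/TERENA/simplesamlphp-module-selfregister`.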

Revision as of 06:18, 14 October 2015

SimpleSAMLphp integration is the integration of SimpleSAMLphp with some other system.

simpleSAMLphp modules

Source:

Third-party modules

SimpleSAMLphp contains an Extension API, allowing third-party modules to extend some parts of SimpleSAMLphp. Some of the most important extension points of SimpleSAMLphp include:

  • Authentication Modules allow you to implement your own authentication method, such as PKI-based, using a proprietary user data source, or any other kind of authentication mechanism.
  • Authentication Processing Filters allow any kind of processing right after authentication has taken place.
  • Themes allow you to customize the look of any page served by SimpleSAMLphp. You can change only the CSS, headers, footers, or you can modify the look of any particular page.
  • Modules allow you to extend SimpleSAMLphp with any new identity protocols, pages, registry systems or anything you'd like.

SimpleSAMLphp comes with a number of modules, authentication modules and processing filters that you may use, or use as a base for customizing SimpleSAMLphp to fit your specific needs. It also provides:

  • an abstract data store API, allowing alternative ways of storing data
  • an abstraction layer of metadata handling, allowing alternative implementations of metadata consumption
  • multiple session handlers: you can use the session handling built into PHP or use memcache
  • multiple handlers for logging. You can choose between syslog and a normal file logger

Apart from the modules that ship by default with SimpleSAMLphp, there are plenty of modules that third-party developers make available to cover specific features. Here we provide a (non-exhaustive) list of the modules available:

How to install third-party modules

SimpleSAMLphp makes use of <a href="https://getcomposer.org/">Composer</a> to manage dependencies and third-party modules. Those modules that have been properly configured can be easily installed with composer. Just execute the following command:

<code>composer.phar require vendor/simplesamlphp-module-mymodule version
</code>

where vendor is the name of the vendor of the module, mymodule is the name of the module itself and version is the version of the module you want to install, for example, 1.0.

Please note that if you don't have console access to your web server, you will need to deploy the module somewhere else and then copy the files to your server.

A-Select

This module allows you to use A-Select (or any service that understands the A-Select 1.5 protocol) to authenticate users in SimpleSAMLphp.

See the <a href="https://non-gnu.uvt.nl/simplesamlphp-aselect/">website</a> for more information on how to download and install it.

Attribute Authority

This module provides back-end SAML Attribute Authority functionality.

Attribute Aggregator

The Attribute Aggregator module is implemented as an <a href="http://www.famine.vm/docs/stable/simplesamlphp-authproc">Authentication Processing Filter</a>. It can be configured in the SP's config.php file.

It is recommended to run the Attribute Aggregator module at the SP and configure the filter to run after the federated identity, usually eduPersonPrincipalName, is resolved.

Autotest

This module provides an interface to do automatic testing of authentication sources.

Consent Simple Admin

A SimpleSAMLphp module implementing a very simple user interface for managing consent.

DiscoJuice

A SimpleSAMLphp module to provide a very flexible User Interface implementing an IdP Discovery Service. See the <a href="http://discojuice.org">web page</a> for more information.

InfoCard

This is a SimpleSAMLphp module that works with Information Cards technologies and provides some basic functionalities:

  • RP: acting as a Relying Party, you can accept user authentication through InfoCards consuming tokens sent by an STS.

  • STS: acting as a Secure Token Service, you can provide information to an RP by generating tokens. Currently, only user password and self-issued credentials are supported.

  • InfoCard Generator: your users could request their InfoCard filling a form with their username and password.

  • Package name: simplesamlphp/simplesamlphp-module-infocard

  • Repository: <a href="https://github.com/simplesamlphp/simplesamlphp-module-infocard">simplesamlphp/simplesamlphp-module-infocard</a>

Kerberos

Kerberos 5 authentication module for SimpleSAMLphp.

Logpeek

This module provides a web API that you can use to search for all lines in the logs corresponding to a specific session identifier.

Metadata aggregator

This module aggregates a set of SAML entities into SAML 2.0 metadata documents. The resulting metadata documents contain an EntitiesDescriptor element with the multiple entities configured as sources inside. Multiple aggregates can be configured at the same time.

Please note that this module has been deprecated in favour of the more recent <a href="https://github.com/simplesamlphp/simplesamlphp-module-aggregator2">Aggregator2 module</a>.

Metadata aggregator 2

This is a module for metadata aggregation. It is designed to preserve most of the common metadata items, and it also attempts to preserve unknown elements. It parses and rebuilds metadata sources, so small differences between them and the generated metadata may occur.

Please note that this aggregator works only with XML metadata, and does its work independently of other parts of SimpleSAMLphp, such as the metarefresh module.

Metaedit

This module allows you to do very basic editing of metadata (AssertionConsumerService, SingleLogoutService, name and description), as well as manually registering metadata for service providers.

Modinfo

A very straightforward module for SimpleSAMLphp that displays the list of modules and their status in the web interface.

OAuth2

A module adding support for <a href="http://oauth.net/2/">the OAuth2 protocol</a>.

OpenID Consumer

A module adding support for the OpenID protocol as a Consumer.

OpenID Provider

A module adding support for the OpenID protocol as an Identity Provider.

PAPI

This authentication module makes use of an external library, <a href="https://forja.rediris.es/projects/phppoa/">phpPoA</a>, in order to authenticate users by means of the PAPI protocol. It can therefore be used to bridge between protocols, behaving like a PAPI Point of Access or as a Service Provider.

SAML 2.0 Debugger

This module allows you to debug SAML 2.0 messages by decoding or encoding them according to the binding they are using, supporting both the HTTP-Redirect and HTTP-POST bindings.

Selfregister

A module that allows registration of user accounts. The original version was developed by UNINETT and supported LDAP as a back-end. This fork adds support for SQL databases as the back-end.

VOOT Groups

A module to fetch group memberships from an API service protected with OAuth 2.0 using the VOOT protocol and add them to the list of attributes received from the identity provider.

Extending SimpleSAMLphp

If you plan to extend SimpleSAMLphp with some functionality, we advise you to follow these recommendations:

  1. Check the existing functionalities and modules. The feature you want to implement may already exist.

  2. Try to code with the <a href="http://www.php-fig.org/psr/psr-2/">PHP PSR-2 guidelines</a> in mind.

  3. Make sure your module is <a href="https://github.com/simplesamlphp/composer-module-installer">installable through composer</a>.

  4. Let us know about your module so we can reference it in this web site, so that our users can easily find it.

Source:

See also