madmatt / silverstripe-shibboleth
Adds Shibboleth single-sign-on support to SilverStripe
- Homepage:
- https://github.com/madmatt/silverstripe-shibboleth.git
- Packagist:
- https://packagist.org/packages/madmatt/silverstripe-shibboleth
- Repository:
- https://github.com/madmatt/silverstripe-shibboleth
- Authors:
Matt Peel
Readme
silverstripe-shibboleth
Extends the silverstripe-activedirectory module for SilverStripe 3 to provide Shibboleth specific bindings, and allow the silverstripe-activedirectory module to be used with a Shibboleth-backed identity provider (IdP).
See the silverstripe-activedirectory developer documentation for the majority of information on how to configure this module. Additional features specific to Shibboleth are noted below.
Custom configuration
Implementing your own custom SAMLConfiguration
This module defines a sub-class of SAMLConfiguration for the SAMLConfService. If you want to extend it, make sure you extend ShibSAMLConfiguration.
Specifying a custom attribute as the NameID
Some Shibboleth implementations will always present a transient NameID, meaning that it can't be used to identify the same user every time. If this is the case, check with the IdP vendor first - the best option is to have the NameID returned in a persistent format (see Shibboleth Name Identifiers documentation).
However, if changing this isn't possible, you can optionally specify an attribute that is returned in the SAML response to use instead as the 'NameID' (e.g. the unique value used to lookup a user).
Do this by adding the following to your YML configuration:
# The below will use the eduPersonPrincipalName attribute to determine the NameID
# See a full list of oid -> 'friendly name' mappings here: https://incommon.org/community-practices-and-standards/object-identifier-registrations/
SAMLConfiguration:
nameid_override_attribute: "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"Specifying a custom SilverStripe field to compare the NameID to
By default, the Shibboleth module does not change how the NameID is compared to how the base module works (e.g. it will store the NameID in the GUID column, and lookup existing members using that field). However, you can override this by providing a value for the shib_unique_identifier_field config variable.
This may be useful in a situation where you are migrating from the old SilverStripe auth_external module, using the Apache mod_shib module (which populates $_SERVER['REMOTE_USER'] by default).
SAMLConfiguration:
shib_unique_identifier_field: EmailModule rating breakdown
Module rating system helping users find modules that are well supported. For more on how the rating system works visit Module standards
Score not correct? Let us know there is a problem
Versions
Requires
- php: >=7.1
- silverstripe/framework: ^3.7
- silverstripe/activedirectory: ^3
- silverstripe/saml: ^2.0
Requires
- php: >=7.1
- silverstripe/saml: ^2.0
Requires
- php: >=7.1
- silverstripe/framework: ^3.7
- silverstripe/activedirectory: ^3
Requires
- php: >=7.1
- silverstripe/framework: ^3.7
- silverstripe/activedirectory: ^3
Requires
- php: >=7.1
- silverstripe/framework: ^3.7
- silverstripe/activedirectory: ^3