I am by no means a security expert. I'm not bad at it either, but I cannot vouch for the security of this bundle. You can use this in production if you want, but please do so at your own risk. That said, if you'd like to contribute to make this bundle better/safer, you can always create an issue or send a pull request.
This bundle provides an easy way to integrate single sign-on into your website. It relies on an existing ('main') firewall for the actual authentication and redirects every configured SSO route through that firewall; once the user has authenticated there, the connected service authenticates the user with a one-time password (OTP) issued by the identity provider.
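The page does not show the bundle's own OTP handling, so the following Python model is an added example (not the bundle's implementation) of the minimum an identity provider should guarantee for such a one-time password: it is unguessable, bound to a single consumer service, short-lived, redeemable only together with that consumer's shared secret, and invalidated on first use so it cannot be replayed. The consumer names, secrets, in-memory store and the `issue_otp`/`redeem_otp` flow are assumptions made for this example.

```python
"""Illustrative model of the OTP hand-off an identity provider (IdP) performs.

Added example, not the bundle's code. The flow assumed here: the user is
authenticated by the 'main' firewall, the IdP issues an OTP for one consumer
service, and that consumer redeems it together with its shared secret.
"""
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class IdentityProvider:
    # consumer name -> shared secret; constructed values for this example
    shared_secrets: dict
    ttl_seconds: float = 60.0
    # otp -> (consumer name, username, expiry timestamp); in-memory for the example
    _issued: dict = field(default_factory=dict)

    def issue_otp(self, consumer: str, username: str, now: Optional[float] = None) -> str:
        """Called only after the firewall has fully authenticated the user.

        The OTP is a random, unguessable token bound to exactly one consumer;
        it is kept server-side so it can be invalidated the moment it is used.
        """
        if consumer not in self.shared_secrets:
            raise ValueError("unknown consumer: %s" % consumer)
        now = time.time() if now is None else now
        otp = secrets.token_urlsafe(32)
        self._issued[otp] = (consumer, username, now + self.ttl_seconds)
        return otp

    def redeem_otp(self, consumer: str, otp: str, presented_secret: str,
                   now: Optional[float] = None) -> Optional[str]:
        """Consumer presents the OTP plus its shared secret; returns the username or None."""
        now = time.time() if now is None else now
        expected = self.shared_secrets.get(consumer)
        # constant-time comparison so checking the secret does not leak timing information
        if expected is None or not hmac.compare_digest(expected, presented_secret):
            return None
        # pop, not get: the OTP is consumed even if the later checks fail,
        # so a token can never be tried a second time
        record = self._issued.pop(otp, None)
        if record is None:
            return None
        bound_consumer, username, expires_at = record
        # an OTP issued for consumer1 must not log anyone in at consumer2
        if bound_consumer != consumer or now > expires_at:
            return None
        return username


def demo():
    """First redemption succeeds, the replay of the same OTP is rejected."""
    idp = IdentityProvider({"consumer1": "s3cret-one", "consumer2": "s3cret-two"})
    otp = idp.issue_otp("consumer1", "alice", now=1000.0)
    first = idp.redeem_otp("consumer1", otp, "s3cret-one", now=1001.0)
    replay = idp.redeem_otp("consumer1", otp, "s3cret-one", now=1002.0)
    return first, replay


if __name__ == "__main__":
    print(demo())
```

The secret check runs before the OTP is looked up, so a party that only captured the `_otp` value from a URL cannot redeem it, and a failed attempt with a wrong secret does not burn the token; a wrong consumer or an expired token, on the other hand, does consume it.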
Install using composer:
php composer.phar require "korotovsky/sso-idp-bundle"
Enable the bundle in the kernel:
// app/AppKernel.php
$bundles[] = new \Krtv\Bundle\SingleSignOnIdentityProviderBundle\KrtvSingleSignOnIdentityProviderBundle();
Enable the SSO routes:
# app/config/routing.yml:
sso:
    resource: .
    type: sso
The bundle relies on an existing firewall to provide the actual authentication. Configure the single-sign-on login path so that it is covered by that firewall's pattern, and require the user to be fully authenticated to access that route (see the security.yml example below).
# app/config/config.yml:
krtv_single_sign_on_identity_provider:
    host: idp.example.com
    host_scheme: http
    login_path: /sso/login/
    logout_path: /sso/logout
    services:
        - consumer1
        - consumer2
    otp_parameter: _otp
    secret_parameter: secret
Each name under `services` must match the `service` attribute of a tagged service provider (see the service definitions below). Use `host_scheme: https` for anything beyond local development: the one-time password travels in the `_otp` request parameter, and over plain HTTP anyone on the network path can capture it and use it to log in as the user.
services:
    acme_bundle.sso.consumer1:
        class: Krtv\Bundle\SingleSignOnIdentityProviderBundle\Tests\Application\ServiceProviders\ServiceProvider1
        tags:
            - { name: sso.service_provider, service: consumer1 }
    acme_bundle.sso.consumer2:
        class: Krtv\Bundle\SingleSignOnIdentityProviderBundle\Tests\Application\ServiceProviders\ServiceProvider2
        tags:
            - { name: sso.service_provider, service: consumer2 }
The `ServiceProviders\*` classes referenced above ship with the bundle's test application. Copy them into your own bundle and adapt them: each one holds the logic specific to the connected service it is tagged for.
# app/config/security.yml
security:
    access_control:
        - { path: ^/sso/login/?$, roles: IS_AUTHENTICATED_FULLY }
The regex has to match the configured `login_path` exactly (`^/sso/login$` does not match `/sso/login/`), and the path must also lie inside the `main` firewall's `pattern`, otherwise the rule has no authentication to enforce. `IS_AUTHENTICATED_FULLY` is listed on its own on purpose: Symfony grants access when the user holds any one of the roles in the list, so `[ROLE_USER, IS_AUTHENTICATED_FULLY]` would let a remember-me session (which carries `ROLE_USER` without being fully authenticated) obtain SSO logins for every connected service.
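The page only shows the access_control rule; the following is an added, assumed complete security.yml for a Symfony 2.x/3.x application (not taken from the bundle) that puts the rule in context: the `main` firewall's `pattern` covers the SSO paths, the firewall's own form-login path is distinct from the bundle's SSO `login_path`, and the SSO login requires full authentication even when remember-me is enabled. The user provider, entity class and form-login paths are assumptions made for this example.

```yaml
# app/config/security.yml  (assumed complete example, not the bundle's own file)
security:
    providers:
        users:
            entity: { class: AppBundle:User, property: username }   # assumed user provider

    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false

        main:
            pattern: ^/                      # must cover /sso/login/ and /sso/logout
            form_login:
                login_path: /login           # the firewall's login form, not the SSO login_path
                check_path: /login_check
            logout:
                path: /logout
            remember_me:
                secret: '%secret%'

    access_control:
        - { path: ^/login$, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        # full authentication only: a remember-me session must re-login before
        # it can obtain one-time passwords for the connected services
        - { path: ^/sso/login/?$, roles: IS_AUTHENTICATED_FULLY }
```

With `remember_me` enabled, a user returning with only the remember-me cookie is redirected to `/login` when hitting `/sso/login/`, and is sent on to the SSO flow once the form login has completed.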
That's it for the Identity Provider. Now you can continue with configuring the Service Provider part.