Adam

I have just pushed a commit that cleans up the code a bit. the registered keys are now saved in one field. Again in theory this can support multiple keys... but the bulk of the code is not there as I failed to find a work around to the 2048 truncation. Each key uses like 1040 characters. I could put each key in its own field but that means I have to reconstruct the array and have more complicated JS instead of just concatenating. I am not a huge Processwire module developer so someone with more experience feel free to chime in. I tried adding ->attr('maxlength', 4096) and ->maxlength(4096) and it does increase the maxlength of the field on the HTML side but the processing side is still truncating to 2048 characters even though I cant see where its doing that. the only field that has a hardcoded 2048 limit is the Text field. both hidden/textarea still truncate though even though I cant find the code anywhere that does this. I think it might be a POST request limit?? but surely that would fire a HTTP error instead of getting truncated I feel dumb XD under getUserSettingsInputFields I have to set the maxlength under the if POST section otherwise it will truncate it there. Such a weird design. tripped me up before. but now I can continue trying to do multiple keys ?

Right been trying to get multiple keys working. I have figured out how to do I think? but I am hitting the dumb 2048 length limit on the field. if I add the maxlength attribute it still gets truncated to 2048 characters (possible bug?) So the only way I can do this is a very janky method of multiples fields and having to recreate arrays and stuff. What I need is to save one huge JSON array into a field as a string but I have found no info on increasing the max size on any field via the API. well I can but it seems to be truncated somewhere else ? but looking inside tfa.php I cant see where its being cut down in size. Real downer to be honest. I am going to say that multiple keys is as a result not possible unless someone can enlighten me on how to correctly expand the maxlength on a field without the sanitizer just going hard-headed in and destroying everything. It seems that InputFieldHidden has no sanitizer or maxlength but it still gets truncated so its something deeper. I dont know enough about how ProcessWire handles forms on the admin side to know where to look for where this stupid 2048 limitation is being applied

Yes that would be ideal. I could also just save JSON into a string field to lower the dependencies on other modules. I had not thought about doing this actually Food for thought... I will experiment tomorrow I think. I wanted to get a proof of concept working to start with as I had coded a ton of it then realised the settings get locked out once you enable Tfa and then found out that only the Tfa_code field is sent to the validate function. had to get creative with some session variables to get it working but now it works somewhat I feel like I can improve/expand

I will look at maybe adding support for 2x keys into this module? I might get away with 8x fields being used ? The only way I can imagine it working though is if you enrolled all your keys one after the other on the initial setup. If you can reuse the same challenge for registration then its worth experimenting. Ideally I would have access to a database table and can add infinite amount of keys without fear of having to essentially just cram all this data into text fields. and it would of made a lot of my debugging work easier as a lot of it was trying to wedge it around the ProcessWire hooks/Tfa module. I felt like using the $sql API was a bit too jank though even for my subpar coding skills (not to mention much less secure as I am sure ProcessWire does a ton of validation behind the scenes) as for a Yubikey specific module that shouldn't be too hard. in fact probably easier. but I have not got a compatible YubiKey. I only have a cheap FIDO key and a Yubikey Security key (FIDO/FIDO2 not OTP/OATH/PIV/etc) I have bought a Yubikey 4 cheaply used just to experiment with the OTP idea (not going to spend £50 on a USB dongle for the latest 5th gen) but that has not arrived yet

@netcarverNo worries. I will probably look into making a 2nd module which uses the Yubikey specific OTP methods to get around the localhost/FDQN and SSL requirements (though I cant see why anyone would desire a site that has no domain and no SSL) but also means you can create a backup security key. this U2F module can only address a single security key. I am not sure how I would add support for multiple as each key needs 4x fields and not to mention a lot of challenges back and forth. But a single security key is better than TOTP or other forms of TFA

You have to use either localhost or a FQDN. you also need to use SSL. these are just restrictions on the FIDO/U2F protocols that I should of mentioned on the project page. I should also probably put some better error checking in on the admin panel side. the login page side does have error messages but their vague. This exact error occurs when your not using SSL. the U2F-API JavaScript library does notseem to have any error handling for that scenario. I should add on the ProcessWire side so your not in the blind with the cryptic error message This is really just the 1.0.0 version the first version that works essentially. Just need to iron out any bugs and improve the UX

That is not what I intended. Will fix that ASAP. it should be installable via the ProcessWire admin area just with the class name (once approved) @netcarverthe is a Zip file under the releases tab on GitHub that includes the dependencies that was not included due to my noobness with git (did not know much about submodules to be honest, they just appeared like it as I git cloned the dependencies)

I did not see an option to submit to the Tfa module category @ryan Not sure if you want to manually add it into there?

I am back again with another crazy module that might help someone. This time I am using the native Tfa class to add FIDO/U2F support. this includes Yubikeys ? Sadly I cant seem to find a way to do multiple keys at once. and it seems you can only have one Tfa method at a time so not ideal but it was a fun challenge to code and maybe someone will a use for it Github: https://github.com/adamxp12/Processwire-TfaU2F ProcessWire Modules: https://modules.processwire.com/modules/tfa-u2-f/ The code is not the neatest and has limited comments but if you understand the Tfa class it should be quite easy to break apart. And here is a demo of signing in using the Yubikey as the 2nd factor

Thought I would release a pretty simple module I made that integrates the awesome OneLogin PHP SAML toolkit into ProcessWire so you can use SSO with your ProcessWire website. Mainly developed for my own purposes as I have used SAML plugins with WordPress for many years and now that ProcessWire is my go to CMS I sort of missed the convenience of having SSO between sites and services. This is my first attempt at a ProcessWire module, it's probably not the best in terms of code, but it has been pretty stable in my tests. Here's a little demonstration of the module in action https://www.youtube.com/watch?v=YWcsV6RTh90 GitHub repo and Installation Instructions https://github.com/adamxp12/ProcessWire-SAMLAuth Any feedback would be appreciated. Even though this is quite a niche module.

It's more of an issue with the library I use, it requires the settings to be in a settings.php file and even when I use $this->setFuel it would not be accessible in that settings file for some reason, maybe because of the way it's included through a loader script. But because this is a login system it's probably best if you can't edit it inside ProcessWire, prevents accidental locking yourself out if you know what I mean.

Ended up using the pageNotFound hook like you suggested, works like a charm. Still having some issues with the ProcessWire module config system, but will be easier just to bypass it and have users edit the settings.php file that the SAML library provides. Now just need to clean up the code a bit and my module is complete, which is cool.

Thanks for that, defiantly a step in the right direction. But how would I make that a publicly accessible page, being a callback for login users in it's kind of pointless putting it as an admin page as it then requires you to already be logged in. I would assume that would require making some dummy templates within the module and then making the pages a child of the root or is the an easier way of doing it.

Yeah didn't notice the caps was important, thanks for that. Now got a second issue though Need a php library file to be accessible through a web browser for callbacks. But because the module directory is not web browsable I need to somehow make (processswire URL)\acs somehow load up the acs.php file in my module directory Any ideas on that last one? This is the last hurdle before my module can be released, I know it's sort of a niche module, but if it helps me then I think I should release it once complete.

Have not had a lot of time to work on my module that seems to be never ending. Almost got a fully working module, just got two issues A: ProcessWire complains that the module name is invalid, no matter what it is http://prntscr.com/beg9z6 B: Can't get the config values in a library that I am including, but thats an issue I will probably chase myself. But that whole invalid module name might be causing me issues as installing the module produces a white screen and you have to refresh that to actually install it. So would like to solve that before I try and fix my module config. Below is the top of my .module file, if that helps. class SAMLauth extends WireData implements Module, ConfigurableModule { public static function getModuleInfo() { return array( 'title' => "SAML Auth", 'version' => "1.1.0", 'summary' => "Add SSO through SAML with this handy ProcessWire module", 'author' => "Adam Blunt", 'href' => "http://adamblunt.me/samlpw", 'autoload' => true, 'singular' => true ); }

Just thought I would post an update as I have not worked on this for a few days. I have been trying to get logouts working properly before I make a configuration page and hopefully publish it. SLO (Single Log Out) is working but I can not get it to redirect back to the ProcessWire site, I believe that the might be a bug in the library I am using as I am providing a return URL to it but it just stops at a basic HTML page not on the ProcessWire site. But will keep working on it, so far most of my issues have been with the library, ProcessWire is by far one of the easiest content management systems to make modules for and I have tried most of the free PHP and ASP ones.

I am just about to go to bed so will continue working in the morning. Just thought I would say I have succeeded in getting SAML logins working All i had to do was set the session name in the ProcessWire config and do a bit of work on the user matching and signing in Now when I go to the admin URL when not logged in it will do a SAML login, if the user logging in has a ProcessWire user (matched by email at the moment) then it will log them in. Need to work on log outs though, as when you log out it takes you back to the ProcessWire login page which then of course starts the SSO process again and just lands you right back where you started in the admin panel with a helpful notification saying "logged out" despite being logged into the admin panel :| Will work on that tomorrow, I may release this module if I can polish it up enough need to add configuration pages and such before I will consider that though.

Decided to take a shot at it myself, and got pretty close but being totally new to module development I am a bit lost and confused at the moment I have got to the point where if you go to the login page it will initiate a login with SAML but once you login it will redirect back to the login page but then get stuck in a redirect loop of logging in with SAML and going back to the login page where it will attempt to login again. Basically it seems like it can not see the data that is being set in $_SESSION['samlUserdata'] I will post my code below (feel free to laugh at it) <?php class SAMLlogin extends WireData implements Module { public static function getModuleInfo() { return array( "title" => "SAML Login", "version" => 100, "summary" => "Let users login with a SSO service instead of a local user", "permanent" => false, "singular" => true, "autoload" => true ); } public function init() { $this->addHookBefore('ProcessLogin::renderLoginForm', $this, 'login'); } public function login($event) { session_start(); require_once('c:/wamp/www/pwthemesaml/_toolkit_loader.php'); // Lodad the OneLogin SAML Libary - FOR TESTING $auth = new OneLogin_Saml2_Auth(); if (!isset($_SESSION['samlUserdata'])) { // User not logged in to SAML $auth->login(); // Commence Login } else { echo "Logged In"; // It worked // This is were some login script would go, have not got that far yet } } } I know the include line is incorrect I just set it manually to save time testing and it seems to work for that as it does load correctly. I am using the OneLogin SAML library this time as I was having the same issue with SimpleSAML so tried a different library to see no affect :|

I have been using ProcessWire for quite some time now and so far I have not found a single thing I dislike about it. But I have yet to find a module for ProcessWire that implements SimpleSAMLphp for logging in. I have never made modules for ProcessWire so do not even know where to start, the are quite a few plugins for other CMS's which implements this like the OneLogin plugin for WordPress which I have used on quite a few sites which have a need for SAML logins. But I would like to move some of them sites to ProcessWire but the lack of a SSO module is making it difficult task to move to ProcessWire on them sites. Any help with my sort of complicated situation would be appreciated.