SAML Login with SimpleSAMLphp

[Adam]

I have been using ProcessWire for quite some time now and so far I have not found a single thing I dislike about it.

But I have yet to find a module for ProcessWire that implements SimpleSAMLphp for logging in.

I have never made modules for ProcessWire so do not even know where to start, the are quite a few plugins for other CMS's which implements this like the OneLogin plugin for WordPress which I have used on quite a few sites which have a need for SAML logins.

But I would like to move some of them sites to ProcessWire but the lack of a SSO module is making it difficult task to move to ProcessWire on them sites.

Any help with my sort of complicated situation would be appreciated.

[Adam]

Decided to take a shot at it myself, and got pretty close but being totally new to module development I am a bit lost and confused at the moment
 
I have got to the point where if you go to the login page it will initiate a login with SAML but once you login it will redirect back to the login page but then get stuck in a redirect loop of logging in with SAML and going back to the login page where it will attempt to login again.
 
Basically it seems like it can not see the data that is being set in $_SESSION['samlUserdata']
 
I will post my code below (feel free to laugh at it)

<?php

class SAMLlogin extends WireData implements Module {

public static function getModuleInfo() {

  return array(
   "title" => "SAML Login",
   "version" => 100,
   "summary" => "Let users login with a SSO service instead of a local user",
   "permanent" => false,
   "singular" => true,
   "autoload" => true
  );
}

public function init() {
  $this->addHookBefore('ProcessLogin::renderLoginForm', $this, 'login');
}

public function login($event) {
  session_start();
  require_once('c:/wamp/www/pwthemesaml/_toolkit_loader.php');   // Lodad the OneLogin SAML Libary - FOR TESTING
  $auth = new OneLogin_Saml2_Auth();

  if (!isset($_SESSION['samlUserdata'])) { // User not logged in to SAML
    $auth->login();   // Commence Login
  } else {
    echo "Logged In"; // It worked 
    // This is were some login script would go, have not got that far yet
  }
  }
}

I know the include line is incorrect I just set it manually to save time testing and it seems to work for that as it does load correctly.

I am using the OneLogin SAML library this time as I was having the same issue with SimpleSAML so tried a different library to see no affect :|

[Adam]

I am just about to go to bed so will continue working in the morning.

Just thought I would say I have succeeded in getting SAML logins working

All i had to do was set the session name in the ProcessWire config and do a bit of work on the user matching and signing in

Now when I go to the admin URL when not logged in it will do a SAML login, if the user logging in has a ProcessWire user (matched by email at the moment) then it will log them in.

Need to work on log outs though, as when you log out it takes you back to the ProcessWire login page which then of course starts the SSO process again and just lands you right back where you started in the admin panel with a helpful notification saying "logged out" despite being logged into the admin panel :|

Will work on that tomorrow, I may release this module if I can polish it up enough need to add configuration pages and such before I will consider that though.

[Adam]

Just thought I would post an update as I have not worked on this for a few days.

I have been trying to get logouts working properly before I make a configuration page and hopefully publish it.

SLO (Single Log Out) is working but I can not get it to redirect back to the ProcessWire site, I believe that the might be a bug in the library I am using as I am providing a return URL to it but it just stops at a basic HTML page not on the ProcessWire site.

But will keep working on it, so far most of my issues have been with the library, ProcessWire is by far one of the easiest content management systems to make modules for and I have tried most of the free PHP and ASP ones.