michelangelo, posted January 26, 2021:

Hello guys, there are many topics on authentication of the superuser or APIs, but I couldn't find what I need: Can a visitor of the website be asked to authenticate? Just to see the website, without any permissions or back-end access? Is this possible with SAML?

BillH, posted January 26, 2021:

You'll find nearly the same question (if I understand you correctly) and useful answers to get you started (I've just added one!) here:

For SAML, you might want to start with this module: https://processwire.com/modules/saml-auth/. And there's a post about it:

michelangelo (author), posted January 26, 2021:

Hello @BillH, thank you for your comments and directions! I must have missed it by not searching for the right terms... I will just describe my thought process so you can tell me if I am correct:

0. Set up the Page Protector and SAML Authentication modules
1. Set up the Page Protector to stop the visitor from accessing any content
2. Redirect the user to an IDP where they will log in
3. ProcessWire recognises that and it opens the website...

BillH, posted January 26, 2021:

I've never used the SAML module (or SAML), and I don't know exactly what you're trying to achieve (the level of security you need and so on), so I can't say whether your proposed method is suitable.

However, do you really need to use SAML for some reason? If not, it's likely that it will be easier if you use PW's user authentication. It's not difficult to work with and is properly secure.

michelangelo (author), posted January 26, 2021:

I am building a project where students will be able to access a website only if they authenticate with their student accounts. That's why we opted for this option.

BillH, posted January 26, 2021:

The Page Protector module makes setting up access to front-end pages easy, and it allows editors (rather than developers) to control access to particular pages – although my guess is this is a feature you won't need.

However, the module is not necessary for controlling access, and preventing access to pages for users who aren't logged in is quite straightforward without it (see the links in the post I suggested earlier).

I don't know if there'd be any issues integrating the module with SAML. So, it'd be worth considering whether your project would be easier either using or not using Page Protector.

michelangelo (author), posted February 12, 2021:

I managed to set up the SAML module up to a certain point and now I get an error from the IDP:

AADSTS750161: Allowed SAML authentication request's NameIDPolicy formats are: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress,urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified,urn:oasis:names:tc:SAML:2.0:nameid-format:persistent,urn:oasis:names:tc:SAML:2.0:nameid-format:transient.

Just wondering if anybody has a tip on how to fix it? I am not sure where in the module settings I can change these formats...

EDIT: It was an actual attribute in settings.php... I just missed it...
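
A diagnostic for the AADSTS750161 error quoted in the last post, added here as an example (not part of the thread and not the SAML module's code): it decodes the SAMLRequest parameter of an HTTP-Redirect binding URL and checks the requested NameIDPolicy format against the list in the error message. The helper names, the `idp.example` URL and the sample requests are constructed for illustration.

```python
import base64, re, zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, quote, urlparse

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
# Error text as quoted in the thread.
AAD_ERROR = (
    "AADSTS750161: Allowed SAML authentication request's NameIDPolicy formats are: "
    "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress,"
    "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified,"
    "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent,"
    "urn:oasis:names:tc:SAML:2.0:nameid-format:transient."
)

def allowed_formats(error_text):
    """Extract the NameID format URNs listed in the IdP error message."""
    return set(re.findall(r"urn:oasis:names:tc:SAML:[\d.]+:nameid-format:\w+", error_text))

def decode_redirect_request(url):
    """HTTP-Redirect binding: SAMLRequest is URL-encoded base64 of raw DEFLATE."""
    param = parse_qs(urlparse(url).query)["SAMLRequest"][0]
    return zlib.decompress(base64.b64decode(param), -15).decode("utf-8")

def requested_format(authn_request_xml):
    """Format attribute of samlp:NameIDPolicy, or None when the element is absent."""
    # The XML is your own SP's request; use a hardened parser for untrusted XML.
    policy = ET.fromstring(authn_request_xml).find(f"{{{SAMLP}}}NameIDPolicy")
    return None if policy is None else policy.get("Format")

def check(url, error_text=AAD_ERROR):
    """Return (requested format, whether it is in the IdP's allowed list)."""
    fmt = requested_format(decode_redirect_request(url))
    return fmt, fmt in allowed_formats(error_text)

def build_sample_url(fmt):
    """Constructed sample: a minimal AuthnRequest redirect to a placeholder IdP."""
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" ID="_constructed" Version="2.0">'
           f'<samlp:NameIDPolicy Format="{fmt}" AllowCreate="true"/></samlp:AuthnRequest>')
    deflater = zlib.compressobj(wbits=-15)
    raw = deflater.compress(xml.encode()) + deflater.flush()
    return "https://idp.example/saml2?SAMLRequest=" + quote(base64.b64encode(raw))

if __name__ == "__main__":
    for fmt in ("urn:oasis:names:tc:SAML:2.0:nameid-format:encrypted",
                "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"):
        print(check(build_sample_url(fmt)))
```

To use it on a real setup, pass the redirect URL the browser is sent to when the service provider starts the login; a `False` result means the format requested by the service provider needs changing in its configuration.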