helsingborg-stad/sso-saml

SAML SSO solution for Wordpress

Maintainers

Details

github.com/helsingborg-stad/saml-sso

Source

Issues

Installs: 50

Dependents: 0

Suggesters: 0

Security: 0

Stars: 0

Watchers: 9

Forks: 0

Open Issues: 0

Type:wordpress-plugin

v1.0.2 2020-10-29 07:59 UTC

Requires

MIT cdf3d6f4682db9791a073e6d662c5195de51ce60

  • Joel Bernerman <joel.bernerman.woop@helsingborg.se>

This package is auto-updated.

Last update: 2024-10-29 05:53:53 UTC

README

Contributors Forks Stargazers Issues License

Logo

SAML SSO

SAML SSO plugin for Wordpress
Report Bug ยท Request Feature

Table of Contents

About SAML SSO

SAML SSO login plugin for wordpress. This plugin will add 3 endpoints required for SAML SSO to operate.

/saml/acs
/saml/logout
/saml/metadata

NOTE: Currently only invokable programatically se usage for instructions.

Built With

Getting Started

To get a local copy up and running follow these steps.

Prerequisites

Installation

  1. Clone the repo
git clone https://github.com/helsingborg-stad/saml-sso.git
  1. Install Composer packages
composer install

Configuration

Configuration is done with constants in wp-config.php
PHP-SAML constants is in direct relation to settings the PHP-SAML require.
Check documentation in PHP SAML for more information about these settings.

Example configuration:

// NOTE Never place certificates below the root web folder!
$idpCertificateFile = '/etc/certs/idp-cert.cer';
$spCertificateFile = '/etc/certs/sp-cert.cer';
$spCertificateKeyFile = '/etc/certs/sp-cert.key';

define('SAML_SP_ENITITY_ID', 'https://www.example.com/saml/metadata');
define('SAML_SP_ACS_URL', 'https://www.example.com/saml/acs');
define('SAML_IDP_ENTITY_ID', 'https://www.example.com/adfs/services/trust');
define('SAML_IDP_SSO_URL', 'https://www.example.com/adfs/ls/');
define('SAML_IDP_SLS_URL', 'https://www.example.com/adfs/ls/');

if (file_exists($idpCertificateFile)) {
    define('SAML_IDP_CERTIFICATE', file_get_contents($idpCertificateFile));
}

if (file_exists($spCertificateFile)) {
    define('SAML_SP_CERTIFICATE', file_get_contents($spCertificateFile));
}

if (file_exists($spCertificateKeyFile)) {
    define('SAML_SP_CERTIFICATE_KEY', file_get_contents($spCertificateKeyFile));
}

Required PHP-SAML Constants

The below constants is required to be set in your wp-config.php file.

SAML_SP_ENITITY_ID
SAML_SP_ACS_URL
SAML_SP_CERTIFICATE
SAML_SP_CERTIFICATE_KEY
SAML_IDP_ENTITY_ID
SAML_IDP_SSO_URL
SAML_IDP_SLS_URL

Optional PHP-SAML Constants

Optional constants and their default value to be set in your wp-config.php file.

SAML_STRICT => true
SAML_DEBUG => false
SAML_SP_ACS_BINDING => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
SAML_SP_NAME_ID_FORMAT => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
SAML_IDP_SSO_BINDING => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
SAML_IDP_SLS_BINDING => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
SAML_IDP_CERTIFICATE => null,
SAML_SECURITY_REQUESTED_AUTHN_CONTEXT => false,
SAML_SECURITY_SIGNATURE_ALGORITHM' => 'http://www.w3.org/2001/04/xmlenc#sha256',
SAML_SECURITY_DIGEST_ALGORITHM' => 'http://www.w3.org/2001/04/xmlenc#sha256',
SAML_SECURITY_LOWERCASE_URL_ENCODING => true,

Additional PHP-SAML settings.

Additional PHP-SAML settings can be added with the saml-sso-settings filter.

Other constants

Two constants is present for mapping configuration.
Overwrite this with constants SAML_ATTRIBUTES_MAPPING and SAML_AD_GROUP_ROLE_MAPPING in wp-config-php.

Default values:

SAML_ATTRIBUTES_MAPPING = [
    'username' => 'http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname',
    'first-name' => 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname',
    'last-name' => 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname',
    'email' => 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress',
    'ad-groups' => 'http://schemas.xmlsoap.org/claims/Group',
];

SAML_MAP_TO_AD_GROUP = true;

SAML_AD_GROUP_ROLE_MAPPING = [
    'Domain Users' => 'subscriber',
    'Domain Admins' => 'administrator'
];

Usage

When configured and plugin is activated, the code below can be used to trigger a SAML SSO login.

if (class_exists('\SAMLSSO\Client')) {
    $client = new \SAMLSSO\Client();
    // Supply where to redirect after login.
    $client->authenticate('https://www.example.com/redirect');
}

Roadmap

See the open issues for a list of proposed features (and known issues).

Contributing

Contributions are what make the open source community such an amazing place to be learn, inspire, and create. Any contributions you make are greatly appreciated.

  1. Fork the Project
  2. Create your Feature Branch (git checkout -b feature/AmazingFeature)
  3. Commit your Changes (git commit -m 'Add some AmazingFeature')
  4. Push to the Branch (git push origin feature/AmazingFeature)
  5. Open a Pull Request

License

Distributed under the MIT License.

Acknowledgements