Symfony app that serves static Twig routes gated by SSO SAML 2.0?
I have a static website where its pages may only be accessed if a user has authenticated via SAML2 SSO. Specifically, these pages are written with Twig, and the content is stored in JSON files which are fed in as variables to the Twig templates.
I was wondering if there was a simple way to leverage a PHP framework like Symfony to do this. Ideally, there would also be no database layer. Once a user has authenticated, some cookie should be set that just permits them to cruise around as needed.
My background is with Drupal, so that's why I'm looking in the direction of Symfony.
I do realize this question is kinda broad, so if there is a more appropriate place to inquire about this then please vote to close and point me in the right direction.
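The "JSON files fed in as variables to Twig templates" part of the question is usually a single controller. The following is an added example (not code from the question, the answer, or the bundle) showing how that controller can stay safe when the page slug comes from the URL: the route requirement and an explicit whitelist check keep the slug from reaching the filesystem as a path, the JSON is decoded strictly, and access is re-checked in the controller as defence in depth behind the firewall's access_control. It assumes Symfony 5.4 with PHP 8 attributes, a content/ directory under the project root, and templates under templates/pages/; all of those names are assumptions.

```php
<?php
// src/Controller/PageController.php  (assumed path; added example, not from the post)
declare(strict_types=1);

namespace App\Controller;

use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
use Symfony\Component\Routing\Annotation\Route;

final class PageController extends AbstractController
{
    // Only lowercase letters, digits and dashes: no "/", ".", or "..", so the
    // slug can never escape the content directory.
    private const SLUG_PATTERN = '/^[a-z0-9-]+$/';

    // "/pages/..." keeps the static routes clear of the bundle's "/saml/..." routes.
    #[Route('/pages/{slug}', name: 'page', requirements: ['slug' => '[a-z0-9-]+'])]
    public function page(string $slug): Response
    {
        // access_control already requires ROLE_USER for ^/; repeating the check
        // here means a later change to the firewall config cannot silently expose pages.
        $this->denyAccessUnlessGranted('ROLE_USER');

        // Belt and braces: the route requirement can be loosened by someone editing the
        // attribute, so validate again before touching the filesystem.
        if (!preg_match(self::SLUG_PATTERN, $slug)) {
            throw new NotFoundHttpException();
        }

        $contentDir = $this->getParameter('kernel.project_dir') . '/content';
        $file = $contentDir . '/' . $slug . '.json';
        if (!is_file($file)) {
            throw new NotFoundHttpException();
        }

        // JSON_THROW_ON_ERROR turns a malformed content file into a 500 instead of
        // silently rendering "null" into the template.
        $page = json_decode((string) file_get_contents($file), true, 512, JSON_THROW_ON_ERROR);

        // Twig autoescapes every value passed in here; avoid |raw on JSON strings.
        return $this->render('pages/' . $slug . '.html.twig', ['page' => $page]);
    }
}
```

With this layout, content/about.json plus templates/pages/about.html.twig produces /pages/about, and every page is reachable only with a session that the SAML firewall granted.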
I've completed this functionality, posting my solution in the event this is useful to someone else down the line...
For a Symfony 5 project, I used https://github.com/hslavich/OneloginSamlBundle . Fill in config/packages/hslavich_onelogin_saml.yaml per the package's README.md, and according to how your SP and IdP are configured. One pro tip: the baseurl configuration value should be set to the application domain with /saml concatenated onto it (e.g. http://myapp.com/saml); there is a bug which strips off everything between the last path value (acs in /saml/acs) and the domain.
Update config/packages/security.yaml to look something like:
security:
    enable_authenticator_manager: true
    # https://symfony.com/doc/current/security.html#loading-the-user-the-user-provider
    providers:
        saml_provider:
            saml:
                user_class: App\Security\User
                default_roles:
                    - ROLE_USER
        # used to reload user from session & other features (e.g. switch_user)
        app_user_provider:
            id: App\Security\UserProvider
    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
        app:
            saml:
                provider: saml_provider
                # Match SAML attribute 'uid' with username.
                # Uses getNameId() method by default.
                username_attribute: eduPersonTargetedID
                # Use the attribute's friendlyName instead of the name
                check_path: saml_acs
                login_path: saml_login
            logout:
                path: saml_logout
        main:
            lazy: true
            provider: app_user_provider
            # activate different ways to authenticate
            # https://symfony.com/doc/current/security.html#the-firewall
            # https://symfony.com/doc/current/security/impersonating_user.html
            # switch_user: true
    # Easy way to control access for large sections of your site
    # Note: Only the *first* access control that matches will be used
    access_control:
        - { path: ^/saml/login, roles: PUBLIC_ACCESS }
        - { path: ^/saml/metadata, roles: PUBLIC_ACCESS }
        - { path: ^/, roles: ROLE_USER }
The net result is /saml/login and /saml/metadata are publicly available, while all other routes require the ROLE_USER role. Upon a successful authentication with the IdP, the user is redirected back and is granted a session, and can then access all routes within the site.
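The security.yaml above refers to App\Security\User and App\Security\UserProvider but the answer does not show them. The following is an added example of both classes for the "no database layer" case (not the answer's own code and not code from the bundle). It assumes Symfony 5.4 and the bundle's SamlUserInterface, whose only addition to UserInterface is setSamlAttributes(array $attributes); it also assumes, as the bundle's README shows, that the saml user provider instantiates user_class with (nameId, default_roles). The attribute name eduPersonAffiliation and the value "staff" are assumptions for illustration. The security-relevant choices: roles are derived only from a fixed mapping of known attribute values, so an unexpected or attacker-controlled attribute value grants nothing extra; the stateless provider refuses to load users by name, because without a user store the only trustworthy source of identity is a validated SAML response; and refreshUser returns the session user unchanged, so the session is the sole source of truth until it expires or the user logs out.

```php
<?php
// src/Security/User.php  (assumed path; added example, not the bundle's or the answer's code)
declare(strict_types=1);

namespace App\Security;

use Hslavich\OneloginSamlBundle\Security\User\SamlUserInterface;

final class User implements SamlUserInterface
{
    /** @var string[] */
    private array $roles;
    /** @var array<string, string[]> raw SAML attributes as released by the IdP (multi-valued) */
    private array $samlAttributes = [];

    // Assumption: the bundle's saml user provider calls new user_class($nameId, $defaultRoles).
    public function __construct(private string $username, array $roles = ['ROLE_USER'])
    {
        $this->roles = $roles;
    }

    public function setSamlAttributes(array $attributes): void
    {
        $this->samlAttributes = $attributes;
        // Only a fixed, known attribute value maps to an extra role; anything else is ignored.
        // (eduPersonAffiliation / "staff" are assumed names for this example.)
        foreach ($attributes['eduPersonAffiliation'] ?? [] as $affiliation) {
            if ($affiliation === 'staff') {
                $this->roles[] = 'ROLE_STAFF';
            }
        }
        $this->roles = array_values(array_unique($this->roles));
    }

    /** @return array<string, string[]> */
    public function getSamlAttributes(): array { return $this->samlAttributes; }
    public function getRoles(): array { return $this->roles; }
    public function getUserIdentifier(): string { return $this->username; }
    public function getUsername(): string { return $this->username; }   // pre-5.3 name, still required in 5.4
    public function getPassword(): ?string { return null; }  // SSO only: there is no local password
    public function getSalt(): ?string { return null; }
    public function eraseCredentials(): void {}
}

// src/Security/UserProvider.php  (assumed path; added example)
namespace App\Security;

use Symfony\Component\Security\Core\Exception\UnsupportedUserException;
use Symfony\Component\Security\Core\Exception\UserNotFoundException;
use Symfony\Component\Security\Core\User\UserInterface;
use Symfony\Component\Security\Core\User\UserProviderInterface;

final class UserProvider implements UserProviderInterface
{
    // No user store: a user exists only because the IdP asserted them in a validated
    // response, so loading by name alone must fail rather than conjure a user.
    public function loadUserByIdentifier(string $identifier): UserInterface
    {
        throw new UserNotFoundException(sprintf('SSO-only site: "%s" cannot be loaded outside a SAML response.', $identifier));
    }

    public function loadUserByUsername(string $username): UserInterface
    {
        return $this->loadUserByIdentifier($username);
    }

    // Called on every request by the "main" firewall to rehydrate the session user.
    public function refreshUser(UserInterface $user): UserInterface
    {
        if (!$user instanceof User) {
            throw new UnsupportedUserException(sprintf('Instances of "%s" are not supported.', get_class($user)));
        }
        // The serialized session user is the source of truth until logout or session expiry;
        // roles assigned from SAML attributes at login therefore persist for the session.
        return $user;
    }

    public function supportsClass(string $class): bool
    {
        return $class === User::class || is_subclass_of($class, User::class);
    }
}
```

Because roles are fixed at login, revoking a user's access means ending their session (logout at /saml/logout, or a shorter session lifetime in framework.yaml), not just changing the attribute at the IdP.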