
Symfony app that serves static Twig routes gated by SSO SAML 2.0?

I have a static website whose pages may only be accessed if a user has authenticated via SAML2 SSO. Specifically, these pages are written with Twig, and the content is stored in JSON files which are fed in as variables to the Twig templates.

I was wondering if there was a simple way to leverage a PHP framework like Symfony to do this. Ideally, there would also be no database layer. Once a user has authenticated, some cookie should be set that just permits them to cruise around as needed.

My background is with Drupal so that's why I'm looking in the direction of Symfony.

I do realize this question is kind of broad, so if there is a more appropriate place to inquire about this then please vote to close and point me in the right direction.

I've completed this functionality, posting my solution in the event this is useful to someone else down the line...

For a Symfony 5 project, I used https://github.com/hslavich/OneloginSamlBundle . Fill in config/packages/hslavich_onelogin_saml.yaml per the package's README.md, and according to how your SP and IdP are configured. One pro tip: the baseurl configuration value should be set to the application domain with /saml concatenated onto it (e.g. http://myapp.com/saml ); there is a bug which strips off everything between the last path value ( acs in /saml/acs ) and the domain.

Update config/packages/security.yaml to look something like:

security:
    enable_authenticator_manager: true
    # https://symfony.com/doc/current/security.html#loading-the-user-the-user-provider
    providers:
        # Builds the user object from the SAML assertion; no database lookup.
        saml_provider:
            saml:
                user_class: App\Security\User
                default_roles:
                    - ROLE_USER
        # used to reload user from session & other features (e.g. switch_user)
        app_user_provider:
            id: App\Security\UserProvider
    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
        # No `pattern` here, so this firewall matches every request that the
        # `dev` firewall did not, and the `main` firewall below is never reached.
        app:
            saml:
                provider: saml_provider
                # Identify the user by the SAML attribute eduPersonTargetedID.
                # Without this the bundle uses the assertion's NameID (getNameId()).
                username_attribute: eduPersonTargetedID
                # Where the IdP POSTs the assertion (ACS) and where unauthenticated
                # users are sent; both are routes registered by the bundle.
                check_path: saml_acs
                login_path: saml_login
            logout:
                path: saml_logout
        main:
            lazy: true
            provider: app_user_provider

            # activate different ways to authenticate
            # https://symfony.com/doc/current/security.html#the-firewall

            # https://symfony.com/doc/current/security/impersonating_user.html
            # switch_user: true

            # activate different ways to authenticate
            # https://symfony.com/doc/current/security.html#the-firewall

            # https://symfony.com/doc/current/security/impersonating_user.html
            # switch_user: true

    # Easy way to control access for large sections of your site
    # Note: Only the *first* access control that matches will be used
    access_control:
        - { path: ^/saml/login, roles: PUBLIC_ACCESS }
        - { path: ^/saml/metadata, roles: PUBLIC_ACCESS }
        - { path: ^/, roles: ROLE_USER }

The net result is /saml/login and /saml/metadata are publicly available, while all other routes require the ROLE_USER role. Upon a successful authentication with the IdP, the user is redirected back and is granted a session, and can then access all routes within the site.
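The security.yaml above references two classes the answer does not show, App\Security\User and App\Security\UserProvider. The following is an added example of what they can look like for the no-database setup described, not code from the answer or from the bundle. It assumes the bundle's SamlUserInterface (which adds setSamlAttributes() to Symfony's UserInterface) and that the bundle's saml provider instantiates user_class as new User($identifier, $defaultRoles); check SamlUserProvider in the installed bundle version before relying on that constructor signature. UserNotFoundException is the Symfony 5.3+ name (UsernameNotFoundException in earlier 5.x).

```php
<?php
// Added example: two classes shown in one listing. With PSR-4 autoloading they
// belong in src/Security/User.php and src/Security/UserProvider.php.
declare(strict_types=1);

namespace App\Security;

use Hslavich\OneloginSamlBundle\Security\User\SamlUserInterface;
use Symfony\Component\Security\Core\Exception\UnsupportedUserException;
use Symfony\Component\Security\Core\Exception\UserNotFoundException;
use Symfony\Component\Security\Core\User\UserInterface;
use Symfony\Component\Security\Core\User\UserProviderInterface;

/**
 * A session-only user built from the SAML assertion. No database row exists:
 * the identifier is whatever the IdP asserted in username_attribute (here the
 * opaque, pairwise eduPersonTargetedID) and the roles are fixed by default_roles.
 */
final class User implements SamlUserInterface
{
    private string $identifier;
    /** @var string[] */
    private array $roles;
    /** @var array<string, string[]> raw SAML attributes, available to templates */
    private array $attributes = [];

    // Assumption: the bundle's saml provider calls new User($identifier, $defaultRoles).
    public function __construct(string $identifier, array $roles = [])
    {
        $this->identifier = $identifier;
        $this->roles = $roles;
    }

    public function setSamlAttributes(array $attributes): void
    {
        // Keep a copy for display. Roles are deliberately NOT derived from the
        // assertion here; if you ever do that, allow-list the accepted values.
        $this->attributes = $attributes;
    }

    public function getSamlAttribute(string $name): ?string
    {
        return $this->attributes[$name][0] ?? null;
    }

    public function getUserIdentifier(): string { return $this->identifier; }
    public function getUsername(): string { return $this->identifier; } // pre-5.3 name
    public function getRoles(): array { return array_values(array_unique($this->roles)); }
    public function getPassword(): ?string { return null; } // SAML only, no local secret
    public function getSalt(): ?string { return null; }
    public function eraseCredentials(): void {}
}

/**
 * Provider used when Symfony reloads the user from the session. There is no
 * backing store, so it can only hand back the object that was serialized.
 */
final class UserProvider implements UserProviderInterface
{
    public function loadUserByIdentifier(string $identifier): UserInterface
    {
        // Users only come into existence through the SAML authenticator. Reaching
        // this means a non-SAML path (switch_user, remember_me, ...) asked for one.
        throw new UserNotFoundException(sprintf('No local store for "%s"; authenticate via SAML.', $identifier));
    }

    public function loadUserByUsername(string $username): UserInterface // pre-5.3 name
    {
        return $this->loadUserByIdentifier($username);
    }

    public function refreshUser(UserInterface $user): UserInterface
    {
        if (!$user instanceof User) {
            throw new UnsupportedUserException(sprintf('Instances of "%s" are not supported.', get_class($user)));
        }
        // Nothing to re-check against, so the session copy stays valid until the
        // session expires. Bound that window with a short session lifetime and
        // SAML single logout rather than expecting revocation to happen here.
        return $user;
    }

    public function supportsClass(string $class): bool
    {
        return $class === User::class || is_subclass_of($class, User::class);
    }
}
```

The practical consequence of refreshUser() returning the session copy unchanged is that deprovisioning a user at the IdP does not end an existing session; that is the trade-off of having no user store, and it is what session lifetime (framework.session.cookie_lifetime) and the saml_logout route are there to bound.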

The technical posts on this site are licensed under CC BY-SA 4.0. If you reprint, please indicate the site URL or the original address. Questions: yoyou2525@163.com.

© 2020-2024 STACKOOM.COM