Skip to content

notakey/simplesamlphp-module-autoauth

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

17 Commits

lib/Auth/Source

lib/Auth/Source

 
 

www

www

 
 

.gitignore

.gitignore

 
 

README.md

README.md

 
 

composer.json

composer.json

 
 

default-disable

default-disable

 
 

Repository files navigation

AutoAuth module

Allows to automatically select authentication source by specifying source IP address range or matching user agents. Attempt is to improve AD FS intranet / extranet definition and avoid showing HDR every time user authenticates, as errors in HRD selection can be hard to overcome for users.

autoauth:AutoAuth : Authenticate the user against a list of authentication sources.

autoauth:AutoAuth

To create a autoauth authentication source, open config/authsources.php in a text editor, and add an entry for the authentication source:

'example-auto' => array(
    'autoauth:AutoAuth',

    /*
     * The available authentication sources.
     * They must be defined in this authsources.php file.
     */
    'sources' => array(
        'example-saml' => array(
            "preauth-source" => "ad-ldap",
            "preauth-duration" =>  "P1Y"
        ),
        'example-admin' => array(
            'subnets' => array('127.0.0.0/24', '10.0.1.0/24'),
        ),
        'example-boo' => array(
            'subnets' => array('192.168.0.0/16'),
        ),
    ),
    'default' => 'example-saml'
),

'example-saml' => array(
    'saml:SP',
    'entityId' => 'my-entity-id',
    'idp' => 'my-idp',
),

'example-admin' => array(
    'core:AdminPassword',
),

'example-boo' => array(
    'core:AdminPassword',
),

The optional config of preauth-source in any auth source option definition enables additional user verification once per token duration. The attributes for user ID must match in both auth sources and must be configured with preauth-uid, defaults to uid. Option preauth-duration sets validity interval for issued token.

Token currently is a cookie derived from private key on server side and validated on any new authentication flow. If server key changes, all client devices will be re-authenticated.

Notakey Authentication appliance

If running in NAA environment configure using cli:

# Configure module authentication sources
# autoselect can be any name for this virtual auth source
ntk cfg set :sso.auth.autoselect '{
        "module": "autoauth:AutoAuth",
        "sources": {
            "adfs-wia": {
                "subnets": ["172.17.0.0/24", "192.168.2.0/24"]
            },
            "notakey": {
                "subnets": ["20.0.0.0/24", "202.168.2.0/24"],
                -- another source defined in :sso.auth
                "preauth-source": "ad-ldap",
                -- store session token for one year
                "preauth-duration": "P1Y",
                "preauth-user-attr": "uid",
                "preauth-set-attr": "notakey:preauth-uid"

            }
        },
        "default": "notakey",
        "ipsource": "HTTP_X_REAL_IP"
    }' --json-input

# Enable module
ntk cfg set :sso.modules '[..., "autoauth"]' --json-input

# Switch to this source for your IdP
ntk cfg set :sso.\"saml-idp\".\"<IdP ID>\".auth "autoselect"

About

A SimpleSAMLphp module for automatic auth source selection based on source IP or User Agent header

Resources

Readme
Activity
Custom properties

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

7 tags

Packages

No packages published

Languages