A custom authentication module for phpBB v3.2 that supports Single sign-on (SSO):
- Federated user authentication with SAML2
- Automatic user profile creation on phpBB
- Automatic management of user group-memberships on phpBB
The authentication module wraps SimpleSAMLphp in a phpBB authentication module and integrates with the phpBB user and group management system, so that a profile is automatically created for new users, and new users are made members of relevant groups in phpBB based on attributes in their SAML2 token.
The module is quite rudimentary, as it was developed in a very short timeframe for a one-off project with somewhat specific requirements. It has, however, been used on a medium-traffic production phpBB site for the past year and a half without any issues to date.
This module is merely the plumbing between SimpleSAMLphp and phpBB. It does not deal with the configuration of SimpleSAMLphp, and it requires some knowledge of phpBB to install and enable the authentication module.
SimpleSAMLphp is a very mature framework that is successfully used in large production environments with thousands of simultaneous users and multiple logins (issued tokens) per second. Configuring it does require some knowledge of things like certificates, SSL, and SAML2 federation, but their website provides a great starting point for how-tos.
I highly recommend that a basic SimpleSAMLphp setup is successfully tested with the identity provider before the module is enabled in phpBB. Different identity providers have different default settings, and it can take some tweaking of the SimpleSAMLphp configuration to make it work.

    phpbb3
        ext
            noud
                saml2
                    auth
                        provider
                    config
                        services.yml
        simplesaml
            attributemap
            bin
            cert
            config
            etc..

If you use Apache with a vhost setup, for instance, do not forget to add the SimpleSAMLphp SetEnv and Alias directives, like so:

    <VirtualHost *:80>
        ServerName phpbb3.localhost
        DocumentRoot /var/www/phpbb3
        Options Indexes FollowSymLinks
        SetEnv SIMPLESAMLPHP_CONFIG_DIR /var/www/phpbb3/simplesaml/config
        Alias /simplesaml /var/www/phpbb3/simplesaml/www
        <Directory "/var/www/phpbb3/">
            AllowOverride All
            <IfVersion < 2.4>
                Allow from all
            </IfVersion>
            <IfVersion >= 2.4>
                Require all granted
            </IfVersion>
        </Directory>
    </VirtualHost>

For testing, the SimpleSAMLphp IdP authsources.php can, for instance, be configured as below:

    'example-userpass' => array(
        'exampleauth:UserPass',
        'student:studentpass' => array(
            'uid' => array('student'),
            'eduPersonAffiliation' => array('registeredusers'),
        ),
        'admin:admin' => array(
            'uid' => array('admin'),
            'eduPersonAffiliation' => array('administrators'),
        ),
    ),

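Because group membership is derived from attributes the identity provider asserts, the mapping step is an authorization decision. The following is an added example, not code from the phpbb-saml2 extension: it maps `eduPersonAffiliation` values through an explicit allowlist so that an unexpected value never becomes a phpBB group. The helper name `plan_group_sync`, the mapping, the managed-group list and the phpBB group names are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not code from the phpbb-saml2 extension.
// Allowlist: IdP affiliation value => phpBB group name. The group names on
// the right are assumed to be those of a default phpBB install.
const AFFILIATION_TO_GROUP = [
    'registeredusers' => 'REGISTERED',
    'administrators'  => 'ADMINISTRATORS',
];
// Only these groups are ever added or removed by the sync (assumption).
const MANAGED_GROUPS = ['REGISTERED', 'ADMINISTRATORS'];

/**
 * Hypothetical helper: plan the group changes for one login.
 * $attributes    SAML attributes as name => list of values
 * $currentGroups phpBB group names the user belongs to now
 */
function plan_group_sync(array $attributes, array $currentGroups): array
{
    $values = (array) ($attributes['eduPersonAffiliation'] ?? []);
    $wanted = [];
    $ignored = [];
    foreach ($values as $value) {
        // Exact, case-sensitive match; anything else is reported, not applied.
        if (is_string($value) && array_key_exists($value, AFFILIATION_TO_GROUP)) {
            $wanted[AFFILIATION_TO_GROUP[$value]] = true;
        } else {
            $ignored[] = $value;
        }
    }
    $wanted = array_keys($wanted);
    $managedNow = array_intersect($currentGroups, MANAGED_GROUPS);

    return [
        'add'     => array_values(array_diff($wanted, $currentGroups)),
        'remove'  => array_values(array_diff($managedNow, $wanted)),
        'ignored' => $ignored,
    ];
}

// Constructed sample: the IdP sends one mapped value and one unmapped value
// that happens to equal a phpBB group name.
$attributes = [
    'uid' => ['student'],
    'eduPersonAffiliation' => ['registeredusers', 'ADMINISTRATORS'],
];
print_r(plan_group_sync($attributes, ['ADMINISTRATORS', 'GLOBAL_MODERATORS']));
```

Logging the `ignored` list on each login gives an early signal when the identity provider starts releasing values the forum was never configured to trust.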
This extension can be fetched from https://github.com/noud/phpbb-saml2.