Skip to content
SAML2 Authentication Module for phpBB
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
auth/provider
config
.gitignore
README.md
composer.json
license.txt

README.md

phpbb-saml2 (SSO)

A custom authentication module for phpBB v3.2 that supports Single sign-on (SSO):

  • Federated user authentication with SAML2
  • Automatic user profile creation on phpBB
  • Automatic management of user group-memberships on phpBB

The authentication module wraps SimpleSamlPhP in a phpBB authentication module and integrates with the phpBB user and group management system, so that a profile is automatically created for new users, and new users are made members of relevant groups in phpBB based on attributes in their SAML2 token.

The module is quite rudimentary, as it was developed in a very short timeframe for a one-off project with somewhat specific requirements. It has, however, been used on a medium traffic production phpBB site for the past year and a half without any issues to date.

Limitations

This module is merely the plumbing between SimpleSamlPhP and phpBB. It does not deal the configuration of SimpleSamlPhP, and it requires some knowledge of phpBB to install and enable the authentication module.

SimpleSamlPhP is a very mature framework that is successfully used in large production environments with thousands of simultaneous users, and multiple logins (issued tokens) per second. It does require some knowledge about things like certificates, SSL, and SAML2 federation to configure it, but their website provides a great starting point for howtos.

I highly recommend that a basic SimpleSamlPhP is successfully tested with the identity provider before the module is enabled in phpBB. Different identity providers have different default settings, and it can take some tweaking of configurations for SimpleSamlPhP to make it work.

I have successfully tested with module with several different identity providers including SimpleSamlPhP itself, Safewhere*Identify, and Microsoft AD FS2.0.

Installation

You have to put the SimpleSamlPhP in your phpBB directory. And this module in the phpBB directory. Like so:

phpbb3
    ext
        noud
            saml2
                auth
                    provider
                config
                    services.yml
    simplesaml
        attributemap
        bin
        cert
        config
        etc..

After configuring SimpleSamlPhP, enable the extension and choise authentication method SAML2. And after this delete your phpBB cache.

If you for instance use Apache with a vhost setup, do not forget to add the SimpleSamlPhP SetEnv and Alias, like so:

<VirtualHost *:80>
  ServerName phpbb3.localhost
  DocumentRoot /var/www/phpbb3
  Options Indexes FollowSymLinks

  SetEnv SIMPLESAMLPHP_CONFIG_DIR /var/www/phpbb3/simplesaml/config

  Alias /simplesaml /var/www/phpbb3/simplesaml/www

  <Directory "/var/www/phpbb3/">
    AllowOverride All
    <IfVersion < 2.4>
      Allow from all
    </IfVersion>
    <IfVersion >= 2.4>
      Require all granted
    </IfVersion>
  </Directory>

</VirtualHost>

The SimpleSamlPhP IDP authsources.php can for instance be configured like below for testing:

    'example-userpass' => array(
        'exampleauth:UserPass',
        'student:studentpass' => array(
            'uid' => array('student'),
            'eduPersonAffiliation' => array('registeredusers'),
        ),
        'admin:admin' => array(
            'uid' => array('admin'),
            'eduPersonAffiliation' => array('administrators'),
        ),
    ),
Source

This extension can be fetched from https://github.com/noud/phpbb-saml2.

You can’t perform that action at this time.