
SimpleSAMLphp custom authsource without password


For one of our customers I need to write a custom authsource module. I already set up SimpleSAMLphp as an IdP using various authsources like LDAP, SQLauth, etc. All of those authsources have in common that they use a login form and authenticate against the sspmod_core_Auth_UserPassBase class. This means that there will be a login form for username and password etc.

The special case right here is the following:

The SAML installation (IdP) is inside the company's network. If a user (inside of that network/authenticated via AD) visits a host that is inside that network, the username will be automatically injected in its browser and is available via $_SERVER['PHP_AUTH_USER'], and we have the guarantee that the user is already "validated".

This means we do not have to "authenticate" the user any more. We do not have to show a login form and just need to mark that user as authenticated.

Now I am a little stuck, because to my understanding it would be a little bit "overdosed" to write my own authsource that extends the default UserPassBase class. I would have to handle empty passwords and automatically forward/post from the login form etc.

I guess there is a better way to handle that. The flow would be pretty simple:

SP redirects to IdP. The IdP "login page" reads PHP_AUTH_USER (no output like a login form), authenticates the user (without any further check) and redirects as expected if user was detected correctly. If the PHP_AUTH_USER could not be found in any way, the user will be redirected to some kind of error page.

Any ideas how to solve that the correct way? I guess I will have to write my own completely new authsource class that extends the base SimpleSAML_Auth_Source class? Maybe someone has an example for that situation before I am going to reinvent the wheel!?


Solution

  • Take a look at the exampleAuth:Static authsource. It auto-logs you in as a specific user:

    'example-static' => array(
        'exampleauth:Static',
        'uid' => array('testuser'),
        'eduPersonAffiliation' => array('member', 'employee'),
        'cn' => array('Test User'),
    ),
    

    You could create your own module like it, but instead of loading attributes from the authsource config, load them based on the username, and do something like:

    public function authenticate(&$state) {
        // PHP_AUTH_USER is only populated when the web server performed HTTP auth
        $user = isset($_SERVER['PHP_AUTH_USER']) ? $_SERVER['PHP_AUTH_USER'] : '';
        if ($user !== '') {
            // loadAttributesForUser() is a helper you provide (e.g. an LDAP or SQL lookup)
            $attributes = loadAttributesForUser($user);
            $state['Attributes'] = $attributes;
        } else {
            throw new Exception('No user found');
        }
    }
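The same pattern carried through as a complete SimpleSAMLphp 1.x authsource class, added here as an example and not code from the answer or from the SimpleSAMLphp project; the module name `remoteuser`, the class name `Header`, the `users` config key and the sample user table are assumptions.

```php
<?php
// Added example (not from the page or the SimpleSAMLphp project): a minimal
// SimpleSAMLphp 1.x authsource that trusts the identity the web server placed
// in $_SERVER['PHP_AUTH_USER'] and resolves attributes from the authsource config.
// Assumed file: modules/remoteuser/lib/Auth/Source/Header.php; the module name
// "remoteuser", the config key 'users' and the user table below are constructed.
//
// authsources.php (constructed):
//   'remote-user' => array(
//       'remoteuser:Header',
//       'users' => array(
//           'jdoe' => array('uid' => array('jdoe'), 'mail' => array('jdoe@example.com')),
//       ),
//   ),
class sspmod_remoteuser_Auth_Source_Header extends SimpleSAML_Auth_Source
{
    /** @var array username => attribute map, loaded from the authsource config */
    private $users;

    public function __construct($info, $config)
    {
        parent::__construct($info, $config);
        $this->users = isset($config['users']) ? $config['users'] : array();
    }

    public function authenticate(&$state)
    {
        // PHP copies this name from the HTTP Authorization header; it is only
        // trustworthy when the web server itself enforced authentication
        // (e.g. Negotiate/Kerberos) for the IdP's URLs.
        $user = isset($_SERVER['PHP_AUTH_USER']) ? $_SERVER['PHP_AUTH_USER'] : '';

        // Reject anything that is not a plain account name before using it as a key.
        if (!preg_match('/^[A-Za-z0-9._-]{1,64}$/', $user)) {
            SimpleSAML_Logger::warning('remoteuser: missing or malformed PHP_AUTH_USER');
            throw new SimpleSAML_Error_Exception('No authenticated user found');
        }

        // Unknown accounts are refused instead of receiving an assertion with no attributes.
        if (!isset($this->users[$user])) {
            SimpleSAML_Logger::warning('remoteuser: unknown user ' . $user);
            throw new SimpleSAML_Error_Exception('User not permitted');
        }

        // No login form: mark the user as authenticated and let the SAML flow continue.
        $state['Attributes'] = $this->users[$user];
    }
}
```

Because PHP_AUTH_USER is nothing more than the name from the request's Authorization header, the class only yields a correct result when the web server in front of the IdP actually verifies that header for this path; the `users` allow-list keeps a misconfigured deployment from issuing assertions for names it never checked.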