### Installing SAML SP Plugin via Composer (Bash) Source: https://github.com/flipboxfactory/saml-sp/blob/master/docs/installation.md This command installs the SAML SSO Service Provider plugin using Composer. It should be executed from the root directory of your Craft CMS project. This is the recommended method for a straightforward installation, pulling the necessary dependencies and integrating the plugin into your project. ```bash composer require flipboxfactory/saml-sp ``` -------------------------------- ### Recommended SAML SP Plugin Configurations (PHP) Source: https://github.com/flipboxfactory/saml-sp/blob/master/docs/quick-start.md This snippet illustrates recommended configurations for the `config/saml-sp.php` file. It shows how to disable the requirement for signed SAML responses, which is often necessary when integrating with Azure AD, and how to set the `entityId` using an environment variable for flexibility and security. ```PHP // config/saml-sp.php return [ 'requireResponseToBeSigned' => false, 'entityId' => getenv('SAML_SP_ENTITY_ID'), // Recommended to match the Entity ID of "My Provider" ]; ``` -------------------------------- ### Installing SAML SP Plugin with Composer (PHP) Source: https://github.com/flipboxfactory/saml-sp/blob/master/README.md This command installs the SAML SSO Service Provider plugin for Craft CMS using Composer, a dependency manager for PHP. It adds the `flipboxfactory/saml-sp` package to your project's dependencies. ```Bash composer require flipboxfactory/saml-sp ``` -------------------------------- ### Configuring Login Path in Craft CMS (PHP) Source: https://github.com/flipboxfactory/saml-sp/blob/master/docs/quick-start.md This snippet demonstrates how to set the `loginPath` within the `config/general.php` file for Craft CMS. This path should correspond to the 'Login Path' value configured in the SAML SP Plugin's IdP settings within the Craft control panel, ensuring proper redirection for SAML-initiated logins. ```PHP // config/general.php return [ // ... other configurations 'loginPath' => 'saml/login', // Example value, set this to match your IdP's configured login path // ... ]; ``` -------------------------------- ### Configuring Explicit Multi-Environment SSO Login Paths in Craft CMS (PHP) Source: https://github.com/flipboxfactory/saml-sp/blob/master/docs/configure/login.md This example shows how to explicitly define SSO login paths for different environments (e.g., production, dev) in Craft CMS. It allows specifying a unique Identity Provider (IDP) UID for each environment, which is recommended for multi-IDP setups to ensure the correct provider is used. ```PHP [ 'loginPath' => '/sso/login/request/', ], 'dev' => [ 'loginPath' => '/sso/login/request/', ], ]; ``` -------------------------------- ### Assigning User to Group After Login (PHP) Source: https://github.com/flipboxfactory/saml-sp/blob/master/docs/configure/events.md This snippet shows how to use the `EVENT_AFTER_RESPONSE_TO_USER` event to modify user groups after a successful SAML login and user synchronization. It includes an example of checking for admin status and assigning a user to a specific group, ensuring existing groups are preserved if desired. ```PHP Event::on( \flipbox\saml\sp\services\Login::class, \flipbox\saml\sp\services\Login::EVENT_AFTER_RESPONSE_TO_USER, function (\flipbox\saml\sp\events\UserLogin $event) { /** @var \craft\elements\User $user */ $user = $event->user; // Get existing groups $groups = []; foreach ($user->getGroups() as $group) { $groups[$group->id] = $group; } // Note: this is just an example but you can use your own logic here to // add users to groups as needed. // Custom/project logic to check if admin, if not, return (don't continue // and add the user to the groups if (! MyUserHelper::isAdminUser($user, $response)){ return; } // Get group by handle $group = \Craft::$app->getUserGroups()->getGroupByHandle('myAdminGroup'); // Add it to the group array $groups[$group->id] = $group; // Get an array of ids $groupIds = array_map( function ($group) { return $group->id; }, $groups ); // Assign them to the user groups // Make sure to set all the groups the user needs to be associated with here. // If you want the users to have their existing groups still associated // re-add them (ie, [ ...existingGroupsIds, ...newGroupsIds]) if (\Craft::$app->getUsers()->assignUserToGroups($user->id, $groupIds)) { /** * Set the groups back on the user just in case it's being used after this. * * There is some odd behavior here but this ensures the groups are set * in the local runtime cache on the user and they are set in the db. */ $user->setGroups($groups); } } ); ``` -------------------------------- ### Running PHPUnit Tests Source: https://github.com/flipboxfactory/saml-sp/blob/master/CONTRIBUTING.md This command executes the PHPUnit test suite for the project. It ensures that all existing tests pass before submitting a pull request, which is a prerequisite for contributions. ```bash ./vendor/bin/phpunit ``` -------------------------------- ### Styling YouTube Video Container - CSS Source: https://github.com/flipboxfactory/saml-sp/blob/master/docs/idps/azure-ad.md This CSS snippet defines styles for a responsive YouTube video container, ensuring the embedded video scales correctly while maintaining its aspect ratio. It uses `position: relative`, `overflow: hidden`, and a pseudo-element with `padding-top` to achieve the 16:9 aspect ratio. ```css .youtube-video-container { position: relative; overflow: hidden; width: 100%; } .youtube-video-container::after { display: block; content: ""; padding-top: 56.25%; } .youtube-video-container iframe { position: absolute; top: 0; left: 0; width: 100%; height: 100%; } ``` -------------------------------- ### Running Unit Tests with Docker Compose (Bash) Source: https://github.com/flipboxfactory/saml-sp/blob/master/README.md This command executes the unit tests for the SAML SP project within a Docker container. The `--rm` flag ensures that the container is removed after the command exits, cleaning up resources. ```Bash $ docker-compose run --rm test ``` -------------------------------- ### Scheduling SAML Metadata Refresh (Shell Script) Source: https://github.com/flipboxfactory/saml-sp/blob/master/docs/faqs.md This shell script demonstrates a cron job configuration to automatically refresh SAML metadata daily. It uses the `php craft saml-sp/metadata/refresh-with-url ` command and includes a fallback to notify administrators if the refresh fails. ```shell script 0 0 * * * php craft saml-sp/metadata/refresh-with-url || /opt/notify-admins-on-fail.sh ``` -------------------------------- ### Embedding YouTube Video - HTML Source: https://github.com/flipboxfactory/saml-sp/blob/master/docs/idps/azure-ad.md This HTML snippet embeds a YouTube video using an ` ``` -------------------------------- ### Configuring SAML SP Security Settings in PHP Source: https://github.com/flipboxfactory/saml-sp/blob/master/docs/configure/index.md This snippet shows the essential security configuration for the SAML SP plugin in `config/saml-sp.php`. It sets `requireResponseToBeSigned` and `requireAssertionToBeSigned` to `true` by default, emphasizing that at least one must be true to prevent significant security risks by ensuring the sender's signature is validated. ```php // config/saml-sp.php return [ 'requireResponseToBeSigned' => true, 'requireAssertionToBeSigned' => true ]; ``` -------------------------------- ### Creating a Protected Test Page in Craft CMS (Twig) Source: https://github.com/flipboxfactory/saml-sp/blob/master/docs/idps/okta.md This Twig snippet illustrates how to create a protected test page in Craft CMS that requires user authentication. It uses the '{% requireLogin %}' tag to enforce login and then displays various attributes of the 'currentUser' object, such as full name, email, username, and creation date, to verify successful SSO. ```twig {% requireLogin %} {{ currentUser.fullName }} {{ currentUser.email }} {{ currentUser.username }} {{ currentUser.dateCreate }} ``` -------------------------------- ### Manually Refreshing SAML Metadata (Shell Script) Source: https://github.com/flipboxfactory/saml-sp/blob/master/docs/faqs.md This shell script provides the Craft CLI command to manually refresh SAML metadata from a configured URL. It's useful for automating synchronization with Identity Providers that frequently update their metadata and certificates. ```shell script php craft saml-sp/metadata/refresh-with-url ``` -------------------------------- ### Running PHP Code Sniffer for PSR-2 Compliance Source: https://github.com/flipboxfactory/saml-sp/blob/master/CONTRIBUTING.md This command runs PHP Code Sniffer to check for PSR-2 coding standard violations. It's crucial to ensure no violations exist before submitting a pull request, as build failures due to standards issues will prevent acceptance. ```bash make phpcs ``` -------------------------------- ### Generating a Self-Signed Key Pair with OpenSSL (BYOK) Source: https://github.com/flipboxfactory/saml-sp/blob/master/docs/configure/keychain.md This command generates a new self-signed X.509 certificate and a private key using OpenSSL. It creates a certificate valid for 365 days, uses SHA256 for signing, and outputs the certificate to saml-sp.crt and the private key to saml-sp.pem. This key pair can then be imported into the SAML SP plugin. ```bash openssl req -new -x509 -days 365 -nodes -sha256 -out saml-sp.crt -keyout saml-sp.pem ``` -------------------------------- ### Configuring Simple SSO Login Path in Craft CMS (PHP) Source: https://github.com/flipboxfactory/saml-sp/blob/master/docs/configure/login.md This snippet demonstrates the default and simplest way to configure the SSO login path in Craft CMS when only one Identity Provider (IDP) is present. It sets the `loginPath` within the `config/general.php` file, directing users to a generic SSO login request endpoint. ```PHP '/sso/login/request', ]; ``` -------------------------------- ### Configuring SAML Login Path in Craft CMS (PHP) Source: https://github.com/flipboxfactory/saml-sp/blob/master/docs/idps/okta.md This snippet demonstrates how to configure the 'loginPath' in Craft CMS's 'config/general.php' file. This path is crucial for redirecting users to the Okta Identity Provider (IdP) for authentication, using a unique Okta UID to identify the specific SSO application. ```php '/sso/login/request/f2885601-e655-49ac-a2c5-48e702db6bfa', ... ]; ``` -------------------------------- ### Configuring System-Wide Entity ID in PHP Source: https://github.com/flipboxfactory/saml-sp/blob/master/docs/configure/settings.md This PHP snippet demonstrates how to set the system-wide Entity ID for the SAML SP plugin by creating a `config/saml-sp.php` file. This ID uniquely identifies your Craft CMS instance as a Service Provider. The `entityId` key should be set to your desired unique identifier. ```PHP return [ 'entityId' => 'https://my-entity-id', ]; ``` -------------------------------- ### Assigning User to Group Before Assignment (PHP) Source: https://github.com/flipboxfactory/saml-sp/blob/master/docs/configure/events.md This snippet demonstrates how to hook into the `EVENT_BEFORE_USER_GROUP_ASSIGN` event to programmatically assign a user to specific user groups based on custom logic. It allows modification of the `groupToBeAssigned` property before the groups are saved to the user. ```PHP Event::on( \flipbox\saml\sp\services\login\UserGroups::class, \flipbox\saml\sp\services\login\UserGroups::EVENT_BEFORE_USER_GROUP_ASSIGN, function(\flipbox\saml\sp\events\UserGroupAssign $event) { /** @var \craft\elements\User $user */ $user=$event->user; /** @var \craft\models\UserGroup[] $existingGroups */ $existingGroups = $event->existingGroups; /** @var \craft\models\UserGroup[] $groupsFound */ $groupsFound = $event->groupsFoundInAssertions; /** @var \SAML2\Response $response */ $response = $event->response; // do what you need to do! // get a list/array of groups (*this is a fictional service and method*) /** @var \craft\models\UserGroup[] $groups */ $groups = $myService->getGroups($user); // overwrite this property (these will be assigned to the user after event is run) $event->groupToBeAssigned = $groups; } ); ``` -------------------------------- ### Configuring SSO Login Paths with Service Provider UID in Craft CMS (PHP) Source: https://github.com/flipboxfactory/saml-sp/blob/master/docs/configure/login.md This advanced configuration allows specifying both the Identity Provider (IDP) UID and the Service Provider (SP) UID in the login path. This provides more granular control, ensuring that SAML uses a specific Service Provider in environments where multiple SPs might be configured. ```PHP [ 'loginPath' => '/sso/login/request//', ], 'dev' => [ 'loginPath' => '/sso/login/request//', ], ]; ``` -------------------------------- ### Mapping Group Attribute Names in PHP Source: https://github.com/flipboxfactory/saml-sp/blob/master/docs/configure/settings.md This PHP configuration snippet illustrates how to define the attribute name that the Identity Provider (IdP) sends for user groups. By setting `groupAttributeNames` to `['groups']` (or your IdP's specific attribute name), the plugin can correctly assign users to groups based on the SAML response. ```PHP return [ // change the value as needed 'groupAttributeNames' => [ 'groups' ] ]; ``` -------------------------------- ### Assigning Default User Groups (PHP) Source: https://github.com/flipboxfactory/saml-sp/blob/master/docs/configure/groups.md This configuration snippet for `config/saml-sp.php` allows automatically assigning users to a predefined set of Craft User Groups upon logging in via SSO. The `defaultGroupAssignments` property accepts an array of Craft User Group IDs. All users authenticating through SSO will be added to these specified groups, regardless of SAML attributes, providing a baseline group assignment. ```php return [ 'defaultGroupAssignments'=>[1,2,4], ]; ``` -------------------------------- ### Modifying Redirect URL After Login (PHP) Source: https://github.com/flipboxfactory/saml-sp/blob/master/docs/configure/events.md This snippet illustrates how to use the `EVENT_BEFORE_RELAYSTATE_REDIRECT` event to alter the redirect URL after a successful SAML login. It allows appending query parameters or completely changing the destination, and provides access to `RelayState` and IdP/SP entity information for logging or conditional logic. ```PHP use flipbox\saml\sp\controllers\LoginController; use flipbox\saml\sp\events\RelayState; use yii\base\Event; Event::on( LoginController::class, LoginController::EVENT_BEFORE_RELAYSTATE_REDIRECT, function(RelayState $event) { // This value will be used to redirect the user $event->redirect = $event->redirect. '?logged-in-via=sso'; \flipbox\saml\sp\Saml::info('Raw RelayState: ' . $event->relayState); \flipbox\saml\sp\Saml::info('User will be redirect to: ' . $event->redirect); // Other fun stuff in this event ... \flipbox\saml\sp\Saml::info('IdP: ' . $event->idp->getEntityId()); \flipbox\saml\sp\Saml::info('SP: ' . $event->sp->getEntityId()); } ); ``` -------------------------------- ### Using Environmental Variable for Entity ID in PHP Source: https://github.com/flipboxfactory/saml-sp/blob/master/docs/configure/settings.md This PHP configuration snippet shows how to use an environmental variable, `$ENTITY_ID`, to dynamically set the system-wide Entity ID. Craft CMS's parser will resolve this variable at runtime, allowing for environment-specific configurations without hardcoding values. ```PHP return [ 'entityId' => '$ENTITY_ID', ]; ``` -------------------------------- ### Disabling SAML Response Signature Requirement (PHP) Source: https://github.com/flipboxfactory/saml-sp/blob/master/docs/faqs.md This PHP configuration snippet for `config/saml-sp.php` shows how to disable the requirement for the SAML Response to be signed. While the Assertion signature is still required by default, modifying this setting should be done with caution due to security implications. ```php return [ // assertion is required but not the response 'requireResponseToBeSigned' => false, ]; ``` -------------------------------- ### Generating SAML SP Logout URL in Twig Source: https://github.com/flipboxfactory/saml-sp/blob/master/docs/configure/logout.md This snippet demonstrates how to generate a Single Logout (SLO) URL using the `samlSpLogoutUrl` Twig helper function. It requires an IdP entity ID as a parameter and will throw an `InvalidArgumentException` if the IDP entity ID does not match a record in the database. The generated URL points to the `/sso/logout/request` endpoint. ```HTML Logout ``` -------------------------------- ### Mapping SAML Attribute Names for User Groups (PHP) Source: https://github.com/flipboxfactory/saml-sp/blob/master/docs/configure/groups.md This configuration snippet for `config/saml-sp.php` allows overriding the default SAML attribute name (`groups`) used for mapping user groups. By setting `groupAttributeNames`, the plugin will look for the specified attribute (e.g., 'MyUserGroupAttributeName') in the SAML assertion to match against Craft User Group handles. This ensures that users are assigned to groups based on a custom attribute from the Identity Provider. ```php return [ 'groupAttributeNames' => [ 'MyUserGroupAttributeName', ] ]; ``` -------------------------------- ### Disabling Merging of Existing User Groups (PHP) Source: https://github.com/flipboxfactory/saml-sp/blob/master/docs/configure/groups.md This configuration snippet for `config/saml-sp.php` controls whether a user's existing Craft User Groups are merged with groups found in the SAML Response Assertions. Setting `mergeExistingGroups` to `false` means that user groups will be fully managed by SSO/SAML, potentially removing groups if they are not present or if the SAML attribute is empty. The default behavior is to merge groups, so this setting explicitly disables that. ```php return [ 'mergeExistingGroups'=>false, ]; ``` === COMPLETE CONTENT === This response contains all available snippets from this library. No additional content exists. Do not make further requests.