SAML as an Authentication Provider
The CMS can be configured to use SAML as its authentication provider.
SAML integration is enabled via the settings.php file in the CMS installation. If Docker has been used, settings.php will not be accessible; however, it is possible to create a settings-custom.php file in the /custom mount point. The configuration below can be added to that file instead.
The purpose of the integration is to configure a SAML enabled IdP (identity provider) for authentication with the Xibo CMS.
A User already authenticated with the IdP will automatically be logged into the CMS. If the User does not exist they will optionally be created with a set of default credentials.
Configuration
SAML integration is configured in the settings.php file of the CMS installation. This file can be found in your /web folder.
There are two sections to adjust: the $authentication middleware and the $samlSettings configuration array.
The authentication middleware should be changed to SAMLAuthentication, as shown below:

```php
$authentication = new \Xibo\Middleware\SAMLAuthentication();
```
The SAML settings array contains all the necessary information for the CMS to connect to and use a SAML enabled IdP. The configuration is split into 4 main sections:
- idp: options for the identity provider (these are used by the CMS to identify and communicate with the identity provider). The values for these settings can be found in the IdP.
- sp: options for the service provider (these are sent by the CMS to the identity provider so that the IdP can communicate back to the CMS). The CMS URL for the target installation should be used in these settings.
- security: options to enable security as required by the IdP.
- workflow: CMS specific options that determine how data from the IdP is mapped to data in Xibo. If single logout is disabled, selecting ‘log out’ in the CMS won’t have any effect, as the User will be immediately logged in again on the next request.
Just-in-time provisioning (JIT)
Just-in-time provisioning can be enabled in the workflow section. With JIT provisioning enabled, Users who visit the CMS and do not currently have an account are automatically created.
If the intention is to use JIT then it is required to define what information should be used to create the User in the CMS.
If the IdP does not provide any attributes, it is important to exclude the mapping property of the workflow settings.
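The following is an added illustration of how a workflow block like the one in this document turns a SAML assertion into the fields of a newly provisioned CMS user; it is not Xibo's own provisioning code. The SAML attribute names (uid, mail), the shape of the returned user array and the attribute-value layout (one array of values per attribute, as php-saml returns them) are assumptions for the example.

```php
<?php
// Added example (not Xibo's or php-saml's code): apply a 'workflow' block to
// the NameID and attributes from a SAML assertion and produce the data a JIT
// user would be created from.

function buildJitUser(array $workflow, string $nameId, array $attributes): array
{
    $user = [
        'UserName'     => null,
        'email'        => null,
        'libraryQuota' => $workflow['libraryQuota'] ?? 0,
        'group'        => $workflow['group'] ?? null,
        'homePage'     => $workflow['homePage'] ?? null,
    ];

    // Walk the CMS-field => IdP-attribute mapping. Empty entries are skipped;
    // each attribute is assumed to arrive as an array of values, so take the first.
    foreach ($workflow['mapping'] ?? [] as $cmsField => $samlAttr) {
        if ($samlAttr === '' || !isset($attributes[$samlAttr][0])) {
            continue;
        }
        $user[$cmsField] = $attributes[$samlAttr][0];
    }

    // Identify the user either by a mapped field or, for 'nameId', by the SAML
    // NameID, which then also becomes the Xibo username.
    $idField = $workflow['field_to_identify'] ?? 'nameId';
    if ($idField === 'nameId') {
        $user['UserName'] = $nameId;
        $identifier = $nameId;
    } else {
        $identifier = $user[$idField] ?? null;
    }
    if ($identifier === null || $identifier === '') {
        throw new RuntimeException("Cannot identify user: no value for '$idField'");
    }
    $user['identifier'] = $identifier;
    return $user;
}

// Constructed sample: the workflow block from this page and an assertion
// carrying uid and mail attributes.
$workflow = [
    'jit'               => true,
    'field_to_identify' => 'UserName',
    'libraryQuota'      => 1000,
    'group'             => 'Users',
    'homePage'          => 'icondashboard.view',
    'mapping'           => ['UserID' => '', 'UserName' => 'uid', 'email' => 'mail'],
];
$attrs = ['uid' => ['alice'], 'mail' => ['alice@example.com']];
print_r(buildJitUser($workflow, 'alice@example.com', $attrs));

// Edge case from the text: an IdP that sends no attributes. Keeping the mapping
// and identifying by UserName would fail (UserName stays empty), so the mapping
// is left out and the user is identified by the NameID instead.
$noAttrs = ['jit' => true, 'field_to_identify' => 'nameId', 'libraryQuota' => 1000];
print_r(buildJitUser($noAttrs, 'alice@example.com', []));
```

Running the first call yields a user named alice with email alice@example.com and the defaults from the workflow block; the second shows why the mapping property must be excluded when the IdP supplies no attributes.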
Example settings
```php
$samlSettings = array (
    'workflow' => array(
        // Enable/Disable Just-In-Time provisioning
        'jit' => true,
        // Attribute to identify the user
        // if set to nameId then the NameID from SAML will be taken and used as the
        // username in Xibo.
        'field_to_identify' => 'UserName', // Alternatives: UserID, UserName, email
        // Default libraryQuota assigned to the created user by JIT
        'libraryQuota' => 1000,
        // Initial User Group
        'group' => 'Users',
        // Home Page
        'homePage' => 'icondashboard.view',
        // Enable/Disable Single Logout
        'slo' => true,
        // Attribute mapping between XIBO-CMS and the IdP
        'mapping' => array (
            'UserID' => '',
            'usertypeid' => '',
            'UserName' => 'uid',
            'email' => 'mail',
            'ref1' => '',
            'ref2' => '',
            'ref3' => '',
            'ref4' => '',
            'ref5' => ''
        )
    ),
    // Configure the IdP and SP
    // strict: when false, php-saml does not reject messages that fail its
    // validation checks (e.g. unsigned messages it expected to be signed);
    // set to true outside of testing.
    'strict' => false,
    // debug: prints SAML errors; turn off in production.
    'debug' => true,
    'idp' => array (
        'entityId' => 'https://idp.example.com/simplesaml/saml2/idp/metadata.php',
        'singleSignOnService' => array (
            'url' => 'http://idp.example.com/simplesaml/saml2/idp/SSOService.php',
        ),
        'singleLogoutService' => array (
            'url' => 'http://idp.example.com/simplesaml/saml2/idp/SingleLogoutService.php',
        ),
        // Placeholder: the IdP signing certificate (PEM body) goes here
        'x509cert' => 'IDP_X509_CERTIFICATE_PLACEHOLDER',
    ),
    'sp' => array (
        'entityId' => 'http://xibo-cms.example.com/saml/metadata',
        'assertionConsumerService' => array (
            'url' => 'http://xibo-cms.example.com/saml/acs',
        ),
        'singleLogoutService' => array (
            'url' => 'http://xibo-cms.example.com/saml/sls',
        ),
        'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress',
        'x509cert' => '',
        'privateKey' => '',
    ),
    'security' => array (
        'nameIdEncrypted' => false,
        'authnRequestsSigned' => false,
        'logoutRequestSigned' => false,
        'logoutResponseSigned' => false,
        'signMetadata' => false,
        'wantMessagesSigned' => false,
        'wantAssertionsSigned' => false,
        'wantAssertionsEncrypted' => false,
        'wantNameIdEncrypted' => false,
    )
);
```
The homePage value icondashboard.view needs to be replaced if you are using a CMS earlier than v3:
- Earlier than v3 - replace icondashboard.view with icondashboard
- Earlier than v2.0.3 - replace icondashboard.view with dashboard
Further explanation of the SAML specific settings can be found in the onelogin/php-saml project on GitHub (Simple SAML toolkit for PHP).
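As an added example, not part of the Xibo documentation or the php-saml toolkit, the function below is a pre-flight check a CMS administrator can run over the $samlSettings array before enabling SAML. It reads the same keys the example settings use (strict, debug, idp.x509cert, the sp/idp endpoint URLs, the security and workflow sections) and returns a list of findings; the sample array it is run on is constructed from the values shown above and is deliberately the weak, testing-only configuration.

```php
<?php
// Added example (not Xibo's or php-saml's code): audit a $samlSettings array
// for settings that are acceptable while testing but weak in production.

function auditSamlSettings(array $s): array
{
    $findings = [];

    // php-saml only rejects unsigned or malformed messages when strict is true.
    if (empty($s['strict'])) {
        $findings[] = 'strict is false: messages that fail validation are not rejected';
    }
    if (!empty($s['debug'])) {
        $findings[] = 'debug is true: SAML error details are printed in responses';
    }

    // Without a signature requirement the CMS cannot distinguish a genuine
    // IdP assertion from a forged one.
    $sec = $s['security'] ?? [];
    if (empty($sec['wantAssertionsSigned']) && empty($sec['wantMessagesSigned'])) {
        $findings[] = 'neither wantAssertionsSigned nor wantMessagesSigned is true';
    }

    // The IdP certificate is what assertion signatures are verified against.
    if (trim((string)($s['idp']['x509cert'] ?? '')) === '') {
        $findings[] = 'idp.x509cert is empty: assertion signatures cannot be verified';
    }

    // Plain-HTTP endpoints carry assertions and NameIDs in clear text.
    $urls = [
        'idp.singleSignOnService.url'     => $s['idp']['singleSignOnService']['url'] ?? '',
        'idp.singleLogoutService.url'     => $s['idp']['singleLogoutService']['url'] ?? '',
        'sp.assertionConsumerService.url' => $s['sp']['assertionConsumerService']['url'] ?? '',
        'sp.singleLogoutService.url'      => $s['sp']['singleLogoutService']['url'] ?? '',
    ];
    foreach ($urls as $name => $url) {
        if ($url !== '' && stripos($url, 'https://') !== 0) {
            $findings[] = "$name is not https: $url";
        }
    }

    // JIT creates accounts from IdP data, so it needs a field to identify users by.
    $wf = $s['workflow'] ?? [];
    if (!empty($wf['jit']) && empty($wf['field_to_identify'])) {
        $findings[] = 'jit is enabled but field_to_identify is not set';
    }

    return $findings;
}

// Constructed sample built from the example settings on this page.
$example = [
    'strict'   => false,
    'debug'    => true,
    'idp'      => [
        'singleSignOnService' => ['url' => 'http://idp.example.com/simplesaml/saml2/idp/SSOService.php'],
        'x509cert'            => 'IDP_X509_CERTIFICATE_PLACEHOLDER',
    ],
    'sp'       => [
        'assertionConsumerService' => ['url' => 'http://xibo-cms.example.com/saml/acs'],
    ],
    'security' => ['wantAssertionsSigned' => false, 'wantMessagesSigned' => false],
    'workflow' => ['jit' => true, 'field_to_identify' => 'UserName'],
];

foreach (auditSamlSettings($example) as $finding) {
    echo "WARNING: $finding\n";
}
```

Run against the page's example values the check reports strict, debug, the missing signature requirement and the two http:// endpoints; a production configuration should produce an empty list.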