Single Sign On Authentication in Symfony 3

This article describes what I encountered while solving a real scenario in which the central point of authentication ran on Symfony 3.4, with a couple of projects on Symfony 3.4 and a couple of projects on Symfony 2.3, 2.7 and 2.8.

The article is inspired by korotovsky's SSO solution, available at this link:
https://www.korotovsky.io/2015/08/16/a-quick-way-to-build-single-sign-on-authentication-in-symfony2/

The original SSO implementation needed some improvements, listed below, and some bugfixes; all of them are available on GitHub:
https://github.com/mmilojevic/SingleSignOnIdentityProviderBundle
https://github.com/mmilojevic/SingleSignOnServiceProviderBundle

For the IDP (Identity Provider) use branch 0.3.X. For SPs (Service Providers) on Symfony 3 use branch 0.3.X; for SPs on Symfony 2 use branch 0.2.X. An example composer.json setting for an SP on Symfony 3 is below. The idea is to define a repository where composer will look first for the package.

    "repositories": [
        {
            "type": "git",
            "url": "https://github.com/mmilojevic/SingleSignOnServiceProviderBundle",
            "reference": "2b09d97d520697e56b0385d6d44f21949c7c1dfa"
        }
    ],
    "require": {
        ...
        "korotovsky/sso-library": "0.3.0",
        "korotovsky/sso-sp-bundle": "0.3.x-dev",
        ...
    }


1. The first improvement concerns the case where the user is authenticated on the IDP and SP1 but not on SP2. When the user hits a public route of SP2, SSO authentication is not triggered and the user sees the public page of SP2 as a not-logged-in user. This is solved with an ajax call from the first SP to a secured route of each other SP, so the user is automatically authenticated on all SPs. This setting requires additional setup on the HTTP server to enable CORS. One simple example for nginx would be:

add_header Access-Control-Allow-Origin '*';
add_header Access-Control-Allow-Credentials true;

This enables CORS for all domains. It should be changed to check the request's Origin header, the client IP, or something stricter, so that CORS is enabled only for your own domains.
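As an added example (not code from this post or from the SSO bundles), the same Origin check can be done inside the Symfony 3.4 application with a response subscriber instead of in nginx. The class name, the parameter holding the list of SP origins and the origin values themselves are assumptions. Browsers refuse `Access-Control-Allow-Credentials: true` when the allowed origin is `*`, so a cookie-carrying cross-SP ajax request needs the exact, allow-listed origin echoed back rather than a wildcard:

```php
<?php
// Added example, not part of the original post or the korotovsky/mmilojevic bundles.
// Echoes only allow-listed SP origins back in Access-Control-Allow-Origin.
// Assumed: AppBundle namespace, class name, and the origins injected via services.yml.

namespace AppBundle\EventListener;

use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpKernel\Event\FilterResponseEvent;
use Symfony\Component\HttpKernel\KernelEvents;

class SsoCorsSubscriber implements EventSubscriberInterface
{
    /** @var string[] exact origins of the other SPs, e.g. ['https://sp1.example.test', 'https://sp2.example.test'] (assumed) */
    private $allowedOrigins;

    public function __construct(array $allowedOrigins)
    {
        $this->allowedOrigins = $allowedOrigins;
    }

    public static function getSubscribedEvents()
    {
        return [KernelEvents::RESPONSE => 'onKernelResponse'];
    }

    public function onKernelResponse(FilterResponseEvent $event)
    {
        if (!$event->isMasterRequest()) {
            return;
        }

        $request  = $event->getRequest();
        $response = $event->getResponse();
        $origin   = $request->headers->get('Origin');

        // Same-origin or non-browser request: no CORS headers needed.
        if (null === $origin) {
            return;
        }

        // The response now depends on Origin; tell caches so one SP's
        // Access-Control-Allow-Origin is never served to another SP.
        $response->headers->set('Vary', 'Origin', false);

        // Strict string comparison against the allow-list: no regex, no prefix
        // matching, so "https://sp1.example.test.attacker.test" does not match.
        if (!in_array($origin, $this->allowedOrigins, true)) {
            return; // no ACAO header, the browser blocks the cross-origin read
        }

        $response->headers->set('Access-Control-Allow-Origin', $origin);
        $response->headers->set('Access-Control-Allow-Credentials', 'true');
    }
}
```

Register the class as a service with the list of SP origins as its constructor argument (in Symfony 3.4 with autoconfigure enabled, implementing EventSubscriberInterface is enough to get the `kernel.event_subscriber` tag). With this in place the nginx `add_header` lines are no longer needed for the SSO routes.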


2. There is always a situation where SP1 is the most important project and the other ones (SP2, SP3, ...) are less important. In the original implementation, logging out from SP1 triggers, in the SSO loop, a logout from SP2 and the rest of the SPs; but if SP2 has some critical error it returns response code 404, or if its host is unknown response code 0, so sso/logout breaks and we can't log out from SP1. These situations are now handled in LogoutManager: logout is not triggered on SPs that return response code 404 or 0, so logout on the IDP and the remaining SPs succeeds.
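As an added illustration of that rule (this is not the bundle's LogoutManager, only a stand-alone sketch of the same decision), the function below fans the logout out to each SP with cURL and classifies the outcome. An SP that answers 404 or cannot be reached (cURL reports HTTP code 0) is recorded and skipped instead of aborting the loop, so the IDP and the remaining SPs are still logged out. The SP names, URLs and timeout are assumptions:

```php
<?php
// Added example, not the SSO bundles' code. Assumed input: a map of SP name => logout URL.

/**
 * Returns true when the SP's answer means "skip it and keep going":
 * 0 is what cURL reports when no HTTP response was received (unknown host,
 * connection refused, timeout); 404 is the "SP is broken" case from the post.
 */
function ssoShouldSkipSp($httpCode)
{
    return 0 === (int) $httpCode || 404 === (int) $httpCode;
}

/**
 * Calls every SP logout URL and reports which SPs were logged out,
 * which were skipped (404 / unreachable), and which failed otherwise.
 * A skipped or failed SP never stops the loop, so the IDP can finish its own logout.
 */
function ssoLogoutFanOut(array $spLogoutUrls, $timeoutSeconds = 3)
{
    $result = ['loggedOut' => [], 'skipped' => [], 'failed' => []];

    foreach ($spLogoutUrls as $spName => $url) {
        $ch = curl_init($url);
        curl_setopt_array($ch, [
            CURLOPT_RETURNTRANSFER => true,
            CURLOPT_FOLLOWLOCATION => false,          // a redirect is not a confirmed logout
            CURLOPT_CONNECTTIMEOUT => $timeoutSeconds, // an unreachable SP must not hang the loop
            CURLOPT_TIMEOUT        => $timeoutSeconds,
            CURLOPT_SSL_VERIFYPEER => true,            // never relax TLS checks for the logout call
        ]);
        curl_exec($ch);
        $httpCode = (int) curl_getinfo($ch, CURLINFO_HTTP_CODE);
        $curlError = curl_error($ch);
        curl_close($ch);

        if (ssoShouldSkipSp($httpCode)) {
            $result['skipped'][$spName] = 0 === $httpCode
                ? 'unreachable: ' . $curlError
                : 'HTTP 404';
            continue;
        }

        if ($httpCode >= 200 && $httpCode < 300) {
            $result['loggedOut'][] = $spName;
        } else {
            // Any other status (500, 403, ...) is logged for follow-up but does not abort.
            $result['failed'][$spName] = $httpCode;
        }
    }

    return $result;
}

// Constructed sample input (assumed hostnames), e.g. from the IDP's logout route:
$report = ssoLogoutFanOut([
    'sp1' => 'https://sp1.example.test/sso/logout',
    'sp2' => 'https://sp2.example.test/sso/logout',
    'sp3' => 'https://unknown-host.example.test/sso/logout',
]);
```

The report lets the IDP log which SPs still hold a session after a partial outage; the skipped entries are the ones to reconcile once those SPs are back, since their local sessions were not terminated.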


3. The IDP hosts the central login form with a registration link. That link can lead to the IDP registration page, which is common to all SPs, but when we want the registration page of the SP from which the user came to the IDP, we must extend the Service Provider with a registration URL getter and then extract the proper SP registration page in the IDP login route. An example is on the GitHub page.
