silinternational · briskt · Jul 31, 2024 · Jul 18, 2024 · Jul 19, 2024 · Jul 19, 2024
@@ -1,5 +1,6 @@
-# ssp-base 
-Base image for simpleSAMLphp
+# ssp-base
+
+Base image for SimpleSAMLphp IdP and Hub with custom modules
 
 Docker image: [silintl/ssp-base](https://hub.docker.com/r/silintl/ssp-base/)
 
@@ -9,8 +10,6 @@ must be installed.
 
 [Make](https://www.gnu.org/software/make) is optional but simplifies the build process.
 
-[PHP](https://www.php.net) and [Composer](https://getcomposer.org) are optional, but at a minimum you need COMPOSER_CACHE_DIR set to a local directory for storing the PHP dependency cache. This must be exported in your local development environment, not in the Docker container environment. For example, in your `~/.bashrc`, include `export COMPOSER_CACHE_DIR="$HOME/.composer"` and create an empty directory at `~/.composer`.
-
 ## Configuration
 By default, configuration is read from environment variables. These are documented
 in the `local.env.dist` file. Optionally, you can define configuration in AWS AppConfig.
@@ -35,10 +34,10 @@ will overwrite variables set in the execution environment.
 
 1. `cp local.env.dist local.env` within project root and make adjustments as needed.
 2. `cp local.broker.env.dist local.broker.env` within project root and make adjustments as needed.
-3. Add your github token to the `COMPOSER_AUTH` variable in the `local.env` file.
+3. Add your GitHub [personal access token](https://github.com/settings/tokens?type=beta) to the `COMPOSER_AUTH` variable in the `local.env` file.
 4. Create `localhost` aliases for `ssp-hub.local`, `ssp-idp1.local`, `ssp-idp2.local`, `ssp-idp3.local`, `ssp-sp1.local`, `ssp-sp2.local`, and `ssp-sp3.local`. This is typically done in `/etc/hosts`.  _Example line:  `127.0.0.1  ssp-hub.local ssp-idp1.local ssp-idp2.local ssp-idp3.local ssp-sp1.local ssp-sp2.local ssp-sp3.local`_
-4. `make` or `docker compose up -d` within the project root.
-5. Visit http://ssp-hub.local to see SimpleSAMLphp 
+5. Run `make test` within the project root.
+6. Visit http://ssp-hub.local to see SimpleSAMLphp
 
 _Note:_ there is an unresolved problem that requires a change to BASE_URL_PATH for ssp-idp1.local in docker-compose.yml due to a requirement in silauth that it be a full URL. For automated testing, it must not have a port number, but for manual testing it needs the port number.
 
@@ -93,7 +92,7 @@ docker composer up -d ssp-hub.local
  - Port: 80
  - Debugger: Xdebug
  - Check use path mappings and add map from project root to `/data`
- 
+
 13. Hit `Apply` and `OK`
 14. Click on `Run` and then `Debug 'Debug on Docker'`
 
@@ -164,11 +163,9 @@ Example (in `metadata/saml20-idp-hosted.php`):
 
             // Optional:
             'warnDaysBefore' => 14,
-            'originalUrlParam' => 'originalurl',
-            'dateFormat' => 'm.d.Y', // Use PHP's date syntax.
             'loggerClass' => '\\Sil\\Psr3Adapters\\Psr3SamlLogger',
         ],
-        
+
         // ...
     ],
 
@@ -181,12 +178,13 @@ the user's expiry date, which must be formated as YYYYMMDDHHMMSSZ (e.g.
 `20111011235959Z`). Those two attributes need to be part of the attribute set
 returned when the user successfully authenticates.
 
+The `passwordChangeUrl` parameter contains the URL of the password manager. A
+link to that URL may be presented to the user as a convenience for updating
+their password.
+
 The `warnDaysBefore` parameter should be an integer representing how many days
 before the expiry date the "about to expire" warning will be shown to the user.
 
-The `dateFormat` parameter specifies how you want the date to be formatted,
-using PHP `date()` syntax. See <http://php.net/manual/en/function.date.php>.
-
 The `loggerClass` parameter specifies the name of a PSR-3 compatible class that
 can be autoloaded, to use as the logger within ExpiryDate.
 
@@ -200,46 +198,31 @@ they did on those two modules.
 
 Material Design theme for use with SimpleSAMLphp
 
-#### Installation
-
-```
-composer.phar require silinternational/simplesamlphp-module-material:dev-master
-```
-
 #### Configuration
 
-Update `/simplesamlphp/config/config.php`:
-
-```
-'theme.use' => 'material:material'
-```
-
-This project sets this as the default value in the provided config file.
+No configuration is necessary. The `theme.use` config option is pre-configured to `material:material`.
+Optional configuration is described below.
 
 ##### Google reCAPTCHA
 
-If a site key has been provided in `$this->data['recaptcha.siteKey']`, the
+If a site key has been provided in the `RECAPTCHA_SITE_KEY` environment variable, the
 username/password page may require the user prove his/her humanity.
 
 ##### Branding
 
-Update `/simplesamlphp/config/config.php`:
+Set the `THEME_COLOR_SCHEME` environment variable using one of the following values:
 
 ```
-'theme.color-scheme' => ['indigo-purple'|'blue_grey-teal'|'red-teal'|'orange-light_blue'|'brown-orange'|'teal-blue']
+'indigo-purple', 'blue_grey-teal', 'red-teal', 'orange-light_blue', 'brown-orange', 'teal-blue'
 ```
 
+The default is `indigo-purple`.
+
 The login page looks for `/simplesamlphp/public/logo.png` which is **NOT** provided by default.
 
 ##### Analytics
 
-Update `/simplesamlphp/config/config.php`:
-
-```
-'analytics.trackingId' => 'UA-some-unique-id-for-your-site'
-```
-
-This project provides a convenience by loading this config with whatever is in the environment variable `ANALYTICS_ID`._
+Set the `ANALYTICS_ID` environment variable to contain your Google Analytics 4 tag ID.
 
 ##### Announcements
 
@@ -259,11 +242,12 @@ If provided, an alert will be shown to the user filled with the content of that
 
 #### i18n support
 
-Translations are categorized by page in definition files located in the `dictionaries` directory.
+Translations are in files located in the `modules/material/locales` directory.
 
-Localization is affected by the configuration setting `language.available`. Only language codes found in this property will be utilized.  
-For example, if a translation is provided in Afrikaans for this module, the configuration must be adjusted to make 'af' an available
-language. If that's not done, the translation function will not utilize the translations even if provided.
+Localization is affected by the configuration setting `language.available`. Only language codes found in this property
+will be utilized. For example, if a translation is provided in Afrikaans for this module, the configuration must be
+adjusted to make 'af' an available language. If that's not done, the translation function will not utilize the
+translations even if provided.
 
 ### Multi-Factor Authentication (MFA) simpleSAMLphp Module
 A simpleSAMLphp module for prompting the user for MFA credentials (such as a
@@ -285,9 +269,9 @@ Example (for `metadata/saml20-idp-hosted.php`):
 
     use Sil\PhpEnv\Env;
     use Sil\Psr3Adapters\Psr3SamlLogger;
-    
+
     // ...
-    
+
     'authproc' => [
         10 => [
             // Required:
@@ -303,7 +287,7 @@ Example (for `metadata/saml20-idp-hosted.php`):
             // Optional:
             'loggerClass' => Psr3SamlLogger::class,
         ],
-        
+
         // ...
     ],
 
@@ -312,7 +296,7 @@ the user's Employee ID stored in it. In certain situations, this may be
 displayed to the user, as well as being used in log messages.
 
 The `loggerClass` parameter specifies the name of a PSR-3 compatible class that
-can be autoloaded, to use as the logger within ExpiryDate.
+can be autoloaded, to use as the logger within the module.
 
 The `mfaSetupUrl` parameter is for the URL of where to send the user if they
 want/need to set up MFA.
@@ -327,12 +311,12 @@ Based on...
   implemented as AuthProcs,
 - implementing my solution as an AuthProc and having a number of tests that all
   confirm that it is working as desired, and
-- a discussion in the SimpleSAMLphp mailing list about this:  
+- a discussion in the SimpleSAMLphp mailing list about this:
   https://groups.google.com/d/msg/simplesamlphp/ocQols0NCZ8/RL_WAcryBwAJ
 
 ... it seems sufficiently safe to implement MFA using a simpleSAMLphp AuthProc.
 
-For more of the details, please see this Stack Overflow Q&A:  
+For more of the details, please see this Stack Overflow Q&A:
 https://stackoverflow.com/q/46566014/3813891
 
 #### Acknowledgements
@@ -361,9 +345,9 @@ Example (for `metadata/saml20-idp-hosted.php`):
 
     use Sil\PhpEnv\Env;
     use Sil\Psr3Adapters\Psr3SamlLogger;
-    
+
     // ...
-    
+
     'authproc' => [
         10 => [
             // Required:
@@ -375,7 +359,7 @@ Example (for `metadata/saml20-idp-hosted.php`):
             // Optional:
             'loggerClass' => Psr3SamlLogger::class,
         ],
-        
+
         // ...
     ],
 
@@ -397,8 +381,6 @@ SimpleSAMLphp auth module implementing custom business logic:
 - rate limiting
 - status endpoint
 
-[![GitHub license](https://img.shields.io/badge/license-MIT-blue.svg?style=flat-square)](https://raw.githubusercontent.com/silinternational/simplesamlphp-module-silauth/develop/LICENSE)
-
 #### Database Migrations
 To create another database migration file, run the following (replacing
 `YourMigrationName` with whatever you want the migration to be named, using
@@ -466,7 +448,7 @@ load balancer) in the TRUSTED_IP_ADDRESSES environment variable (see
 `local.env.dist`).
 
 #### Status Check
-To check the status of the website, you can access this URL:  
+To check the status of the website, you can access this URL:
 `https://(your domain name)/module.php/silauth/status.php`
 
 ### SilDisco module for SAML Discovery

@@ -19,14 +19,10 @@ default:
       paths:    [ '%paths.base%//features//profilereview.feature' ]
       contexts: [ 'ProfileReviewContext' ]
     sildisco_features:
-      contexts: ['SilDiscoContext']
+      contexts: [ 'SilDiscoContext' ]
       paths:
-        - '%paths.base%//features//Sp1Idp1Sp2Idp2Sp3.feature'
-        - '%paths.base%//features//Sp1Idp2Sp2Sp3Idp1.feature'
-        - '%paths.base%//features//Sp2Idp2Sp1Idp1Sp3.feature'
-        - '%paths.base%//features//Sp2Idp2Sp1Idp2Sp3.feature'
-        - '%paths.base%//features//Sp3Idp1Sp1Idp1Sp2Idp2.feature'
-#        - '%paths.base%//features//WwwMetadataCept.feature'
+        - '%paths.base%//features//sildisco.feature'
+        - '%paths.base%//features//WwwMetadataCept.feature'
     status_features:
       paths:    [ '%paths.base%//features//status.feature' ]
       contexts: [ 'StatusContext' ]
@@ -25,10 +25,6 @@
         'SingleSignOnService' => 'http://ssp-idp1.local:8085/saml2/idp/SSOService.php',
         'SingleLogoutService' => 'http://ssp-idp1.local:8085/saml2/idp/SingleLogoutService.php',
         'certData' => 'MIIDzzCCAregAwIBAgIJAPlZYTAQSIbHMA0GCSqGSIb3DQEBCwUAMH4xCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJOQzEPMA0GA1UEBwwGV2F4aGF3MQwwCgYDVQQKDANTSUwxDTALBgNVBAsMBEdUSVMxDjAMBgNVBAMMBVN0ZXZlMSQwIgYJKoZIhvcNAQkBFhVzdGV2ZV9iYWd3ZWxsQHNpbC5vcmcwHhcNMTYxMDE3MTIzMTQ1WhcNMjYxMDE3MTIzMTQ1WjB+MQswCQYDVQQGEwJVUzELMAkGA1UECAwCTkMxDzANBgNVBAcMBldheGhhdzEMMAoGA1UECgwDU0lMMQ0wCwYDVQQLDARHVElTMQ4wDAYDVQQDDAVTdGV2ZTEkMCIGCSqGSIb3DQEJARYVc3RldmVfYmFnd2VsbEBzaWwub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArssOaeKbdOQFpN6bBolwSJ/6QFBXA73Sotg60anx9v6aYdUTmi+b7SVtvOmHDgsD5X8pN/6Z11QCZfTYg2nW3ZevGZsj8W/R6C8lRLHzWUr7e7DXKfj8GKZptHlUs68kn0ndNVt9r/+irJe9KBdZ+4kAihykomNdeZg06bvkklxVcvpkOfLTQzEqJAmISPPIeOXes6hXORdqLuRNTuIKarcZ9rstLnpgAs2TE4XDOrSuUg3XFnM05eDpFQpUb0RXWcD16mLCPWw+CPrGoCfoftD5ZGfll+W2wZ7d0kQ4TbCpNyxQH35q65RPVyVNPgSNSsFFkmdcqP9DsFqjJ8YC6wIDAQABo1AwTjAdBgNVHQ4EFgQUD6oyJKOPPhvLQpDCC3027QcuQwUwHwYDVR0jBBgwFoAUD6oyJKOPPhvLQpDCC3027QcuQwUwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAA6tCLHJQGfXGdFerQ3J0wUu8YDSLb0WJqPtGdIuyeiywR5ooJf8G/jjYMPgZArepLQSSi6t8/cjEdkYWejGnjMG323drQ9M1sKMUhOJF4po9R3t7IyvGAL3fSqjXA8JXH5MuGuGtChWxaqhduA0dBJhFAtAXQ61IuIQF7vSFxhTwCvJnaWdWD49sG5OqjCfgIQdY/mw70e45rLnR/bpfoigL67sTJxy+Kx2ogbvMR6lITByOEQFMt7BYpMtXrwvKUM7k9NOo1jREmJacC8PTx//jRhCWwzUj1RsfIri24BuITrawwqMsYl8DZiiwMpjUf9m4NPaf4E7+QRpzo+MCcg==',
-
-        // NOTE: This breaks being able to test the hub's authentication sources
-        //       since the hub doesn't create an SP entry in the session
-        'SPList' => ['http://ssp-sp1.local:8081', 'http://ssp-sp2.local:8082', 'http://ssp-sp3.local:8083'],
     ],
     'http://ssp-idp1.local' => [
         'metadata-set' => 'saml20-idp-remote',
@@ -44,12 +40,7 @@
 
         'SingleSignOnService' => 'http://ssp-idp1.local/saml2/idp/SSOService.php',
         'SingleLogoutService' => 'http://ssp-idp1.local/saml2/idp/SingleLogoutService.php',
-        //  'certFingerprint'      => 'c9ed4dfb07caf13fc21e0fec1572047eb8a7a4cb'
         'certData' => 'MIIDzzCCAregAwIBAgIJAPlZYTAQSIbHMA0GCSqGSIb3DQEBCwUAMH4xCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJOQzEPMA0GA1UEBwwGV2F4aGF3MQwwCgYDVQQKDANTSUwxDTALBgNVBAsMBEdUSVMxDjAMBgNVBAMMBVN0ZXZlMSQwIgYJKoZIhvcNAQkBFhVzdGV2ZV9iYWd3ZWxsQHNpbC5vcmcwHhcNMTYxMDE3MTIzMTQ1WhcNMjYxMDE3MTIzMTQ1WjB+MQswCQYDVQQGEwJVUzELMAkGA1UECAwCTkMxDzANBgNVBAcMBldheGhhdzEMMAoGA1UECgwDU0lMMQ0wCwYDVQQLDARHVElTMQ4wDAYDVQQDDAVTdGV2ZTEkMCIGCSqGSIb3DQEJARYVc3RldmVfYmFnd2VsbEBzaWwub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArssOaeKbdOQFpN6bBolwSJ/6QFBXA73Sotg60anx9v6aYdUTmi+b7SVtvOmHDgsD5X8pN/6Z11QCZfTYg2nW3ZevGZsj8W/R6C8lRLHzWUr7e7DXKfj8GKZptHlUs68kn0ndNVt9r/+irJe9KBdZ+4kAihykomNdeZg06bvkklxVcvpkOfLTQzEqJAmISPPIeOXes6hXORdqLuRNTuIKarcZ9rstLnpgAs2TE4XDOrSuUg3XFnM05eDpFQpUb0RXWcD16mLCPWw+CPrGoCfoftD5ZGfll+W2wZ7d0kQ4TbCpNyxQH35q65RPVyVNPgSNSsFFkmdcqP9DsFqjJ8YC6wIDAQABo1AwTjAdBgNVHQ4EFgQUD6oyJKOPPhvLQpDCC3027QcuQwUwHwYDVR0jBBgwFoAUD6oyJKOPPhvLQpDCC3027QcuQwUwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAA6tCLHJQGfXGdFerQ3J0wUu8YDSLb0WJqPtGdIuyeiywR5ooJf8G/jjYMPgZArepLQSSi6t8/cjEdkYWejGnjMG323drQ9M1sKMUhOJF4po9R3t7IyvGAL3fSqjXA8JXH5MuGuGtChWxaqhduA0dBJhFAtAXQ61IuIQF7vSFxhTwCvJnaWdWD49sG5OqjCfgIQdY/mw70e45rLnR/bpfoigL67sTJxy+Kx2ogbvMR6lITByOEQFMt7BYpMtXrwvKUM7k9NOo1jREmJacC8PTx//jRhCWwzUj1RsfIri24BuITrawwqMsYl8DZiiwMpjUf9m4NPaf4E7+QRpzo+MCcg==',
-
-        // NOTE: This breaks being able to test the hub's authentication sources
-        //       since the hub doesn't create an SP entry in the session
-        'SPList' => ['http://ssp-sp1.local', 'http://ssp-sp2.local', 'http://ssp-sp3.local'],
     ],
 
     /*

@@ -13,6 +13,7 @@
 
 $metadata['http://ssp-idp1.local:8085'] = [
     'entityid' => 'http://ssp-idp1.local:8085',
+    'name' => ['en' => 'IDP 1'],
 
     /*
      * The hostname of the server (VHOST) that will use this SAML entity.

@@ -7,6 +7,7 @@
 
 $metadata['http://ssp-idp2.local:8086'] = [
     'entityid' => 'http://ssp-idp2.local:8086',
+    'name' => ['en' => 'IDP 2'],
 
     /*
      * The hostname of the server (VHOST) that will use this SAML entity.

@@ -7,6 +7,7 @@
 
 $metadata['http://ssp-idp3.local:8087'] = [
     'entityid' => 'http://ssp-idp3.local:8087',
+    'name' => ['en' => 'IDP 3'],
 
     /*
      * The hostname of the server (VHOST) that will use this SAML entity.

@@ -41,7 +41,6 @@ services:
       PROFILE_URL_FOR_TESTS: http://pwmanager.local/module.php/core/authenticate.php?as=ssp-hub
       ADMIN_PASS: b
       SECRET_SALT: abc123
-      IDP_NAME: x
     volumes:
       - ./dockerbuild/run-integration-tests.sh:/data/run-integration-tests.sh
       - ./dockerbuild/run-metadata-tests.sh:/data/run-metadata-tests.sh
@@ -111,7 +110,6 @@ services:
     environment:
       ADMIN_PASS: "abc123"
       SECRET_SALT: "not-secret-h57fjemb&dn^nsJFGNjweJ"
-      IDP_NAME: "Hub"
       SECURE_COOKIE: "false"
       SHOW_SAML_ERRORS: "true"
       THEME_COLOR_SCHEME: "orange-light_blue"
@@ -162,7 +160,6 @@ services:
     environment:
       ADMIN_PASS: "a"
       SECRET_SALT: "not-secret-h57fjemb&dn^nsJFGNjweJ"
-      IDP_NAME: "IDP 1"
       IDP_DOMAIN_NAME: "mfaidp"
       ID_BROKER_ACCESS_TOKEN: "dummy"
       ID_BROKER_ASSERT_VALID_IP: "false"
@@ -217,7 +214,6 @@ services:
     environment:
       ADMIN_PASS: "b"
       SECRET_SALT: "h57fjemb&dn^nsJFGNjweJ"
-      IDP_NAME: "IDP 2"
       IDP_DOMAIN_NAME: "ssp-idp2.local"
       ID_BROKER_ACCESS_TOKEN: "test-cli-abc123"
       ID_BROKER_ASSERT_VALID_IP: "true"
@@ -261,7 +257,6 @@ services:
       SECRET_SALT: "h57fjem34fh*nsJFGNjweJ"
       SECURE_COOKIE: "false"
       SHOW_SAML_ERRORS: "true"
-      IDP_NAME: "IdP3"
       THEME_COLOR_SCHEME: "orange-light_blue"
 
   ssp-sp1.local: