A long time ago I wrote an authentication module allowing users to log in to phpBB3 with a SAML2 token. The authentication module wraps SimpleSamlPhP in a phpBB authentication module and integrates with the phpBB user and group management system.

I finally found the time to remove the client-specific configuration from the source and publish it in full on GitHub:

https://github.com/strandbygaard/phpbb-saml2

The authentication module was written for phpBB v3.x (current version as of this post), and has the following features:

  • Federated user authentication with SAML2
  • Automatic user profile creation on phpBB
  • Automatic management of user group-memberships on phpBB

The authentication module wraps SimpleSamlPhP in a phpBB authentication module and integrates with the phpBB user and group management system, so that a profile is automatically created for new users, and new users are made members of relevant groups in phpBB based on attributes in their SAML2 token.
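As an added illustration of the group-provisioning step described above, here is example code written for this post (it is not code from the phpbb-saml2 module or from SimpleSamlPhP). It shows the shape of the logic: take the attributes of an already validated token, derive the phpBB username from a required attribute, map attribute values to phpBB group names through an explicit allowlist, and compute which memberships to add or remove without touching groups the module does not manage. The attribute names, group names, the constructed sample token and the user's current memberships are all assumptions for the example.

```php
<?php
// Added example (not code from phpbb-saml2 or SimpleSamlPhP): shows how
// attributes from a validated SAML2 token can drive phpBB group membership.
// SimpleSamlPhP returns attributes as name => array of values; the sample
// token below is constructed for this example. Attribute and group names
// are assumptions and are deployment-specific.

declare(strict_types=1);

/** Explicit allowlist: only these attribute values map to phpBB groups. */
const GROUP_MAP = [
    'eduPersonAffiliation' => [
        'staff'   => 'Staff',
        'student' => 'Students',
    ],
    'memberOf' => [
        'cn=forum-moderators,ou=groups,dc=example,dc=org' => 'Moderators',
    ],
];

/** Groups this module manages; memberships in other groups are left alone. */
const MANAGED_GROUPS = ['Staff', 'Students', 'Moderators'];

/** Attribute that carries the phpBB username (an assumption for this example). */
const USERNAME_ATTRIBUTE = 'uid';

/**
 * Derive the phpBB username from the token. Throws instead of falling back
 * to a default, so a token without exactly one username value cannot log in.
 */
function usernameFromAttributes(array $attributes): string
{
    $values = $attributes[USERNAME_ATTRIBUTE] ?? [];
    if (count($values) !== 1 || trim($values[0]) === '') {
        throw new RuntimeException('Token lacks a single ' . USERNAME_ATTRIBUTE . ' value');
    }
    return $values[0];
}

/** Map attribute values to phpBB group names, ignoring anything not allowlisted. */
function groupsFromAttributes(array $attributes): array
{
    $groups = [];
    foreach (GROUP_MAP as $attribute => $valueToGroup) {
        foreach ($attributes[$attribute] ?? [] as $value) {
            if (isset($valueToGroup[$value])) {
                $groups[$valueToGroup[$value]] = true;
            }
        }
    }
    return array_keys($groups);
}

/**
 * Compare the groups the token entitles the user to with the user's current
 * phpBB memberships and return what to add and remove. Only managed groups
 * are ever removed, so an administrator-assigned group is not revoked by a login.
 */
function groupChanges(array $desired, array $current): array
{
    $add    = array_values(array_diff($desired, $current));
    $remove = array_values(array_diff(array_intersect($current, MANAGED_GROUPS), $desired));
    return ['add' => $add, 'remove' => $remove];
}

// Constructed sample attributes, in the shape SimpleSamlPhP's getAttributes() returns.
$sampleAttributes = [
    'uid'                  => ['jdoe'],
    'eduPersonAffiliation' => ['staff', 'member'],             // 'member' is not mapped
    'memberOf'             => ['cn=forum-moderators,ou=groups,dc=example,dc=org',
                               'cn=finance,ou=groups,dc=example,dc=org'], // not mapped
];
// Constructed current phpBB memberships for this user.
$currentGroups = ['Students', 'Registered users'];

$username = usernameFromAttributes($sampleAttributes);
$desired  = groupsFromAttributes($sampleAttributes);   // Staff, Moderators
$changes  = groupChanges($desired, $currentGroups);    // add Staff, Moderators; remove Students

printf("user %s -> desired groups: %s\n", $username, implode(', ', $desired));
printf("add: %s\nremove: %s\n", implode(', ', $changes['add']), implode(', ', $changes['remove']));
// In a real module the add/remove lists would be applied with phpBB's
// group_user_add()/group_user_del() after user_add() has created the profile.
```

The point of the allowlist is that group membership is decided by the forum's configuration, not by whatever values the identity provider happens to send: an unmapped affiliation or an unknown `memberOf` entry is simply ignored, and groups outside `MANAGED_GROUPS` are never revoked on login.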

The module is quite rudimentary, as it was developed in a very short timeframe for a one-off project with somewhat specific requirements. It has, however, been used on a medium traffic production phpBB site for the past year and a half without any issues to date.

Limitations

This module is merely the plumbing between SimpleSamlPhP and phpBB. It does not deal with the configuration of SimpleSamlPhP, and it requires some knowledge of phpBB to install and enable the authentication module.

SimpleSamlPhP is a very mature framework that is successfully used in large production environments with thousands of simultaneous users, and multiple logins (issued tokens) per second. It does require some knowledge about things like certificates, SSL, and SAML2 federation to configure it, but their website provides a great starting point for howtos.

I highly recommend that a basic SimpleSamlPhP setup is successfully tested with the identity provider before the module is enabled in phpBB. Different identity providers have different default settings, and it can take some tweaking of the SimpleSamlPhP configuration to make it work.

I have successfully tested the module with several different identity providers, including SimpleSamlPhP itself, Safewhere*Identify, and Microsoft AD FS 2.0.


Published

22 January 2014