Local SAML SP config

commands/web/configure-local-saml

@@ -0,0 +1,15 @@
+#!/usr/bin/env bash
+#ddev-generated
+#annertech-ddev
+
+## Description: Configure SAML with DDEV and a local SP (service provider)
+## Usage: configure-local-saml
+## Example: "ddev configure-local-saml"
+
+cp .ddev/scripts/local-saml/simplesaml.conf .ddev/nginx/
+
+mkdir -p sso/config
+mkdir -p sso/log
+cp --no-clobber .ddev/scripts/local-saml/config/acl.php sso/config/
+cp --no-clobber .ddev/scripts/local-saml/config/authsources.php sso/config/
+cp --no-clobber .ddev/scripts/local-saml/config/config.php sso/config/

nginx/simplesaml.conf

@@ -0,0 +1,13 @@
+#ddev-generated
+# Allow access to simplesaml paths.
+location ^~ /simplesaml {
+    alias /var/www/html/vendor/simplesamlphp/simplesamlphp/public;
+
+    location ~^(?<prefix>/simplesaml)(?<phpfile>.+?\.php)(?<pathinfo>/.*)?$ {
+        include fastcgi_params;
+        fastcgi_pass unix:/run/php-fpm.sock;
+        fastcgi_param SCRIPT_FILENAME $document_root$phpfile;
+        fastcgi_param SCRIPT_NAME /simplesaml$phpfile;
+        fastcgi_param PATH_INFO $pathinfo if_not_empty;
+    }
+}

scripts/local-saml/config/acl.php

@@ -0,0 +1,66 @@
+<?php
+
+#ddev-generated
+
+/**
+ * @file
+ * Cloned from https://github.com/simplesamlphp/simplesamlphp/blob/master/config/acl.php.dist
+ */
+
+/*
+ * This file defines "named" access control lists, which can
+ * be reused in several places.
+ */
+$config = [
+    'adminlist' => [
+        //['allow', 'equals', 'mail', '[email protected]'],
+        //['allow', 'has', 'groups', 'admin'],
+        // The default action is to deny access.
+    ],
+
+    'example-simple' => [
+        ['allow', 'equals', 'mail', '[email protected]'],
+        ['allow', 'equals', 'mail', '[email protected]'],
+        // The default action is to deny access.
+    ],
+
+    'example-deny-some' => [
+        ['deny', 'equals', 'mail', '[email protected]'],
+        ['allow'], // Allow everybody else.
+    ],
+
+    'example-maildomain' => [
+        ['allow', 'equals-preg', 'mail', '/@example\.org$/'],
+        // The default action is to deny access.
+    ],
+
+    'example-allow-employees' => [
+        ['allow', 'has', 'eduPersonAffiliation', 'employee'],
+        // The default action is to deny access.
+    ],
+
+    'example-allow-employees-not-students' => [
+        ['deny', 'has', 'eduPersonAffiliation', 'student'],
+        ['allow', 'has', 'eduPersonAffiliation', 'employee'],
+        // The default action is to deny access.
+    ],
+
+    'example-deny-student-except-one' => [
+        ['deny', 'and',
+            ['has', 'eduPersonAffiliation', 'student'],
+            ['not', 'equals', 'mail', '[email protected]'],
+        ],
+        ['allow'],
+    ],
+
+    'example-allow-or' => [
+        ['allow', 'or',
+            ['equals', 'eduPersonAffiliation', 'student', 'member'],
+            ['equals', 'mail', '[email protected]'],
+        ],
+    ],
+
+    'example-allow-all' => [
+        ['allow'],
+    ],
+];