Allow to configure SAML via env variables

.env

@@ -32,6 +32,10 @@ ALLOW_ATTACHMENT_DOWNLOADS=0
 # Use gravatars for user avatars, when user has no own avatar defined
 USE_GRAVATAR=0
 
+# The public reachable URL of this Part-DB installation. This is used for generating links to the website in emails and so on
+# This must end with a slash!
+DEFAULT_URI="https://partdb.changeme.invalid/"
+
 ###################################################################################
 # Email settings
 ###################################################################################
@@ -69,6 +73,31 @@ ERROR_PAGE_ADMIN_EMAIL=''
 # If this is set to true, solutions to common problems are shown on error pages. Disable this, if you do not want your users to see them...
 ERROR_PAGE_SHOW_HELP=1
 
+###################################################################################
+# SAML Single sign on-settings
+###################################################################################
+# Set this to 1 to enable SAML single sign on
+SAML_ENABLED=0
+
+# The entity ID of your SAML IDP (e.g. the realm name of your Keycloak server)
+SAML_IDP_ENTITY_ID="https://idp.changeme.invalid/realms/master"
+# The URL of your SAML IDP SingleSignOnService (e.g. the endpoint of your Keycloak server)
+SAML_IDP_SINGLE_SIGN_ON_SERVICE="https://idp.changeme.invalid/realms/master/protocol/saml"
+# The URL of your SAML IDP SingleLogoutService (e.g. the endpoint of your Keycloak server)
+SAML_IDP_SINGLE_LOGOUT_SERVICE="https://idp.changeme.invalid/realms/master/protocol/saml"
+# The public certificate of the SAML IDP (e.g. the certificate of your Keycloak server)
+SAML_IDP_X509_CERT="MIIC..."
+
+# The entity of your SAML SP, must match the SP entityID configured in your SAML IDP (e.g. Keycloak).
+# This should be a the domain name of your Part-DB installation, followed by "/sp"
+SAML_SP_ENTITY_ID="https://partdb.changeme.invalid/sp"
+
+# The public certificate of the SAML SP
+SAML_SP_X509_CERT="MIIC..."
+# The private key of the SAML SP
+SAMLP_SP_PRIVATE_KEY="MIIE..."
+
+
 ######################################################################################
 # Other settings
 ######################################################################################

VERSION

@@ -1 +1 @@
-1.0.1
+1.1.0-dev

config/packages/hslavich_onelogin_saml.yaml

@@ -1,24 +1,27 @@
+# See https://github.com/SAML-Toolkits/php-saml for more information about the SAML settings
+
 hslavich_onelogin_saml:
   # Basic settings
   idp:
-    entityId: 'http://localhost:8080/realms/master'
+    entityId: '%env(string:SAML_IDP_ENTITY_ID)%'
     singleSignOnService:
-      url: 'http://localhost:8080/realms/master/protocol/saml'
+      url: '%env(string:SAML_IDP_SINGLE_SIGN_ON_SERVICE)%'
       binding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'
     singleLogoutService:
-      url: 'http://localhost:8080/realms/master/protocol/saml'
+      url: '%env(string:SAML_IDP_SINGLE_LOGOUT_SERVICE)%'
       binding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'
-    x509cert: 'MIICmzCCAYMCBgGGcG8PJTANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDDAZtYXN0ZXIwHhcNMjMwMjIwMjAwNDMyWhcNMzMwMjIwMjAwNjEyWjARMQ8wDQYDVQQDDAZtYXN0ZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDQAle3ob0ary+Hq+mr2IvGueJicIxNqGeG/eV+NpoHUVggHSdb+9kudy+Os0xhAtz8nffTc8T5PK09GClXy7O5mAg8X9E5p0YeRZOxqgBXXVEtgPXaliD2N2mVrY/Ju2uLNAtrwWdBfnLBZuPZLD26TzOX/Q4u39SbhoA395S/iPwmxM00xDtrnXFGc2RYTgoTuLWFF6uioAmzxZSdIphLPiPwDMs5KCypW+lTOn8pztdAhAylXqiG7yFhReP7oEyb8IcNlUulJaloIfTWyLuQI1fEXA2gdkRULiOuxjGM3Wt2I6OOnZVzT7/+3/h7HVF4EI/xDpET6hQw7YszDr39AgMBAAEwDQYJKoZIhvcNAQELBQADggEBACaRkpf12OxGpdrsfsR5uslWl3GPA7HaKFHkRN3+0owf4j61rRJdxpkNmFKLGEZGAn3F+IBVzXIOx+mOq71BLKj/hxJ82bYJeUtK0a/fsX3S7z8TMXMgzzIQXS+XE4X7E8M3JEF+OKSuwG6bcaPJR8xscQ7i6z0rW14P1QgoEFAA6xhoHxK/AH2CTH/f8ojc2F5pPaYQJkuznd0OfcLAhPwMJ8btKGq9rNV/1EI59V+srA9lHvSWPfg6jXPsX96PSjTGljuHbZGMIka2mz4YOUvn9jlCGgv+gruIxeq8VKKPxfmDlSs9Jeof93MtYY92s4dDaJOru04mlqyKeFBic6o='
+    x509cert: '%env(string:SAML_IDP_X509_CERT)%'
   sp:
-    entityId: 'http://localhost:8000/saml/metadata'
+    entityId: '%env(string:SAML_SP_ENTITY_ID)%'
     assertionConsumerService:
-      url: 'http://localhost:8000/saml/acs'
+      url: '%partdb.default_uri%saml/acs'
       binding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'
     singleLogoutService:
-      url: 'http://localhost:8000/logout'
+      url: '%partdb.default_uri%logout'
       binding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'
-    x509cert: 'MIICmzCCAYMCBgGGcIfLmDANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDDAZwYXJ0ZGIwHhcNMjMwMjIwMjAzMTMzWhcNMzMwMjIwMjAzMzEzWjARMQ8wDQYDVQQDDAZwYXJ0ZGIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCmz9Lr8PxVjqqhGjjH4FbhVDbEPIplcQ1cFhTKu1NYpwHIm01pNnEwiyoLMBrZ16qq0PvCX+KCIjuJbC44k6N/+UCjbSZ8Fu+vyT9OkKVLvimc5sg9m9Kys+WiuaxzSEa2dA88khyGb6O9huuVYjibjROAN5I20h8f0FLfvolqWfEXVM00LIYYCHcvKNGq6PH0SS+2P6CGHoRrEFOoi7v7kkL6gWqYzPA/T7GSb78W14gU6FKcvQXPYOdsL7dYDy634BCd9k/tNF6JkiFi9U1IP8LEYkQUq3mKGRSjoPKKztws00ol3Nfd04XAdPKxIb3ff3io0vONE3QfJsgTzdR7AgMBAAEwDQYJKoZIhvcNAQELBQADggEBAEkYH4pCKxqoABjYGRml+ea5nteF/qsff6qHcNU8Unw1XLZO7ES1GU4Ij3RSFdt1SoKnphXnBtlVIechkOnOaECGs4RdbG4RGSFfusiEcWHbp1C0n3cnaUoV0/PJ3iETeeaPduqz9I/dlwhOxEOkpCaomYm4j2hfNcI9pmdM8bZuG+6dedh02ILrufQiCREmF6Sp+AOjueoFOoGwsXMbTuKo9pNizCO2OTT6nrjbNhjzoIvzbmlqiOGFs7YmpyTHcyqm66ACOnu1Nq9z9QLGkhvwjAmEytp6A9yEEkl0QO+DVhlAnvfdSMaR9jgyGtnBXQGOHv4osPtCtrk3IU4nB3s='
-    privateKey: 'MIIEogIBAAKCAQEAps/S6/D8VY6qoRo4x+BW4VQ2xDyKZXENXBYUyrtTWKcByJtNaTZxMIsqCzAa2deqqtD7wl/igiI7iWwuOJOjf/lAo20mfBbvr8k/TpClS74pnObIPZvSsrPlormsc0hGtnQPPJIchm+jvYbrlWI4m40TgDeSNtIfH9BS376JalnxF1TNNCyGGAh3LyjRqujx9Ekvtj+ghh6EaxBTqIu7+5JC+oFqmMzwP0+xkm+/FteIFOhSnL0Fz2DnbC+3WA8ut+AQnfZP7TReiZIhYvVNSD/CxGJEFKt5ihkUo6Dyis7cLNNKJdzX3dOFwHTysSG93394qNLzjRN0HybIE83UewIDAQABAoIBAA1M7dLtPJlvzjAZQKTDQPondlRwRVKwUHHiutatWAhuDIjbxTDZ6+2Ecx5AQCvVc+C52BEYBx38L8YVz5uoPfWiwKInPlXPmF3qTHdtthhTecruZdHvvj2MdYdjiZoJjcXXfC2GsuqPNT2T5+3Zzoysk3z6MVjYqS2mtSzs6tUFZOY13/zMnrELjR2dFrigndjQgb5vENJ+/WNH4k9rt7KGDaMniJWHi3bDDNwilR0XrwhJVav0PIl7h8bMk95ixqo5B+RN0EMhfS+j3+8QJhYbGzXIyJbgMGTUGb23tBIDl6RFblLoic/PEVpA5yhVbLtdoMy5Mn+Y28yZPh6/VB0CgYEA1xtwZVbrRObv76bIkqgCXEYbiXhbFHzGTaI23UEBrV60VNr5LZl/vqA6JowDFUYl30Ytzr7TvC5KwfrNhaYOqVd4rMg145cn8J61bRHArMaXouVYVwWKEni50gCktVy8Tt2Nbzfja2rccCqv3JM2HHp49+e9CLi/D95XPAip3vcCgYEAxoYB7/OQmGMHnqwz2CUnLhGcnC1X4fZ+EJuRo1BXRcntCS4lwXCoyC3Es+YLZ6tfhUp17i/HaT3tJyp6F+EM43zIxwyDVCl6t0yFkjLHRdZHR3xGMMfcMLZGRY99Y25QyW1/GJFKff7D+rKvrpBVcl+9xLYcpIN6ULuHqs9f4Z0CgYBrDL2/wSTusltAEemJitE56K31mQ8CwCHUKuFQ9PQHurTV8e/F8LkxPf4ShuVV5gYc+oj7dd5brVII/W7gj0aGogBtRGoFLIl05xb1A7u2gFKgf7CaBiizjp8zUpyloVQZj4q+ibrFD3ZK4AOLKzvnqk+fWBWsTHzRQd56Avm++wKBgF3eR1Q6CojDanrwWaM+DgSOd0qxdfh2IK2hoX9jIaDyFY5dr6SDrIraeUPG5mWidowD5Tc2iEeO7G+0ef6IfxuhiR31ILPO2SOKny29rNOsug9nB5lRJyAxT5DchCFbq/9SMuJe8KYarHgBvWgA/yYRdx1oLqrrMA60XTW60E9RAoGALmoMX1CLe7BBrqaZrHBAqkV/6koTPSMuYVUZpbKgTmA7VsBScUZaX8huS7ARjLfoujxcNuFT4haPlY7gybvhEN0dMlqRwVNeiD3jo+PdDxu3h9SM6GTuVks1XWoifHBRj2NngBEipV3WDXLJR2sAbUArUdL58y12f7EWFdX41+s='
+    x509cert: '%env(string:SAML_SP_X509_CERT)%'
+    privateKey: '%env(string:SAMLP_SP_PRIVATE_KEY)%'
+
   # Optional settings
   #baseurl: 'http://myapp.com'
   strict: true

config/packages/routing.yaml

@@ -4,7 +4,7 @@ framework:
 
         # Configure how to generate URLs in non-HTTP contexts, such as CLI commands.
         # See https://symfony.com/doc/current/routing.html#generating-urls-in-commands
-        #default_uri: http://localhost
+        default_uri: '%env(DEFAULT_URI)%'
 
 when@prod:
     framework:

config/packages/twig.yaml

@@ -19,6 +19,7 @@ twig:
         sidebar_tree_updater: '@App\Services\Trees\SidebarTreeUpdater'
         avatar_helper: '@App\Services\UserSystem\UserAvatarHelper'
         available_themes: '%partdb.available_themes%'
+        saml_enabled: '%partdb.saml.enabled%'
 
 when@test:
     twig:

config/parameters.yaml

@@ -13,6 +13,8 @@ parameters:
   partdb.global_theme: ''                                     # The theme to use globally (see public/build/themes/ for choices, use name without .css). Set to '' for default bootstrap theme
   partdb.locale_menu: ['en', 'de', 'fr', 'ru', 'ja']          # The languages that are shown in user drop down menu
 
+  partdb.default_uri: '%env(string:DEFAULT_URI)%'             # The default URI to use for the Part-DB instance (e.g. https://part-db.example.com/). This is used for generating links in emails
+
   ######################################################################################################################
   # Users and Privacy
   ######################################################################################################################
@@ -39,6 +41,11 @@ parameters:
   partdb.error_pages.admin_email: '%env(trim:string:ERROR_PAGE_ADMIN_EMAIL)%'     # You can set an email address here, which is shown on an error page, how to contact an administrator
   partdb.error_pages.show_help: '%env(trim:string:ERROR_PAGE_SHOW_HELP)%'         # If this is set to true, solutions to common problems are shown on error pages. Disable this, if you do not want your users to see them...
 
+  ######################################################################################################################
+  # SAML
+  ######################################################################################################################
+  partdb.saml.enabled: '%env(bool:SAML_ENABLED)%'              # If this is set to true, SAML authentication is enabled
+
   ######################################################################################################################
   # Sidebar
   ######################################################################################################################
@@ -110,3 +117,5 @@ parameters:
 
   env(TRUSTED_PROXIES): '127.0.0.1' #By default trust only our own server
   env(TRUSTED_HOSTS): '' # Trust all host names by default
+
+  env(DEFAULT_URI): 'https://partdb.changeme.invalid/'

config/routes/hslavich_saml.yaml

@@ -1,2 +1,4 @@
 hslavich_saml_sp:
-  resource: "@HslavichOneloginSamlBundle/Resources/config/routing.yml"
+  resource: "@HslavichOneloginSamlBundle/Resources/config/routing.yml"
+  # Only load the SAML routes if SAML is enabled
+  condition: "env('SAML_ENABLED') == '1' or env('SAML_ENABLED') == 'true'"

templates/security/login.html.twig

@@ -27,7 +27,14 @@
 
         <input type="hidden" name="_target_path" value="{{ app.request.query.get('_target_path') }}" />
 
-        <a href="{{ path('saml_login') }}">SAML Login</a>
+        {% if saml_enabled %}
+            <div class="col-md-9 offset-md-3 col-lg-10 offset-lg-2">
+                <a class="btn btn-secondary" href="{{ path('saml_login') }}"><i class="fa-solid fa-house-user"></i> {% trans %}login.sso_saml_login{% endtrans %}</a>
+
+                <p class="text-muted">{% trans %}login.local_login_hint{% endtrans %}</p>
+            </div>
+
+        {% endif %}
 
         <div class="form-group row">
             <label class="col-form-label col-md-3 col-lg-2">{% trans %}login.username.label{% endtrans %}</label>

translations/messages.en.xlf

@@ -10981,5 +10981,17 @@ Element 3</target>
         <target>Your user uses single sign-on (SSO). You can not change the password and 2FA settings here. Configure them on your central SSO provider instead!</target>
       </segment>
     </unit>
+    <unit id="32beTBH" name="login.sso_saml_login">
+      <segment>
+        <source>login.sso_saml_login</source>
+        <target>Single Sign-On Login (SSO)</target>
+      </segment>
+    </unit>
+    <unit id="wnMLanX" name="login.local_login_hint">
+      <segment>
+        <source>login.local_login_hint</source>
+        <target>The form below is only for log in for a local user. If you want to log in via single sign-on, press the button above.</target>
+      </segment>
+    </unit>
   </file>
 </xliff>