korotovsky
Further explanation on managers service id
Please forgive my ignorance. Could you please explain acme_bundle.your_own_fetch_service.id and acme_bundle.guzzle_service.id some more?
In regards to the following portion in the config.yml:
managers:
http:
provider: service # Active provider for HTTP OTP manager
providers: # Available HTTP providers
service:
id: acme_bundle.your_own_fetch_service.id
guzzle:
client: acme_bundle.guzzle_service.id
resource: http://idp.example.com/internal/v1/sso
I currently have the Identity Provider running. But am unable to run the service provider application
I get the following exception when trying to run the service provider server:
You have requested a non-existent service "acme_bundle.your_own_fetch_service.id".
The problem is I don't know how to implement the required service or understand what the code should be.
Your assistance is much appreciated.
Hey @timothyjeffcoat,
The service id acme_bundle.your_own_fetch_service.id should be implemented in the following way: you have to create a class, that will implement this interface: https://github.com/korotovsky/SingleSignOnLibrary/blob/0.3.x/src/Krtv/SingleSignOn/Manager/Http/Provider/ProviderInterface.php. This service have to return https://github.com/korotovsky/SingleSignOnLibrary/blob/0.3.x/src/Krtv/SingleSignOn/Model/OneTimePasswordInterface.php instance or null.
You could also use this https://github.com/korotovsky/SingleSignOnLibrary/blob/0.3.x/src/Krtv/SingleSignOn/Manager/Http/Provider/Guzzle/OneTimePasswordProvider.php built-in provider that already using guzzle library for HTTP requests. In this case you have to use this example of yml config:
guzzle:
client: acme_bundle.guzzle_service.id
resource: http://idp.example.com/internal/v1/sso
Where acme_bundle.guzzle_service.id is guzzle as a backend service. So in another words it should be simply guzzle http client instance.
All service ids above are just examples, and could have different names. So It's just a services in Dependency Injection container.
Hi @korotovsky, While implementing the Service Provider part. I was welcomed with this error message. Can you please help me out.
The service "security.authentication.provider.krtv_single_sign_on_service_provider.ma
in" has a dependency on a non-existent service "security.user.provider.concrete.main"
.
My website integrates with a different platform so I want people to access the other platform through SSO having registered on my website.
Will adding the sso key under the main interfere with my original registration and login process? On my website they just authenticate normally with username / password.
Here's my security.yml
`# To get started with security, check out the documentation:
http://symfony.com/doc/current/security.html
security:
encoders:
FOS\UserBundle\Model\UserInterface: sha512
acl:
connection: default
role_hierarchy:
ROLE_ADMIN: [ROLE_USER, ROLE_SONATA_ADMIN]
ROLE_SUPER_ADMIN: [ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]
SONATA:
- ROLE_SONATA_PAGE_ADMIN_PAGE_EDIT # if you are using acl then this line must be commented
providers:
fos_userbundle:
id: fos_user.user_manager
db_provider:
entity:
class: Application\Sonata\UserBundle\Entity\User
property: username
firewalls:
# disables authentication for assets and the profiler, adapt it according to your needs
dev:
pattern: ^/(_(profiler|wdt)|css|images|js)/
security: false
admin:
pattern: /admin(.*)
context: user
form_login:
provider: fos_userbundle
login_path: /admin/login
use_forward: false
check_path: /admin/login_check
failure_path: null
logout:
path: /admin/logout
target: /admin/login
anonymous: true
switch_user: true
main:
pattern: .*
context: user
form_login:
provider: fos_userbundle
login_path: /login
use_forward: false
check_path: /login_check
failure_path: null
always_use_default_target_path: false
default_target_path: /portal
logout:
invalidate_session: true
path: /logout
target: http://demo.com/sso/logout?service=consumer1
anonymous: true
sso:
require_previous_session: false
provider: main
check_path: /otp/validate/ # Same as in app/config/routing.yml
sso_scheme: http # Required
sso_host: demo.com # Required
# sso_otp_scheme: http # Optional
# sso_otp_host: consumer1.com # Optional
sso_failure_path: /login # Can also be as an absolute path to service provider
sso_path: /sso/login/ # SSO endpoint on IdP.
# sso_service_extra: null # Default service extra parameters. Optional.
# sso_service_extra_parameter: service_extra # Parameter name. Optional
# sso_login_required: 1 # Optional
# sso_login_required_parameter: login_required # Optional
sso_service: consumer1 # Consumer name
# saml:
# pattern:
# context: user
# form_login:
# provider: fos_userbundle
# success_handler: app.security.login_success_handler
# logout:
# success_handler: app.security.logout_success_handler
access_control:
# URL of FOSUserBundle which need to be available to anonymous users
- { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/sso/login, role: IS_AUTHENTICATED_ANONYMOUSLY }
# Admin login page needs to be accessed without credential
- { path: ^/admin/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/admin/logout$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/admin/login_check$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/admin/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
# Secured part of the site
# This config requires being logged for the whole site and having the admin role for the admin part.
# Change these rules to adapt them to your needs
- { path: ^/admin/, role: [ROLE_ADMIN, ROLE_SONATA_ADMIN] }
- { path: ^/portal/, role: [ROLE_USER] }
- { path: ^/.*, role: IS_AUTHENTICATED_ANONYMOUSLY }
`
My website integrates with a different platform so I want people to access the other platform through SSO having registered on my website.
You should consider yo use OAuth server in this case. SSO is better to use when you have full control of your SP services
Unfortunately the platform only supports CAS and SAML so I'm stuck with having to use that for SSO
Here's the gist
https://gist.github.com/marvoh/80dc8e56996ceef8444ae6fc6443f008
Hello, i got the same issue with guzzle configuration part. The service "security.authentication.provider.krtv_single_sign_on_service_provider.main" has a dependency on a non-existent service "security.user.provider.concrete.main"
Could you please send us an example of implementation of your providers ?
providers: # Available HTTP providers service: id: acme_bundle.your_own_fetch_service.id
guzzle:
client: acme_bundle.guzzle_service.id
resource: http://idp.example.com/internal/v1/sso
Hello, Can you please tell me on which case is the method fetch() (in class OneTimePasswordProvider.php) called? https://github.com/korotovsky/SingleSignOnLibrary/blob/0.3.x/src/Krtv/SingleSignOn/Manager/Http/Provider/Guzzle/OneTimePasswordProvider.php
I have two projects using the SSO bundle, the configurations are exactly the same. However one is working well, the other one do not. The other one seems never call the method fetch(), I do not know why. In the login action, I added this:
if (!$this->get('security.authorization_checker')->isGranted('IS_AUTHENTICATED_FULLY')) {
throw $this->createAccessDeniedException();
}
But it is always throwing the exception.
So in the end, it has an endless loop with the uri: /otp/validate. The log is like this:
[2019-02-22 03:37:15] request.INFO: Matched route "otp". {"route_parameters":{"_controller":"Symfony\\Bundle\\FrameworkBundle\\Controller\\RedirectController::urlRedirectAction","path":"/otp/validate/","permanent":true,"scheme":null,"httpPort":80,"httpsPort":443,"_route":"otp"},"request_uri":"http://example.local/otp/validate?_hash=pmKByF%2FyHi5LvHcriNa67bvXcIJTSMoTTJ0d1QmyFio%3D&_otp=%2B4o3lAQmYH8w9H9sobYff4zZYO2FCROd%2FRYpAfFQLu8uPOoG2DRAWbv1XI2Y3P0tOwTy2NtMwxVsU48%2BLMxyUg%3D%3D&_target_path=http%3A%2F%2Fexample.local%2Fuser%2Flogin%3FauthAll%3Dtrue"} [] [2019-02-22 03:37:15] security.INFO: Populated the TokenStorage with an anonymous Token. [] [] [2019-02-22 03:37:15] event.DEBUG: Notified event "kernel.request" to listener "Krtv\Bundle\SingleSignOnServiceProviderBundle\EventListener\AuthenticationContextSubscriber::onKernelRequest". [] [] [2019-02-22 03:37:15] event.DEBUG: Notified event "kernel.request" to listener "Symfony\Component\HttpKernel\EventListener\DebugHandlersListener::configure". [] [] [2019-02-22 03:37:15] event.DEBUG: Notified event "kernel.request" to listener "Symfony\Component\HttpKernel\EventListener\ProfilerListener::onKernelRequest". [] [] [2019-02-22 03:37:15] event.DEBUG: Notified event "kernel.request" to listener "Symfony\Component\HttpKernel\EventListener\ValidateRequestListener::onKernelRequest". [] [] [2019-02-22 03:37:15] event.DEBUG: Notified event "kernel.request" to listener "Symfony\Bundle\FrameworkBundle\EventListener\SessionListener::onKernelRequest". [] [] [2019-02-22 03:37:15] event.DEBUG: Notified event "kernel.request" to listener "Symfony\Component\HttpKernel\EventListener\FragmentListener::onKernelRequest". [] [] [2019-02-22 03:37:15] event.DEBUG: Notified event "kernel.request" to listener "Symfony\Component\HttpKernel\EventListener\RouterListener::onKernelRequest". [] [] [2019-02-22 03:37:15] event.DEBUG: Notified event "kernel.request" to listener "Symfony\Component\HttpKernel\EventListener\LocaleListener::onKernelRequest". [] [] [2019-02-22 03:37:15] event.DEBUG: Notified event "kernel.request" to listener "Symfony\Component\HttpKernel\EventListener\TranslatorListener::onKernelRequest". [] [] [2019-02-22 03:37:15] event.DEBUG: Notified event "kernel.request" to listener "Symfony\Component\Security\Http\Firewall::onKernelRequest". [] [] [2019-02-22 03:37:15] event.DEBUG: Notified event "kernel.request" to listener "SunCat\MobileDetectBundle\EventListener\RequestResponseListener::handleRequest". [] [] [2019-02-22 03:37:15] event.DEBUG: Notified event "kernel.controller" to listener "MDPI\MainBundle\Listener\ControllerListener::onKernelController". [] [] [2019-02-22 03:37:15] event.DEBUG: Notified event "kernel.controller" to listener "Symfony\Bundle\FrameworkBundle\DataCollector\RouterDataCollector::onKernelController". [] [] [2019-02-22 03:37:15] event.DEBUG: Notified event "kernel.controller" to listener "Symfony\Component\HttpKernel\DataCollector\RequestDataCollector::onKernelController". [] [] [2019-02-22 03:37:15] event.DEBUG: Notified event "kernel.controller" to listener "Sensio\Bundle\FrameworkExtraBundle\EventListener\ControllerListener::onKernelController". [] [] [2019-02-22 03:37:15] event.DEBUG: Notified event "kernel.controller" to listener "Sensio\Bundle\FrameworkExtraBundle\EventListener\ParamConverterListener::onKernelController". [] [] [2019-02-22 03:37:15] event.DEBUG: Notified event "kernel.controller" to listener "Sensio\Bundle\FrameworkExtraBundle\EventListener\TemplateListener::onKernelController". [] [] [2019-02-22 03:37:15] event.DEBUG: Notified event "kernel.response" to listener "MDPI\MainBundle\Listener\ControllerListener::onKernelResponse". [] [] [2019-02-22 03:37:15] event.DEBUG: Notified event "kernel.response" to listener "Symfony\Bridge\Monolog\Handler\FirePHPHandler::onKernelResponse". [] [] [2019-02-22 03:37:15] event.DEBUG: Notified event "kernel.response" to listener "SunCat\MobileDetectBundle\EventListener\RequestResponseListener::handleResponse". [] [] [2019-02-22 03:37:15] event.DEBUG: Notified event "kernel.response" to listener "Symfony\Component\HttpKernel\EventListener\ResponseListener::onKernelResponse". [] [] [2019-02-22 03:37:15] event.DEBUG: Notified event "kernel.response" to listener "Symfony\Component\Security\Http\RememberMe\ResponseListener::onKernelResponse". [] [] [2019-02-22 03:37:15] event.DEBUG: Notified event "kernel.response" to listener "Sensio\Bundle\FrameworkExtraBundle\EventListener\CacheListener::onKernelResponse". [] [] [2019-02-22 03:37:15] event.DEBUG: Notified event "kernel.response" to listener "Symfony\Component\HttpKernel\EventListener\ProfilerListener::onKernelResponse". [] [] [2019-02-22 03:37:15] event.DEBUG: Notified event "kernel.response" to listener "Symfony\Bundle\WebProfilerBundle\EventListener\WebDebugToolbarListener::onKernelResponse". [] [] [2019-02-22 03:37:15] event.DEBUG: Notified event "kernel.response" to listener "Symfony\Component\HttpKernel\EventListener\SaveSessionListener::onKernelResponse". [] [] [2019-02-22 03:37:15] event.DEBUG: Notified event "kernel.response" to listener "Symfony\Component\HttpKernel\EventListener\StreamedResponseListener::onKernelResponse". [] [] [2019-02-22 03:37:15] event.DEBUG: Notified event "kernel.finish_request" to listener "Symfony\Component\HttpKernel\EventListener\LocaleListener::onKernelFinishRequest". [] [] [2019-02-22 03:37:15] event.DEBUG: Notified event "kernel.finish_request" to listener "Symfony\Component\HttpKernel\EventListener\TranslatorListener::onKernelFinishRequest". [] [] [2019-02-22 03:37:15] event.DEBUG: Notified event "kernel.finish_request" to listener "Symfony\Component\HttpKernel\EventListener\RouterListener::onKernelFinishRequest". [] [] [2019-02-22 03:37:15] event.DEBUG: Notified event "kernel.finish_request" to listener "Symfony\Component\Security\Http\Firewall::onKernelFinishRequest". [] [] [2019-02-22 03:37:15] event.DEBUG: Notified event "kernel.terminate" to listener "Symfony\Bundle\SwiftmailerBundle\EventListener\EmailSenderListener::onTerminate". [] [] [2019-02-22 03:37:15] event.DEBUG: Notified event "kernel.terminate" to listener "Symfony\Component\HttpKernel\EventListener\ProfilerListener::onKernelTerminate". [] []
in a loop.
@korotovsky Could you please help me? Thank you
Hi @ywcdiao,
The fetch() method is called by https://github.com/korotovsky/SingleSignOnLibrary/blob/0.3.x/src/Krtv/SingleSignOn/Manager/Http/OneTimePasswordManager.php#L45 it means the whole flow is running in the https://github.com/korotovsky/SingleSignOnServiceProviderBundle/blob/0.3.x/src/Krtv/Bundle/SingleSignOnServiceProviderBundle/Authentication/Provider/OneTimePasswordAuthenticationProvider.php#L90 when authentication is activated. To activate the provider you either have to throw AccessDeniedException from security package (!) that's important or forward user to protected area behind any firewall.
To avoid cyclic loops make sure that your user got sufficient roles to pass the firewall after authentication process (provider flow)
Please let me know was it helpful or now to help other users of this bundle.
Hi @korotovsky ,
Thank you very much for your kind help! I figured out the problem. It failed when symfony security check the check_path: https://github.com/symfony/symfony/blob/master/src/Symfony/Component/Security/Http/Firewall/AbstractAuthenticationListener.php#L115
Because I set the check_path as '/otp/validate/'. But in browser the uri is http://example.local/otp/validate?_hash=pmKByF%2FyHi5LvHcriNa67bvXcIJTSMoTTJ0d1QmyFio%3D&_otp=%2B4o3lAQmYH8w9H9sobYff4zZYO2FCROd%2FRYpAfFQLu8uPOoG2DRAWbv1XI2Y3P0tOwTy2NtMwxVsU48%2BLMxyUg%3D%3D&_target_path=http%3A%2F%2Fexample.local%2Fuser%2Flogin%3FauthAll%3Dtrue The path was changed to '/otp/validate' automatically by the nginx config, the suffix '/' was auto trimmed. That is why the url was redirected endlessly.