Symfony 2.6 Shibboleth Login - The Easy Way

Published:
Modified:
Tags:
symfony
shibboleth
security

There was a time we had to write complicated-hard-to-maintain Shibboleth bundles to get it working with Symfony. I did as well back in the Symfony 2.4 days. Fortunately since Symfony 2.6 there is a new security firewall option called remote_user. The REMOTE_USER variable passed by the http server is actually a standard.

A lot of authentication modules, like auth_kerb for Apache provide the username using the REMOTE_USER environment variable. This variable can be trusted by the application since the authentication happened before the request reached it.

This principle is also used by Shibboleth, at least in my situation. However the passed variable names was called differently, but it still passed the username in it. Luckily Symfony has even a configuration for that. So with only a few lines of code, you replace your home-brewed-insecure bundle for well-tested-built-in Symfony option. The built-in form_login and logout options are used to redirect to the Shibboleth endpoints where the actual login and logout takes place.

// app/config/security.yml
security:
    // ...

    firewalls:
        shibboleth_firewall:
            pattern:   ^/

            remote_user:
                provider: main
                # Rename this if Shibboleth uses another var
                user: REMOTE_USER

            # Use the form login to redirect to the Shibboleth login endpoint
            form_login:
                login_path: http://example.com/login-endpoint

            # Use the logout to redirect to the Shibboleth logout endpoint
            logout:
                path: /logout
                target: http://example.com/logout-endpoint
                invalidate_session: true

Testing

To test this in PHPUnit:

<?php

$client = static::createClient();
$this->client->request('GET', '/secure', [], [], [
    'REMOTE_USER' => 'admin'
]);

If you want to simulate it during testing set the REMOTE_USER in .htaccess:

# Shibboleth user login. Use for testing only!
SetEnv REMOTE_USER admin