README

This package provides Shibboleth authentication for Laravel. It was forked from razorbacks/laravel-shibboleth.

For development, it can emulate an IdP (via mrclay/shibalike).

Installation

Use composer to require the latest release into your project:

composer require clemsonmartech/laravel-shibboleth

If you you would like to use the emulated IdP via shibalike, then you will need to manually register it on any version - this is not automatically loaded.

Jhu\Wse\LaravelShibboleth\ShibalikeServiceProvider::class,

Note that the password is the same as the username for shibalike.

Publish the default configuration file:

php artisan vendor:publish --provider="Jhu\Wse\LaravelShibboleth\ShibbolethServiceProvider"

Optionally, you can also publish the views for the shibalike emulated IdP login:

php artisan vendor:publish --provider="Jhu\Wse\LaravelShibboleth\ShibalikeServiceProvider"

Change the driver to shibboleth in your config/auth.php file.

'providers' => [
    'users' => [
        'driver' => 'shibboleth',
        'model'  => App\Models\User::class,
    ],
],

Now users may login via Shibboleth by going to https://example.com/shibboleth-login and logout using https://example.com/shibboleth-logout so you can provide a custom link or redirect based on email address in the login form.

@if (Auth::guest())
    <a href="/shibboleth-login">Login</a>
@else
    <a href="/shibboleth-logout">
        Logout {{ Auth::user()->name }}
    </a>
@endif

You may configure server variable mappings in config/shibboleth.php such as the user's first name, last name, entitlements, etc. You can take a look at them by reading what's been populated into the $_SERVER variable after authentication.

<?php print_r($_SERVER);

If the config setting shibboleth.update_users is set to true (the default) then mapped values will be synced to the user table upon successful authentication. To disable updated, set shibboleth.update_users to false.

Authorization

You can check for an entitlement string of the current user statically:

$entitlement = 'urn:mace:uark.edu:ADGroups:Computing Services:Something';

if (Entitlement::has($entitlement)) {
    // authorize something
}

Now you can draft policies and gates around these entitlements.

JWTAuth Tokens

If you're taking advantage of token authentication with tymon/jwt-auth then set this variable in your .env

JWTAUTH=true