This package is planned as a plugin to integrate SAML to InvoicePlane 1. Using the package let InvoicePlane act as an SAML SP (Service Provider). An IDP integration is currently not planned.
SAML generally implements SingleSignOn (SSO) and SingleLogout (SLO) between different web applications. This package allows the implementation of SingleSignOn. Though configurations of SingleLogout are available, the SLO part has not been tested and might therefore not work correctly.
Automatic account creation has been added as well. When signing in via the IDP with an unknown account an adminstator user is created using both the given name and email and some standard configurations.
Base for the package is not the zip-package of the website but the development stack from github. First load the git master branch from github. Then install the package using composer
:
git clone https://github.com/InvoicePlane/InvoicePlane.git
cd InvoicePlane
composer install
npm install
grunt build
composer require "kingstarter/laravel-saml":"dev-master"
Basically all that has to be done is calling the install script and configuring both the SP and the IDP for SAML authentication. The plugin install script will modify InvoicePlane to support SAML:
cd {ip-root-path}/
perl vendor/kingstarter/invoiceplane-saml/install-plugin.pl -v
After running the install script the general settings have been appended by a SAML entry. Login to InvoicePlane, go within system settings to the Saml settings. There are some sample settings given. Upon saving all settings will be added to the database. A metadata file is not needed.
As Entity ID / Issuer
the page address can be used, e.g. https://invoiceplane.example.com
. The SAML-Response consumer URL (SP login destination) is the samlauth endpoint:
https://invoiceplane.example.com/index.php/sessions/samlauth
Certificates can be added using the integration settings. Alternatively they should be placed within the /var/ip_certs
directory.
- SP Crt:
/var/ip_certs/ip-sp.crt
- SP Key:
/var/ip_certs/ip-sp.crt
- IDP Crt: Stored within database using the configuration page.
Within application/config/config.php
the samlauth API endpoint needs to be added within the csrf_exclude_uris
array (should be done automatically by the install script). In case IP is blocking with an 403 forbidden error it might be necessary to check the config entry:
$config['csrf_exclude_uris'] = array(
'sessions/samlauth'
);
- The package is redesigned using a fork of Trajches Kanboard SAMLAuth Plugin as model.