For one of our customers I need to write a custom authsource module. I already set up SimpleSAMLphp as an IdP using various authsources like LDAP, SQLauth, etc. All of those authsources have in common that they use a login form and authenticate against the sspmod_core_Auth_UserPassBase class. This means that there will be a login form for username and password etc.
The special case right here is the following:
The SAML installation (IdP) is inside the company's network. If a user (inside of that network/authenticated via AD) visits a host that is inside that network, the username will be automatically injected in their browser and is available via $_SERVER['PHP_AUTH_USER'], and we have the guarantee that the user is already "validated".
This means we do not have to "authenticate" the user any more. We do not have to show a login form and just need to mark that user as authenticated.
Now I am a little stuck, because to my understanding it would be a little bit "overdosed" to write my own authsource that extends the default UserPassBase class. I would have to handle empty passwords and automatically forward/post from the login form etc.
I guess there is a better way to handle that. The flow would be pretty simple:
SP redirects to IdP. The IdP "login page" reads PHP_AUTH_USER (no output like a login form), authenticates the user (without any further check) and redirects as expected if the user was detected correctly. If PHP_AUTH_USER could not be found in any way, the user will be redirected to some kind of error page.
Any ideas how to solve that the correct way? I guess I will have to write my own completely new authsource class that extends the base SimpleSAML_Auth_Source class? Maybe someone has an example for that situation before I am going to reinvent the wheel!?
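A minimal authsource of the kind described above, written as an added example rather than code from the question or from the SimpleSAMLphp project: it extends SimpleSAML_Auth_Source directly (the 1.x class API, where authenticate() setting $state['Attributes'] and returning is enough for the framework to complete the login), reads PHP_AUTH_USER, and fails closed when the header is absent or malformed. The module name `mymodule`, the authsource name `PhpAuthUser` and the username pattern are assumptions.

```php
<?php
// Assumed file location: modules/mymodule/lib/Auth/Source/PhpAuthUser.php
// Assumed entry in config/authsources.php:
//   'sso-php-auth' => array('mymodule:PhpAuthUser'),
// Module must be enabled (e.g. an empty modules/mymodule/enable file).

class sspmod_mymodule_Auth_Source_PhpAuthUser extends SimpleSAML_Auth_Source
{
    // Only the web server's own authentication (e.g. Kerberos/NTLM via an
    // Apache auth module) may set PHP_AUTH_USER; we trust it on that basis,
    // but still constrain the value to a sane user-name shape.
    const USERNAME_PATTERN = '/^[A-Za-z0-9._@\\\\-]{1,128}$/';

    public function __construct($info, $config)
    {
        assert(is_array($info));
        assert(is_array($config));
        parent::__construct($info, $config);
    }

    /**
     * Called by the framework for a fresh login. No form is rendered:
     * returning normally with $state['Attributes'] set completes the login,
     * throwing sends the user to SimpleSAMLphp's standard error page.
     */
    public function authenticate(&$state)
    {
        assert(is_array($state));

        $user = isset($_SERVER['PHP_AUTH_USER']) ? $_SERVER['PHP_AUTH_USER'] : '';
        if ($user === '' || !preg_match(self::USERNAME_PATTERN, $user)) {
            // Fail closed: no header (or a malformed one) means no login.
            SimpleSAML_Logger::warning('PhpAuthUser: PHP_AUTH_USER missing or invalid');
            throw new SimpleSAML_Error_Exception('PHP_AUTH_USER not available; user not authenticated');
        }

        // Strip a DOMAIN\ prefix if the auth module supplies one (assumption).
        $pos = strrpos($user, '\\');
        $uid = ($pos === false) ? $user : substr($user, $pos + 1);

        SimpleSAML_Logger::info('PhpAuthUser: authenticated ' . $uid);

        // Attribute values must be arrays of strings.
        $state['Attributes'] = array('uid' => array($uid));
        // The caller (initLogin) invokes completeAuth($state) for us.
    }
}
```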