Scroll to navigation

Lemonldap::NG::Portal::Main::Issuer(3pm) User Contributed Perl Documentation Lemonldap::NG::Portal::Main::Issuer(3pm)

NAME

Lemonldap::NG::Portal::Main::Issuer - Base class for identity providers.

SYNOPSIS

  package Lemonldap::NG::Portal::Issuer::My;
  use strict;
  use Mouse;
  extends 'Lemonldap::NG::Portal::Main::Issuer';
  use Lemonldap::NG::Portal::Main::Constants qw(PE_OK);

  # Required: URL root path
  use constant path => 'saml';
  
  # Optional initialization method
  sub init {
      my ($self) = @_;
      ...
      # Must return 1 (succeed) or 0 (failure)
  }
  
  # Required methods are run() and logout(), they are launched only for
  # authenticated users
  # $req is a Lemonldap::NG::Portal::Main::Request object
  # They must return a Lemonldap::NG::Portal::Main::Constants constant
  sub run {
      my ( $self, $req ) = @_
      ...
      return PE_OK
  }
  
  sub logout {
      my ( $self, $req ) = @_
      ...
      return PE_OK
  }
  1;

DESCRIPTION

Lemonldap::NG::Portal::Main::Issuer is a base class to write identity providers for Lemonldap::NG web-SSO system. It provide several methods to write easily an IdP and manage authentication if the identity request comes before authentication.

WRITING AN IDENTITY PROVIDER

To write a classic identity provider, you just have to inherit this class and write run() and logout() methods. These methods must return a Lemonldap::NG::Portal::Main::Constants constant.

A classic identity provider needs a "issuerDB>XXX<Path" parameter in LLNG configuration to declare its base URI path (see Lemonldap::NG::Manager::Build). Example: /saml/. All requests that starts with /saml/ will call run() after authentication if needed, and no one else.

The logout() function is called when user asks for logout on this server. If you want to write an identity provider, you must implement a single logout system.

managing other URI path

Lemonldap::NG::Portal::Main::Issuer provides methods to bind a method to an URI path:
addAuthRoute() for authenticated users
addUnauthRoute() for unauthenticated users

They must be called during initialization process (so you must write the optional init() sub).

Be careful with "add*authRoute()": you can't catch here your root path (= path declared in "$self->path") because it is caught by this module, but you can catch sub-routes (ie "/path/something").

Example:

  sub init {
      my ($self) = @_;
      ...
      $self->addUnauthRoute( saml => { soap => 'soapServer' }, [ 'POST' ] );
      return 1;
  }
  sub soapServer {
      my ( $self, $req ) = @_;
      ...
      # You must return a valid PSGI response
      return [ 200, [ 'Content-Type' => 'application/xml' ], [] ];
  }

avoid conflicts in path

If you share base URI path with another plugin (a "Auth::*" module for example), it is recommended to write a "ssoMatch" function that returns true if "$req->uri" has to be handled by Issuer module. See "Issuer::SAML" or "Issuer::OpenIDConnect" to have some examples.

SEE ALSO

<http://lemonldap-ng.org/>

AUTHORS

LemonLDAP::NG team <http://lemonldap-ng.org/team>

BUG REPORT

Use OW2 system to report bug or ask for features: <https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues>

DOWNLOAD

Lemonldap::NG is available at <http://forge.objectweb.org/project/showfiles.php?group_id=274>

COPYRIGHT AND LICENSE

See COPYING file for details.

This library is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program. If not, see <http://www.gnu.org/licenses/>.

2019-10-04 perl v5.28.1