    • 24676
    • 60 Posts
    Has anyone had any experience with user authentication with SAML? I have a client requesting it but I can't find anything in the docs/forums.

    Is this something fairly easy to do - can someone point me in the right direction?

    Thanks all!
      • 3749
      • 24,544 Posts
        Did I help you? Buy me a beer
        Get my Book: MODX:The Official Guide
        MODX info for everyone: http://bobsguides.com/modx.html
        My MODX Extras
        Bob's Guides is now hosted at A2 MODX Hosting
        • 24676
        • 60 Posts
        Thanks Bob - That is certainly a really useful step in the right direction!
          • 24676
          • 60 Posts
          Hi Bob - I have been working through these posts (which are great!)

          I am having a problem with this one:

          http://bobsguides.com/blog.html/2016/04/09/bypassing-the-modx-manager-login-ii

          My code is

          <?php
           
          /* Return if the user is already there ($username is already set in this event) */
           
          $existingUser = $modx->getObject('modUser', array ('username' => $username));
          if ($existingUser) {
             $modx->event->_output = false;
             return;
          }
           
          /* Generate a random, 50 character password */
          $password = "";
          for($i=0;$i<50;$i++) {
              $password .= chr( (mt_rand(1, 36) <= 26) ? mt_rand(97, 122) : mt_rand(48, 57 ));
          }
           
          /* Create the new user */
           
          $fields = array(
              'username' => $username,
              'password' => $password,
              'blocked' => '0',
              'email' => '[email protected]',
              'passwordnotifymethod' => 'x',
          );
           
          $response = $modx->runProcessor('security/user/create', $fields);
           
          if ($response->isError()) {
              if ($response->hasFieldErrors()) {
                  $fieldErrors = $response->getAllErrors();
                  $errorMessage = implode("\n", $fieldErrors);
              } else {
                  $errorMessage = $response->getMessage();
              }
              $modx->log(modX::LOG_LEVEL_ERROR, '[OnBeforeManagerLogin] ' . $errorMessage);
              $modx->event->_output = true;
              return;
          }
           
          $modx->event->_output = false;
          return;


          and I am running my plugin on the OnBeforeManagerLogin event - but I am not having any luck!

          In my error report I am just getting:

          [OnBeforeManagerLogin] Permission denied!

          Any idea what I am doing wrong?
            • 3749
            • 24,544 Posts
            I think it's a problem with the logic of the article. The "current user" would be the (anonymous) user, who wouldn't have permission to run the processor. I think the answer is to replace the processor call and the code below it with something like this (untested):


            /* Create the new user */
              
            $fields = array(
                'username' => $username,
                'password' => $password,
                'blocked' => '0',
                'email' => '[email protected]',
                'passwordnotifymethod' => 'x',
            );
              
            $user = $modx->newObject('modUser');
            $user->fromArray($fields);
            
            if (! user->save()) {
                $modx->log(modX::LOG_LEVEL_ERROR, '[OnBeforeManagerLogin] Unable to save user ');
                $modx->event->_output = true;
                return;
            }
            
            $modx->event->_output = false;
            return;
              • 24676
              • 60 Posts
              Awesome thanks Bob - thank you for taking the time to respond!

              It is now throwing this error

              Fatal error: Call to a member function get() on a non-object in ....core/model/modx/processors/security/login.class.php on line 134

              It appears it is failing when it is trying to work out if the user is blocked or not. I am sure there is a way around it.

              For me, I don't think it is going to be an issue as I am going to create this user with a snippet not a plugin I think. I think I am slowly getting my head around it.

                • 3749
                • 24,544 Posts
                That's probably this line:

                if (! user->save()) {


                It's missing a $. It should be:

                if (! $user->save()) {
                  • 24676
                  • 60 Posts
                  Hi Bob (sorry, me again)
                  I have been working on this SAML SSO integration with MODX for a while now - I finally think I am getting there. I will certainly post how I did it (if I ever make it!)

                  I just have a bit of an issue with logging in users in MODX.

                  I have my plugin (OnWebAuthentication). On firing, this goes to my IdP to get authentication, and returns my credentials all fine. Then it comes to this bit of code:

                  $authenticated = false;
                  
                  /* Your authentication code here sets $authenticated to true if the
                     user should be allowed to log in */
                     
                   
                  $username = $user->get('username');
                  
                  if(!empty($username)){
                     $authenticated = true;
                  }
                  
                  $modx->event->_output = (bool) $authenticated;
                  return true;


                  What I expected to happen was the username entered in my login form would be logged in (as long as they exist in the DB) but what is actually happening is an anonymous user is getting created and logged in instead?! Pretty baffled by this. Any ideas?
                    • 17301
                    • 932 Posts
                    Looks like you've not declared $user.

                    $user = $modx->getUser();


                    It'll probably still be going off of the previous declaration - if it's the same snippet.

                    $user = $modx->newObject('modUser');
                    [ed. note: lkfranklin last edited this post 7 years, 1 month ago.]
                      ■ email: [email protected] | ■ website: https://alienbuild.uk
                      • 24676
                      • 60 Posts
                      I might be getting it hugely wrong, but:

                      $user = $modx->getUser();


                      will try and get the current authorised user, of which there isn't one. I am trying to authorise the user that is trying to login and bypassing the need for their password. The user already exists so I don't need to create one.

                      What I expected from my plugin code is that it checks if the inputted username is a valid user and then authenticates them if they are found in the DB.
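
As an added example (not code from any poster in this thread or from MODX): an OnWebAuthentication plugin that skips the password check only when the submitted username is the identity the IdP asserted, rather than for any non-empty username. The function name and the session keys `saml_nameid` and `saml_not_on_or_after` are hypothetical, standing in for whatever your SAML SP library stores after it has validated the signed response; `$user` is assumed to be the modUser the event passes in, as in the plugin code above.

```php
<?php
/* Added example. Assumption: the SAML SP library has already validated the
   signed assertion and stored its NameID and expiry (Unix time) in the
   session under the hypothetical keys used below. */

if (!function_exists('samlMayBypassPassword')) {
    /**
     * Decide whether this login may skip the password check.
     * True only when a fresh assertion exists and names the submitted user.
     */
    function samlMayBypassPassword($submittedUsername, array $session, $now)
    {
        $nameId  = isset($session['saml_nameid']) ? (string) $session['saml_nameid'] : '';
        $expires = isset($session['saml_not_on_or_after']) ? (int) $session['saml_not_on_or_after'] : 0;

        if ((string) $submittedUsername === '' || $nameId === '') {
            return false;   // nothing submitted, or nothing asserted by the IdP
        }
        if ($now >= $expires) {
            return false;   // assertion missing an expiry, or already stale
        }
        // Exact, case-sensitive match: a non-empty username alone is not proof.
        return $nameId === (string) $submittedUsername;
    }
}

/* Plugin body: runs only inside MODX when the event fires. */
if (isset($modx) && $modx->event->name === 'OnWebAuthentication') {
    $username = ($user instanceof modUser) ? (string) $user->get('username') : '';
    $ok = samlMayBypassPassword($username, $_SESSION, time());
    if (!$ok) {
        $modx->log(modX::LOG_LEVEL_WARN, '[SamlLogin] Refused password bypass: no matching IdP assertion');
    }
    $modx->event->_output = $ok;
    return;
}

/* Stand-alone run (outside MODX) with constructed sample sessions. */
$fresh = array('saml_nameid' => 'alice', 'saml_not_on_or_after' => 2000);
var_dump(samlMayBypassPassword('alice', $fresh, 1000));   // user the IdP asserted
var_dump(samlMayBypassPassword('bob', $fresh, 1000));     // a different local user
var_dump(samlMayBypassPassword('alice', $fresh, 3000));   // assertion expired
var_dump(samlMayBypassPassword('alice', array(), 1000));  // no assertion in session
```

Clearing the two session keys once the login succeeds keeps a single assertion from being reused for a later login attempt.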