Version: 0.90, by kyle222
Developer Last Online: May 2009
Category: Integration with vBulletin
Version: 3.8.2
Released: 05-04-2009
Last Update: Never
Installs: 10
Uses Plugins; Template Edits; Re-useable Code; Additional Files
No support by the author.
SAML Authentication Integration - Allow your users to authenticate using SAML
SAML Authentication Integration
This add-on extends vBulletin to be able to consume SAML assertions from identity providers (IdPs).
SAML (Security Assertion Markup Language) is a well-defined, XML-based OASIS standard for exchanging authentication information. It allows identity providers (IdPs) to authenticate users and then sign them on to multiple service providers (SPs) with a single sign-on. SAML is used by many enterprises and has become the de facto standard for enterprise authentication into SaaS applications (such as salesforce.com, Google Apps, WebEx, etc.).
Benefits of SAML
single sign-on (SSO)
ability to use Enterprise credentials (such as Active Directory)
users do not need to remember separate username/passwords for your forums
Troubleshooting Server Requirements:
PHP5 with ability to make HTTPS SOAP calls (using SSL)
I have been reading about SAML since seeing this mod but I don't know enough yet to answer my own questions. e.g. what version of SAML is it using? 1.1 and 2.0 apparently use different protocols on the wire.
Are there some recommended .NET IdPs?
Our association is using iMIS 15 for our membership database with some interactive services under Windows and I would like to use the same authentication for my vBulletin members who are Association Members (in the iMIS database) and Registered Guests (not in the iMIS database). It looks like I would need to modify this code to handle the Registered Guests who would come back from the iMIS system as not authenticated.
This really looks great for single sign on. I wish I had noticed it 12 months ago.
Our CRM vendor was not interested in providing a SAML IdP, so I modified this mod to work with their web service provider that was available for iMIS 15.
All our sites are on the same top level domain at nawcc.org, so we are using a cookie with a Guid to provide a handle on the current user session no matter which system the users are logged onto working.
I have the login and autoregistration working with our vBulletin 3.84 but I am wondering about the actual operational behavior.
In particular, the product should recognize an IdP logged-in user when they appear on the board by using a plug-in at forumhome_start and/or error_nopermission.
I was thinking that the plug-in could see that the Guid cookie was there and valid but the vBulletin session cookie(s) were not there and perform the same autologin that is done when one logs on through the IdP. The current functions in function_samllogin and samllogin already are set up to do all the work. The only difference is that the process does not start with the bounce back url to the IdP.
We will be implementing this same feature with our Joomla site and with another PHP application for a classifieds and auction site.
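
The check described in the last post (GUID cookie present and valid, no vBulletin session cookie yet), written out as an added example that is not the mod's or the poster's code. The cookie names, the `$lookup` callable standing in for the IdP web-service call, and the session fields are assumptions; the point it shows is that the cookie is treated only as a handle and is validated server-side before any auto-login.

```php
<?php
// Cookie names and the session-lookup callable are assumptions, not the mod's code.
const SSO_COOKIE   = 'sso_guid';       // hypothetical name of the shared GUID cookie
const FORUM_COOKIE = 'bbsessionhash';  // assumed name of the forum session cookie

// Returns the identity to auto-login, or null when the plug-in should do nothing.
// $lookup stands in for the web-service call that resolves a GUID to an IdP session.
function sso_autologin_candidate(array $cookies, callable $lookup, $now)
{
    // An existing forum session wins; do not re-authenticate on every page view.
    if (!empty($cookies[FORUM_COOKIE])) {
        return null;
    }
    if (!isset($cookies[SSO_COOKIE]) || !is_string($cookies[SSO_COOKIE])) {
        return null;
    }
    $guid = strtolower($cookies[SSO_COOKIE]);
    // Reject anything that is not a canonical GUID before it reaches the backend.
    if (!preg_match('/\A[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\z/', $guid)) {
        return null;
    }
    // Presence of the cookie proves nothing: the IdP side decides if it is live.
    $session = $lookup($guid);
    if (!is_array($session) || empty($session['authenticated']) || empty($session['username'])) {
        return null;
    }
    // An expired IdP session must not be turned into a fresh forum session.
    if (!isset($session['expires']) || $session['expires'] <= $now) {
        return null;
    }
    return array('username' => $session['username'], 'guid' => $guid);
}

// Constructed sample data standing in for the IdP's session store.
$store = array(
    '3f2504e0-4f89-11d3-9a0c-0305e82c3301' =>
        array('authenticated' => true, 'username' => 'member1', 'expires' => 2000),
);
$lookup = function ($guid) use ($store) {
    return isset($store[$guid]) ? $store[$guid] : null;
};

// Valid handle, malformed value, and expired IdP session, in that order.
var_dump(sso_autologin_candidate(array(SSO_COOKIE => '3F2504E0-4F89-11D3-9A0C-0305E82C3301'), $lookup, 1000));
var_dump(sso_autologin_candidate(array(SSO_COOKIE => 'not-a-guid'), $lookup, 1000));
var_dump(sso_autologin_candidate(array(SSO_COOKIE => '3f2504e0-4f89-11d3-9a0c-0305e82c3301'), $lookup, 3000));
```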