Andreas Böhler

To follow up on this after a year of use: It's been working well so far! I can't use the authentication hook, because it's too late. When authenticating with SAML, the user should not be asked for username/password if he has already logged on to another service.

It works a bit differently now, the method described above had the problem that the session cookie was never set. Thus, upon creating a new file or folder, an invalid request token error message was received. The extension still hooks into the initDMS hook, but checks if the cookie is set. If not, it authenticates using SAML and then creates the session and cookies the same way as the regular login controller does (more or less).

You can find the extension code here: https://www.aboehler.at/hg/seedsaml/

Yes, I just hacked together a quick script to enable SSO with SAML. It's a SeedDMS extension, so no changes to SeedDMS are necessary. It works the following way: An initDMS hook is called when the DMS is started. Here, we check if we have a valid SAML assertion (using simpleSAMLphp). If yes, we check if a user account with that name already exists. If not, a user account is created. Then, the settings object is modified to enable automatic user login with the user id of the SAML user. The postLogin...