Creating authentication sources

All authentication sources are located in the lib/Auth/Source/ directory in a module, and the class name is \SimpleSAML\Module\<module>\Auth\Source\<name>. The authentication source must extend the \SimpleSAML\Auth\Source class or one of its subclasses.

The "entry point" of an authentication source is the authenticate() function. Once that function is called, the authentication module can do whatever it wishes to do. There are only two requirements:

Everything else is up to the module. If the module needs to redirect the user, for example because it needs to show the user a page asking for credentials, it needs to save the state array. For that we have the \SimpleSAML\Auth\State class. This is only a convenience class, and you are not required to use it (but its use is encouraged, since it handles some potential pitfalls).

Saving state

The \SimpleSAML\Auth\State class has two functions that you should use: saveState($state, $stage) and loadState($id, $stage). The $stage parameter must be a unique identifier for the current position in the authentication. It is used to prevent a malicious user from taking a state you saved at one location and presenting it at a different location.

The saveState() function returns an id, which you should pass to the loadState() function later.

Username/password authentication

Since username/password authentication is quite a common operation, a base class has been created for this. This is the \SimpleSAML\Module\core\Auth\UserPassBase class, which can be found at modules/core/lib/Auth/UserPassBase.php.

The only function you need to implement is the login($username, $password) function. This function receives the username and password the user entered, and is expected to return the attributes of that user. If the username or password is incorrect, it should throw an error saying so:

  throw new \SimpleSAML\Error\Error('WRONGUSERPASS');

"Implementing custom username/password authentication" describes how to implement username/password authentication using that base class.
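As an added example (not code from the SimpleSAMLphp project or its documentation), here is a minimal UserPassBase subclass for a hypothetical module named "mymodule", verifying against password_hash() digests stored in the authsource configuration. The module name, the file path, the 'users' configuration key and the StaticUsers class name are all assumptions for this illustration.

```php
<?php

// Assumed location: modules/mymodule/lib/Auth/Source/StaticUsers.php,
// referenced from config/authsources.php as 'mymodule:StaticUsers'.
namespace SimpleSAML\Module\mymodule\Auth\Source;

use SimpleSAML\Error\Error;
use SimpleSAML\Module\core\Auth\UserPassBase;

class StaticUsers extends UserPassBase
{
    /** @var array  username => ['hash' => string, 'attributes' => array] (assumed config shape) */
    private $users;

    /** @var string  dummy digest used when the username is unknown */
    private $dummyHash;

    /**
     * @param array $info   Source info passed by SimpleSAMLphp.
     * @param array $config This authsource's configuration entry.
     */
    public function __construct($info, $config)
    {
        parent::__construct($info, $config);
        $this->users = isset($config['users']) ? $config['users'] : [];
        // Computed once so that unknown users still cost one password_verify().
        $this->dummyHash = password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);
    }

    /**
     * @param string $username
     * @param string $password
     * @return array  Attributes of the user, each value a list of strings.
     */
    protected function login($username, $password)
    {
        $entry = isset($this->users[$username]) ? $this->users[$username] : null;
        $hash = $entry !== null ? $entry['hash'] : $this->dummyHash;

        // Always run the verify, then require a real entry: unknown user and
        // wrong password take the same path and raise the same error.
        $ok = password_verify($password, $hash) && $entry !== null;
        if (!$ok) {
            throw new Error('WRONGUSERPASS');
        }

        return $entry['attributes'];  // e.g. ['uid' => ['alice'], 'mail' => ['alice@example.org']]
    }
}
```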

Generic rules & requirements