New Login plugin for SAML SSO authentication #7386

mattab · 2015-03-08T20:31:53Z

The goal of this issue is to create a new Authentication plugin for Piwik that will let users login via the SAML 2.0 framework for SSO auth.

Here is a general view of the SAML 2.0 framework: http://en.wikipedia.org/wiki/SAML_2.0
Our Identity Provider is based on CA’s SiteMinder http://www.ca.com/us/securecenter/ca-single-sign-on.aspx (Now called Single Sign On) but only supports HTTP Redirect Binding
http://en.wikipedia.org/wiki/SAML_2.0#HTTP_Redirect_Binding
You may be able to use some of the code from this GitHub project even though it is built to use CAS or SAML 1.1 https://github.com/fnp/piwik-CASLogin
Otherwise other users have had a lot of success with simpleSAMLphp https://simplesamlphp.org/
To make this simple we do not have a requirement to autoprovision users we will be adding them by hand with a fake password but will authenticate the through our Identity Provider.

Here are the requirements for the new Authentication Plugin:

Login process needs to be extended to support both existing internal authentication mechanisms as well as SAML authentication via Client's IDP.
Login Page and related modules should provide a clear link to initiate SAML authentication.
SAML Authentication attempts should be logged and clearly identifiable.
SAML Authentication should provide verbose logging for debugging purposes.
SAML configurations should be defined in a single location accessible only to administrators.
SAML encryption keys must be stored in a secure area and only accessible to administrators and protected from exposure.
SAML Authentication will only allow access if a corresponding user exists and is active in the local authentication database.
Logout terminates active sessions for the application only.

Recommended deliverables:

Note: there is this plugin that does CAS Login in Piwik: https://github.com/fnp/piwik-CASLogin

huan086 · 2017-04-12T04:12:50Z

Any progress on this? If no, I will be hiring people to develop this

mattab · 2017-08-01T05:38:24Z

SAML plugin has been re-created from scratch and is now available on the Marketplace!

If you need help we can provide some support for SAML, learn more here: https://piwik.org/support/login-saml/

sgiehl · 2017-09-10T14:35:13Z

As mentioned by @mattab, this plugin has been released. Closing this issue now.

mattab added the c: New plugin For features that probably will not be added to Matomo, but could be implemented as plugins. label Mar 8, 2015

mattab added this to the Mid term milestone Mar 8, 2015

mattab added the Enhancement For new feature suggestions that enhance Matomo's capabilities or add a new report, new API etc. label Apr 8, 2015

mattab added the Lower priority label Dec 5, 2016

mattab modified the milestones: Long term, Mid term Dec 5, 2016

mattab modified the milestones: 3.1.0, Backlog (Help wanted) Jun 21, 2017

matomo-org deleted a comment from pitbulk Aug 1, 2017

sgiehl closed this as completed Sep 10, 2017

mattab modified the milestones: 3.2.0, 3.1.1 Sep 14, 2017

Provide feedback