templates/settings-custom.php.template

<?php
/**
 * SAML Authentication Configuration with Group-Based Admin Assignment
 *
 * Group-Based Admin Assignment (AUTOMATIC):
 * ────────────────────────────────────────────────────────────────────────
 * The OTSSignsOrchestrator AUTOMATICALLY creates and configures:
 *
 * 1. A custom property mapping "saml-usertypeid" in Authentik that:
 *    - Returns "1" for users in the "OTS IT" group
 *    - Returns empty string for other users
 *
 * 2. Attaches this mapping to the SAML provider so the attribute is sent in SAML responses
 *
 * 3. Configures Xibo to read the usertypeid SAML attribute (see 'usertypeid' mapping below)
 *
 * Result: OTS IT members are automatically assigned as super-admins on SSO login.
 *         Other users are assigned normal permissions.
 *
 * If OTS IT members are NOT getting admin access:
 * ────────────────────────────────────────────────────────────────────────
 * 1. Check Authentik logs for "saml-usertypeid" mapping creation errors
 * 2. Verify the mapping exists: Authentik → Customization → Property Mappings
 * 3. Verify it's attached to the SAML provider: Authentik → Providers → SAML → Properties
 * 4. Enable Xibo SAML debug logging below ('debug' => true) and check xibo.log after login
 * 5. Check SAML assertion in browser dev tools (Network tab, catch SAML response)
 *
 * Excluded Groups:
 * ────────────────────────────────────────────────────────────────────────
 * Groups listed in {{EXCLUDED_GROUPS}} are not synced to Xibo during provisioning.
 * However, users in excluded groups can still log in via SSO (they'll use the
 * default 'Users' group). Use this to prevent internal admin groups from appearing
 * as Xibo user groups.
 */

$authentication = new \Xibo\Middleware\SAMLAuthentication();
$samlSettings = [
    'workflow' => [
        'jit' => true,
        'field_to_identify' => 'UserName',
        'libraryQuota' => 1000,
        'homePage' => 'icondashboard.view',
        'slo' => true,
        'mapping' => [
            'UserID' => '',
            // usertypeid: Set to 1 (super-admin) for members of OTS IT group.
            // The saml-usertypeid custom property mapping (auto-created during provisioning)
            // outputs this attribute. Xibo's JIT provisioning reads it and auto-assigns admins.
            'usertypeid' => 'saml-usertypeid',
            'UserName' => 'http://schemas.goauthentik.io/2021/02/saml/username',
            'email' => 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress',
        ],
        'group' => 'Users',
        'matchGroups' => [
            'enabled' => true,
            'attribute' => 'http://schemas.goauthentik.io/2021/02/saml/groups',
            'extractionRegEx' => null,
        ],
    ],
    'strict' => true,
    'debug' => true,
    'baseurl' => '{{SAML_BASE_URL}}',
    'idp' => [
        'entityId' => '{{AUTHENTIK_IDP_ENTITY_ID}}',
        'singleSignOnService' => [
            'url' => '{{AUTHENTIK_SSO_URL}}',
            'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
        ],
        'singleLogoutService' => [
            'url' => '{{AUTHENTIK_SLO_URL}}',
            'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
        ],
        'x509cert' => '{{AUTHENTIK_IDP_X509_CERT}}',
    ],
    'sp' => [
        'entityId' => '{{SAML_SP_ENTITY_ID}}',
        'assertionConsumerService' => [
            'url' => '{{SAML_BASE_URL}}/acs',
            'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
        ],
        'singleLogoutService' => [
            'url' => '{{SAML_BASE_URL}}/sls',
            'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
        ],
        'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
        'x509cert' => '',
        'privateKey' => '',
    ],
    'security' => [
        'nameIdEncrypted' => false,
        'authnRequestsSigned' => false,
        'logoutRequestSigned' => false,
        'logoutResponseSigned' => false,
        'signMetadata' => false,
        'wantMessagesSigned' => false,
        'wantAssertionsSigned' => false,
        'wantAssertionsEncrypted' => false,
        'wantNameIdEncrypted' => false,
    ],
];

// {{ EXCLUDED_GROUPS_COMMENT: Groups to exclude from Xibo sync: OTS IT }}
work with authentik 2026-02-27 17:48:21 -05:00			`<?php`
feat: Implement customer invitation infrastructure in Authentik - Added IInvitationSetupService and InvitationSetupService to orchestrate the setup of invitation infrastructure for customers. - Introduced methods for creating groups, enrollment flows, invitation stages, roles, and policies in Authentik. - Updated PostInstanceInitService to call the new invitation setup methods during post-initialization. - Enhanced InstanceService to pass customer name during SAML configuration deployment. - Updated App.axaml.cs to register the new IInvitationSetupService. - Modified settings-custom.php.template to include documentation for SAML authentication configuration with group-based admin assignment. - Added logic to exclude specific groups from being synced to Xibo during group synchronization. 2026-03-04 21:58:59 -05:00			`/**`
			`* SAML Authentication Configuration with Group-Based Admin Assignment`
			`*`
feat: Update Authentik integration and enhance Docker Compose templates 2026-03-14 22:51:52 -04:00			`* Group-Based Admin Assignment (AUTOMATIC):`
feat: Implement customer invitation infrastructure in Authentik - Added IInvitationSetupService and InvitationSetupService to orchestrate the setup of invitation infrastructure for customers. - Introduced methods for creating groups, enrollment flows, invitation stages, roles, and policies in Authentik. - Updated PostInstanceInitService to call the new invitation setup methods during post-initialization. - Enhanced InstanceService to pass customer name during SAML configuration deployment. - Updated App.axaml.cs to register the new IInvitationSetupService. - Modified settings-custom.php.template to include documentation for SAML authentication configuration with group-based admin assignment. - Added logic to exclude specific groups from being synced to Xibo during group synchronization. 2026-03-04 21:58:59 -05:00			`* ────────────────────────────────────────────────────────────────────────`
feat: Update Authentik integration and enhance Docker Compose templates 2026-03-14 22:51:52 -04:00			`* The OTSSignsOrchestrator AUTOMATICALLY creates and configures:`
feat: Implement customer invitation infrastructure in Authentik - Added IInvitationSetupService and InvitationSetupService to orchestrate the setup of invitation infrastructure for customers. - Introduced methods for creating groups, enrollment flows, invitation stages, roles, and policies in Authentik. - Updated PostInstanceInitService to call the new invitation setup methods during post-initialization. - Enhanced InstanceService to pass customer name during SAML configuration deployment. - Updated App.axaml.cs to register the new IInvitationSetupService. - Modified settings-custom.php.template to include documentation for SAML authentication configuration with group-based admin assignment. - Added logic to exclude specific groups from being synced to Xibo during group synchronization. 2026-03-04 21:58:59 -05:00			`*`
feat: Update Authentik integration and enhance Docker Compose templates 2026-03-14 22:51:52 -04:00			`* 1. A custom property mapping "saml-usertypeid" in Authentik that:`
			`* - Returns "1" for users in the "OTS IT" group`
			`* - Returns empty string for other users`
feat: Implement customer invitation infrastructure in Authentik - Added IInvitationSetupService and InvitationSetupService to orchestrate the setup of invitation infrastructure for customers. - Introduced methods for creating groups, enrollment flows, invitation stages, roles, and policies in Authentik. - Updated PostInstanceInitService to call the new invitation setup methods during post-initialization. - Enhanced InstanceService to pass customer name during SAML configuration deployment. - Updated App.axaml.cs to register the new IInvitationSetupService. - Modified settings-custom.php.template to include documentation for SAML authentication configuration with group-based admin assignment. - Added logic to exclude specific groups from being synced to Xibo during group synchronization. 2026-03-04 21:58:59 -05:00			`*`
feat: Update Authentik integration and enhance Docker Compose templates 2026-03-14 22:51:52 -04:00			`* 2. Attaches this mapping to the SAML provider so the attribute is sent in SAML responses`
feat: Implement customer invitation infrastructure in Authentik - Added IInvitationSetupService and InvitationSetupService to orchestrate the setup of invitation infrastructure for customers. - Introduced methods for creating groups, enrollment flows, invitation stages, roles, and policies in Authentik. - Updated PostInstanceInitService to call the new invitation setup methods during post-initialization. - Enhanced InstanceService to pass customer name during SAML configuration deployment. - Updated App.axaml.cs to register the new IInvitationSetupService. - Modified settings-custom.php.template to include documentation for SAML authentication configuration with group-based admin assignment. - Added logic to exclude specific groups from being synced to Xibo during group synchronization. 2026-03-04 21:58:59 -05:00			`*`
feat: Update Authentik integration and enhance Docker Compose templates 2026-03-14 22:51:52 -04:00			`* 3. Configures Xibo to read the usertypeid SAML attribute (see 'usertypeid' mapping below)`
feat: Implement customer invitation infrastructure in Authentik - Added IInvitationSetupService and InvitationSetupService to orchestrate the setup of invitation infrastructure for customers. - Introduced methods for creating groups, enrollment flows, invitation stages, roles, and policies in Authentik. - Updated PostInstanceInitService to call the new invitation setup methods during post-initialization. - Enhanced InstanceService to pass customer name during SAML configuration deployment. - Updated App.axaml.cs to register the new IInvitationSetupService. - Modified settings-custom.php.template to include documentation for SAML authentication configuration with group-based admin assignment. - Added logic to exclude specific groups from being synced to Xibo during group synchronization. 2026-03-04 21:58:59 -05:00			`*`
feat: Update Authentik integration and enhance Docker Compose templates 2026-03-14 22:51:52 -04:00			`* Result: OTS IT members are automatically assigned as super-admins on SSO login.`
			`* Other users are assigned normal permissions.`
			`*`
			`* If OTS IT members are NOT getting admin access:`
			`* ────────────────────────────────────────────────────────────────────────`
			`* 1. Check Authentik logs for "saml-usertypeid" mapping creation errors`
			`* 2. Verify the mapping exists: Authentik → Customization → Property Mappings`
			`* 3. Verify it's attached to the SAML provider: Authentik → Providers → SAML → Properties`
			`* 4. Enable Xibo SAML debug logging below ('debug' => true) and check xibo.log after login`
			`* 5. Check SAML assertion in browser dev tools (Network tab, catch SAML response)`
feat: Implement customer invitation infrastructure in Authentik - Added IInvitationSetupService and InvitationSetupService to orchestrate the setup of invitation infrastructure for customers. - Introduced methods for creating groups, enrollment flows, invitation stages, roles, and policies in Authentik. - Updated PostInstanceInitService to call the new invitation setup methods during post-initialization. - Enhanced InstanceService to pass customer name during SAML configuration deployment. - Updated App.axaml.cs to register the new IInvitationSetupService. - Modified settings-custom.php.template to include documentation for SAML authentication configuration with group-based admin assignment. - Added logic to exclude specific groups from being synced to Xibo during group synchronization. 2026-03-04 21:58:59 -05:00			`*`
			`* Excluded Groups:`
			`* ────────────────────────────────────────────────────────────────────────`
			`* Groups listed in {{EXCLUDED_GROUPS}} are not synced to Xibo during provisioning.`
			`* However, users in excluded groups can still log in via SSO (they'll use the`
			`* default 'Users' group). Use this to prevent internal admin groups from appearing`
			`* as Xibo user groups.`
			`*/`

work with authentik 2026-02-27 17:48:21 -05:00			`$authentication = new \Xibo\Middleware\SAMLAuthentication();`
			`$samlSettings = [`
			`'workflow' => [`
			`'jit' => true,`
			`'field_to_identify' => 'UserName',`
			`'libraryQuota' => 1000,`
			`'homePage' => 'icondashboard.view',`
			`'slo' => true,`
			`'mapping' => [`
			`'UserID' => '',`
feat: Update Authentik integration and enhance Docker Compose templates 2026-03-14 22:51:52 -04:00			`// usertypeid: Set to 1 (super-admin) for members of OTS IT group.`
			`// The saml-usertypeid custom property mapping (auto-created during provisioning)`
			`// outputs this attribute. Xibo's JIT provisioning reads it and auto-assigns admins.`
			`'usertypeid' => 'saml-usertypeid',`
work with authentik 2026-02-27 17:48:21 -05:00			`'UserName' => 'http://schemas.goauthentik.io/2021/02/saml/username',`
			`'email' => 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress',`
			`],`
			`'group' => 'Users',`
			`'matchGroups' => [`
feat: Implement Authentik group synchronization and add confirmation dialogs for service management 2026-03-04 21:33:29 -05:00			`'enabled' => true,`
			`'attribute' => 'http://schemas.goauthentik.io/2021/02/saml/groups',`
work with authentik 2026-02-27 17:48:21 -05:00			`'extractionRegEx' => null,`
			`],`
			`],`
			`'strict' => true,`
			`'debug' => true,`
			`'baseurl' => '{{SAML_BASE_URL}}',`
			`'idp' => [`
			`'entityId' => '{{AUTHENTIK_IDP_ENTITY_ID}}',`
			`'singleSignOnService' => [`
			`'url' => '{{AUTHENTIK_SSO_URL}}',`
			`'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',`
			`],`
			`'singleLogoutService' => [`
			`'url' => '{{AUTHENTIK_SLO_URL}}',`
			`'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',`
			`],`
			`'x509cert' => '{{AUTHENTIK_IDP_X509_CERT}}',`
			`],`
			`'sp' => [`
			`'entityId' => '{{SAML_SP_ENTITY_ID}}',`
			`'assertionConsumerService' => [`
			`'url' => '{{SAML_BASE_URL}}/acs',`
			`'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',`
			`],`
			`'singleLogoutService' => [`
			`'url' => '{{SAML_BASE_URL}}/sls',`
			`'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',`
			`],`
			`'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',`
			`'x509cert' => '',`
			`'privateKey' => '',`
			`],`
			`'security' => [`
			`'nameIdEncrypted' => false,`
			`'authnRequestsSigned' => false,`
			`'logoutRequestSigned' => false,`
			`'logoutResponseSigned' => false,`
			`'signMetadata' => false,`
			`'wantMessagesSigned' => false,`
			`'wantAssertionsSigned' => false,`
			`'wantAssertionsEncrypted' => false,`
			`'wantNameIdEncrypted' => false,`
			`],`
			`];`
feat: Implement customer invitation infrastructure in Authentik - Added IInvitationSetupService and InvitationSetupService to orchestrate the setup of invitation infrastructure for customers. - Introduced methods for creating groups, enrollment flows, invitation stages, roles, and policies in Authentik. - Updated PostInstanceInitService to call the new invitation setup methods during post-initialization. - Enhanced InstanceService to pass customer name during SAML configuration deployment. - Updated App.axaml.cs to register the new IInvitationSetupService. - Modified settings-custom.php.template to include documentation for SAML authentication configuration with group-based admin assignment. - Added logic to exclude specific groups from being synced to Xibo during group synchronization. 2026-03-04 21:58:59 -05:00
			`// {{ EXCLUDED_GROUPS_COMMENT: Groups to exclude from Xibo sync: OTS IT }}`