settings-custom.php

<?php
/**
 * SAML Authentication Configuration with Group-Based Admin Assignment
 *
 * Group-Based Admin Assignment:
 * ────────────────────────────────────────────────────────────────────────
 * To make members of specific Authentik groups admins in Xibo:
 *
 * 1. In Authentik, create a custom property mapping for your SAML provider:
 *    - Name: saml-usertypeid
 *    - Expression: Return "1" if user in admin group, else return empty string
 *    - Example: return "1" if user.groups.all() | selectattr("name", "equalto", "OTS IT") else ""
 *
 * 2. Attach this mapping to the SAML provider via the API or UI
 *
 * 3. The usertypeid mapping below will read this attribute from the SAML response
 *
 * 4. On JIT provisioning, Xibo will assign users with usertypeid=1 as super-admins
 *
 * Excluded Groups:
 * ────────────────────────────────────────────────────────────────────────
 * Groups listed in {{EXCLUDED_GROUPS}} are not synced to Xibo during provisioning.
 * However, users in excluded groups can still log in via SSO (they'll use the
 * default 'Users' group). Use this to prevent internal admin groups from appearing
 * as Xibo user groups.
 */

$authentication = new \Xibo\Middleware\SAMLAuthentication();
$samlSettings = [
    'workflow' => [
        'jit' => true,
        'field_to_identify' => 'UserName',
        'libraryQuota' => 1000,
        'homePage' => 'icondashboard.view',
        'slo' => true,
        'mapping' => [
            'UserID' => '',
            // usertypeid: Set to 1 (super-admin) for members of admin groups.
            // Requires a custom SAML property mapping in Authentik (see notes above).
            'usertypeid' => 'usertypeid',
            'UserName' => 'http://schemas.goauthentik.io/2021/02/saml/username',
            'email' => 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress',
        ],
        'group' => 'Users',
        'matchGroups' => [
            'enabled' => true,
            'attribute' => 'http://schemas.xmlsoap.org/claims/Group',
            'extractionRegEx' => null,
        ],
    ],
    'strict' => true,
    'debug' => true,
    'baseurl' => 'https://app.ots-signs.com/{CUSTOMER_SLUG}/cms/saml',
    'idp' => [
        'entityId' => 'signs-otsdemo-cms',
        'singleSignOnService' => [
            'url' => 'https://app.ots-signs.com/auth/application/saml/{AUTHENTIK_SLUG}/sso/binding/redirect/',
            'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
        ],
        'singleLogoutService' => [
            'url' => 'https://app.ots-signs.com/auth/application/saml/{AUTHENTIK_SLUG}/slo/binding/redirect/',
            'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
        ],
        'x509cert' => '',
    ],
    'sp' => [
        'entityId' => 'https://app.ots-signs.com/{CUSTOMER_SLUG}/cms/saml/metadata',
        'assertionConsumerService' => [
            'url' => 'https://app.ots-signs.com/{CUSTOMER_SLUG}/cms/saml/acs',
            'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
        ],
        'singleLogoutService' => [
            'url' => 'https://app.ots-signs.com/{CUSTOMER_SLUG}/cms/saml/sls',
            'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
        ],
        'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
        'x509cert' => '',
        'privateKey' => '',
    ],
    'security' => [
        'nameIdEncrypted' => false,
        'authnRequestsSigned' => false,
        'logoutRequestSigned' => false,
        'logoutResponseSigned' => false,
        'signMetadata' => false,
        'wantMessagesSigned' => false,
        'wantAssertionsSigned' => false,
        'wantAssertionsEncrypted' => false,
        'wantNameIdEncrypted' => false,
    ],
];

// {{ EXCLUDED_GROUPS_COMMENT: Groups to exclude from Xibo sync: OTS IT }}
Add custom error and not found pages, and implement SAML authentication configuration - Created a new error page (error.twig) with a user-friendly design for displaying error messages. - Created a new not found page (not-found.twig) to handle 404 errors with appropriate messaging and actions. - Added a SAML authentication configuration file (settings-custom.php) to support group-based admin assignment and user provisioning. 2026-04-08 12:33:52 -04:00			`<?php`
			`/**`
			`* SAML Authentication Configuration with Group-Based Admin Assignment`
			`*`
			`* Group-Based Admin Assignment:`
			`* ────────────────────────────────────────────────────────────────────────`
			`* To make members of specific Authentik groups admins in Xibo:`
			`*`
			`* 1. In Authentik, create a custom property mapping for your SAML provider:`
			`* - Name: saml-usertypeid`
			`* - Expression: Return "1" if user in admin group, else return empty string`
			`* - Example: return "1" if user.groups.all() \| selectattr("name", "equalto", "OTS IT") else ""`
			`*`
			`* 2. Attach this mapping to the SAML provider via the API or UI`
			`*`
			`* 3. The usertypeid mapping below will read this attribute from the SAML response`
			`*`
			`* 4. On JIT provisioning, Xibo will assign users with usertypeid=1 as super-admins`
			`*`
			`* Excluded Groups:`
			`* ────────────────────────────────────────────────────────────────────────`
			`* Groups listed in {{EXCLUDED_GROUPS}} are not synced to Xibo during provisioning.`
			`* However, users in excluded groups can still log in via SSO (they'll use the`
			`* default 'Users' group). Use this to prevent internal admin groups from appearing`
			`* as Xibo user groups.`
			`*/`

			`$authentication = new \Xibo\Middleware\SAMLAuthentication();`
			`$samlSettings = [`
			`'workflow' => [`
			`'jit' => true,`
			`'field_to_identify' => 'UserName',`
			`'libraryQuota' => 1000,`
			`'homePage' => 'icondashboard.view',`
			`'slo' => true,`
			`'mapping' => [`
			`'UserID' => '',`
			`// usertypeid: Set to 1 (super-admin) for members of admin groups.`
			`// Requires a custom SAML property mapping in Authentik (see notes above).`
			`'usertypeid' => 'usertypeid',`
			`'UserName' => 'http://schemas.goauthentik.io/2021/02/saml/username',`
			`'email' => 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress',`
			`],`
			`'group' => 'Users',`
			`'matchGroups' => [`
			`'enabled' => true,`
			`'attribute' => 'http://schemas.xmlsoap.org/claims/Group',`
			`'extractionRegEx' => null,`
			`],`
			`],`
			`'strict' => true,`
			`'debug' => true,`
			`'baseurl' => 'https://app.ots-signs.com/{CUSTOMER_SLUG}/cms/saml',`
			`'idp' => [`
			`'entityId' => 'signs-otsdemo-cms',`
			`'singleSignOnService' => [`
			`'url' => 'https://app.ots-signs.com/auth/application/saml/{AUTHENTIK_SLUG}/sso/binding/redirect/',`
			`'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',`
			`],`
			`'singleLogoutService' => [`
			`'url' => 'https://app.ots-signs.com/auth/application/saml/{AUTHENTIK_SLUG}/slo/binding/redirect/',`
			`'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',`
			`],`
			`'x509cert' => '',`
			`],`
			`'sp' => [`
			`'entityId' => 'https://app.ots-signs.com/{CUSTOMER_SLUG}/cms/saml/metadata',`
			`'assertionConsumerService' => [`
			`'url' => 'https://app.ots-signs.com/{CUSTOMER_SLUG}/cms/saml/acs',`
			`'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',`
			`],`
			`'singleLogoutService' => [`
			`'url' => 'https://app.ots-signs.com/{CUSTOMER_SLUG}/cms/saml/sls',`
			`'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',`
			`],`
			`'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',`
			`'x509cert' => '',`
			`'privateKey' => '',`
			`],`
			`'security' => [`
			`'nameIdEncrypted' => false,`
			`'authnRequestsSigned' => false,`
			`'logoutRequestSigned' => false,`
			`'logoutResponseSigned' => false,`
			`'signMetadata' => false,`
			`'wantMessagesSigned' => false,`
			`'wantAssertionsSigned' => false,`
			`'wantAssertionsEncrypted' => false,`
			`'wantNameIdEncrypted' => false,`
			`],`
			`];`

			`// {{ EXCLUDED_GROUPS_COMMENT: Groups to exclude from Xibo sync: OTS IT }}`