Add custom error and not found pages, and implement SAML authentication configuration

- Created a new error page (error.twig) with a user-friendly design for displaying error messages. - Created a new not found page (not-found.twig) to handle 404 errors with appropriate messaging and actions. - Added a SAML authentication configuration file (settings-custom.php) to support group-based admin assignment and user provisioning.
2026-04-08 12:33:52 -04:00
parent d1c69404bb
commit 8edcdedcd5
9 changed files with 9871 additions and 1757 deletions
--- a/settings-custom.php
+++ b/settings-custom.php
@@ -0,0 +1,93 @@
+<?php
+/**
+ * SAML Authentication Configuration with Group-Based Admin Assignment
+ *
+ * Group-Based Admin Assignment:
+ * ────────────────────────────────────────────────────────────────────────
+ * To make members of specific Authentik groups admins in Xibo:
+ *
+ * 1. In Authentik, create a custom property mapping for your SAML provider:
+ *    - Name: saml-usertypeid
+ *    - Expression: Return "1" if user in admin group, else return empty string
+ *    - Example: return "1" if user.groups.all() | selectattr("name", "equalto", "OTS IT") else ""
+ *
+ * 2. Attach this mapping to the SAML provider via the API or UI
+ *
+ * 3. The usertypeid mapping below will read this attribute from the SAML response
+ *
+ * 4. On JIT provisioning, Xibo will assign users with usertypeid=1 as super-admins
+ *
+ * Excluded Groups:
+ * ────────────────────────────────────────────────────────────────────────
+ * Groups listed in {{EXCLUDED_GROUPS}} are not synced to Xibo during provisioning.
+ * However, users in excluded groups can still log in via SSO (they'll use the
+ * default 'Users' group). Use this to prevent internal admin groups from appearing
+ * as Xibo user groups.
+ */
+
+$authentication = new \Xibo\Middleware\SAMLAuthentication();
+$samlSettings = [
+    'workflow' => [
+        'jit' => true,
+        'field_to_identify' => 'UserName',
+        'libraryQuota' => 1000,
+        'homePage' => 'icondashboard.view',
+        'slo' => true,
+        'mapping' => [
+            'UserID' => '',
+            // usertypeid: Set to 1 (super-admin) for members of admin groups.
+            // Requires a custom SAML property mapping in Authentik (see notes above).
+            'usertypeid' => 'usertypeid',
+            'UserName' => 'http://schemas.goauthentik.io/2021/02/saml/username',
+            'email' => 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress',
+        ],
+        'group' => 'Users',
+        'matchGroups' => [
+            'enabled' => true,
+            'attribute' => 'http://schemas.xmlsoap.org/claims/Group',
+            'extractionRegEx' => null,
+        ],
+    ],
+    'strict' => true,
+    'debug' => true,
+    'baseurl' => 'https://app.ots-signs.com/{CUSTOMER_SLUG}/cms/saml',
+    'idp' => [
+        'entityId' => 'signs-otsdemo-cms',
+        'singleSignOnService' => [
+            'url' => 'https://app.ots-signs.com/auth/application/saml/{AUTHENTIK_SLUG}/sso/binding/redirect/',
+            'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
+        ],
+        'singleLogoutService' => [
+            'url' => 'https://app.ots-signs.com/auth/application/saml/{AUTHENTIK_SLUG}/slo/binding/redirect/',
+            'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
+        ],
+        'x509cert' => '',
+    ],
+    'sp' => [
+        'entityId' => 'https://app.ots-signs.com/{CUSTOMER_SLUG}/cms/saml/metadata',
+        'assertionConsumerService' => [
+            'url' => 'https://app.ots-signs.com/{CUSTOMER_SLUG}/cms/saml/acs',
+            'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
+        ],
+        'singleLogoutService' => [
+            'url' => 'https://app.ots-signs.com/{CUSTOMER_SLUG}/cms/saml/sls',
+            'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
+        ],
+        'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
+        'x509cert' => '',
+        'privateKey' => '',
+    ],
+    'security' => [
+        'nameIdEncrypted' => false,
+        'authnRequestsSigned' => false,
+        'logoutRequestSigned' => false,
+        'logoutResponseSigned' => false,
+        'signMetadata' => false,
+        'wantMessagesSigned' => false,
+        'wantAssertionsSigned' => false,
+        'wantAssertionsEncrypted' => false,
+        'wantNameIdEncrypted' => false,
+    ],
+];
+
+// {{ EXCLUDED_GROUPS_COMMENT: Groups to exclude from Xibo sync: OTS IT }}