, which has different default browser styling, so we need to add custom
+ * styling to ensure the button is still full-width and text is left-aligned
+ */
+ width: 100%;
+ text-align: left;
}
.realme_button:hover, .realme_button:focus {
background-color: #2f5f93;
@@ -164,8 +172,8 @@
}
/*
- Top-level widgets
- -----------------------------------------------------
+ Top-level widgets
+ -----------------------------------------------------
*/
.realme_primary_login {
max-width: 28em;
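Review bot: the `- Top-level widgets` / `+ Top-level widgets` pair differs only in leading whitespace inside a comment, so this hunk (like the `Components`, `Popup` and `Colour themes` hunks that follow) has no effect on the rendered CSS; keeping whitespace-only reformatting in its own commit would make the one functional change in this file (the `z-index` move) easier to spot.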
@@ -228,8 +236,8 @@
}
/*
- Components
- -----------------------------------------------------
+ Components
+ -----------------------------------------------------
*/
/* Used to separate elements vertically. Can be themed*/
.realme_hr {
@@ -267,8 +275,8 @@
}
/*
- Popup
- -----------------------------------------------------
+ Popup
+ -----------------------------------------------------
*/
.realme_arrow_top_left, .realme_arrow_top_right, .realme_arrow_side_left, .realme_arrow_side_right {
padding-top: 1.2em;
@@ -336,7 +344,7 @@
transition: opacity 0.3s;
opacity: 0;
visibility: hidden;
- z-index: -1;
+ z-index: 2;
_display: none;
/*ie6*/
}
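Review bot: `z-index: 2` now applies to the wrapper permanently, including while it is hidden (`opacity: 0; visibility: hidden;`), and the hover rule's own `z-index: 2` is dropped in the next hunk; this is only safe because `visibility: hidden` excludes the element from hit-testing, and because the `transition` covers `opacity` alone, so visibility flips instantly and there is no window in which an invisible wrapper intercepts clicks. Worth a one-line comment next to `z-index: 2` saying the hidden state relies on `visibility`, so a later change to the transition does not silently reintroduce an invisible overlay.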
@@ -484,7 +492,6 @@
.no_touch .realme_popup_wrapper:hover {
opacity: 1 !important;
visibility: visible !important;
- z-index: 2;
}
.realme_find_out_more {
@@ -545,8 +552,8 @@
}
/*
- Colour themes
- -----------------------------------------------------
+ Colour themes
+ -----------------------------------------------------
*/
.realme_theme_default {
color: #000 !important;
diff --git a/docs/en/configuration.md b/docs/en/configuration.md
index e6db51f..6673a1b 100644
--- a/docs/en/configuration.md
+++ b/docs/en/configuration.md
@@ -4,30 +4,28 @@
The following values need to be defined in your `_ss_environment.php` file for **all** environments. See the [SilverStripe documentation on environment management](https://docs.silverstripe.org/en/3.1/getting_started/environment_management/) for more information.
-| **Environment Const** | **Example** | **Notes** |
-| ------------------------------ | ------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
-| `REALME_CONFIG_DIR` | /sites/realme-dev/secure/config | Directory where SimpleSAMLphp configuration will reside. Needs to be writeable by the web server user during setup, and readable afterwards. |
-| `REALME_CERT_DIR` | /sites/realme-dev/secure/certs | Directory where certificates will reside. All certificates should be placed here. Needs to be readable (but ideally not writeable) by the web server user. |
-| `REALME_LOG_DIR` | /sites/realme-dev/logs | Directory where SimpleSAMLphp logs will reside. Needs to be writeable by the web server user. |
-| `REALME_TEMP_DIR` | /tmp/simplesaml | Directory where SimpleSAMLphp can create temporary files. Needs to be writeable by the web server user. |
-| `REALME_SIGNING_CERT_FILENAME` | mts_saml_sp.pem | Name of the SAML secure signing certificate for the required environment. For MTS, this is provided by RealMe, and is available in the RealMe Shared Workspace. |
-| `REALME_MUTUAL_CERT_FILENAME` | mts_mutual_ssl_sp.pem | Name of the mutual back-channel secure signing certificate for the required environment. For MTS, this is provided by RealMe, and is available in the RealMe Shared Workspace. |
-| `REALME_SIGNING_CERT_PASSWORD` | password | Only required if your SAML secure signing certificate (`REALME_SIGNING_CERT_FILENAME`) requires a password to use. Do not define this unless it's required. |
-| `REALME_MUTUAL_CERT_PASSWORD` | password | Only required if your mutual back-channel secure signing certificate (`REALME_SIGNING_CERT_FILENAME`) requires a password to use. Do not define this unless it's required. |
-
-In addition to these, YML configuration is required to specify some values that should be consistently
-applied across environments. These are noted below.
-
-Create a file in your project called for example `mysite/_config/realme.yml`. In this file, specify the
-following, with appropriate values set. Examples are given below, but should be evaluated for your own
-application.
+| **Environment Const** | **Example** | **Notes** |
+| ------------------------------ | ------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `REALME_CERT_DIR` | /sites/realme-dev/secure/certs | Directory where all certificates will reside. All certificates should be placed here. Needs to be readable (but ideally not writeable) by the web server user. |
+| `REALME_SIGNING_CERT_FILENAME` | mts_saml_sp.pem | Name of the SAML secure signing certificate for the required environment. For MTS, this is provided by RealMe, and is available on the RealMe developers site. |
+| `REALME_SIGNING_CERT_PASSWORD` | password | Only required if your SAML secure signing certificate (`REALME_SIGNING_CERT_FILENAME`) requires a password to use. Do not define this unless it's required. This is deprecated. |
-```yml
----
-Name: realmeproject
+In addition to these, YML configuration is required to specify some values that should be consistently applied across
+environments. These are noted below.
+
+Create a file in your project called for example `mysite/_config/realme.yml`. In this file, specify the following, with
+appropriate values set. Examples are given below, but should be evaluated for your own application.
+
+Note that the below configuration assumes that you are using the `SS_ENVIRONMENT_TYPE` const correctly on your
+development, staging/test and production environments.
+
+```---
+Name: realmedev
---
RealMeService:
- entity_ids:
+ realme_env: 'mts'
+ integration_type: 'login'
+ sp_entity_ids:
mts: "https://dev.your-website.govt.nz/p-realm/s-name"
ite: "https://uat.your-website.govt.nz/p-realm/s-name"
prod: "https://www.your-website.govt.nz/p-realm/s-name"
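Review bot: the opening fence on the `+```---` line is malformed: the fence marker and the first YAML document separator share one line, so the block renders with language `---` and loses its first `---`; split it back into ```` ```yml ```` and `---` as the removed lines had. Two further points in the table: `REALME_SIGNING_CERT_PASSWORD` is marked 'This is deprecated' without saying what replaces it or when it goes away, and `REALME_LOG_DIR`, `REALME_TEMP_DIR` and the SimpleSAMLphp config dir are dropped from the table while the setup-task messages in `lang/en.yml` (`ERR_TEMP_DIR_MISSING`, `ERR_LOG_DIR_NOT_WRITEABLE`, `ERR_SIMPLE_SAML_CONFIG_DIR_NOT_WRITEABLE`) still tell users to define those consts in `_ss_environment.php`.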
@@ -39,46 +37,55 @@ RealMeService:
mts: "https://dev.your-website.govt.nz/"
ite: "https://uat.your-website.govt.nz"
prod: "https://www.your-website.govt.nz/"
- backchannel_proxy_hosts:
- mts: null
- ite: "env:http_proxy"
- prod: "env:http_proxy"
- backchannel_proxy_ports:
- mts: null
- ite: "env:http_proxy"
- prod: "env:http_proxy"
metadata_organisation_name: "RealMe Demo Organisation"
metadata_organisation_display_name: "RealMe Demo Organisation"
metadata_organisation_url: "https://realme-demo.govt.nz"
- metadata_contact_support_company: "SilverStripe"
- metadata_contact_support_firstnames: "Jane"
- metadata_contact_support_surname: "Smith"
+ metadata_contact_support_company: "Your Company"
+ metadata_contact_support_firstnames: "Your"
+ metadata_contact_support_surname: "Name"
+RealMeLoginForm:
+ service_name_1: "this website"
+ service_name_2: "this website"
+ service_name_3: "this website"
---
Name: realmetest
Only:
environment: test
After:
- - 'RealMe'
+ - 'realmedev'
---
RealMeService:
- auth_source_name: 'realme-ite'
+ realme_env: 'ite'
---
Name: realmeprod
Only:
environment: live
After:
- - 'RealMe'
+ - 'realmedev'
---
RealMeService:
- auth_source_name: 'realme-prod'
+ realme_env: 'prod'
---
```
-The values you set for `entity_ids` should conform to the RealMe standard for entity IDs. In summary, the
+The value you set for `realme_env` must be one of 'mts', 'ite' or 'prod'.
+
+The value you set for `integration_type` must be one of 'login' or 'assert'.
+
+The values you set for `sp_entity_ids` should conform to the RealMe standard for entity IDs. In summary, the
domain should be relevant to the agency, the first part of the path should be the privacy realm name, and
-the second part of the path should be the service name.
+the second part of the path should be the service name.
+
+The values for `service_name_1`, `service_name_2` and `service_name_3` should fit in these sentences:
+
+* `service_name_1`: "To access the [online service], you need a RealMe login."
+* `service_name_2`: "To log in to [this service] you need a RealMe login."
+* `service_name_3`: "[This service] uses RealMe login to secure and protect your personal information."
-#### Note: the service name cannot be more than 10 characters in length, or the validation will fail.
+**Note:** None of these are required for the assert form, as they are not used (it only uses organisation name, which is
+taken from the `metadata_organisation_name` config value instead.
+
+**Note:** the service name cannot be more than 10 characters in length, or the validation will fail.
The values you set for `authn_contexts` can be one of the following, depending on the requirements of your
application:
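Review bot: the 10-character limit restated on the `**Note:** the service name cannot be more than 10 characters` line contradicts the new `ERR_CONFIG_ENTITYID_SERVICE_NAME` message in `lang/en.yml` in this same diff, which says 'a maximum of 20 characters'; align the docs with whatever the validator actually enforces. Also, the sentence beginning 'None of these are required for the assert form' opens a parenthesis at '(it only uses organisation name' and never closes it, and the trailing context line refers to `authn_contexts` while the text below it uses `authn_context`; pick one key name.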
@@ -90,104 +97,108 @@ application:
| urn:nzl:govt:ict:stds:authn:deployment:GLS:SAML:2.0:ac:classes:ModStrength::OTP:Mobile:SMS | Not recommended. Requires a username, password, and specifically requires the use of an SMS token. |
| urn:nzl:govt:ict:stds:authn:deployment:GLS:SAML:2.0:ac:classes:ModStrength::OTP:Token:SID | Not recommended. Requires a username, password, and specifically requires the use of an RSA token. |
-If you are wanting to test SMS tokens on the ITE environment, further documentation is available on the RealMe
-Shared Workspace.
+**Note:** The AuthN context must be set to 'ModStrength' if you are using the 'assert' integration type, low strength is
+not available for this integration type.
+
+If you are wanting to test SMS tokens on the ITE environment, further documentation is available on the [RealMe developers site](https://developers.realme.govt.nz/how-to-integrate/testing-tools/).
## RealMe Environments
The RealMe system consists of three separate environments - MTS, ITE and Production.
-In MTS, you confirm that your setup is correct, and you can correctly parse all the different types of
-messages that RealMe may pass back to your application.
+In MTS, you confirm that your setup is correct, and you can correctly parse all the different types of messages that
+RealMe may pass back to your application.
-In ITE, which is equivalent to a pre-prod or staging environment, you confirm that your website will work
-correctly when deployed to production, using your own secure certificates, and any custom configuration
-(e.g. `authn_context` values) set.
+In ITE, which is equivalent to a pre-prod or staging environment, you confirm that your website will work correctly when
+deployed to production, using your own secure certificates, and any custom configuration (e.g. `authn_context` values)
+set.
In production, you allow real users to use RealMe for authentication.
-### Configuring for MTS
-
-The required SSL certificates for MTS are provided by the RealMe Operations team, once you have access to
-the RealMe Shared Workspace. These certificates (at time of writing they are named `mts_saml_sp.pem`,
-`mts_mutual_ssl_sp.pem`) should be loaded into the directory specified by `REALME_CERT_DIR`.
-
-You will also need to place `mts_saml_idp.cer` into the same directory, however this file as provided by
-RealMe is incorrect and requires a minor edit.
-
-* On the first line of the file, before the certificate starts, you need to add the following: `-----BEGIN CERTIFICATE-----`
-* Add a new line to the end of the file, after the certificate ends, and add the following: `-----END CERTIFICATE-----`
-
-The file should now look something like this:
-```
------BEGIN CERTIFICATE-----
-MIIECT...
-...
-...
------END CERTIFICATE-----
-```
-
-Once in place, and ensuring the `REALME_SIGNING_CERT_FILENAME` and `REALME_MUTUAL_CERT_FILENAME` consts are
-defined correctly, you can run the setup task which will validate all provided details, create the
-configuration files required, and provide you with the XML you need to provide to RealMe.
-
-If you are developing locally, note that the module enforces your environment to be configured for https.
-If you don't have this setup by default, [ngrok](https://ngrok.com/download) is a nice, easy to use tool
-that provides this functionality. You just run ngrok, and copy the https URL that it gives you - this will
-let you access your site protected via https, however you will need to ensure you set the `SS_TRUSTED_PROXY_IPS`
-const in your _ss_environment.php , e.g. `define('SS_TRUSTED_PROXY_IPS', '*');` so that we know that ngrok is
-trust-worthy and allowed to pass http traffic as https.
-
-If you do this, ngrok will give you a random URL each time you start it, which means that you will need to
-change the above YML configuration and re-run the below task every time you restart ngrok. Alternatively,
-set this up on a development server that has the capability to perform SSL communication natively. You
-can use self-signed certificates if required.
-
-Run the below task as the user that your web server runs as (for example, the `www-data` or `httpd` user).
-
-```bash
-cd /path/to/your/webroot
-framework/sake dev/tasks/RealMeSetupTask forEnv=mts
+### MTS: [Messaging Test Environment](https://mts.realme.govt.nz/logon-mts/home)
+
+The development environment is known as MTS. This environment is setup to allow testing of your code on your development
+environment. In this environment, RealMe provide all SSL certificates required to communicate.
+
+- Review the documentation on the 'Try it out now' page on the [RealMe Developers site](https://developers.realme.govt.nz/try-it-out-now/).
+- Download the integration bundle from the [RealMe Developers site](https://developers.realme.govt.nz/try-it-out-now/).
+- Unpack the following three certificates into the directory you've specified in `REALME_CERT_DIR` (outside of your webroot):
+ - `mts_assert_saml_idp.cer`
+ - `mts_login_saml_idp.cer`
+ - `mts_saml_sp.pem`
+- The `mts_assert_saml_idp.cer` and `mts_login_saml_idp.cer` files are not correctly provided. You will need to manually add the following to the files:
+ - Add a new line as line 1 of the file with the following: `-----BEGIN CERTIFICATE-----`
+ - Add a new line as the last line of the file with the following: `-----END CERTIFICATE-----`
+- Ensure your `realme.yml` [configuration](docs/en/configuration.md) is complete (see above).
+- Run the RealMe build task to validate your configuration and get the XML metadata to provide to MTS: `framework/sake dev/tasks/RealMeSetupTask forEnv=mts`
+- Save the XML output from the above task to an XML file, and upload this to MTS:
+ - For a 'logon' integration, submit here: [MTS logon metadata upload](https://mts.realme.govt.nz/logon-mts/metadataupdate).
+ - For an 'assert' integration, submit here: [MTS assert metadata upload](https://mts.realme.govt.nz/realme-mts/metadata/import.xhtml).
+- Either use the `$RealMeLoginForm` global template variable or add the `RealMeAuthenticator` and access `/Security/login`.
+- Once authenticated, you can access user data from templates using `$RealMeUser` (e.g. `$RealMeUser.SPNameID`), or in a controller by using `RealMeService::currentRealMeUser()`.
+
+If you are developing locally, note that the module enforces your environment to be configured for https. If you don't
+have this setup by default, [ngrok](https://ngrok.com/download) is a nice, easy to use tool that provides this
+functionality. You just run ngrok, and copy the https URL that it gives you - this will let you access your site
+protected via https, however you will need to ensure you set the `SS_TRUSTED_PROXY_IPS` const in your
+_ss_environment.php, e.g. `define('SS_TRUSTED_PROXY_IPS', '*');` so that we know that ngrok is trust-worthy and allowed
+to pass http traffic as https.
+
+If you do this, ngrok will give you a random URL each time you start it, which means that you will need to change the
+above YML configuration and re-integrate to MTS every time you restart ngrok. Alternatively, set this up on a
+development server that has the capability to perform SSL communication natively. You can use self-signed certificates
+if required.
+
+You should now be able to proceed to testing the standard login form, or [using the RealMe templates](templates.md).
+
+### ITE: Integration Test Environment
+
+- Complete an integration to MTS.
+- You will need a secure certificate which meets the requirements as seen on the [Certificate requirements](https://developers.realme.govt.nz/how-realme-works/certificate-requirements/) page.
+ - If you are using the Common Web Platform, you can request that the CWP Operations team set this up for you by raising a ticket on the [CWP Service desk](https://www.cwp.govt.nz/service-desk/new-request/).
+ - Otherwise, you can generate one yourself and install it into your test or staging environment.
+- Request an account on the [RealMe Developers site](https://developers.realme.govt.nz/), and complete an integration request for ITE.
+- Publish your site to your test or staging environment with a working configuration (`realme.yml` file) for ITE.
+
+### PROD: Production Environment
+
+- Complete an integration to MTS and ITE.
+- Follow the steps as for the ITE environment above, but creating an integration request for production rather than ITE.
+
+## Syncing Realme with SilverStripe members
+After logging in the module can sync the attributes returned from RealMe (depending on your assertion type) and sync the
+details with the appropriate members.
+
+To setup syncing, you must have the `RealMeMemberExtension` enabled on Member (or subclass) and then tell the module to
+sync with the database via the following configuration in realme.yml. You can also include
+`login_member_after_authentication` which will automatically login a user (as a SilverStripe `Member` object) after
+successful RealMe authentication.
+
+```yml
+Member:
+ extensions:
+ - RealMeMemberExtension
+RealMeService:
+ sync_with_local_member_database: true
+ login_member_after_authentication: true
```
-If any validation errors are found, these will be listed and will need to be fixed. Once you've fixed these,
-just re-run the setup task above. If you need to change YML configuration, just add flush=1 to the third
-parameter (e.g. `framework/sake dev/tasks/RealMeSetupTask forEnv=mts\&flush=1`).
-
-If you've already run the setup task, you can re-run it to update configuration files by using `force=1`.
-
-The above command will generate a screen of XML configuration. This needs to be copied into a new XML file
-and [uploaded to MTS here](https://mts.realme.govt.nz/logon-mts/metadataupdate) in order to verify
-bi-directional communication between the RealMe MTS servers and your local development environment.
-Note that this means the URLs you use to access the website cannot change - if you do change them,
-you will need to re-run the `RealMeSetupTask` and re-upload the resulting XML to RealMe.
-
-By default on your development site, the module will use the connection to MTS, so no other changes
-need to be made. You should now be able to proceed to testing the standard login form, or
-[using the RealMe templates](templates.md).
-
-If there are difficulties connecting to RealMe using the mutual back-channel SSL certificate (via the
-`SOAPClient` call), you can use the following `openssl` command to test connectivity outside of PHP
-to rule out firewall/networking issues (note the paths to the PEM file which may need to change):
-
-```bash
-openssl s_client -tls1 -cert /path/to/certificate/directory/mts_mutual_ssl_sp.pem -connect as.mts.realme.govt.nz:443/sso/ArtifactResolver/metaAlias/logon/logonidp
-```
+Run a `dev/build` and after a valid RealMe login, a new member will be synced based on the RealMe FLT or FIT. If not
+found, a new member will be created.
### UAT and production environments
-The SAML signing and mutual security certificates must be purchased by the agency. More information
-on SSL certificates can be found in the [SSL Certificates](ssl-certs.md) documentation.
+The SAML signing security certificates must be purchased by the agency, or if you are hosting on the Common Web Platform
+then the [CWP Service desk](https://www.cwp.govt.nz/service-desk/new-request/) can do this for you. More information
+on the requirements can be found on the [RealMe developers site](https://developers.realme.govt.nz/how-realme-works/certificate-requirements/).
#### When you're hosting on CWP
-For UAT and production environments, the above environment consts will be defined for you by CWP Operations
-once the certificates have been purchased and installed.
-[Create a Service Desk ticket](https://www.cwp.govt.nz/service-desk/new-request/) to request the start of
-this process.
+For UAT and production environments, the above environment consts will be defined for you by CWP Operations once the
+certificates have been purchased and installed. [Create a Service Desk ticket](https://www.cwp.govt.nz/service-desk/new-request/)
+to request the start of this process.
#### When you're hosting elsewhere
You will need to purchase and install these certificates yourself in appropriate places on your server,
-and then set all environment constants appropriately. More information on SSL certificates can be found
-in the [SSL Certificates](ssl-certs.md) documentation.
+and then set all environment constants appropriately.
\ No newline at end of file
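Review bot: the retained advice `define('SS_TRUSTED_PROXY_IPS', '*');` trusts `X-Forwarded-*` headers from every client, not only from ngrok, so any request can claim to be HTTPS or to originate from any IP; the paragraph should say this is for local development only and suggest listing the loopback or ngrok address instead of `*`. Smaller points in the same hunk: the `[configuration](docs/en/configuration.md)` link sits inside `docs/en/configuration.md` itself, so the relative path resolves to `docs/en/docs/en/configuration.md`; 'For a 'logon' integration' should match the `integration_type: 'login'` value used in the YAML; the removed explanation of `force=1` and `flush=1` has no replacement even though the `ERR_ALREADY_RUN` message still tells users to 'add force=1 as the third arg'; the new 'ModStrength' requirement for 'assert' is stated only in prose, so say whether the setup task checks it; and the file now ends without a trailing newline (`\ No newline at end of file`).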
diff --git a/docs/en/installation.md b/docs/en/installation.md
deleted file mode 100644
index a3917ab..0000000
--- a/docs/en/installation.md
+++ /dev/null
@@ -1,56 +0,0 @@
-# Installation of the RealMe module
-
-The module is best installed via Composer by running the below command:
-
-```bash
-composer require silverstripe/realme dev-master
-```
-
-After composer installation, you need to modify your `.htaccess` file in your web-root, in order to allow access to the
-SimpleSAMLphp web-root - normally this is not allowed as it's within the 'vendor' directory, however SimpleSAMLphp
-requires this.
-
-Normally, you'd have something like the following:
-```
-
- SetEnv HTTP_MOD_REWRITE On
- RewriteEngine On
-
- # Enable HTTP Basic authentication workaround for PHP running in CGI mode
- RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
-
- # Deny access to potentially sensitive files and folders
- RewriteRule ^vendor(/|$) - [F,L,NC]
- RewriteRule silverstripe-cache(/|$) - [F,L,NC]
- RewriteRule composer\.(json|lock) - [F,L,NC]
-
- # Redirect legacy index.php requests
- RewriteCond %{REQUEST_URI} ^(?:(.*)/)?index\.php [NC]
- RewriteRule ^index\.php(?:/(.*))?$ %1/$1 [R=301,L]
-
- # Process through SilverStripe if no file with the requested name exists.
- # Pass through the original path as a query parameter, and retain the existing parameters.
- RewriteCond %{REQUEST_URI} ^(.*)$
- RewriteCond %{REQUEST_FILENAME} !-f
- RewriteRule .* framework/main.php?url=%1 [QSA]
-
-```
-
-Just prior to the 'vendor' lines above, insert the following:
-```
- # Allow access to SimpleSAMLphp directory within vendor/
- RewriteRule ^vendor/madmatt/simplesamlphp/www - [L,NC]
-```
-
-Once installation is completed, configuration is required before this module will work. See the
-[configuration section](configuration.md) for full details.
-
-### SimpleSAML Admin password
-
-You can define a simplesaml admin password in the configuration by adding a simplesaml_hashed_admin_password to the
-realme.yml if this is not set, it is generated each time the setup task is run.
-
-```
-RealMeService:
- simplesaml_hashed_admin_password: my-special-password
-```
\ No newline at end of file
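Review bot: deleting this file removes the Composer command, the `.htaccess` rule that exposes `vendor/madmatt/simplesamlphp/www`, and the `simplesaml_hashed_admin_password` setting, and nothing in the diff says where installation instructions now live; `configuration.md` still links nowhere for installation. If SimpleSAMLphp is no longer bundled, the leftover `ERR_SIMPLE_SAML_CONFIG_DIR_NOT_WRITEABLE` message in `lang/en.yml` should go too; if it is still used, the admin-password guidance needs a new home, and that replacement should say whether the value is expected hashed or plain, since the deleted example assigned the plaintext `my-special-password` to a key named `simplesaml_hashed_admin_password`.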
diff --git a/docs/en/ssl-certs.md b/docs/en/ssl-certs.md
deleted file mode 100644
index c40d58e..0000000
--- a/docs/en/ssl-certs.md
+++ /dev/null
@@ -1,78 +0,0 @@
-# RealMe module for SilverStripe
-
-## SSL Certificates
-
-Information regarding purchasing and using SSL certificates for RealMe will be documented in this file.
-
-Four certificates must be purchased by the agency - two each for ITE and production environments.
-
-**Note: This is not required if using CWP infrastructure. In CWP, you should
-[raise a service desk ticket](https://www.cwp.govt.nz/service-desk/new-request/) to begin this process -
-CWP Operations staff will purchase certificates, install them, and invoice you for this service. These
-instructions are only necessary when using this module on infrastructure other than CWP.
-
-### Requirements when purchasing & installing certificates
-
-RealMe places some restrictions on which certificate authorities can be used, and also the type of
-certificates purchased. Of note, these are:
-
-* SSL Certificates must be purchased from either [RapidSSL](https://www.rapidssl.com/) or
- [VeriSign](https://www.verisign.com/).
-* When purchasing certificates, RealMe requires that three-year expiries are purchased and used.
-* The certificate bit length must be 2048 (this is generally the default).
-* The serial number must be non-negative (the default).
-* The common name on the certificates must be as per RealMe instructions for the different
- environments - see the below table.
-
-### Certificate naming requirements
-
-Exact instructions can be found in the Technical Architecture document within the RealMe Shared Workspace.
-
-In the table below, `highlighted` text indicates sections of the common name that would be changed when
-purchasing certificates.
-
-| **Certificate Description** | **Common Name Example** |
-| ------------------------------------------ | -------------------------------------------- |
-| SAML Signing certificate for ITE | ite.sa.saml.sig.`realme-demo.cwp.govt.nz` |
-| SAML Mutual SSL certificate for ITE | ite.sa.mutual.ssl.`realme-demo.cwp.govt.nz` |
-| SAML Signing certificate for production | prod.sa.saml.sig.`realme-demo.cwp.govt.nz` |
-| SAML Mutual SSL certificate for production | prod.sa.mutual.ssl.`realme-demo.cwp.govt.nz` |
-
-### Manually creating certificate requests
-
-Step One: Generate private key files:
-Note the domain names in these commands should be replaced with your own.
-
-```bash
-openssl genrsa -out ite.sa.saml.sig.realme-demo.cwp.govt.nz.key 2048
-openssl genrsa -out ite.sa.mutual.ssl.realme-demo.cwp.got.nz.key 2048
-```
-
-Step Two: Create certificate signing requests:
-Note the domain names in these commands should be replaced with your own.
-
-```bash
-openssl req -new -key ite.sa.saml.sig.realme-demo.cwp.govt.nz.key -out ite.sa.saml.sig.realme-demo.cwp.govt.nz.csr
-openssl req -new -key ite.sa.mutual.ssl.realme-demo.cwp.govt.nz.key -out ite.sa.mutual.ssl.realme-demo.cwp.govt.nz.csr
-```
-
-When prompted by `openssl`, use the following parameters:
-
-| **Paramater** | **Value** |
-| ------------------------ | -------------------------------------- |
-| Country Name | NZ |
-| State or Province Name | Region of Agency, typically Wellington |
-| Locality Name | City name, typically Wellington |
-| Organisation Name | Legal name of Agency |
-| Organisational Unit Name | Leave blank |
-| Common Name | See above table for examples |
-| Email Address | Leave blank |
-| A challenge password | Leave blank |
-| An optional company name | Leave blank |
-
-### Manually installing certificates
-
-If not running on CWP, then you must manually create the directory that the `REALME_CERT_DIR` environment variable
-points to. As well as loading the certificates that have been purchased into this folder, the appropriate public keys
-from the RealMe Shared Workspace must be added as well. More information on this process is available within the RealMe
-shared workspace.
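Review bot: with this file gone, the 'When you're hosting elsewhere' section in `configuration.md` only says to 'purchase and install these certificates yourself' and links to the RealMe certificate-requirements page; confirm that page covers the CSR details documented here (2048-bit key, non-negative serial, the `ite.sa.saml.sig.<domain>` / `prod.sa.saml.sig.<domain>` common-name pattern), otherwise keep a short version of 'Manually creating certificate requests'. If any of it is restored, fix the `cwp.got.nz` typo in the `genrsa` command.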
diff --git a/docs/en/templates.md b/docs/en/templates.md
index 55f3807..c3bb161 100644
--- a/docs/en/templates.md
+++ b/docs/en/templates.md
@@ -11,6 +11,13 @@ to show a template for RealMe login.
RealMe have some strict rules for how you present the RealMe login functionality, please see
the instructions in the RealMe Shared Workspace for complete details.
+Along with the standard large-form login forms, there is also a 'mini' login form, suitable
+for use in the header and footer of websites. This can be included by adding a method to your
+normal Page_Controller that returns a `new RealMeMiniLoginForm($this, __FUNCTION__);`. This
+form uses `GET` rather than `POST`, so is an extension of the normal login form. This bypasses
+the requirement to go to `Security/login`, so is only useful when it is the only method of
+login to a website.
+
Further documentation on using these templates can be found in the template files themselves:
[RealMeLoginForm.ss](../../templates/Includes/RealMeLoginForm.ss) and
[RealMeLoginForm_secondary.ss](../../templates/Includes/RealMeLoginForm_secondary.ss).
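Review bot: the mini login form 'uses `GET` rather than `POST`' and 'bypasses the requirement to go to `Security/login`', which means the request that starts a RealMe login carries no SilverStripe form token; the paragraph should state that this is acceptable because the form only initiates the redirect to RealMe, or say what protects that endpoint. Also, 'so is an extension of the normal login form' does not follow from the GET/POST difference; state the relationship to `RealMeLoginForm` as its own sentence.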
diff --git a/lang/en.yml b/lang/en.yml
index 59b2fc8..329bc61 100644
--- a/lang/en.yml
+++ b/lang/en.yml
@@ -1,9 +1,9 @@
en:
RealMeAuthenticator:
TITLE: "RealMe Account"
- LOGINFAILURE: "Unfortunately we're not able to authenticate you via RealMe right now."
+ LOGINFAILURE: "Unfortunately we're not able to authenticate you via RealMe right now. Please try again shortly."
RealMeSecurityExtension:
- LOGINFAILURE: "Unfortunately we're not able to authenticate you via RealMe right now."
+ LOGINFAILURE: "Unfortunately we're not able to authenticate you via RealMe right now. Please try again shortly."
AUTHERROR: "Sorry, we couldn't verify your RealMe account. Please try again."
AUTHN_FAILED: "You have chosen to leave RealMe without completing the login process."
TIMEOUT: "Your session has expired due to inactivity."
@@ -12,7 +12,8 @@ en:
NO_AVAILABLE_IDP: "RealMe reported that the TXT service or the RealMe token service is not available. You may try again later. If the problem persists, please contact RealMe Help Desk on 0800 664 774."
GENERAL_ERROR: "RealMe reported a serious application error with the message [{errorMsg}]. Please try again later. If the problem persists, please contact RealMe Help Desk on 0800 664 774."
RealMeLoginForm:
- LOGINBUTTON: "Login or Register with RealMe"
+ LOGINBUTTON: "Login"
+ ASSERTLOGINBUTTON: "Share your details with {orgname}"
RealMeSetupTask:
ERR_NOT_CLI: "This task can only be run from the command-line, not in your browser."
ERR_ALREADY_RUN: "This task has already been run once ({path} already exists). If you want to re-run it, please add force=1 as the third arg"
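Review bot: `LOGINBUTTON` drops 'or Register' from the label, and `templates.md` in this diff says RealMe 'have some strict rules for how you present the RealMe login functionality', so confirm the shortened 'Login' text is still compliant. The new `ASSERTLOGINBUTTON` placeholder `{orgname}` should be documented next to `metadata_organisation_name` in `configuration.md`, which the diff names as the source of the organisation name on the assert form.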
@@ -26,14 +27,11 @@ en:
ERR_LOG_DIR_NOT_WRITEABLE: "Logging dir specified ('{dir}') must be created and able to be written to. Ensure permissions are set correctly and the directory is absolute"
ERR_TEMP_DIR_MISSING: "No temp dir is specified. Define the REALME_TEMP_DIR const in your _ss_environment.php file"
ERR_TEMP_DIR_NOT_WRITEABLE: "Temp dir specified ('{dir}') not writeable, or the parent dir is not writeable. Ensure permissions are set correctly and the directory is absolute"
- ERR_SIMPLE_SAML_CONFIG_DIR_MISSING: "No RealMe configuration dir (for SimpleSAMLphp) is specified. Define the REALME_CONFIG_DIR const in your _ss_environment.php file"
ERR_SIMPLE_SAML_CONFIG_DIR_NOT_WRITEABLE: "RealMe configuration dir specified ('{dir}') must be created and able to be written to. Ensure permissions are set correctly, and the directory is absolute"
- ERR_SIMPLE_SAML_NO_ADMIN_PASS: "A SimpleSAMLphp admin password couldn't be found or generated. Generate one yourself and store it in your YML configuration. See RealMeService::findOrMakeSimpleSAMLPassword() for more details"
- ERR_SIMPLE_SAML_NO_SALT: "A salt for SimpleSAMLphp couldn't be found or generated. Generate one yourself and store it in your YML configuration. See RealMeService::generateSimpleSAMLSalt() for more details"
ERR_CONFIG_NO_ENTITYID: "No entityID specified for environment '{env}'. Specify this in your YML configuration, see the module documentation for more details"
- ERR_CONFIG_ENTITYID: "The '{env}' entityId ('{entityId}') must be https, not be 'localhost', and must contain a valid service name and privacy realm e.g. https://my-realme-integration.govt.nz/p-realm/s-name"
- ERR_CONFIG_ENTITYID_SERVICE_NAME: "The '{env}' service name '{serviceName}' must be under 10 characters and not blank for entityID '{entityId}' "
- ERR_CONFIG_ENTITYID_PRIVACY_REALM: "The '{env}' privacy realm '{privacyRealm}' must not be blank for entityID '{entityId}' "
+ ERR_CONFIG_ENTITYID: "The Entity ID ('{entityId}') must be https, not be 'localhost', and must contain a valid service name and privacy realm e.g. https://my-realme-integration.govt.nz/p-realm/s-name"
+ ERR_CONFIG_ENTITYID_SERVICE_NAME: "The service name '{serviceName}' must be a maximum of 20 characters and not blank for entityID '{entityId}' "
+ ERR_CONFIG_ENTITYID_PRIVACY_REALM: "The privacy realm '{privacyRealm}' must not be blank for entityID '{entityId}' "
ERR_CONFIG_NO_AUTHNCONTEXT: "No AuthnContext specified for environment '{env}'. Specify this in your YML configuration, see the module documentation for more details"
ERR_CONFIG_INVALID_AUTHNCONTEXT: "The AuthnContext specified for environment '{env}' is invalid, please check your configuration"
ERR_CONFIG_ASSERTION_SERVICE_URL: "The assertion consumer service URL is missing or invalid for environment '{env}'. The metadata_assertion_service_domains list needs to be added in your YML configuration for all RealMe environments, it must be a valid URL, and not localhost"
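Review bot: ERR_SIMPLE_SAML_CONFIG_DIR_NOT_WRITEABLE is now the only SimpleSAMLphp-specific string left in this block once ERR_SIMPLE_SAML_CONFIG_DIR_MISSING, ERR_SIMPLE_SAML_NO_ADMIN_PASS and ERR_SIMPLE_SAML_NO_SALT are removed; if the SimpleSAMLphp config dir is no longer consulted, that key should go too, and if it is still consulted, the `_MISSING` counterpart looks like it should stay. The service-name rule also changes from "under 10 characters" to "a maximum of 20 characters" in the new ERR_CONFIG_ENTITYID_SERVICE_NAME line; the message only describes the limit, so confirm the validation that raises it enforces the same 20-character bound, otherwise operators get guidance that contradicts the check. The trailing space before the closing quote in the `'{entityId}' "` lines is carried over from the removed lines and could be trimmed while these strings are being rewritten.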
@@ -43,6 +41,17 @@ en:
ERR_CONFIG_NO_SUPPORT_CONTACT: "Support contact detail is missing from YML configuration. Ensure the following values are defined in YML configuration: metadata_contact_support_company, metadata_contact_support_firstnames, metadata_contact_support_surname"
ERR_CERT_NO_SIGNING_CERT: "No SAML signing PEM certificate defined, or the file can't be read. Define the {const} const in your _ss_environment.php file, and ensure the file exists in the certificate directory"
ERR_CERT_SIGNING_CERT_CONTENT: "The file specified for the signing certificate ({file}) does not contain a valid certificate (beginning with -----BEGIN CERTIFICATE-----). Check this file to ensure it contains the certificate and private key"
- ERR_CERT_NO_MUTUAL_CERT: "No mutual back-channel PEM certificate defined, or the file can't be read. Define the {const} const in your _ss_environment.php file, and ensure the file exists in the certificate directory"
VALIDATION_SUCCESS: "Validation succeeded, continuing with setup..."
- BUILD_FINISH: "RealMe setup complete. Please copy the XML into a file for upload to the %s environment or DIA to complete the integration"
\ No newline at end of file
+ BUILD_FINISH: "RealMe setup complete. Please copy the XML into a file for upload to the %s environment or DIA to complete the integration"
+ RealMeService:
+ ERROR_AUTHNFAILED: "You have chosen to leave RealMe."
+ ERROR_TIMEOUT: "Your RealMe session has timed out – please try again."
+ ERROR_INTERNAL: "RealMe was unable to process your request due to a RealMe internal error. Please try again. If the problem persists, please contact the RealMe Help Desk. From New Zealand dial 0800 664 774 (toll free), from overseas dial +64 9 357 4468 (overseas call charges apply)."
+ ERROR_NOAVAILABLEIDP: "RealMe reported that the TXT service or the token service is not available. You may try again later. If the problem persists, please contact the RealMe Help Desk. From New Zealand dial 0800 664 774 (toll free), from overseas dial +64 9 357 4468 (overseas call charges apply)."
+ ERROR_REQUESTUNSUPPORTED: "RealMe reported a serious application error with the message 'Request Unsupported'. Please try again later. If the problem persists, please contact the RealMe Help Desk. From New Zealand: 0800 664 774 (toll free), from overseas dial +64 9 357 4468 (overseas call charges apply)."
+ ERROR_NOPASSIVE: "RealMe reported a serious application error with the message 'No Passive'. Please try again later. If the problem persists, please contact the RealMe Help Desk. From New Zealand: 0800 664 774 (toll free), from overseas dial +64 9 357 4468 (overseas call charges apply)."
+ ERROR_REQUESTDENIED: "RealMe reported a serious application error with the message 'Request Denied'. Please try again later. If the problem persists, please contact the RealMe Help Desk. From New Zealand: 0800 664 774 (toll free), from overseas dial +64 9 357 4468 (overseas call charges apply)."
+ ERROR_UNSUPPORTEDBINDING: "RealMe reported a serious application error with the message 'Unsupported Binding'. Please try again later. If the problem persists, please contact the RealMe Help Desk. From New Zealand: 0800 664 774 (toll free), from overseas dial +64 9 357 4468 (overseas call charges apply)."
+ ERROR_UNKNOWNPRINCIPAL: "You are unable to use RealMe to verify your identity if you do not have a RealMe account. Visit the RealMe home page for more information and to create an account."
+ ERROR_NOAUTHNCONTEXT: "RealMe reported a serious application error with the message 'No AuthN Context'. Please try again later. If the problem persists, please contact the RealMe Help Desk. From New Zealand: 0800 664 774 (toll free), from overseas dial +64 9 357 4468 (overseas call charges apply)."
+ ERROR_GENERAL: "RealMe reported a serious application error. Please try again later. If the problem persists, please contact the RealMe Help Desk. From New Zealand: 0800 664 774 (toll free), from overseas dial +64 9 357 4468 (overseas call charges apply)."
\ No newline at end of file
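Review bot: the file still ends without a trailing newline (the `\ No newline at end of file` marker is re-emitted after the new ERROR_GENERAL line), which is why BUILD_FINISH shows up here as an unchanged remove/re-add pair; adding the final newline avoids the same churn on the next edit. The help-desk wording is inconsistent across the new RealMeService strings: ERROR_INTERNAL and ERROR_NOAVAILABLEIDP read "From New Zealand dial 0800 664 774", the remaining strings read "From New Zealand: 0800 664 774", and ERROR_TIMEOUT uses an en dash where the others use plain punctuation; pick one form, or factor the repeated help-desk sentence into its own key so the contact details are maintained in one place. Dropping ERR_CERT_NO_MUTUAL_CERT is only safe if the mutual back-channel certificate check no longer references that key; its sibling ERR_CERT_NO_SIGNING_CERT is kept, so this is worth confirming.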
diff --git a/templates/Includes/RealMeAssertForm.ss b/templates/Includes/RealMeAssertForm.ss
new file mode 100644
index 0000000..1df1c87
--- /dev/null
+++ b/templates/Includes/RealMeAssertForm.ss
@@ -0,0 +1,82 @@
+<%--"
+
+# RealMe Primary Login Module
+
+The RealMe primary (webpage body) login box, is available in two sizes, recommended on the right hand side of the page
+near the top.
+
+{@link realme/_config/config.yml}
+{@link realme/code/RealMeLoginForm.php}
+
+
+## Color scheme options
+
+Color options are defined in config.yml, but these are the actual css classnames you can choose from:
+
+1. realme_theme_default
+2. realme_theme_dark
+3. realme_theme_light
+
+
+## Popup window
+
+The popup module is flexible, and can be configured by your developer to fit the available width in your page.
+(popup not supported for IE6 or touch devices).
+
+Select one of the four popup styles below and apply it to the .realme_popup_wrapper element
+
+1. realme_arrow_top_left
+2. realme_arrow_top_right
+3. realme_arrow_side_left
+4. realme_arrow_side_right
+
+You can specify the width of the popup by specifying a width attribute for the .realme_popup element
+or directly in your css, e.g. .realme_popup {width: 450px}
+
+"--%>
+<% if $HasRealMeLastError %>
+ $RealMeLastError
+<% end_if %>
+
+
\ No newline at end of file
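Review bot: the header comment in this new template documents the "RealMe Primary Login Module" (it links RealMeLoginForm.php and describes the login box sizes, colour themes and popup arrows) rather than anything about the assert form, so the documentation is wrong for this file; replace it with a short description of what RealMeAssertForm renders, or drop it rather than carrying a stale copy. The body renders `$RealMeLastError` directly inside the `<% if $HasRealMeLastError %>` guard; make sure the value is declared as plain text in the form's `casting` config so it is escaped on output, since nothing in the template indicates how it is cast. The file also ends with two blank lines and no newline at end of file; trim the blank lines and add the final newline.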
diff --git a/templates/Includes/RealMeLoginForm.ss b/templates/Includes/RealMeLoginForm.ss
index 2d0fb06..a32d622 100644
--- a/templates/Includes/RealMeLoginForm.ss
+++ b/templates/Includes/RealMeLoginForm.ss
@@ -34,10 +34,18 @@ You can specify the width of the popup by specifying a width attribute for the .
or directly in your css, e.g. .realme_popup {width: 450px}
"--%>
+<% if $HasRealMeLastError %>
+ $RealMeLastError
+<% end_if %>
+
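Review bot: this `<% if $HasRealMeLastError %> ... <% end_if %>` block is identical to the one added to RealMeAssertForm.ss in the same patch; move it into a shared include (for example an `Includes/RealMeLastError.ss` pulled in by both templates, hypothetical name) so that any change to how the error is escaped or marked up is made once. The same output check applies here: confirm `$RealMeLastError` is cast to plain text before it is rendered.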