diff --git a/.env.example b/.env.example
index e82b5c5bc..a631d4a1a 100644
--- a/.env.example
+++ b/.env.example
@@ -152,4 +152,5 @@ LDAP_TIME_LIM=600
 IMPORT_TIME_LIMIT=600
 IMPORT_MEMORY_LIMIT=500M
 REPORT_TIME_LIMIT=12000
+REQUIRE_SAML=false
diff --git a/app/Http/Controllers/Auth/LoginController.php b/app/Http/Controllers/Auth/LoginController.php
index 5c6524bf6..a0908a37e 100644
--- a/app/Http/Controllers/Auth/LoginController.php
+++ b/app/Http/Controllers/Auth/LoginController.php
@@ -75,6 +75,13 @@ class LoginController extends Controller
 return redirect()->intended('/');
 }
+ // If the environment is set to ALWAYS require SAML, go straight to the SAML route.
+ // We don't need to check other settings, as this should override those.
+ if (config('app.require_saml')) {
+ return redirect()->route('saml.login');
+ }
+
+
 if ($this->saml->isEnabled() && Setting::getSettings()->saml_forcelogin == "1" && !($request->has('nosaml') || $request->session()->has('error'))) {
 return redirect()->route('saml.login');
 }
@@ -197,6 +204,12 @@ class LoginController extends Controller
 */
 public function login(Request $request)
 {
+
+ //If the environment is set to ALWAYS require SAML, return access denied
+ if (config('app.require_saml')) {
+ return view('errors.403');
+ }
+
 if (Setting::getSettings()->login_common_disabled == "1") {
 return view('errors.403');
 }
diff --git a/config/app.php b/config/app.php
index 555be910c..f08334a6e 100755
--- a/config/app.php
+++ b/config/app.php
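Review bot: The new `config('app.require_saml')` branch redirects to `saml.login` ahead of the existing `$request->session()->has('error')` escape hatch on the line below it, so if the SAML route signals a failure by sending the user back to this form with a session error (its handling is not visible here), the browser is bounced straight back to `saml.login` and can loop until an operator edits the environment. The branch also skips `$this->saml->isEnabled()`, so a deployment with `REQUIRE_SAML=true` and SAML unconfigured is redirected to a route that may have nothing to serve. Consider `if (config('app.require_saml') && $this->saml->isEnabled()) {` plus a log line when the flag is set while SAML is disabled, so the lockout is diagnosable rather than silent. The enclosing method begins before this hunk.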
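Review bot: `return view('errors.403');` in the new `require_saml` branch renders the forbidden page with a 200 status, so clients, proxies and monitoring see a denied form login as a successful response; `return response()->view('errors.403', [], 403);` sends the right code (the `login_common_disabled` branch directly below has the same shape, so the two are best changed together). The branch also returns without logging, yet a form-login attempt against a SAML-only deployment is exactly the event a defender would want recorded. Minor: `//If the environment` lacks the space after `//` that the other comments in this change use. `login()` continues past the end of the hunk.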
@@ -255,7 +255,20 @@ return [
 'enable_csp' => env('ENABLE_CSP', false),
+ /*
+ |--------------------------------------------------------------------------
+ | Require SAML Login
+ |--------------------------------------------------------------------------
+ |
+ | Disable the ability to login via form login, and disables the 'nosaml'
+ | workaround. It requires all logins to process via SAML login.
+ | (This is for high security setups. If your SAML configuration is not
+ | working, this option should be set to false. This option is not needed
+ | to successfully configure SAML authentication.)
+ |
+ */
+ 'require_saml' => env('REQUIRE_SAML', false),
 /*
 |--------------------------------------------------------------------------
diff --git a/resources/lang/en/admin/settings/general.php b/resources/lang/en/admin/settings/general.php
index ef6878cf5..c83f68678 100644
--- a/resources/lang/en/admin/settings/general.php
+++ b/resources/lang/en/admin/settings/general.php
@@ -174,7 +174,7 @@ return [
 'saml_idp_metadata_help' => 'You can specify the IdP metadata using a URL or XML file.',
 'saml_attr_mapping_username' => 'Attribute Mapping - Username',
 'saml_attr_mapping_username_help' => 'NameID will be used if attribute mapping is unspecified or invalid.',
- 'saml_forcelogin_label' => 'SAML Force Login',
+ 'saml_forcelogin_label' => 'SAML Default Login',
 'saml_forcelogin' => 'Make SAML the primary login',
 'saml_forcelogin_help' => 'You can use \'/login?nosaml\' to get to the normal login page.',
 'saml_slo_label' => 'SAML Single Log Out',
diff --git a/resources/views/settings/saml.blade.php b/resources/views/settings/saml.blade.php
index 02f475fdd..1241d1ccc 100644
--- a/resources/views/settings/saml.blade.php
+++ b/resources/views/settings/saml.blade.php
@@ -39,7 +39,7 @@
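Review bot: The new comment block reads `Disable the ability to login via form login, and disables the 'nosaml' workaround`, mixing verb forms, and it omits the operational caveat a reader of this option most needs: the value comes from `env()`, so on installs that cache configuration the change only applies once the config cache is rebuilt, and because the flag overrides every other login path that rebuild is also the only way back in if SAML breaks. Suggest replacing the two descriptive lines with `Disables the form login and the 'nosaml' workaround; every login must go through SAML. Enable only after SAML login is verified, since it becomes the sole way to sign in; if config caching is used, re-cache after changing it.`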