I don't know if what I would like to do is possible. I'm trying to integrate the authentication mechanism of my university into an Android application which uses Laravel as a backend. I've decoded the SAMLResponse and in the XML file I found this
'SPNameQualifier' = 'https://sp-esse3-unimib-prod.cineca.it/shibboleth',
'NameQualifier' = 'https://idp-idm.unimib.it/idp/shibboleth'
which are the SP and IdP URIs, I think. In my Android app I want users to log in without registering, because they can use their university account. In the SAMLResponse I also have the SignatureValue, X509Certificate and other data, but I can't figure out how to configure everything.
Searching on Google, I found these packages: laravel-saml2 and php-saml. Are those packages a good fit for my problem? Can you help me understand how to configure everything?
I'd look at SimpleSAMLphp. Your application will be a "service provider" or SP. You'll need to generate metadata for your application, which you'll need to share with the IdP administrators at your university to enable the integration. The SSP quickstart link provided above gives details on obtaining metadata for your SP, and how to convert the Identity Provider-supplied XML metadata into a format that's readable by the SSP libraries.
Only after the exchange of metadata occurs and your application is trusted can you begin to exchange SAML responses. SSP makes this process easy, as you'll just end up calling a few lines of code any time a resource needs to be protected, i.e.
require_once('../../lib/_autoload.php');            // SimpleSAMLphp autoloader, path relative to this script
$as = new \SimpleSAML\Auth\Simple('default-sp');    // 'default-sp' is the auth source defined in config/authsources.php
$as->requireAuth();                                 // redirects to the IdP unless the user already has a SAML session
$attributes = $as->getAttributes();                 // attributes released by the IdP, keyed by attribute name
That's all that's needed to make sure the SAML flies back and forth... but integrating is a different story. There are surely policies and procedures that your university imposes that you'll need to follow, and you can't just integrate with the University without following their integration procedures, i.e. a proper IdP isn't going to provide a SAML assertion to just any old application that asks for it.
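To make the SP side concrete, here is an added example (it is not from the answer above or from the SimpleSAMLphp project) of the three pieces the answer refers to: the SP auth source, the remote-IdP entry converted from the university's metadata, and a protected page that maps the released attributes onto a local account. It assumes SimpleSAMLphp 1.x; the entity IDs, file names, attribute names, the users table and findOrCreateLocalUser are placeholders, not values taken from the question.

```php
<?php
// Added example; assumes SimpleSAMLphp 1.x. Entity IDs, file names, attribute
// names and the users table are placeholders, not values from the question.

// ---- config/authsources.php: how this SP talks to the IdP ------------------
$config = [
    'default-sp' => [
        'saml:SP',
        'entityID'    => 'https://app.example.org/sp',             // what the IdP admins register
        'idp'         => 'https://idp.example.edu/idp/shibboleth', // entity ID from the IdP's metadata
        'privatekey'  => 'sp.key',   // in cert/, used to sign requests and decrypt assertions
        'certificate' => 'sp.crt',
        'sign.authnrequest' => true,
        // Ask for a stable identifier; transient IDs cannot be mapped to an account
        'NameIDPolicy' => [
            'Format'      => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
            'AllowCreate' => true,
        ],
    ],
];

// ---- metadata/saml20-idp-remote.php: the IdP, converted from its XML metadata ----
$metadata['https://idp.example.edu/idp/shibboleth'] = [
    'SingleSignOnService' => [[
        'Binding'  => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
        'Location' => 'https://idp.example.edu/idp/profile/SAML2/Redirect/SSO',
    ]],
    // Signing certificate of the IdP (base64 DER, no PEM header). This is what makes
    // assertions trustworthy, so it must come from metadata, never from a response.
    'keys' => [[
        'signing' => true, 'encryption' => false, 'type' => 'X509Certificate',
        'X509Certificate' => 'MIIC...PLACEHOLDER...',
    ]],
];

// ---- public/login.php: the page the mobile app opens in a browser ------------
require_once '/var/simplesamlphp/lib/_autoload.php';

function findOrCreateLocalUser(PDO $db, string $principal, ?string $mail): int
{
    // Placeholder schema: users(id, saml_principal UNIQUE, mail). No password
    // column is needed; authentication is delegated to the IdP.
    $stmt = $db->prepare('SELECT id FROM users WHERE saml_principal = :p');
    $stmt->execute([':p' => $principal]);
    $id = $stmt->fetchColumn();
    if ($id !== false) {
        return (int) $id;
    }
    $db->prepare('INSERT INTO users (saml_principal, mail) VALUES (:p, :m)')
       ->execute([':p' => $principal, ':m' => $mail]);
    return (int) $db->lastInsertId();
}

$as = new \SimpleSAML\Auth\Simple('default-sp');
$as->requireAuth();                      // sends the browser to the IdP if needed
$attributes = $as->getAttributes();

// Use the identifier the university says is stable for a person. Which attribute
// that is (eduPersonPrincipalName here) comes from their attribute release policy.
$principal = $attributes['eduPersonPrincipalName'][0] ?? null;
if ($principal === null) {
    http_response_code(403);
    exit('IdP did not release a usable identifier');
}

$db = new PDO('mysql:host=localhost;dbname=app', 'app', getenv('APP_DB_PASSWORD'));
$userId = findOrCreateLocalUser($db, $principal, $attributes['mail'][0] ?? null);

session_start();
session_regenerate_id(true);             // fresh session id after login: no fixation
$_SESSION['user_id'] = $userId;
header('Location: /home');
```

The local account never gets a password; the only link between the SP and the person is the attribute the IdP agrees to release consistently, which is why that choice (and the persistent NameID request) matters more than any other setting here.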
I am learning about SAML and have already read many articles and forums, but I still have confusion about setting up an IdP.
I am using "https://simplesamlphp.org/"
For example, I have 3 websites "example.com", "one.example.com", "two.example.com";
All are on three different servers.
Now, I want to set up single sign-on login using SAML; then on which server do I need to set up the IdP?
As "example.com" is the main domain which has all the information about users.
As I learn, when I log in to "example.com" then it sends a request to the IdP.
But I don't get any idea where I have to set up the IdP and what the IdP contains.
Is it on the same server where "example.com" is hosted, or is it a different server, and what logic do I have to write on that server?
Is it a simple login function, or do I need to set up "simplesaml" for this and put the login logic there?
After setting up the IdP, what do I need to do on the other servers, "one.example.com" and "two.example.com"?
Do I need to install "simplesaml" again on both servers and set up SP and IdP?
In short, which server has the IdP and SP? And on which server do I need to install "simplesaml"?
Thanks in advance
simpleSAMLphp is the IDP.
You don't need to write any code, just setup the config.
You will also have 3 SPs = the three websites.
They can all be on the same server or you can have one server for the IDP and one server each for the websites. It doesn't actually matter.
The simpleSAMLphp web site shows you the changes you need to make to each of the SP in order to communicate with the IDP.
Identity provider is the one who supplies info about users. You'd create one, let's call it idp.example.com.
You'd install simpleSAML there and configure it so it can read info about your users, be it in MySQL, LDAP etc. (this is the tricky part with IdP setup).
Now, your websites would be service providers and if user isn't authenticated, they'd redirect the user to idp.example.com, user logs in, idp.example.com returns the user to service provider with the XML document containing assertions.
That means your SP needs to be able to consume the SAMLResponse which IdP sends to your site.
You can consume this with simpleSAML, which you'd configure in SP mode now.
Bear in mind that SSP (simplesamlphp) isn't the only option in PHP to deal with SAML. There's also Lightsaml - a proper library. SimpleSAML isn't just a library, it's a complete solution and quite honestly - a super SUPER terrible one at that, it's the epitome of crap code one can type out and make a system that actually works (much like wordpress).
TL;DR:
create an IdP -> idp.example.com -> configure or create the module that authenticates users against your user source (LDAP, ActiveDirectory, relational database etc.)
configure your 3 websites to authenticate using idp.example.com
configure your 3 websites to be able to consume responses from idp.example.com
It's all doable with simplesamlphp. If you want to take it further and implement or play with SAML on your own - you can use the library I linked. It'll take way, way, way longer to do it via Lightsaml library though since you have to take care of single logout and single sign-on, encryption, digital signatures, endpoints, metadata etc.
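The IdP half of the TL;DR above, as an added example (not from the answer or from the SimpleSAMLphp project): the configuration fragments that turn a SimpleSAMLphp install on idp.example.com into an IdP that authenticates against a SQL user table and trusts the three websites as SPs. It assumes SimpleSAMLphp 1.x with the sqlauth module enabled; host names, key file names, the users table, its columns and the attribute names are placeholders.

```php
<?php
// Added example, not from the answer or the SimpleSAMLphp project. Assumes
// SimpleSAMLphp 1.x on idp.example.com with the sqlauth module enabled; host
// names, key file names, the users table and attribute names are placeholders.

// ---- config/config.php: add to the existing $config array ----------------------
$config['enable.saml20-idp'] = true;            // switch on the SAML 2.0 IdP role

// ---- config/authsources.php: the "auth module" that checks users against a DB ---
$config = [
    'sql-users' => [
        'sqlauth:SQL',
        'dsn'      => 'mysql:host=db.internal;dbname=accounts',
        'username' => 'ssp_ro',                        // read-only DB account
        'password' => getenv('SSP_DB_PASSWORD'),       // never hard-code it in the file
        // The module binds :username and :password; every column the query returns
        // becomes a SAML attribute. The password column holds a per-user salted
        // SHA-256 (the pattern from the module's documentation). Because the hash
        // is computed in SQL the database sees the cleartext password, so the DB
        // connection must be TLS-protected and the DB host treated as sensitive.
        'query' => 'SELECT uid, mail, displayName FROM users WHERE uid = :username '
                 . 'AND password = SHA2(CONCAT((SELECT salt FROM users WHERE uid = :username), :password), 256)',
    ],
];

// ---- metadata/saml20-idp-hosted.php: this IdP's own identity ------------------
$metadata['__DYNAMIC:1__'] = [
    'host'        => '__DEFAULT__',
    'privatekey'  => 'idp.example.com.key',          // in cert/
    'certificate' => 'idp.example.com.crt',
    'auth'        => 'sql-users',
    'saml20.sign.response'  => true,                 // SPs verify these signatures
    'saml20.sign.assertion' => true,
    'authproc' => [
        // Send a persistent NameID derived from uid so each SP can key its users on it
        10 => [
            'class'     => 'saml:AttributeNameID',
            'attribute' => 'uid',
            'Format'    => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
        ],
    ],
];

// ---- metadata/saml20-sp-remote.php: the three websites this IdP trusts ---------
// Each site runs its own SP ("default-sp") and publishes metadata at this URL
// pattern; certData is that SP's signing certificate (base64 DER, placeholder).
foreach (['example.com', 'one.example.com', 'two.example.com'] as $host) {
    $entityId = "https://$host/simplesaml/module.php/saml/sp/metadata.php/default-sp";
    $metadata[$entityId] = [
        'AssertionConsumerService' => "https://$host/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp",
        'SingleLogoutService'      => "https://$host/simplesaml/module.php/saml/sp/saml2-logout.php/default-sp",
        'certData'                 => "MIIC...PLACEHOLDER-$host...",
        'validate.authnrequest'    => true,          // accept only signed requests from this SP
        // Release only the attributes each site actually needs
        'authproc' => [50 => ['class' => 'core:AttributeLimit', 'uid', 'mail', 'displayName']],
    ];
}
```

Each website then needs the mirror image: an SP auth source pointing at idp.example.com and the IdP's own metadata in its saml20-idp-remote.php, exactly the exchange the answer describes.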
I am a newbie in SSO implementation. We are looking at implementing SSO for a client that uses a PHP application (supported by us), for their employees to log in to the application. We are in the process of setting up SimpleSAML for this. I have been reading articles on SSO, many of which are helpful. Pardon me for asking this, I know it is dumb. In this scenario, who is the IDP and who will be the service provider? The client apparently uses SSO for other applications as well. Can someone throw some light on what all I need to set up from our end? I will research how to do each of them. Could someone please help by mentioning the things that need to be implemented?
who is the IDP and who will be the service provider.
IDP (Identity Provider) is the one who creates, stores, maintains and authenticates the identity of the user, or principal in SAML terms. So in your case it is the client's application.
SP (Service Provider) is the one who provides the service or resource to a user (authenticated by IDP) so in your case it is your application.
could someone please help by mentioning the things that need to be implemented.
As you can see in the above diagram, when a user tries to access a resource on your site you will have to redirect them to the IDP to confirm whether this user is authenticated and whether you should return the resource/response they are looking for. The SSO URL and other details are exchanged between IDP and SP through metadata.
Once the IDP has authenticated the user it will POST a response to your application URL. This response contains an assertion through which you will know the user's details and whether the user is authenticated or not. You will have to parse this response (XML). Also, these assertions are generally signed with a certificate and are base64-encoded.
You will also have to think about SLO, so when a user clicks on logout on your site you might have to clear their session from your application and redirect them to the IDP so they get logged out from there as well.
As suggested by smartin you can use some library which will make it easier to implement SAML. I am also learning about SAML as we are working on converting our current application into IDP :)
I found this SAML official documentation and some of the diagrams very helpful. http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0-cd-02.html
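The answer above says the SP has to base64-decode the POSTed response, parse the XML and check the signature. Here is an added example of what that consumption step has to verify before trusting anything in the message; it is not from the answer and not from any of the libraries mentioned on the page. It assumes the composer package robrichards/xmlseclibs for the XML-DSig check and PHP 7.4+; the certificate path, SP entity ID and ACS URL are placeholders that would come from your own configuration and from the IdP's metadata.

```php
<?php
// Added example (not from the answer). Validates a SAML 2.0 Response that an IdP
// POSTed to this SP's assertion consumer service (ACS). Assumes the composer
// package robrichards/xmlseclibs and PHP 7.4+; the certificate path, entity ID
// and ACS URL used at the bottom are placeholders.
require 'vendor/autoload.php';

use RobRichards\XMLSecLibs\XMLSecurityDSig;

const NS_SAMLP = 'urn:oasis:names:tc:SAML:2.0:protocol';
const NS_SAML  = 'urn:oasis:names:tc:SAML:2.0:assertion';
const NS_DS    = 'http://www.w3.org/2000/09/xmldsig#';
const STATUS_SUCCESS = 'urn:oasis:names:tc:SAML:2.0:status:Success';

function check(bool $ok, string $why): void
{
    if (!$ok) {
        throw new RuntimeException($why);
    }
}

/** Returns ['nameId' => string, 'attributes' => array] or throws RuntimeException. */
function validateSamlResponse(string $b64, string $idpCertPem, string $spEntityId, string $acsUrl): array
{
    $xml = base64_decode($b64, true);
    check($xml !== false, 'SAMLResponse is not base64');

    // Parse defensively: no network fetches and no DOCTYPE (external entities / XXE)
    $doc = new DOMDocument();
    check(@$doc->loadXML($xml, LIBXML_NONET) && $doc->doctype === null, 'Malformed or disallowed XML');
    $xp = new DOMXPath($doc);
    $xp->registerNamespace('samlp', NS_SAMLP);
    $xp->registerNamespace('saml', NS_SAML);
    $xp->registerNamespace('ds', NS_DS);

    // 1. Signature, verified with the IdP certificate from metadata. The KeyInfo
    //    embedded in the message is ignored: anyone can embed their own certificate.
    $dsig = new XMLSecurityDSig();
    $dsig->idKeys = ['ID'];                         // SAML uses "ID"; xmlseclibs defaults to "Id"
    $sig = $dsig->locateSignature($doc);
    check($sig !== null, 'Response is not signed');
    $dsig->canonicalizeSignedInfo();
    check($dsig->validateReference(), 'Digest mismatch');
    $key = $dsig->locateKey();                      // algorithm is read from SignedInfo
    check($key !== null, 'Unsupported signature algorithm');
    $key->loadKey($idpCertPem, false, true);
    check($dsig->verify($key) === 1, 'Signature verification failed');
    // The signed element must be the Response or the Assertion, and the Reference
    // must point at exactly that element (guards against signature wrapping).
    $signed = $sig->parentNode;
    $refUri = $xp->evaluate('string(ds:SignedInfo/ds:Reference/@URI)', $sig);
    check(in_array($signed->localName, ['Response', 'Assertion'], true)
        && $refUri === '#' . $signed->getAttribute('ID'), 'Signature does not cover the SAML element');

    // 2. Protocol-level checks: status, destination, exactly one plaintext assertion
    $status = $xp->evaluate('string(/samlp:Response/samlp:Status/samlp:StatusCode/@Value)');
    check($status === STATUS_SUCCESS, 'IdP reported failure');
    $dest = $doc->documentElement->getAttribute('Destination');
    check($dest === '' || $dest === $acsUrl, 'Response was meant for another endpoint');
    $assertions = $xp->query('/samlp:Response/saml:Assertion');
    check($assertions->length === 1, 'Expected exactly one plaintext Assertion');
    $a = $assertions->item(0);
    check($signed->localName === 'Response' || $signed->isSameNode($a), 'Signed assertion is not the one consumed');

    // 3. Conditions: validity window (60 s clock skew allowed) and audience
    $now = time();
    $nb  = $xp->evaluate('string(saml:Conditions/@NotBefore)', $a);
    $noa = $xp->evaluate('string(saml:Conditions/@NotOnOrAfter)', $a);
    check(($nb === '' || strtotime($nb) <= $now + 60) && $noa !== '' && strtotime($noa) > $now - 60,
        'Assertion outside its validity window');
    $audiences = [];
    foreach ($xp->query('saml:Conditions/saml:AudienceRestriction/saml:Audience', $a) as $n) {
        $audiences[] = $n->textContent;
    }
    check(in_array($spEntityId, $audiences, true), 'Assertion is not addressed to this SP');

    // 4. Extract identity. For replay protection also store the assertion ID until
    //    NotOnOrAfter and reject repeats, and match InResponseTo to your request ID.
    $attrs = [];
    foreach ($xp->query('saml:AttributeStatement/saml:Attribute', $a) as $attr) {
        foreach ($xp->query('saml:AttributeValue', $attr) as $v) {
            $attrs[$attr->getAttribute('Name')][] = $v->textContent;
        }
    }
    return ['nameId' => $xp->evaluate('string(saml:Subject/saml:NameID)', $a), 'attributes' => $attrs];
}

// ACS endpoint: fail closed, and log the reason server-side only
try {
    $user = validateSamlResponse($_POST['SAMLResponse'] ?? '',
        file_get_contents('/etc/app/idp-signing.pem'),      // placeholder: cert taken from IdP metadata
        'https://app.example.org/sp', 'https://app.example.org/acs');
    session_start();
    session_regenerate_id(true);
    $_SESSION['saml_user'] = $user;
} catch (RuntimeException $e) {
    error_log('SAML login rejected: ' . $e->getMessage());
    http_response_code(403);
    exit('Login failed');
}
```

Encrypted assertions (EncryptedAssertion) are deliberately rejected here rather than decrypted; a library such as the ones listed on this page handles that case, and the order of checks (signature before any other field is read) is the part worth keeping whichever library you end up with.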
Your app is the SP, and the customer will provide to you the IdP metadata to register on your SP.
In order to add SAML support to a PHP application, you have 2 alternatives:
simpleSAMLphp
php-saml
LightSAML
All of them are well documented, you will need to spend some time reading/learning.
I'm trying to find a way to log my users in from my portal to another service. I'm not very knowledgeable on how SAML SSO works, but from what I gather the Portal is the IdP (i.e., us) and I should create a response with certain user-dependent attributes to send to the SP.
I'm using Symfony2 and I read about SimpleSAMLphp, but I had trouble installing it. The important part is, how should I construct my response? I don't think I should reauthenticate the user since he is already authenticated and using the portal.
Thank you and if you found anything illogical please let me know.
I'm working on a project where I'm developing a platform. As a solo developer I made the decision to use Lumen as a PHP back-end and create a RESTful API.
Web shops should be able to install a plugin so they can access the API without having to code themselves.
I need to keep track of the web shops that use the API. I just need the same way to retrieve access tokens like Twitter and Facebook do when you register an app.
So I was thinking about OAuth2 Server but I have never used it before so I'm not sure if I'm on the right path...
If you want your own OAuth2 system then yes you will need a server running it.
The idea of OAuth2 is to authenticate your clients where a shop equals one client.
OAuth2 is not about individual users but clients. With that idea in mind you can setup an OAuth2 server and its only job would be to authenticate each request, make sure it belongs to a recognized client and then issue a token.
With that token you can then go on and issue more requests to actually interact with the system you are building. This is a very high level view of the entire system, of course.
There can be multiple variations on this, how tokens are issued, what type they are etc. I prefer JWT (JSON Web Tokens) as it's JSON and thus lightweight.
A quick search revealed this: http://bshaffer.github.io/oauth2-server-php-docs/overview/jwt-access-tokens/
I do have my own article on building your own OAuth2 system, however it is based on dot net not PHP. You are welcome to use it though maybe it will help clarify the concept.
Here's the link : https://eidand.com/2015/03/28/authorization-system-with-owin-web-api-json-web-tokens/
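The flow the answer sketches (one client per shop, authenticate the client, issue a token, present the token on later requests) as an added PHP example; it is not from the answer, from the linked article or from bshaffer/oauth2-server-php. It assumes the composer package firebase/php-jwt (v6 API with the Key class); the client registry, secret, signing key and scope names are constructed placeholders.

```php
<?php
// Added example, not from the answer. A minimal client-credentials flow: each web
// shop is a registered client that exchanges its id/secret for a short-lived JWT.
// Assumes composer package firebase/php-jwt (v6); clients, secret and key are
// constructed placeholders.
require 'vendor/autoload.php';

use Firebase\JWT\JWT;
use Firebase\JWT\Key;

const ISSUER    = 'https://api.example.org';
const TOKEN_TTL = 900;   // seconds; a short lifetime bounds the damage of a leaked token

// Signing key: load from the environment / secret store, never commit it.
$signingKey = getenv('API_JWT_HS256_KEY') ?: 'dev-only-placeholder-key-change-me';

// Registered clients. Secrets are stored hashed, exactly like user passwords; the
// cleartext is shown to the shop once, at registration time.
$clients = [
    'shop_7f3a' => [
        'secret_hash' => password_hash('shop-secret-constructed', PASSWORD_DEFAULT),
        'scope'       => 'orders:read products:read',
    ],
];

/** Token endpoint logic (grant_type=client_credentials). Returns a JWT or null. */
function issueToken(array $clients, string $key, string $clientId, string $clientSecret): ?string
{
    $client = $clients[$clientId] ?? null;
    // Verify against a dummy hash for unknown ids too, so response time does not
    // reveal which client ids exist.
    $hash = $client['secret_hash'] ?? password_hash('dummy', PASSWORD_DEFAULT);
    if (!password_verify($clientSecret, $hash) || $client === null) {
        return null;
    }
    $now = time();
    $payload = [
        'iss'   => ISSUER,
        'aud'   => ISSUER,
        'sub'   => $clientId,              // the shop, not a person: OAuth2 clients
        'iat'   => $now,
        'nbf'   => $now,
        'exp'   => $now + TOKEN_TTL,
        'jti'   => bin2hex(random_bytes(16)),   // unique id, usable for a revocation list
        'scope' => $client['scope'],
    ];
    return JWT::encode($payload, $key, 'HS256');
}

/** Resource-endpoint check. Returns the claims or null if the request is not authorised. */
function authenticateRequest(string $key, string $authorizationHeader, string $requiredScope): ?array
{
    if (!preg_match('/^Bearer\s+(\S+)$/', $authorizationHeader, $m)) {
        return null;
    }
    try {
        // Key pins the algorithm, so "alg: none" or HS/RS confusion tokens are rejected;
        // decode() also enforces exp/nbf and the signature.
        $claims = (array) JWT::decode($m[1], new Key($key, 'HS256'));
    } catch (Exception $e) {
        return null;   // expired, tampered or malformed
    }
    if (($claims['aud'] ?? '') !== ISSUER || ($claims['iss'] ?? '') !== ISSUER) {
        return null;
    }
    if (!in_array($requiredScope, explode(' ', $claims['scope'] ?? ''), true)) {
        return null;   // valid token, but not for this operation
    }
    return $claims;
}

// Usage, as the two endpoints would call it (the header normally comes from
// $_SERVER['HTTP_AUTHORIZATION']):
$token  = issueToken($clients, $signingKey, 'shop_7f3a', 'shop-secret-constructed');
$claims = authenticateRequest($signingKey, 'Bearer ' . $token, 'orders:read');
$denied = authenticateRequest($signingKey, 'Bearer ' . $token, 'orders:write');   // null: scope missing
```

The token carries no user identity at all, which is the point the answer makes: it identifies the shop (client) and what that shop may do, and the API decides per request from the scope claim rather than from anything the caller sends alongside the token.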
My website is used by multiple companies. These companies want to implement SSO. So they log into their company portal and click a link to my website. They go to my website's home page without logging in. My website is in php. The different companies can have their website in any language. We want this to be as general as possible so all companies can use it. It also needs to be secure for obvious reasons and also because we are a health company with phi.
I've read through a lot on simpleSAMLphp, but I'm just not sure if I'm right about how to implement this.
Do I just set up my website as an SP with simpleSAML and say to the other companies "this is what I use, make yourself an IdP and send me the correct data"? Is there another way to go about this?
Well, if you wanna provide a good service, I guess you would have to support multiple SSO protocols and let the clients choose. Besides SAML, there are OAuth, OpenID Connect and JWT, which I would mention as relatively simple and well adopted. I find JWT especially simple and easy to use.
Regarding SAML PHP implementation, I have tried with simpleSAML but it turned out to be too complicated to integrate it into an existing app. I prefer the lightSAML library, which is actually v2 of aerialship/lightsaml, especially because my app was in Symfony and lightsaml had a security bundle.
Yes - pretty much.
You send the companies your SP metadata and they import it and then they send you their IDP metadata and you import it.
The trick is the "primary key" i.e. how does the user in another system match a user in yours. NameID is usually used for this and it can have a number of formats.
Again, this is all in the metadata.
Another very useful part of being the Service Provider (SP) in a SAML integration is to have an IdP Discovery Service. Since each one of your partners will exchange metadata with your organization, each is essentially a point-to-point SAML connection. The IdP Discovery Service uses something in the request to identify the partner and invoke a SAML SP-initiated SSO transaction. One of the common strategies is to use URL naming such as yourpartner.company.com. Then the IdP Discovery Service detects the subdomain "yourpartner" in the URL and invokes the proper SP transaction. There are other strategies, but I find this one works best for most organizations.
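The subdomain-based discovery strategy described above, written out as an added example (not from the answer or from the SimpleSAMLphp project). It assumes SimpleSAMLphp's saml:SP auth source, whose login() accepts a 'saml:idp' option naming the IdP to use, and PHP 8 for str_ends_with; the partner names, entity IDs and base domain are placeholders. The important part is that the Host header is only ever used as a lookup key into an allowlist of IdPs whose metadata has already been imported, never as a value that reaches SAML or a redirect directly.

```php
<?php
// Added example, not from the answer or SimpleSAMLphp. Picks the partner IdP from
// the request host name and starts SP-initiated SSO against it. Assumes the
// saml:SP auth source ('saml:idp' login option) and PHP 8; partner names,
// entity IDs and the base domain are placeholders.
require_once '/var/simplesamlphp/lib/_autoload.php';

// Allowlist: subdomain -> IdP entity ID exactly as it appears in saml20-idp-remote.php.
// Only IdPs whose metadata you have imported can be listed here.
const PARTNER_IDPS = [
    'acme'   => 'https://sso.acme.example/idp',
    'globex' => 'https://login.globex.example/saml/idp',
];
const BASE_DOMAIN = 'company.com';

/**
 * Returns ['partner' => 'acme', 'idp' => entityID] for a host such as
 * acme.company.com, or null for anything that is not exactly one known label
 * under BASE_DOMAIN. Nothing from the header is trusted beyond this lookup.
 */
function discoverIdp(string $hostHeader): ?array
{
    $host = strtolower(preg_replace('/:\d+$/', '', $hostHeader));   // drop a port suffix
    $suffix = '.' . BASE_DOMAIN;
    if (!str_ends_with($host, $suffix)) {
        return null;
    }
    $sub = substr($host, 0, -strlen($suffix));
    if (!preg_match('/^[a-z0-9-]{1,63}$/', $sub)) {
        return null;   // rejects dots, empty labels and other oddities
    }
    if (!isset(PARTNER_IDPS[$sub])) {
        return null;   // unknown partner: no IdP, never a guess or a default
    }
    return ['partner' => $sub, 'idp' => PARTNER_IDPS[$sub]];
}

$found = discoverIdp($_SERVER['HTTP_HOST'] ?? '');
if ($found === null) {
    http_response_code(404);
    exit('Unknown partner');
}

$as = new \SimpleSAML\Auth\Simple('default-sp');
if (!$as->isAuthenticated()) {
    $as->login([
        'saml:idp' => $found['idp'],
        // ReturnTo is rebuilt from the validated partner label, not copied from the
        // request, so it cannot be turned into an open redirect.
        'ReturnTo' => 'https://' . $found['partner'] . '.' . BASE_DOMAIN . '/home',
    ]);
}
$attributes = $as->getAttributes();   // released by the partner's IdP
```

Because every partner is a separate point-to-point connection, adding a partner is one metadata import plus one line in the allowlist, and removing one is the reverse; the web server still has to route all partner subdomains to this script.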