I want to set up a Portal for consumers.
This portal has to have multiple buttons to go to other locations, for example Google and Wordpress.
This is by means of SSO; I found out that SAML is best practice for this.
I'm only wondering and trying to find out if my application has to be an IdP (Identity Provider) or an SP (Service Provider).
This application will be made in PHP per request of the client.
Edit
I've looked into SimpleSAML, because the answers I got are good but not conclusive. In essence I want this http://documentation.pingidentity.com/display/PF610/IdP-Initiated+SSO--POST with a client portal, and I want to go from the client portal to Google Analytics, Magento, Wordpress and some other local websites.
The IDP authenticates the users; the SPs then trust the IDP to have authenticated the users correctly.
If your users will authenticate on your site, you will be the IDP. If on the other hand the users log in to Google, and you then trust Google for authentication, you will be the SP.
IDP stands for Identity Provider, which has the users' information and stores the user databases.
SP stands for Service Provider, which allows the users to use its service after they are authenticated by their IDP.
A simple flow is:
1) The user wants to access the SP website.
2) SP redirects the user to IDP to log in on IDP.
3) Once the user is successfully logged in there, IDP redirects the user to SP with a success response.
4) If SP gets a success response from IDP, it allows the user access to it.
Now if you got the flow, you can easily derive that Google cannot be used as SP, as it already contains a user database and doesn't provide user provisioning (creation of users at run time).
So with Google, you will be SP and Google will be IDP.
Wordpress provides user provisioning and can be used both as SP and IDP.
So with Wordpress:
If you want your users to log in to Wordpress, you will be IDP and Wordpress will be SP. You can try this plugin to achieve it.
If you want Wordpress users to log in to your site, you will be SP and Wordpress will be IDP. You can try this plugin to achieve it.
You are the IDP and Google/Wordpress are SPs
I'm having difficulty finding guidance on the implementation of SAML alongside an existing, traditional authentication system.
I have created a SaaS application in CodeIgniter which has the typical, run-of-the-mill authentication system using a local users table with hashing and salting etc.
I'm looking to add SAML SSO to attract more enterprise customers. I have a question, however, where my Google Fu is falling short.
How can I integrate SAML authentication so that it works alongside my traditional, local authentication? If my customers choose SAML then I will require them to bind their existing local accounts to their SAML federated identities. What do I do to cater for my non-SAML users?
Do I need two login URLs, such as https://app.com/saml/login for my SAML users and https://app.com/login for my non-SAML users, and just expect customers to choose the right one? Or perhaps I ask for their email/username first, and then require them to submit that value to see if they're SAML or not, and route them accordingly?
You need to install an Identity provider (IDP) that supports SAML.
You use the IDP Initiated SAML profile.
Your app is connected to the IDP via a SAML stack.
Other enterprises can then federate with your IDP, i.e. log in to your web site with their credentials via SAML.
The IDP Initiated SAML profile provides a URL that you give to customers that takes them to your IDP with their customer credentials and thence to your app.
Users going direct to your website use the local connection.
That said, rather use OpenID Connect - it's much simpler but the principles are the same.
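The "ask for their email/username first" option from the question, as an added example that is not code from the question or the answer: a login attempt is routed to SAML or to the local password form by e-mail domain, and an existing local account is bound to a SAML identity only when the asserting IdP is the one configured for that domain. The tenant table, its domains and entity IDs are constructed sample values.

```php
<?php
// Added example, not code from the question or the answer above: the "ask for
// their email/username first" option from the question, routing a login attempt
// to SAML or to the local password form by e-mail domain, plus the rule for
// binding an existing local account to a SAML identity. The tenant table, its
// domains and entity IDs are constructed sample values.

declare(strict_types=1);

/** Constructed sample: customer domains that use SAML, mapped to their IdP entity ID. */
const SAML_TENANTS = [
    'acme.example'   => 'https://idp.acme.example/saml/metadata',
    'globex.example' => 'https://sso.globex.example/saml',
];

/** Domain part of a syntactically valid address, lower-cased; null if invalid. */
function emailDomain(string $email): ?string
{
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    return strtolower(substr($email, strrpos($email, '@') + 1));
}

/**
 * Decide where a login attempt goes before any password is collected:
 * ['saml', <IdP entity ID>] for a SAML tenant, ['local', null] otherwise, so
 * non-SAML users keep the existing /login flow and SAML users never see it.
 */
function chooseLoginRoute(string $email, array $tenants = SAML_TENANTS): array
{
    $domain = emailDomain($email);
    if ($domain !== null && isset($tenants[$domain])) {
        return ['saml', $tenants[$domain]];
    }
    return ['local', null];
}

/**
 * Binding rule: accept a SAML identity for a local account only when the
 * asserting IdP is the one configured for that account's domain. Matching on
 * e-mail alone would let any IdP's assertion claim any local account.
 */
function canBindSamlIdentity(string $localEmail, string $assertingIdp, array $tenants = SAML_TENANTS): bool
{
    [$route, $expectedIdp] = chooseLoginRoute($localEmail, $tenants);
    return $route === 'saml' && hash_equals($expectedIdp, $assertingIdp);
}

// Usage: the first form posts only the e-mail; the app redirects accordingly.
[$route, $idp] = chooseLoginRoute('alice@acme.example');
echo $route === 'saml' ? '/saml/login?idp=' . rawurlencode($idp) : '/login', PHP_EOL;
// bob's domain is configured for a different IdP, so this bind attempt is refused.
var_dump(canBindSamlIdentity('bob@globex.example', 'https://idp.acme.example/saml/metadata'));
```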
We have a website created in PHP and MySQL where users can register and log in. Recently my client gave me some 3rd party service/website which also requires users to log in to access their services. Now my client wants that if a user is already logged in to our site and we redirect the user to the other/3rd party site, it should not ask for the password or login again. When I talked to the 3rd party site to provide a solution for this, they asked me to implement/use the SAML 2.0 SSO option to achieve this feature. Though I have heard about auth0 and SAML, I have no idea where I should start.
Do I have to add something on our website? Like auth0 service?
Do I have to ask something from them to implement this? What changes do I need to make ?
What will be the steps involved in this? When we redirect the user to the 3rd party site, will it be auto logged-in or something?
Some confusion here.
Auth0 is an Identity as a Service product, not part of SAML. You've tagged OAuth but that has nothing to do with SAML either. It's a completely different protocol.
What you need is a SAML client-side stack. As you are using PHP, use simpleSAMLphp.
As you are the client, you need to implement the SP mode.
If you were intending to use Auth0, use this sample.
Then use Auth0 to do the SAML connection to the SAML IDP.
So the path is:
PHP application --> Auth0 --> SAML protocol --> SAML IDP
Just to be clear, use either simpleSAMLphp or Auth0.
It seems that your customer wants you to be an "Identity Provider", so that when the users are logged in to your website, they will auto-log in to the other 3rd party customer's website.
Technical solution: MiniOrange
I recently did this, connecting my PHP/MySQL app to external customers' intranets with the "MiniOrange" SAML solution.
More information here: https://www.miniorange.com/ and https://idp.miniorange.com/
Support: I had many free hours of Skype support; they are very good and helped me until it worked!
Installation/pricing: I paid for an onsite licence (they installed it on my server at zero cost), but you can use the Cloud version (starting from 10$/month), and they have Wordpress and other CMS plugins...
Answers to your questions:
1) Do I have to add something on our website? Like auth0 service?
Yes, your website must be an identity provider...
2) Do I have to ask something from them to implement this? What changes do I need to make?
Yes, they have to install and configure a "Service Provider" connector that will automatically connect to the Identity Provider (your website) with JSON Web Tokens (JWT) for example, and check if the user is already connected to your website (if yes, your website returns a token and the user auto-logs in to the 3rd party website; if not, he's redirected to the SAML login form for instance)... all of this process will be invisible to the user.
3) What will be the steps involved in this? When we redirect the user to the 3rd party site, will it be auto logged-in or something?
The process will be like this:
1) The user goes to the 3rd party site.
2) The "service provider" connector installed in this 3rd party site checks if the user is connected to this 3rd party site.
3) If yes, nothing to do; the user is already connected.
4) If not connected, then the user is redirected to your website's login form.
5) The user types his login/password, then is redirected to the 3rd party website.
6) The 3rd party website (in which the user isn't yet logged in) asks its "service provider" module to call the "Identity Provider" (i.e. your website) with JWT JSON Web Tokens for example (the communication between the IDP Identity Provider and the SP Service Provider is invisible to the user in the browser, but if you install the "SAML DevTools extension" Chrome extension, you'll see the tokens exchanged between the Identity Provider and the Service Provider).
7) As you are connected to your website (being the "identity provider"), the Identity Provider returns a SAML Response token that allows the user to automatically connect to the 3rd party website... And that's done, the user is auto-logged in!
So my scenario goes like this:
I have two sites, a.com and b.com, and one authentication server, cauth.com.
What the client wants is...
When a user lands on a.com or b.com, the user fills in the login form on the respective site, but the action of the form will be on cauth.com (cauth.com/authenticate). When the user is authenticated on cauth, he is logged in on both sites.
I am thinking of implementing SAML to achieve the same, and the flow is like this:
after authentication, the IdP (cauth.com) will send the SAML response to both service providers and the user will be given access to both sites.
I am a novice in SAML and unable to find proper documentation and understanding of the same.
What I want to know is:
Is my solution to the problem worth implementing?
Is it possible to make a site (cauth.com) an identity provider? I have looked at the thread Making your PHP website into SAML Identity Provider but was not able to get a proper solution.
SimpleSAMLphp should be pretty easy to set up. You'll want to make a copy of the folder modules/exampleauth/ and then alter the file modules/<yournewmodule>/lib/Auth/Source/External.php to work for your site. The documentation is good, though, and it's definitely the easiest thing for your need, and the right one.
I should add that following the instructions to set up SimpleSAMLphp should give you a basic understanding of which metadata files are most important, where they live and how things interact.
I am not sure which technology you are using for your application. If you are free to switch to Java then I can suggest Spring SAML, because it's very easy to implement and fulfills your requirement. Spring SAML has good documentation and online support as well, being an open-source project.
You can refer to this link for Spring SAML, and for the code repo use this link.
You can integrate Spring SAML in your abc.com and xyz.com applications to make them Service Providers (SP), and you can deploy them on different domains as well. Then you need to have one IDP (identity provider server) for your SPs. So you can use either ADFS with Active Directory or LDAP to act as IDP.
We had a similar requirement for our customer. I recently integrated Spring SAML in my project.
Please let me know if you need any help.
A federated Single Sign On (SSO) mechanism like SAML or OpenID Connect will give you what you want.
This comes with the important distinction that the login form would not be presented on a.com or b.com; those sites would rather redirect to cauth.com and the user would authenticate there. cauth.com would then send a verifiable "assertion" to a.com and b.com that the user has authenticated successfully. This constitutes one of the major goals of federated SSO, namely that the user credentials should not be presented to or stored by foreign websites, and it makes the means of authentication independent from the target websites ("Relying Parties").
So what you should be looking for is a suitable implementation of SAML or OpenID Connect for your platform (don't write it yourself!) and leverage that.
Shibboleth is open source and one of the most popular SSO solutions. It includes a SAML Identity Provider which you can download here: https://shibboleth.net/downloads/identity-provider/latest/
If your client is willing, one approach would be to use a cloud SSO provider like Okta which has a developer program and could make things easier.
I think there is a subtle misunderstanding in your description. For SAML authentication, if a user at site a.com either clicks a login link/button or tries to access a secure page, that user will receive an http 305 redirect to cauth.com. There the user will enter their credentials, and the user will be redirected back to a.com. If that user then goes to site b.com and tries to access secure content, b.com sends the user to cauth.com with the same http 305 redirect. This time, as there is an active session for the user's browser at cauth.com, the user does NOT see the credential form. Instead, the IDP returns the user with a successful authentication to b.com. It appears to the user that they are automatically logged on to site b, but in truth a SAML authentication flow has occurred.
Hans Z's answer elides the fact that the IDP only sends the assertions on the request of a or b (the Relying Parties or RPs, also known as Service Providers or SPs). It is not a broadcast to all RPs.
I'll reinforce that SAML does NOT support a.com receiving the credentials from the user and then passing them to the authentication engine. This is a pattern one may be familiar with from LDAP.
Take a look at the sequence diagram in the Wikipedia entry on SAML.
Follow the instructions below to get a SAML implementation with PHP.
SAML login setup is very easy in PHP.
First register on the OneLogin server https://www.onelogin.com/signup and create a demo app on it. After that, follow all the instructions to set the IdP (Identity Provider settings) and SP (Service Provider settings) in settings.php:
https://developers.onelogin.com/saml/php
It worked perfectly for me with CI and PHP.
I'm trying to make a Client portal (IdP) in PHP.
That portal links to several SPs (like Magento, Google Analytics and Wordpress).
Seeing how this needs to work, my IdP needs to initiate authentication: when a link to an SP is clicked, the authentication needs to start.
So it needs an IdP-first application. I tried to set it up with SimpleSAML; the only problem is that the initial explanation on the SimpleSAML website isn't clear enough for me (https://simplesamlphp.org/docs/stable/simplesamlphp-idp). Can someone give me a better or more in-depth explanation about IdP first?
This is a new client portal, but the clients already have accounts with the mentioned sites and other sites, sometimes more than one account. Is it possible to connect those accounts without doing it myself, but let the clients connect them?
If there are better solutions than SAML to this problem, please don't hesitate to mention them.
4.5 IdP initiated login
If you use a simpleSAMLphp IdP, and you want users to be able to bookmark the login page, you need to test IdP initiated login. To test IdP initiated login from a simpleSAMLphp IdP, you can access:
https://.../simplesaml/saml2/idp/SSOService.php?spentityid=<entity ID of your SP>&RelayState=<URL the user should be sent to after login>
Note that the RelayState parameter is only supported if the IdP runs version 1.5 of simpleSAMLphp. If it isn't supported by the IdP, you need to configure the RelayState option in the authentication source configuration.
As for account linking, it's my understanding that SimpleSAML doesn't do this (it's getting out of the simple realm). To use it, you'll have to clean up accounts.
[edit] Actually, I suppose you could, though you'd have to build a structure to do it. You would need to somehow build a mapping of accounts from the corporate ID to the SP accounts at Wordpress, Google, etc.
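Building the portal's buttons as IdP-initiated links in the SSOService.php form quoted above, as an added example that is neither the answer's code nor simpleSAMLphp's own. The IdP base URL, SP entity IDs and landing pages are constructed sample values for the apps named in the question; the check on RelayState is there because the SP redirects to it after login, so an unrestricted value would make the portal link an open redirect.

```php
<?php
// Added example, not code from the answer or from simpleSAMLphp: building the
// portal's per-app buttons as IdP-initiated links in the SSOService.php form
// quoted above. IdP base URL, SP entity IDs and landing pages are constructed.

declare(strict_types=1);

const IDP_BASE = 'https://portal.example/simplesaml';

/** Constructed sample: each app's SP entity ID and the page it lands on after login. */
const PORTAL_APPS = [
    'wordpress' => ['entityId' => 'https://blog.example/wp-login.php?saml_metadata',
                    'landing'  => 'https://blog.example/wp-admin/'],
    'magento'   => ['entityId' => 'https://shop.example/saml/sp',
                    'landing'  => 'https://shop.example/admin/'],
];

/** True when both URLs are https and share scheme, host and port. */
function sameHttpsOrigin(string $a, string $b): bool
{
    $pa = parse_url($a);
    $pb = parse_url($b);
    if ($pa === false || $pb === false || ($pa['scheme'] ?? '') !== 'https') {
        return false;
    }
    foreach (['scheme', 'host', 'port'] as $part) {
        if (($pa[$part] ?? null) !== ($pb[$part] ?? null)) {
            return false;
        }
    }
    return true;
}

/**
 * Build .../saml2/idp/SSOService.php?spentityid=...&RelayState=... for one app.
 * The SP sends the browser to RelayState once it has consumed the assertion, so
 * a caller-supplied value is accepted only on the app's own origin; otherwise
 * the portal link would double as an open redirect.
 */
function idpInitiatedSsoUrl(string $app, ?string $relayState = null): ?string
{
    if (!isset(PORTAL_APPS[$app])) {
        return null;
    }
    $cfg   = PORTAL_APPS[$app];
    $relay = $relayState ?? $cfg['landing'];
    if (!sameHttpsOrigin($relay, $cfg['landing'])) {
        return null;
    }
    $query = ['spentityid' => $cfg['entityId'], 'RelayState' => $relay];
    return IDP_BASE . '/saml2/idp/SSOService.php?' . http_build_query($query, '', '&', PHP_QUERY_RFC3986);
}

echo idpInitiatedSsoUrl('wordpress'), PHP_EOL;
// A RelayState on another origin is refused rather than forwarded.
var_dump(idpInitiatedSsoUrl('magento', 'https://other.example/') === null);
```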
I'm writing an iPhone app which works against my own server.
Basically, it's a forum where users can post. I don't want users to sign-in for an account on my server but I rather prefer them to login using any existing account they have: Facebook, Linkedin, Foursquare, etc.
So from the app itself, I want them to be able to login using their existing account which will then allow them to post on the forum.
My question is: when a user is posting a message, how can I verify whether or not he is logged in with any service? I need to validate it both on the client and server side. I plan on writing the server side using PHP.
Thanks
See this question for a similar discussion (just limited to Facebook sign on). Here's a high-level overview of what should happen (taken from that discussion I linked to):
1) The user opens the app on the phone and chooses a service with which to authenticate.
2) The user authenticates via one of the available services (Facebook, Twitter, foursquare, etc.) and gets some special access token.
3) Your app takes the token and sends it to your server.
4) Your server receives the token and validates it. It checks it against the service's API and (at least for Facebook and Twitter) gets the corresponding user ID.
5) Assuming a valid ID, your server checks if the user ID has already been used by some user. If so, it logs them in. If the user ID hasn't been created, your server creates its own user record associated with that user ID and logs the user in. In either case, the user ends up logged in and your server issues a session key to your app.
6) The session key is used for all further communication between your app and your server until the user logs out.
On the phone, you're going to want some OAuth library to allow users to authenticate with another service. You'll probably want to use the Facebook iOS SDK to allow them to use Facebook and use one of the suggested OAuth libraries here for your other authentication services. I have only used the Facebook SDK, so I can't speak as to the general OAuth libraries.
Once logged in, the phone should not store the access token, only the session key.
Assuming that users can use more than one service to access their account, you will also want some way of connecting two services to the same user (probably by email address).
It's up to you to decide how your app and your server communicate. I'd go for a JSON+REST API for communications with the server.
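The server side of steps 4 to 6 above, as an added example that is not the answer's own code: provider token validation is injected as a callable so the snippet runs offline, the local user is keyed by provider and provider user ID rather than by anything the app sends, and only a hash of the issued session key is stored. The in-memory arrays and the fake validator are constructed stand-ins for a real database and the provider's API.

```php
<?php
// Added example, not code from the answer above: the server side of steps 4 to 6,
// with provider token validation injected as a callable so it runs offline. The
// in-memory arrays and the fake validator are constructed stand-ins for a real
// database and the provider's API.

declare(strict_types=1);

final class SocialLoginService
{
    /** @var array<string, int> local user id keyed by "provider:providerUserId" */
    private array $users = [];
    /** @var array<string, int> local user id keyed by sha256(session key) */
    private array $sessions = [];
    private int $nextId = 1;

    /** @param callable(string, string): ?string $validate provider user ID for a valid token, null otherwise */
    public function __construct(private $validate) {}

    /** Returns a session key on success, null when the provider rejects the token. */
    public function login(string $provider, string $accessToken): ?string
    {
        // The user ID comes from the provider's API, never from the app: a client
        // could otherwise claim any account by sending someone else's ID.
        $providerUid = ($this->validate)($provider, $accessToken);
        if ($providerUid === null) {
            return null;
        }
        // Key by provider and ID, not by e-mail; the same ID can recur across providers.
        $key = $provider . ':' . $providerUid;
        $this->users[$key] ??= $this->nextId++;
        // The app keeps only this key (not the provider token); store only its hash,
        // so a leaked session table does not hand out live sessions.
        $sessionKey = bin2hex(random_bytes(32));
        $this->sessions[hash('sha256', $sessionKey)] = $this->users[$key];
        return $sessionKey;
    }

    public function userForSession(string $sessionKey): ?int
    {
        return $this->sessions[hash('sha256', $sessionKey)] ?? null;
    }
}

// Constructed fake validator: one known-good token for one provider.
$fakeValidate = fn (string $provider, string $token): ?string =>
    ($provider === 'facebook' && $token === 'valid-token-123') ? '10001' : null;

$svc     = new SocialLoginService($fakeValidate);
$session = $svc->login('facebook', 'valid-token-123');
var_dump($session !== null && $svc->userForSession($session) === 1);
var_dump($svc->login('facebook', 'bogus-token') === null);
// A second login for the same provider ID reuses the user but issues a fresh key.
var_dump($svc->login('facebook', 'valid-token-123') !== $session);
```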
Another option to get your users to login using multiple services is Socialize (www.getsocialize.com). It's an open source SDK that manages your users and authentication so you don't have to implement all the steps that cbrauchli has outlined above.
I was exploring whether better/easier-to-use/implement options exist in 2020 using third party libraries to allow login with social accounts, and found two options:
AuthorizeMe - https://github.com/rubygarage/authorize-me & https://rubygarage.org/blog/authorizeme-ios-libary
Auth0 - https://auth0.com/learn/social-login/ & https://auth0.com/blog/using-centralized-login-to-add-authentication-to-your-ios-apps/
AuthorizeMe supports:
Facebook
Twitter
Google
Instagram
LinkedIn
plus custom providers
Auth0 supports:
Facebook
Twitter
Google
Microsoft (Windows Live)
Yahoo
Instagram
Amazon
LinkedIn
Github
PayPal
vKontakte
Yandex
Box
Baidu
Ren Ren (Xiaonei)
Weibo
Shopify
Wordpress
Yammer
SoundCloud
and custom providers as well
Disclaimer: I am not affiliated with Auth0 or AuthorizeMe.