I'm trying to make a Client portal (IdP) in PHP.
That portal links to several SP's (like Magento, Google Analytics and Wordpress)
Seeing how this needs to works my IdP needs to initiate authentication. when clicked on a link to an SP the authentication needs to start.
So it needs an IdP first application. I try to set it up with SimpleSAML, the only problem is the initial explanation on the simpleSAML website isn't clear enough for me (https://simplesamlphp.org/docs/stable/simplesamlphp-idp) can someone give me some better or in depth explanation about IdP first?
this is a new client portal but the clients already have accounts with the mentioned sites and other sites, sometimes more than 1 account. Is it possible to connect those accounts without doing it myself but let the clients connect them?
If there are better solutions than SAML to this problem please don't hesitate to mention them
4.5 IdP initiated login
If you use a simpleSAMLphp IdP, and you want users to be able to bookmark the login page, you need to test IdP initiated login. To test IdP initiated login from a simpleSAMLphp IdP, you can access:
https://.../simplesaml/saml2/idp/SSOService.php?spentityid=<entity ID of your SP>&RelayState=<URL the user should be sent to after login>
Note that the RelayState parameter is only supported if the IdP runs version 1.5 of simpleSAMLphp. If it isn't supported by the IdP, you need to configure the RelayStateoption in the authentication source configuration.
As for account linking, it's my understanding that simple doesn't do this (it's getting out of the simple realm). To use it, you'll have to clean up accounts.
[edit]Actually, I suppose you could - though you'd have to build a structure to do it. You would need to somehow build a mapping of accounts from the corporate ID to the SP accounts at Wordpress, Google, etc.
Related
I am learning about SAML and already read many articles and forums but I still having confusion about setup IdP.
I am using "https://simplesamlphp.org/"
For example, I have 3 websites "example.com", "one.example.com", "two.example.com";
All are on three different server.
Now, I want to setup single sign on login using SAML then on which server I need to setup IdP.
As "example.com" is main domain which has all the information about user.
As I learn, when I login to "example.com" then it sends request to IdP.
But I don't get any idea where I have to set IdP and what Idp contains?.
Its on same server where "example.com" hosted OR its different server and what logic I have to write on that server?
It's simple login function OR I need to setup "simplesaml" for this and set login logic to there.
After setting up IdP, what I need to do on other server "one.example.com", "two.example.com"?
Do I need to install again "simplesaml" to both server and set SP and IdP?
In sort, which server has IdP and SP? And on which server I need to install "simplesaml"?
Thanks in advance
simpleSAMLphp is the IDP.
You don't need to write any code, just setup the config.
You will also have 3 SP = the three websites.
They can all be on the same server or you can have one server for the IDP and one server each for the websites. It doesn't actually matter.
The simpleSAMLphp web site shows you the changes you need to make to each of the SP in order to communicate with the IDP.
Identity provider is the one who supplies info about users. You'd create one, let's call it idp.example.com.
You'd install simpleSAML there and configure it so it can read info about your users, be it in MySQL, LDAP etc. (this is the tricky part with IdP setup).
Now, your websites would be service providers and if user isn't authenticated, they'd redirect the user to idp.example.com, user logs in, idp.example.com returns the user to service provider with the XML document containing assertions.
That means your SP needs to be able to consume the SAMLResponse which IdP sends to your site.
You can consume this with simpleSAML, which you'd configure in SP mode now.
Bear in mind that SSP (simplesamlphp) isn't the only option in PHP to deal with SAML. There's also Lightsaml - a proper library. SimpleSAML isn't just a library, it's a complete solution and quite honestly - a super SUPER terrible one at that, it's the epitome of crap code one can type out and make a system that actually works (much like wordpress).
TL;DR:
create an IdP -> idp.example.com -> configure or create the module that authenticates users against your user source (LDAP, ActiveDirectory, relational database etc.)
configure your 3 websites to authenticate using idp.example.com
configure your 3 websites to be able to consume responses from idp.example.com
It's all doable with simplesamlphp. If you want to take it further and implement or play with SAML on your own - you can use the library I linked. It'll take way, way, way longer to do it via Lightsaml library though since you have to take care of single logout and single sign-on, encryption, digital signatures, endpoints, metadata etc.
I am a newbie in SSO implementation. We are looking at implementing SSO for a client that uses a php application (supported by us), for their employees to login to the application. We are in the process of setting up Simple SAML for this .. I have been reading articles on SSO, many of which are helpful. Pardon me for asking this, I know it is dumb. In this scenario, who is the IDP and who will be the service provider. The client apparently uses SSO for other applications as well. Can someone throw some light on what all I need to setup from our end.. I will research on how to do each of them..could someone please help by mentioning the things that need to be implemented.
who is the IDP and who will be the service provider.
IDP (Identity Provider) is the one who creates, stores, maintains and authenticates the identity of the user or principal in saml terms. So in your case it is the clients application.
SP (Service Provider) is the one who provides the service or resource to a user (authenticated by IDP) so in your case it is your application.
could someone please help by mentioning the things that need to be implemented.
As you can see in the above diagram when user will try to access a resource on your site you will have to redirect them to IDP to confirm whether this user is authenticated and if you should return them the resource/response they are looking for. The SSO url and other details are exchanged between IDP and SP through Metadata.
Once IDP has authenticated the user it will POST a response on your application url. This response contains an assertion through which you will know user details and whether user is authenticated or not. You will have to parse this response (xml). Also, these assertions are generally signed with certificate and are encoded base 64.
You will also have to think about SLO so when a user clicks on logout in your site you might have to clear their session from your application and redirect them to the IDP so they get logged out from there as well.
As suggested by smartin you can use some library which will make it easier to implement SAML. I am also learning about SAML as we are working on converting our current application into IDP :)
I found this SAML official documentation and some of the diagrams very helpful. http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0-cd-02.html
Your app is the SP, and the customer will provide to you the IdP metadata to register on your SP.
In order to add SAML support to a PHP application, you have 2 alternatives:
simpleSAMLphp
php-saml
LightSAML
All of them are well documented, you will need to spend some time reading/learning.
I'm trying to find a way to log my users from my portal to another service. I'm not very knowledgeable on how SAML SSO works but from what I gather the Portal is the IdP (i.e., us) and I should create a response with certain user-dependent attributes to send to the SP.
I'm using Symfony2 and I read about SimpleSAMLphp but I had troubles installing. The important part is, how should I construct my response? I don't think I should reauthenticate the user since he is already and using the portal.
Thank you and if you found anything illogical please let me know.
So my scenario goes like :
I have two sites a.com and site b.com and one authentication server cauth.com.
what client wants is ...
When user lands on a.com or b.com user fills in the login form on respective site , but the action of form will be on cauth.com (cauth.com/authenticate). when user is authenticated on cauth he is loggined on the both sites.
I am thinking to implement SAML to achieve the same and flow is like
after authentication iDP(cauth.com) will send SAML response to the both the service providers and user will be given access to both the sites .
I am novice in SAML and unable to get proper documentation and comprehension for the same.
What I want to know is :
Is my solution to the problem worth implementation ?
Is it possible to make site (cauth.com) as identity provider.I have looked at thread Making your PHP website into SAML Identity Provider but not able to get proper solution.
SimpleSamlPHP should be pretty easy to set up. You'll want to make a copy of the folder modules/exampleauth/ and then alter the file modules/<yournewmodule>/lib/Auth/Source/External.php to work for your site. The documentation is good though and it's definitely the easiest thing for your need, and the right one.
I should add that following the instructions to set up SimpleSamlPHP should give you a basic understanding of which metadata files are most important and where they live and how things interact.
I am not sure which technology you are using for your application. If you are free to switch to JAVA then I can suggest you Spring-Saml because its very easy to implement and fulfill your requirement. Spring-Saml has good documentation and online support as well being it as open-source project.
You can refer this link for Spring-saml and for code-repo use this link
You can integrate spring-saml in your abc.com and xyz.com application to make it Service provider(SP) and you can deploy it on different domain as well. Then you need to have one IDP (identity provider server) for your SPs. So you can use either ADFS with Active directory or LDAP to act as IDP.
We had similar requirement for our customer. I recently integrated spring-saml in my project.
Please let me know for any help
A federated Single Sign On (SSO) mechanism like SAML or OpenID Connect will give you what you want.
This comes with the important distinction that the login form would not be presented on a.com or b.com but those sites would rather redirect to cauth.com and the user would authenticate there. cauth.com would then send a verifiable "assertion" to a.com and b.com that the user has authenticated successfully. This constitutes one of the major goals of federated SSO, namely that the user credentials should not be presented/stored-by foreign websites and makes the means of authentication independent from the target websites ("Relying Parties").
So what you should be looking for is a suitable implementation of SAML or OpenID Connect for your platform (don't write it yourself!) and leverage that.
Shibboleth is open source and one of the most popular SSO solutions. It includes a SAML Identity Provider which you can download here: https://shibboleth.net/downloads/identity-provider/latest/ .
If your client is willing, one approach would be to use a cloud SSO provider like Okta which has a developer program and could make things easier.
I think there is a subtle misunderstanding in your description. For SAML authentication, if a user at site a.com either clicks a login link/button or tries to access a secure page, that user will receive an http 305 redirect to cauth.com. There the user will enter their credentials, and the user will be redirected back to a.com. If that user then goes to site b.com and tries to access secure content, b.com sends the user to cauth.com with the same http 305 redirect. This time, as there is an active session for the user's browser at cauth.com, the user does NOT see the credential form. Instead, the IDP returns the user with a successful authentication to b.com. It appears to the user that they are automatically logged on to site b, but in truth a SAML authentication flow has occurred.
Hans Z's answer elides the fact the that IDP only sends the assertions on the request of a or b (the Relying parties or RPs, also known as Service Providers or SPs). It is not a broadcast to all RPs.
I'll reinforce that SAML does NOT support a.com receiving the credentials from the user and then passing them to the authentication engine. This is a pattern one may be familiar with from LDAP.
Take a look at the sequence diagram in the wikipedia entry on SAML.
Follow below instruction to get SAML implimentation with PHP.
SAML login setup is very easy in php.
First register on onelogin server
https://www.onelogin.com/signup and create demo app on it. After
it follow all instruction to set Idp (Identity provider setting ) and
sp (service provider setting) to settings.php
https://developers.onelogin.com/saml/php
It worked perfect for me with CI and and php
I want to set up a Portal for consumers.
This portal has to have multiple buttons to go to other locations, for example Google and Wordpress.
This by means of SSO, I found out that SAML is best practice for this.
I'm only wondering and trying to find out if my application has to be an IdP (Identity Provider) or an SP (Service Provider).
This application will be made in PHP per request of the client.
Edit
I've looked into simpleSaml, Because the answers I got are good but not concluding. In essention I want this http://documentation.pingidentity.com/display/PF610/IdP-Initiated+SSO--POST with a client portal and I want to go from the client portal to Google analytics, Magento, Wordpress and some local other websites
The IDP authetnicates the users, the SPs then trust the IDP to have authenticated the users correctly.
If your users will authenticate on your site, you will be the IDP. If on the other hand the users log in to google, andyou then trust google for authentication, you will be the SP
IDP stands for Identity Provider who has users information and stores the users databases.
SP stands for Service Provider who allows the users to use its service by getting authenticated from their IDP.
A simple flow is:-
User wants to access the SP website.
SP redirect the user to IDP to log in on IDP.
Once User is successfully logged in there IDP redirect the user to SP with success response.
If SP gets a success response from IDP it allows user access to it.
Now if you got the flow you can easily derive that Google cannot be used as SP has it already contains user database and don't provide the user provisioning (Creation of user at run time).
So with Google, You will be SP and Google will be IDP.
Wordpress provide user provisioning and can be used both as SP and IDP.
So with Wordpress,
If you want your user to login in Wordpress, You will be IDP and Wordpress will be SP. You can try this plugin to achieve it.
If you want Wordpress user to login on your site. You will be SP and Wordpress will be IDP. You can try this plugin to achieve it.
You are the IDP and Google/Wordpress are SPs