ssp & sandstorm.io


raz

Nov 15, 2016, 11:42:56 PM
to simple...@googlegroups.com
Hello, I'm writing this hoping for some recommendations and guides for
setting up simpleSAMLphp as an IdP.

I have a sandstorm instance which, afaiu, acts like an SP. It has the option
to provide metadata on my.host.com/_saml/config/default and provides a
Service URL and also a Service Logout URL. Sandstorm asks for a

* SAML provider entry point URL
* SAML provider logout URL (optional)
* SAML cert for above provider

The entity ID is my.host.com

So as far as I understand SSP only needs to be set up as an IdP and
Sandstorm will serve as an SP? I don't have to set up simpleSAMLphp as an SP?

Also from sandstorm doc:

> Your SAML IDP should be configured to return a persistent nameID. In
> addition, if you are not using Active Directory, you must configure
> your IDP to provide two extra attributes, email and displayName.

So, again, afaiu the authentication will rely on the SSP server, right?
I'm asking this since the login for sandstorm is currently very
comfortable for the sake of users (they only have to insert their mail
address and a token will be emailed, no passwords) and I'd like to keep
this process as clean as possible for users, but I'd also like to add
2FA. Since it's not supported natively, the way to go seems to be setting
up a SAML server and integrating with other services from there. But if I
set up SAML, will I also lose the passwordless SSO?

Thanks for any guidance, recommendation on this topic.

--
Raz

Peter Schober

Nov 16, 2016, 4:21:55 AM
to simple...@googlegroups.com
* raz <r...@lupercio.mx> [2016-11-16 05:43]:
> I have a sandstorm instance which, afaiu, acts like an SP. It has the option
> to provide metadata on my.host.com/_saml/config/default and provides a
> Service URL and also a Service Logout URL. Sandstorm asks for a
>
> * SAML provider entry point URL

That's probably the URL from your IDP's SingleSignOnService/@Location
in SAML 2.0 Metadata. The SSP admin UI will show you the metadata of
your IDP.
(Let's just assume the SP supports the Redirect binding for authn requests.)

> * SAML provider logout URL (optional)

Cf. SingleLogoutService/@Location, but possibly this isn't even for
SAML protocol messages, but for ordinary "give us a URL to end up at"
redirects.

> * SAML cert for above provider

The file referenced by the 'certificate' parameter in your
metadata/saml20-idp-hosted.php

> The entity ID is my.host.com

Note that that's not a legal entityID: Those need to be URIs and a URI
at least has a (registered) scheme. "https://my.host.com" would be a
legal value, though.

> So as far as I understand SSP only needs to be set up as an IdP and
> Sandstorm will serve as an SP? I don't have to set up simpleSAMLphp
> as an SP?

Yes, if the other thing acts as a SAML SP. (SPs don't talk to SPs,
only to IDPs.)

> Also from sandstorm doc:
>
> > Your SAML IDP should be configured to return a persistent nameID. In
> > addition, if you are not using Active Directory, you must configure
> > your IDP to provide two extra attributes, email and displayName.

I don't understand how the LDAP server being Microsoft's Active
Directory implementation would mean you do /not/ need to send email
and displayName, but whatever.

> So, again, afaiu the authentication will rely on the SSP server, right?

Yes, authentication should not happen at the SP.

> I'm asking this since the login for sandstorm is currently very
> comfortable for the sake of users (they only have to insert their mail
> address and a token will be emailed, no passwords)

I'd rather just click "login" on the SP website and then experience
SSO from my IDP (or, if I haven't yet established an SSO session, be
sent to my IDP and log in with username and password) than enter my
full email every time I want to log in there, and then go to my Mail
User Agent and click on some URL (hoping it's not a phishing one).

> and I'd like to keep this process as clean as possible for users,
> but I'd also like to add 2FA. Since it's not supported natively,
> the way to go seems to be setting up a SAML server and integrating
> with other services from there. But if I set up SAML, will I also
> lose the passwordless SSO?

That all depends on how the service is built, but if using your own
SAML IDP is presented as an alternative by the service provider then
it probably is that way: Then all authentication and attribute
resolving will (need to) happen at your IDP.

There is SSP documentation for all the parts you'll need to configure,
ask specific questions should you get stuck or should anything be
unclear.
-peter
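An illustration of the pieces Peter lists, as an added example that is not from this thread or from the simpleSAMLphp project: a hosted-IdP entry that issues a persistent NameID (from the file holding the 'certificate' parameter he refers to) and an SP-remote entry for the Sandstorm SP that releases only the email and displayName attributes the Sandstorm doc requires. The entityID `https://my.host.com`, the source attribute names `uid`, `mail` and `cn`, and the ACS and logout endpoint paths are assumptions; the thread does not state Sandstorm's real endpoint paths, so copy them from `my.host.com/_saml/config/default`.

```php
<?php
// Added example (not from the thread or simpleSAMLphp): the two metadata
// entries an SSP IdP needs for a Sandstorm SP. Attribute names, entityID
// and endpoint paths are assumptions; take the real ones from the SP's
// metadata at https://my.host.com/_saml/config/default.

// --- metadata/saml20-idp-hosted.php ---------------------------------------
$metadata['__DYNAMIC:1__'] = [
    'host' => '__DEFAULT__',
    // Key pair; the public half (server.crt) is what Sandstorm asks for
    // as the "SAML cert for above provider".
    'privatekey'  => 'server.pem',
    'certificate' => 'server.crt',
    // Authentication source: this is where credentials are checked, since
    // authentication happens at the IdP, never at the SP.
    'auth' => 'example-userpass',
    // Sandstorm wants a persistent NameID, so advertise that format ...
    'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
    'authproc' => [
        // ... and derive an opaque, stable value from a non-reassignable
        // attribute (assumed: uid). saml:PersistentNameID hashes it with
        // the instance's secret salt, so the SP never sees the raw username.
        50 => [
            'class'     => 'saml:PersistentNameID',
            'attribute' => 'uid',
        ],
    ],
];

// --- metadata/saml20-sp-remote.php ----------------------------------------
// The array key must be the SP's entityID: a URI, not a bare hostname.
$metadata['https://my.host.com'] = [
    // Assumed endpoint paths (placeholders); the thread does not give them.
    'AssertionConsumerService' => 'https://my.host.com/_saml/ASSUMED_ACS_PATH',
    'SingleLogoutService'      => 'https://my.host.com/_saml/ASSUMED_LOGOUT_PATH',
    'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
    'authproc' => [
        // Rename directory attributes to the names Sandstorm expects
        // (assumed sources: mail and cn).
        60 => ['class' => 'core:AttributeMap', 'mail' => 'email', 'cn' => 'displayName'],
        // Release only what this SP needs; every other attribute is dropped
        // before the assertion is built.
        70 => ['class' => 'core:AttributeLimit', 'email', 'displayName'],
    ],
];
```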