When do we need saml20-idp-remote metadata


Manilal K M

Nov 25, 2016, 4:04:30 AM
to simple...@googlegroups.com
Hello all,
I'm extremely sorry for asking such a basic question, but I'm slightly
confused by the various use cases of SimpleSAMLphp and trying to
confirm whether I'm on the right track.

I have a SimpleSAMLphp instance which acts as an Identity Provider for
Google Apps. Everything works fine and I'm able to login to Google
Apps using my credentials in LDAP.

Now I would like to add a custom PHP application developed on PHP Zend
Framework which should be authenticated from SimpleSAMLphp. The PHP
application and SimpleSAMLphp is installed on the same server
(Linux/Apache). Someone suggested that I need to have metadata in
saml20-idp-remote.php to complete authentication. Do I need to add
metadata in saml20-idp-remote to get this to work?

My understanding was that we need saml20-idp-remote only if we are
authenticating from an external authentication provider and it's not
needed when integrating an application on the same server. Please
correct me if this is wrong.

Thanks & regards
--
Manilal K M | മണിലാല്‍ കെ എം.
http://libregeek.blogspot.com

Nate Klingenstein

Nov 25, 2016, 4:30:57 PM
to simple...@googlegroups.com
Manilal,

It's alright. You should think of the IdP and the SP parts of
simpleSAMLphp as being distinct here.

You are currently operating an identity provider. Google Apps
operates a service provider. That doesn't change.

Your PHP application will need a service provider. You could use the
same installation of simpleSAMLphp, a different installation of
simpleSAMLphp, or another SAML implementation entirely.

For now, it might be simpler to think of your application as a
completely separate SP with a separate implementation. The specific
internal architecture and protocol choices can be made later.

Hope this helps,
Nate.

Peter Schober

Nov 26, 2016, 9:53:36 AM
to simple...@googlegroups.com
* Manilal K M <libr...@gmail.com> [2016-11-25 10:04]:
> Now I would like to add a custom PHP application developed on PHP
> Zend Framework which should be authenticated from SimpleSAMLphp. The
> PHP application and SimpleSAMLphp is installed on the same server
> (Linux/Apache).

Note that the SSP documentation mentions somewhere that running an IDP
and SP on the same vhost is not currently possible (as has been
pointed out to me recently, when I couldn't get exactly that to work).
So make sure you create separate vhosts for the IDP and SP side of
things.
Also I'd question whether using a single SSP instance as both an IDP
and SP actually makes things easier (to understand and to maintain,
going forward).
-peter

Manilal K M

Nov 28, 2016, 12:23:26 AM
to simple...@googlegroups.com
On 26 November 2016 at 03:00, Nate Klingenstein <n...@sudonym.me> wrote:
> Manilal,
>
> It's alright. You should think of the IdP and the SP parts of
> simpleSAMLphp as being distinct here.
>
> You are currently operating an identity provider. Google Apps
> operates a service provider. That doesn't change.
I completely understand this point.

>
> Your PHP application will need a service provider. You could use the
This is something confusing to me. I thought the PHP application needs
an identity provider.

> same installation of simpleSAMLphp, a different installation of
> simpleSAMLphp, or another SAML implementation entirely.
>
> For now, it might be simpler to think of your application as a
> completely separate SP with a separate implementation. The specific
> internal architecture and protocol choices can be made later.
>
> Hope this helps,
> Nate.

Thanks & regards,

Jaime Perez Crespo

Nov 28, 2016, 2:26:02 AM
to simple...@googlegroups.com
Hi Manilal,

On 28 Nov 2016, at 06:23 AM, Manilal K M <libr...@gmail.com> wrote:
>> Your PHP application will need a service provider. You could use the
> This is something confusing to me. I thought the PHP application needs
> an identity provider.

A service provider is the subject that “offers the service”, and therefore the one that “delegates authentication to the identity provider”. So technically speaking, it is your service provider that needs an identity provider.

Now, your application doesn’t know anything about SAML, identity providers, or anything else. This means you need some “glue” between the SAML protocol and your application, allowing your application to use SAML to delegate authentication. That “glue” is the service provider.

So you will need to make your application get along with SimpleSAMLphp by using the API provided, and then you can delegate authentication without needing to implement SAML yourself.

--
Jaime Pérez
UNINETT / Feide

jaime...@uninett.no
jaime...@protonmail.com
9A08 EA20 E062 70B4 616B 43E3 562A FE3A 6293 62C2

"Two roads diverged in a wood, and I, I took the one less traveled by, and that has made all the difference."
- Robert Frost

Manilal K M

Nov 28, 2016, 3:06:58 AM
to simple...@googlegroups.com
On 28 November 2016 at 12:55, Jaime Perez Crespo <jaime...@uninett.no> wrote:
> Hi Manilal,
>
> On 28 Nov 2016, at 06:23 AM, Manilal K M <libr...@gmail.com> wrote:
>>> Your PHP application will need a service provider. You could use the
>> This is something confusing to me. I thought the PHP application needs
>> an identity provider.
>
> A service provider is the subject that “offers the service”, and therefore the one that “delegates authentication to the identity provider”. So technically speaking, it is your service provider that needs an identity provider.
>
> Now, your application doesn’t know anything about SAML, identity providers, or anything else. This means you need some “glue” between the SAML protocol and your application, allowing your application to use SAML to delegate authentication. That “glue” is the service provider.
>
So this is the reason why I need saml20-idp-remote metadata to work
with my PHP application, right?

This should be my last question. :) Thanks for explaining it in detail.

regards,
Manilal

Nate Klingenstein

Nov 29, 2016, 8:05:35 PM
to simple...@googlegroups.com
Manilal,

You need saml20-idp-remote to tell your SP how to talk to IdPs. You
need something else to attach your SP to your application. Those are
the two interfaces. This page might help.

https://simplesamlphp.org/docs/stable/simplesamlphp-sp#section_6

Thanks,
Nate.
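The two interfaces Nate describes, as an added example that is not from the thread or from the SimpleSAMLphp project: an IdP entry in saml20-idp-remote.php plus the matching SP authsource, and the application calling the SP API. The hostnames, the authsource name 'default-sp', the certificate value and the uid attribute are assumptions, and in a real install the three pieces live in three separate files.

```php
<?php
// Added example, not from the thread. Illustrates the two interfaces Nate
// names: (1) saml20-idp-remote.php, which tells the SP how to reach and
// trust an IdP, and (2) the SP API the application calls. Hostnames, the
// authsource name 'default-sp' and the certificate value are placeholders;
// in a real install these pieces live in three separate files.

// (1) metadata/saml20-idp-remote.php: one entry per IdP the SP may use.
// The key is the IdP's entityID. certData is the trust anchor the SP uses
// to verify the IdP's signed responses, so copy it from the IdP's own
// metadata, never from a response you received.
$metadata['https://idp.example.org/saml2/idp/metadata.php'] = [
    'SingleSignOnService' => 'https://idp.example.org/saml2/idp/SSOService.php',
    'SingleLogoutService' => 'https://idp.example.org/saml2/idp/SingleLogoutService.php',
    'certData'            => 'MIIC...PLACEHOLDER-BASE64-CERT...',
];

// config/authsources.php: the SP side of the same SimpleSAMLphp install.
// 'idp' pins this SP to that one IdP, so no discovery page is offered
// and a response from any other IdP is rejected.
$config['default-sp'] = [
    'saml:SP',
    'entityID' => 'https://app.example.org/simplesaml/module.php/saml/sp/metadata.php/default-sp',
    'idp'      => 'https://idp.example.org/saml2/idp/metadata.php',
];

// (2) the application (e.g. a Zend controller): the SP API is the "glue".
require_once '/var/simplesamlphp/lib/_autoload.php';

function currentUser(): array
{
    // SimpleSAML\Auth\Simple is the namespaced name in current releases;
    // releases from 2016 call the same class SimpleSAML_Auth_Simple.
    $as = new SimpleSAML\Auth\Simple('default-sp');
    $as->requireAuth();            // redirects to the IdP if not logged in
    $attrs = $as->getAttributes(); // attributes the IdP released, by name

    // Fail closed: only trust an attribute the IdP actually released.
    if (empty($attrs['uid'][0])) {
        throw new RuntimeException('IdP released no uid attribute');
    }
    return ['uid' => $attrs['uid'][0], 'logout' => $as->getLogoutURL()];
}
```

Per Peter's note above, the SP's entityID and the IdP's entityID must be served from separate vhosts when both roles run on one SimpleSAMLphp install.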

Manilal K M

Nov 30, 2016, 1:32:36 AM
to simple...@googlegroups.com
Nate, Peter & Jaime,

Thanks for your detailed reply. I think now I have a better
understanding of how all these work. I will get back to you if I have
any further questions.

regards,
Manilal