Hi,
On 17 Oct 2017, at 09:50 AM, Володимир Олійник <volodymyr.o...@gmail.com> wrote:
> I need to realize synchronous user account authorization of our website and "Facebook Workplace" service (FBWP).
What does “synchronous user account authorization” mean? Can you describe what you want to do?
> I need to do it via SSO SAML.
Be aware that SAML is designed for very specific purposes (delegating authentication to third parties), so it might not be what you need depending on what you want to do.
> I have a FBWP SSO config page and installed SimpleSAMLphp in subfolder of our website.
What is “your website” here? In any case, SimpleSAMLphp should not be installed in a folder of a third party application, but in an independent location. Make sure to follow the installation instructions and create an alias in the web browser, pointing to the “www” directory of the SimpleSAMLphp installation. **Never** give access to your SimpleSAMLphp installation directory through the web server, access is needed **only** to the “www” subdirectory.
> How must I configure SimpleSAMLphp for FBWP for synchronous authorization of accounts (Case: the user does authorization at our website and, via SimpleSAMLphp, must be authorized on FBWP)?
Ok, so if I understand correctly, your website holds user accounts, and you want it to authenticate (not authorize, those are different things) users for FBWP (whatever that is). Is that right?
> Where can I get the "SAML URL" and "SAML Issuer URI" from SimpleSAMLphp for FBWP, and how do I use the "Audience URL", "Recipient URL" and "ACS (Assertion Consumer Service) URL" URLs from FBWP in the SimpleSAMLphp configuration files?
Read the documentation:
https://simplesamlphp.org/docs/stable/simplesamlphp-idp#section_7
> For our case, must SimpleSAMLphp be a Service Provider (SP) or an Identity Provider (IdP)?
“Facebook Workplace” is the Service Provider, since it provides a service. You are the Identity Provider, since you provide the identity of the users.
Now, you need to install and configure SimpleSAMLphp as an IdP. According to what you say you want, you would need to tell SimpleSAMLphp to ask your application for authentication. However, since your application won’t likely support any standard mechanism or protocol for that, you would need to implement that yourself as a module for SimpleSAMLphp. Considering that you haven’t even been able to identify who’s the SP and the IdP here, I think that’ll be a rather cumbersome task for you. Instead, you could:
- Install SimpleSAMLphp on its own (maybe even its own virtual host).
- Configure it as an IdP, using your backend (database? LDAP?).
Assuming your website is your own code and you can modify it:
- Install SimpleSAMLphp also for your website.
- This time, configure it as a Service Provider.
- Modify your application to stop authenticating users, and call SimpleSAMLphp’s API instead. Refer to the documentation.
- Exchange metadata between your new IdP and your new SP.
- Configure “Facebook Workplace” with the information needed from your IdP.
- Add a remote SP for “Facebook Workplace” to your IdP, with the information they provided you with.
--
Jaime Pérez
UNINETT / Feide
jaime...@uninett.no
jaime...@protonmail.com
9A08 EA20 E062 70B4 616B 43E3 562A FE3A 6293 62C2
"Two roads diverged in a wood, and I, I took the one less traveled by, and that has made all the difference."
- Robert Frost
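As an added illustration of the last two steps above (registering the Workplace SP on the IdP, and having the website call SimpleSAMLphp's API as an SP), not code from the thread or from the SimpleSAMLphp project: the entity ID, ACS URL and installation path below are placeholders standing in for the values Workplace and your own setup provide.

```php
<?php
// --- File 1: metadata/saml20-sp-remote.php on the IdP ---------------------
// One entry per remote SP. The key is the SP's entity ID, which is what
// Workplace calls the "Audience URL" (placeholder value, replace with theirs).
$metadata['https://WORKPLACE-AUDIENCE-URL.example/PLACEHOLDER'] = array(
    // "ACS URL" / "Recipient URL" from the Workplace SSO page (placeholder).
    'AssertionConsumerService' => 'https://WORKPLACE-ACS-URL.example/PLACEHOLDER',

    // Workplace identifies users by e-mail, so send the NameID in that
    // format and take its value from the IdP's "mail" attribute.
    'NameIDFormat'             => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
    'simplesaml.nameidattribute' => 'mail',

    // Least privilege for attributes: release only what this SP needs.
    'attributes'               => array('mail'),

    // Sign the assertion, not only the response, so the SP can verify it
    // independently of the transport.
    'saml20.sign.assertion'    => true,
);

// --- File 2: a protected page of the website, acting as an SP --------------
// The website no longer checks passwords itself; it delegates to the SP
// instance of SimpleSAMLphp, which in turn redirects to the IdP.
// Path is an assumption: wherever the SP instance is installed.
require_once('/var/simplesamlphp/lib/_autoload.php');

// 'default-sp' is the authsource name from config/authsources.php.
$as = new SimpleSAML_Auth_Simple('default-sp');

// Redirects to the IdP if there is no session yet, then returns here.
$as->requireAuth();

// Attributes released by the IdP; the application keys its own user
// record on the e-mail address and must not trust anything else.
$attributes = $as->getAttributes();
$mail = isset($attributes['mail'][0]) ? $attributes['mail'][0] : null;
if ($mail === null) {
    header('HTTP/1.1 403 Forbidden');
    exit('No e-mail attribute released by the IdP');
}
echo 'Logged in as ' . htmlspecialchars($mail, ENT_QUOTES, 'UTF-8');
```

The IdP's own entity ID and SSO endpoint (what Workplace calls "SAML Issuer URI" and "SAML URL") are read off the IdP's metadata page in the SimpleSAMLphp web interface, as the linked documentation section describes.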