website user auth - SimpleSAMLphp - Facebook Workplace


Володимир Олійник

Oct 17, 2017, 3:50:50 AM
to SimpleSAMLphp


Hi

I need to realize synchronous user account authorization between our website and the "Facebook Workplace" service (FBWP).

I need to do it via SSO SAML.

I have an FBWP SSO config page and have installed SimpleSAMLphp in a subfolder of our website.

How must I configure SimpleSAMLphp for FBWP for synchronous authorization of accounts (case: the user authorizes at our website and, via SimpleSAMLphp, must be authorized on FBWP)?

Where can I get the "SAML URL" and "SAML Issuer URI" from SimpleSAMLphp for FBWP, and how do I use the "Audience URL", "Recipient URL" and "ACS (Assertion Consumer Service) URL" URLs from FBWP in the SimpleSAMLphp configuration files?

For our case, must SimpleSAMLphp be a Service Provider (SP) or an Identity Provider (IdP)?

Thank you.

screenshot with FBWP configuration page:

Jaime Perez Crespo

Oct 17, 2017, 8:57:11 AM
to simple...@googlegroups.com
Hi,
On 17 Oct 2017, at 09:50 AM, Володимир Олійник <volodymyr.o...@gmail.com> wrote:
> I need to realize synchronous user account authorization between our website and the "Facebook Workplace" service (FBWP).

What does “synchronous user account authorization” mean? Can you describe what you want to do?

> I need do it via SSO SAML.

Be aware that SAML is designed for very specific purposes (delegating authentication to third parties), so it might not be what you need depending on what you want to do.

> I have a FBWP SSO config page and installed SimpleSAMLphp in subfolder of our website.

What is “your website” here? In any case, SimpleSAMLphp should not be installed in a folder of a third party application, but in an independent location. Make sure to follow the installation instructions and create an alias in the web browser, pointing to the “www” directory of the SimpleSAMLphp installation. **Never** give access to your SimpleSAMLphp installation directory through the web server; access is needed **only** to the “www” subdirectory.

> How must I configure SimpleSAMLphp for FBWP for synchronous authorization of accounts (case: the user authorizes at our website and, via SimpleSAMLphp, must be authorized on FBWP)?

Ok, so if I understand correctly, your website holds user accounts, and you want it to authenticate (not authorize, those are different things) users for FBWP (whatever that is). Is that right?

> Where can I get the "SAML URL" and "SAML Issuer URI" from SimpleSAMLphp for FBWP, and how do I use the "Audience URL", "Recipient URL" and "ACS (Assertion Consumer Service) URL" URLs from FBWP in the SimpleSAMLphp configuration files?

Read the documentation:

https://simplesamlphp.org/docs/stable/simplesamlphp-idp#section_7

> For our case, must SimpleSAMLphp be a Service Provider (SP) or an Identity Provider (IdP)?

“Facebook Workplace” is the Service Provider, since it provides a service. You are the Identity Provider, since you provide the identity of the users.

Now, you need to install and configure SimpleSAMLphp as an IdP. According to what you say you want, you would need to tell SimpleSAMLphp to ask your application for authentication. However, since your application won’t likely support any standard mechanism or protocol for that, you would need to implement that yourself as a module for SimpleSAMLphp. Considering that you haven’t even been able to identify who’s the SP and the IdP here, I think that’ll be a rather cumbersome task for you. Instead, you could:

- Install SimpleSAMLphp on its own (maybe even its own virtual host).
- Configure it as an IdP, using your backend (database? LDAP?).

Assuming your website is your own code and you can modify it:
- Install SimpleSAMLphp also for your website.
- This time, configure it as a Service Provider.
- Modify your application to stop authenticating users, and call SimpleSAMLphp’s API instead. Refer to the documentation.

- Exchange metadata between your new IdP and your new SP.
- Configure “Facebook Workplace” with the information needed from your IdP.
- Add a remote SP for “Facebook Workplace” to your IdP, with the information they provided you with.

--
Jaime Pérez
UNINETT / Feide

jaime...@uninett.no
jaime...@protonmail.com
9A08 EA20 E062 70B4 616B 43E3 562A FE3A 6293 62C2

"Two roads diverged in a wood, and I, I took the one less traveled by, and that has made all the difference."
- Robert Frost

Володимир Олійник

Oct 18, 2017, 8:33:56 AM
to SimpleSAMLphp
Thank you

>> I need to realize synchronous user account authorization between our website and the "Facebook Workplace" service (FBWP).
>
> What does “synchronous user account authorization” mean? Can you describe what you want to do?

I want to do the following:
- If a user logs in to our website (Drupal 7) via the website login form, the user is automatically logged in to the "Workplace by Facebook" service. (The user has a D7 website account and a "Workplace by Facebook" service account with the same email.)

Володимир Олійник

Oct 18, 2017, 8:44:04 AM
to SimpleSAMLphp
I want to do the following:
- If a user logs in to our website (Drupal 7) via the website login form, the user is automatically logged in to the "Workplace by Facebook" service. (The user has a D7 website account and a "Workplace by Facebook" service account with the same email.)

Is it possible with SimpleSAMLphp?


Peter Schober

Oct 18, 2017, 9:40:00 AM
to SimpleSAMLphp
* Володимир Олійник <volodymyr.o...@gmail.com> [2017-10-18 14:34]:
> If user login to our website (Drupal 7) via website login form, user
> automatically logged to "Workplace by Facebook" service.

Well, SSP could use the data store from Drupal as an authsource
(re-using the Drupal credentials to log in to SSP) and act as an
IDP/OP for the "Workplace by Facebook" RP.
Or you could create your own custom authentication source so that by
logging in to Drupal itself one also gets an SSP session (much more
complex).

Logging in to SSP (or Drupal) wouldn't magically log them in to
"Workplace by Facebook" too, though, that only happens after
/something/ sends a protocol message of some kind with their data to
Facebook.

If you can access "Workplace by Facebook" directly and it will send
you to your IDP for authentication then that's what you'd use.

If they don't support that (which wouldn't surprise me) you'd have to
host a link somewhere else that would perform IDP-initiated SSO at
your SSP instance and will send people on to "Workplace by Facebook"
immediately afterwards. People would then need to click that link
instead when they want to access "Workplace by Facebook" via your
local/Drupal authentication.

> (user have D7 website account and have "Workplace by Facebook"
> service account with same email)

If "Workplace by Facebook" uses email addresses as unique identifier
(think primary key for a person) then that could work.
-peter

Володимир Олійник

Oct 20, 2017, 6:00:37 AM
to SimpleSAMLphp

"Workplace by Facebook" Test SSO button:

"SSO Not Authenticated
The SAML Response was invalid. Please check that all fields are correct and try again."

How can I debug this response, and how should it look?

I need a correct response example.

Thank you

screenshot


Володимир Олійник

Oct 20, 2017, 7:02:18 AM
to SimpleSAMLphp
Is it possible to configure SimpleSAMLphp for: Drupal 7 (IdP, user login form here) - SimpleSAMLphp - "Workplace by Facebook" (SP) without a SimpleSAMLphp custom module for "Workplace by Facebook" auth, or do I need to write a SimpleSAMLphp custom module for "Workplace by Facebook" auth?

thari...@gmail.com

Nov 8, 2017, 8:17:40 AM
to SimpleSAMLphp
Hi,

I faced the same issue and got it fixed. I wrote a blog post [1] with all the steps for configuring this using WSO2 Identity Server as the IdP. In the blog post, I've added a separate section called "Troubleshooting". There I have mentioned a few points and also a sample SAML response for reference.

I hope it'll be useful to you.

[1] http://www.securityinternal.com/2017/11/using-wso2-identity-server-as-saml.html

Regards,
Tharindu Edirisinghe

Tim van Dijen

Nov 8, 2017, 9:33:53 AM
to SimpleSAMLphp
The clue for the original poster is probably in the NameIdFormat:
https://simplesamlphp.org/docs/stable/simplesamlphp-reference-sp-remote#section_2
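The original poster's debugging question ("how should a valid Response look?") and the NameIDFormat hint above both come down to the same thing: the Response must carry exactly the values the SP published (Audience URL, Recipient URL, ACS URL) and a NameID in the format the SP expects. As an added Python example, not code from the thread or from SimpleSAMLphp, this checks a constructed, unsigned Response against those SP values; the idp.example/sp.example URLs and the e-mail NameID format are assumptions, not Workplace's real endpoints or a statement of what Workplace requires.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed, unsigned sample Response; the idp/sp.example URLs are placeholders,
# not real Workplace or SimpleSAMLphp endpoints.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
  IssueInstant="2017-10-20T10:00:00Z" Destination="https://sp.example/acs">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2017-10-20T10:00:00Z">
    <saml:Issuer>https://idp.example/simplesaml/saml2/idp/metadata.php</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@example.org</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2099-01-01T00:00:00Z" Recipient="https://sp.example/acs"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions><saml:AudienceRestriction><saml:Audience>https://sp.example</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

def check_response(xml_text, audience, recipient, acs_url, now=None):
    """Return the mismatches against the SP's values; [] means all checked fields agree."""
    now = now or datetime.now(timezone.utc)  # signature verification is out of scope here
    root = ET.fromstring(xml_text)
    problems = []
    if root.get("Destination") != acs_url:  # Response must be addressed to the SP's ACS URL
        problems.append(f"Destination {root.get('Destination')!r} != ACS URL {acs_url!r}")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:  # an EncryptedAssertion would have to be decrypted first
        return problems + ["no plaintext Assertion found"]
    aud = assertion.find("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    if aud is None or aud.text != audience:  # Audience must equal the SP's entityID/Audience URL
        problems.append(f"Audience mismatch, SP expects {audience!r}")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != recipient:
        problems.append("SubjectConfirmationData/@Recipient != Recipient URL")
    elif scd.get("NotOnOrAfter") and datetime.fromisoformat(
            scd.get("NotOnOrAfter").replace("Z", "+00:00")) <= now:
        problems.append("assertion expired: NotOnOrAfter is in the past")
    nameid = assertion.find("saml:Subject/saml:NameID", NS)
    if nameid is None or nameid.get("Format") != EMAIL_FORMAT:
        problems.append("NameID Format is not emailAddress")
    elif "@" not in (nameid.text or ""):  # the SP matches accounts by e-mail address
        problems.append(f"NameID {nameid.text!r} is not an e-mail address")
    return problems
```

Run it against the Response captured from the browser (after base64-decoding the SAMLResponse form field) with the three URLs copied from the SP's SSO page; each line it returns is a field the SP would reject.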