Hi Adam,
Let me see if I understand your setup and what you want to achieve. You have a service provider (Jive) that you want to delegate authentication for. You have SimpleSAMLphp in a different host, acting as an IdP for this service provider. And finally, you have an application that you have written yourself, which holds the user accounts, stored in some backend. Then you have created an authentication source for SSP that delegates authentication to your custom application, and the problem is that SSP does not know if users have been logged into your application previously or not. Am I right?
The way you describe it, it also looks like users enter their credentials at the SSP login page, and your custom auth source performs authentication on their behalf against the custom application. That's a bad idea, and if this is what you are trying to do, I don't think you can.
The IdP (SSP) should not be delegating authentication to your custom app. Then it wouldn't be an IdP, but a proxy. Your IdP should be the only one authenticating your users, regardless of what they are trying to access. So if you have a backend where you store your user accounts, what you need to do is connect SSP to that backend and use a standard auth source to authenticate (provided that your backend is something common like a database or an LDAP server). Now you can stop authenticating users at your custom application and make it a service provider, just as Jive is. If it's written in PHP, you can very easily use SSP to accomplish that.
By the way, using a load balancer handling SSL does not imply the need for a SQL backend to store sessions. You would only need that if you have more than one server running your SSP IdP.
Of course, if I’m assuming something wrong or I misunderstood something, just tell me!
--
Jaime Pérez
UNINETT / Feide
mail: jaime...@uninett.no
xmpp: ja...@jabber.uninett.no
"Two roads diverged in a wood, and I, I took the one less traveled by, and that has made all the difference."
- Robert Frost
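As an added illustration of the setup Jaime recommends (example configuration written for this page, not code from the thread or from the SimpleSAMLphp project): the IdP authenticates against the account database with the stock sqlauth module, and the custom PHP application stops keeping its own login state and becomes a plain SP that asks SSP. Every hostname, DSN, table and column name, the salted SHA-256 password scheme and the released attribute names are assumptions; the class name is the SimpleSAMLphp 1.x API (`SimpleSAML_Auth_Simple`, namespaced as `\SimpleSAML\Auth\Simple` in later releases).

```php
<?php
// Added example, not from the original thread. Two halves of the setup:
// the IdP side (Part 1) and the custom application turned SP (Part 2).
// Names marked "assumed" are placeholders for the reader's own deployment.

// --- Part 1: on the IdP host, config/authsources.php ---
// (in the real file this array is assigned to $config)
// The IdP talks to the account backend directly through the stock sqlauth
// module; nothing is proxied to the application. metadata/saml20-idp-hosted.php
// then selects it with 'auth' => 'accounts-sql'.
$idpAuthsources = array(
    'accounts-sql' => array(
        'sqlauth:SQL',
        'dsn'      => 'mysql:host=db.example.org;dbname=accounts',  // assumed
        'username' => 'ssp_ro',                                      // assumed, read-only account
        'password' => 'change-me',
        // sqlauth binds :username and :password to the values typed into the
        // SSP login page. The stored hash is recomputed in SQL against the
        // per-user salt, so no password or hash is pulled into PHP (assumed schema:
        // users(uid, mail, cn, salt, pwhash, disabled)). One row = success;
        // the selected columns become the user's attributes.
        'query'    => 'SELECT uid, mail AS email, cn AS displayName'
                    . ' FROM users'
                    . ' WHERE uid = :username'
                    . '   AND pwhash = SHA2(CONCAT(salt, :password), 256)'
                    . '   AND disabled = 0',
    ),
);

// --- Part 2: in the custom application, which becomes an SP ---
// config/authsources.php of the SimpleSAMLphp install bundled with the app
// (again assigned to $config in the real file):
$spAuthsources = array(
    'default-sp' => array(
        'saml:SP',
        'entityID' => 'https://app.example.org/',                        // assumed
        'idp'      => 'https://idp.example.org/saml2/idp/metadata.php',  // assumed
        // Signing/encryption keys and the IdP metadata entry are omitted here.
    ),
);

// Application entry point. Loads the SimpleSAMLphp library; the install
// path is the one documented for 1.x and is an assumption for your host.
require_once('/var/simplesamlphp/lib/_autoload.php');

// Returns the authenticated user as seen by the IdP, redirecting to the IdP
// login page if there is no SP session yet. The application never handles
// a password and never needs to know whether the user "logged in before":
// it simply asks SSP each time.
function currentUser()
{
    $as = new SimpleSAML_Auth_Simple('default-sp');
    if (!$as->isAuthenticated()) {
        // Sends the user to the IdP and back to this URL after authentication.
        $as->requireAuth(array('ReturnTo' => 'https://app.example.org/'));  // assumed URL
    }

    // Attributes arrive as arrays of values, one per attribute name released
    // by the IdP. Fail closed if the identifier the app keys accounts on is missing.
    $attrs = $as->getAttributes();
    if (empty($attrs['uid'][0])) {
        throw new RuntimeException('IdP did not release the uid attribute');
    }

    return array(
        'uid'       => $attrs['uid'][0],
        'email'     => isset($attrs['email'][0]) ? $attrs['email'][0] : null,
        // Single logout link for the application's own "log out" button.
        'logoutUrl' => $as->getLogoutURL('https://app.example.org/'),        // assumed URL
    );
}
```

With this in place the only login form users ever see is the IdP's, Jive and the custom application are both ordinary SPs, and the "has this user already logged in" question is answered by the SP session that SSP creates on the application side, not by any shared state with the application's old login code.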