User already logged in through existing custom application, want to not force user to log in again when being redirected by SP


Adam Bodnar

Apr 1, 2015, 6:23:55 PM
to simple...@googlegroups.com
I'm fairly new to SSP, but I've got it set up as an IdP and written a module that uses the authentication for my application. When the user goes to the SP (Jive), they are redirected to SSP and asked to log in. But what I haven't been able to figure out is what I need to add so that, if the user is already logged into my application, they won't be forced to enter their login and password again. I've been able to test in the constructor of my module that the user is logged into my application. I know that SSP is looking for a session; I just need to know what I can do to have that generated.

Thanks.


Adam Bodnar

Apr 8, 2015, 3:54:17 PM
to simple...@googlegroups.com
Ok, so I've been googling around and haven't found anything that truly answered my issue. But one thing I found was the suggestion of adding SimpleSAML_Session::getSession() to my custom application during login. I've also switched from using phpsessions to sql due to SSP running on a different server than where the custom app lives. (This is necessary due to the use of a load balancer that handles the SSL instead of configuring Apache to do it.)

However, I'm still not able to get SSP to allow a user to bypass the SSP login when a user is already logged in to the custom application.

Does anyone have any ideas?

Jaime Perez Crespo

Apr 10, 2015, 6:56:22 AM
to simple...@googlegroups.com
Hi Adam,

Let me see if I understand your setup and what you want to achieve. You have a service provider (Jive) that you want to delegate authentication for. You have SimpleSAMLphp in a different host, acting as an IdP for this service provider. And finally, you have an application that you have written yourself, which holds the user accounts, stored in some backend. Then you have created an authentication source for SSP that delegates authentication to your custom application, and the problem is that SSP does not know if users have been logged into your application previously or not. Am I right?

The way you describe it, it also looks like users write their credentials at the SSP login page, and your custom auth source performs authentication on their behalf against the custom application. That’s a bad idea, and if this is what you are trying to do, I don’t think you can.

The IdP (SSP) should not be delegating authentication to your custom app. Then it wouldn’t be an IdP, but a proxy. Your IdP should be the only one authenticating your users, regardless of what they are trying to access. So if you have a backend where you store your user accounts, what you need to do is to connect SSP to that backend, and use a standard auth source to authenticate (provided that your backend is something common like a database or an LDAP server). Now you can stop authenticating users at your custom application, and make it a service provider, just as Jive is. If it’s written in PHP, you can very easily use SSP to accomplish that.

By the way, using a load balancer handling SSL does not imply the need for a SQL backend to store sessions. You would only need that if you have more than one server running your SSP IdP.

Of course, if I’m assuming something wrong or I misunderstood something, just tell me!
--
Jaime Pérez
UNINETT / Feide
mail: jaime...@uninett.no
xmpp: ja...@jabber.uninett.no

"Two roads diverged in a wood, and I, I took the one less traveled by, and that has made all the difference."
- Robert Frost

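The setup Jaime describes (SSP authenticates against the account backend, and the custom app becomes just another SP next to Jive) is what gives the original poster the "already logged in" behaviour for free: the IdP keeps its own session on the IdP host, so a user who has authenticated for either SP is returned to the other with an assertion and never sees the login form twice. The following is an added example of the application side, not code from the thread or from the SimpleSAMLphp project. It assumes SimpleSAMLphp is installed at /var/simplesamlphp on the application host, that config/authsources.php on that host defines a 'saml:SP' source named 'app-sp' pointing at the IdP, and that the IdP releases 'uid' and 'mail' attributes; those names are assumptions.

```php
<?php
// Added example, not SimpleSAMLphp project code: the custom application
// rewritten as a SAML SP that relies on the SimpleSAMLphp IdP for login.
// Assumed paths and names: /var/simplesamlphp, authsource 'app-sp',
// attributes 'uid' and 'mail'.
require_once '/var/simplesamlphp/lib/_autoload.php';

class AppSession
{
    private $as;

    public function __construct($authSource = 'app-sp')
    {
        // SP-side API of SimpleSAMLphp 1.x. In newer releases the same class
        // is \SimpleSAML\Auth\Simple with the same methods.
        $this->as = new SimpleSAML_Auth_Simple($authSource);
    }

    /**
     * Returns the current user, starting a SAML login if there is no SP session.
     * requireAuth() redirects to the IdP when needed and does not return in
     * that case; the IdP answers without a login form if it already has a
     * session for this browser (e.g. from an earlier login through Jive).
     */
    public function requireUser()
    {
        $this->as->requireAuth();
        return $this->userFromAttributes($this->as->getAttributes());
    }

    /** Same, but never forces a login: null on public pages for anonymous users. */
    public function currentUser()
    {
        if (!$this->as->isAuthenticated()) {
            return null;
        }
        return $this->userFromAttributes($this->as->getAttributes());
    }

    /** Single logout through the IdP, then return to the app's front page. */
    public function logoutUrl()
    {
        return $this->as->getLogoutURL('/');
    }

    private function userFromAttributes(array $attrs)
    {
        // SAML attribute values always arrive as arrays. Refuse to proceed if
        // the IdP did not release the identifier the app keys accounts on:
        // a missing attribute must not silently map to an empty username.
        if (empty($attrs['uid'][0])) {
            throw new RuntimeException('IdP did not release a uid attribute');
        }
        return [
            'username' => $attrs['uid'][0],
            'email'    => isset($attrs['mail'][0]) ? $attrs['mail'][0] : null,
        ];
    }
}

// Usage in any protected page of the custom application:
$session = new AppSession();
$user = $session->requireUser();
echo 'Hello, ' . htmlspecialchars($user['username'], ENT_QUOTES, 'UTF-8');
```

Two things on the IdP host complete the picture. The hosted IdP metadata (metadata/saml20-idp-hosted.php) points its 'auth' key at a standard authentication source such as 'sqlauth:SQL' or 'ldap:LDAP' configured against the existing account store, so the custom app's own password check disappears rather than being proxied. And, as Jaime notes, the IdP session cookie lives on the IdP host only; the app and the IdP never need to share a session store, so a TLS-terminating load balancer in front of a single IdP does not by itself call for the SQL session handler.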

Adam Bodnar

Apr 14, 2015, 12:11:03 PM
to simple...@googlegroups.com
Thanks for replying Jaime.

Yes, that sounds right. I was not using the SSP login page for my custom application. I was hoping/trying to initiate the SSP session when they logged into my application so that when they attempted to go to Jive and it routed through SSP, it would not present the login page since they are already authenticated. But from my own googling and trying, I don't believe this is possible.

I've come to the same conclusion that I would need to use SSP as my IdP and then change my app to be an SP.

Yeah, I would be using multiple servers in my instance.