Please help with some clue for making an authentication module for G Suite education.


dh...@esqbs.ac.id

Sep 28, 2017, 12:58:51
– SimpleSAMLphp
Dear all members

Please help me and give me some clue for making an authentication module for G Suite education. Somehow until now I don't understand how to make a custom auth module for supporting the SSO method on a third-party IDP at G Suite education.
I tried to follow https://simplesamlphp.org/docs/stable/simplesamlphp-googleapps, but I stopped at https://simplesamlphp.org/docs/stable/simplesamlphp-googleapps#section_5 till https://simplesamlphp.org/docs/stable/simplesamlphp-googleapps#section_7_2. In those sections, they explain about making example_auth. And in my thought, how can I make a custom auth module for me to get SSO to my G-Suite education SSO?!!

This is my SSO link: https://sso.esq165.co.id/saml/module.php/core/frontpage_welcome.php, still a raw script, because I'm just new to the SSO world.

Thank you for helping me
Best regards

Peter Schober

Sep 28, 2017, 17:44:13
– SimpleSAMLphp
* dh...@esqbs.ac.id <dh...@esqbs.ac.id> [2017-09-28 18:59]:
> Please help me and give me some clue for making an authentication
> module for G Suite education. Somehow until now I don't understand how
> to make a custom auth module for supporting the SSO method on a
> third-party IDP at G Suite education.

If you want SimpleSAMLphp to function as an IDP it needs to be able to
authenticate people, i.e., the IDP needs access to a service that can
verify credentials.

The most common and useful thing to do here is to use the same
authentication services with the IDP as your existing applications and
services are using, e.g. LDAP (or maybe RADIUS). Then the IDP will be
yet another LDAP client, like all your other applications.

> I tried to follow
> https://simplesamlphp.org/docs/stable/simplesamlphp-googleapps, but I
> stopped at
> https://simplesamlphp.org/docs/stable/simplesamlphp-googleapps#section_5
> till https://simplesamlphp.org/docs/stable/simplesamlphp-googleapps#section_7_2.
> In those sections, they explain about making example_auth. And in my thought,
> how can I make a custom auth module for me to get SSO to my G-Suite education
> SSO?!!

That documentation does not say you have to create a custom auth
module. It says an IDP needs an authentication source of some kind,
e.g. LDAP or something else (including making up your own) -- how else
are you going to authenticate subjects and send them on to the Service
Provider (Google, here)?

So if you want the IDP to provide authentication and SAML assertions
for SAML Service Providers you will need to configure an authsource in
the IDP that is able to do that. I.e., if I try to log in to your IDP
with username "user" and password "pass" what specifically should the
IDP do, how should it determine whether that's correct or not?

This is what you need to find out first.
-peter
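
Added example (not part of the original thread and not the SimpleSAMLphp project's own code): one way the authsource described in the reply above can look when the existing credential store is an LDAP directory, and how the hosted IdP is pointed at it. Option names follow the ldap:LDAP module of the SimpleSAMLphp 1.x series; the authsource name `campus-ldap`, the hostname, the DN pattern and the key file names are placeholders.

```php
<?php
// --- config/authsources.php (added example; all values are placeholders) ---
$config = array(
    // The array key is the authsource name the IdP refers to further down.
    'campus-ldap' => array(
        'ldap:LDAP',

        // The directory that already verifies passwords for local services.
        'hostname'   => 'ldap.example.org',
        // Use StartTLS so the bind password is not sent in clear text.
        'enable_tls' => true,

        // The login name is turned into a DN and a bind is attempted.
        // A successful bind is what tells the IdP the password was correct.
        'dnpattern'     => 'uid=%username%,ou=people,dc=example,dc=org',
        'search.enable' => false,

        // null = pass on every attribute the directory returns.
        'attributes' => null,
    ),
);

// --- metadata/saml20-idp-hosted.php (a separate file) ---
// Requires 'enable.saml20-idp' => true in config/config.php.
$metadata['__DYNAMIC:1__'] = array(
    'host'        => '__DEFAULT__',
    // Key pair used to sign assertions; placeholder file names under cert/.
    'privatekey'  => 'server.pem',
    'certificate' => 'server.crt',
    // Must match the authsource name defined in authsources.php.
    'auth'        => 'campus-ldap',
);
```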

Peter Schober

Sep 28, 2017, 17:55:18
– SimpleSAMLphp
* <dh...@esqbs.ac.id> [2017-09-28 18:59]:
> https://sso.esq165.co.id/saml/module.php/core/frontpage_welcome.php,

You seem to have enabled a SAML SP auth source here. Why?
From what you said (you want to log in to some Google service using
your own local accounts) you only need a SAML IDP, not (also) a SAML
SP. The SAML SP is the Google service here.
-peter

Message deleted

dh...@esqbs.ac.id

Sep 28, 2017, 19:52:09
– SimpleSAMLphp
Hi Peter

If I don't have any LDAP on my local IDP, because I just depend on user emails from Google that I created earlier, how can this case be resolved?

> So if you want the IDP to provide authentication and SAML assertions
> for SAML Service Providers you will need to configure an authsource in
> the IDP that is able to do that. I.e., if I try to log in to your IDP
> with username "user" and password "pass" what specifically should the
> IDP do, how should it determine whether that's correct or not?

This authsource is what I want to talk about. In authsources.php there are some example auth methods, and I read there is Google auth but it was using OpenID to sync; after I read from others on this group, Google doesn't support that anymore. And how can I make a custom auth for my SSO to get into Google?!

Peter Schober

Sep 29, 2017, 05:01:15
– SimpleSAMLphp
* <dh...@esqbs.ac.id> [2017-09-29 01:52]:
> If I don't have any LDAP on my local IDP, because I just depend on
> user emails from Google that I created earlier, how can this case
> be resolved?
[...]
> This authsource is what I want to talk about. In authsources.php there
> are some example auth methods, and I read there is Google auth but it was
> using OpenID to sync; after I read from others on this group, Google
> doesn't support that anymore. And how can I make a custom auth
> for my SSO to get into Google?!

You'll need to stop playing "How to do X with Y" and step away from
the technology for a moment. Instead clearly state what it is you
want to achieve?

In your subject line and first post you seemed to say that you want to
use Google Apps as a Service Provider/Relying Party (providing the
service) and therefore the only role for SimpleSAMLphp left here is
that of the IDP (Identity Provider), i.e. performing authentication
for your subjects and issuing protocol messages (possibly SAML or
maybe OIDC) to the SP/RP.

Now above you're saying you don't have local user accounts (AFAIU) and
again that you want Google to perform the authentication, for a Google
service.

If both the IDP is Google and the SP/RP is Google then you should
probably just use Google and forget about SimpleSAMLphp.
Or start explaining why you think SimpleSAMLphp is needed here.

-peter

Peter Schober

Oct 2, 2017, 05:58:40
– SimpleSAMLphp
* dh...@esqbs.ac.id <dh...@esqbs.ac.id> [2017-10-02 11:18]:
> Thank you for replying. Here in my case... I don't have LDAP or a local
> account, so I just depend on my college Google account.

If you want to use services from Google and have people authenticate
using Google's credentials, there's nothing to do for you and no role
for SimpleSAMLphp here.

If Google doesn't allow you to use their own services with their own
accounts/passwords I'd be surprised but have no advice to offer (this
is not a Google services support group).

> I am just following
> https://simplesamlphp.org/docs/stable/simplesamlphp-googleapps.

That's for when you want/need to provide authentication to Google
services from an existing, local user database of some sort. If you
don't have user accounts you're not an IDP and it doesn't apply.

-peter

Juan Manuel Palacios

Oct 5, 2017, 16:42:23
– SimpleSAMLphp
G Suite does allow you to configure Google as an IdP, and you can configure a local SP to use that. I did it here as one of my early tests for my SimpleSAMLphp/SSO infrastructure.

Thing is:

1) You need admin credentials on G Suite, which I don't have, so I don't know the exact details on how the configuration is done. And,...
2) I do remember from my supervisor (the admin on G Suite) that it's incredibly painful to get going, among other things because the Google dashboard has no facility to consume SP metadata, you have to enter every single integration detail manually in a form.

But, other than that, I can vouch for a SAML integration with G Suite as IdP working with SimpleSAMLphp as local SP.


--

Juan Palacios
Senior Software Architect
