I'm not claiming to understand your use-case (how much of that is
inventing SSO protocols and matching software, how much is merely
about deploying standard SAML, etc.), but anyway:
* Rodrigo Santiago <
trump...@gmail.com> [2016-08-28 00:54]:
> Is there a way to handle logins (authenticate) from external, i
> mean, not from browsers (request protocol), but from a internal API
> code, once the user is already logged in another system ?
If the browser is not present at the (SimpleSAMLphp) IDP how should
SimpleSAMLphp know for whom to assert what data?
So if you're talking about using SimpleSAMLphp as a SAML Identity
Provider implementing the OASIS SAML Web Browser SSO Profile then the
browser will need to be present at the IDP at some point, in order to
present *something* to SimpleSAMLphp in exchange for a SAML assertion
that the browser then can relay to the SP, as per the specification.
Ordinarily that "something" is some form of credential (such as a
username and password) but it could also be any other mechanism (a
custom auth source, e.g. checking for the presence of a custom cookie
or whatever) that allows to clearly identify the subject.
SSP can certainly be used as an IDP in a transparent fashion (i.e., no
visible UI interaction) if it's being used as "downstream" client to
an "upstream" SSO protocol/system. But you can't replace
"authenticating the subject present in a browser" with "nothing".
If all you want is some code that generates xmldsig-sigend XML as per
the SAML specs -- triggered by custom code of your own, fully
unrelated to the SAML protocol -- you're free to salvage parts of the
SimpleSAMLphp code base, of course, as long as you adhere to its
licence requirements.
-peter