Integrating SimpleSAMLphp into existing login process


clyps...@gmail.com

May 1, 2018, 9:03:35 PM
to SimpleSAMLphp
I'm struggling to understand how to solve this problem, and SimpleSAMLphp in general, so any assistance would be appreciated.

Let's say I have a site with a login, and that login is handled via a non-SimpleSAMLphp process that sets a user's data to session variables. Site A.

I also have a number of other sites, B - D, with similar login processes. In an attempt to make things easier for the users, I attempt to establish a single sign-on with Site A being the target.

If I understand how SimpleSAMLphp works, I would set up Site A as an IdP and B - D as SPs. Let's also say I've copied the exampleauth:External module to a myauth:External module and changed everything to make it work the same.

At this point, I can log in through the SimpleSAMLphp authpage.php form and everything is great.

But what can I do if someone has logged in through the non-simplesamlphp process?

So far I've been unable to carry over or insert non-simplesamlphp into the SimpleSAMLphp process. I understand that the process destroys and remakes the session, but is there no way for SimpleSAMLphp to set a user as having been authenticated based on session data that exists outside of the SimpleSAMLphp session?

I apologize if any of the terminology I'm using is vague or incorrect, and any help is appreciated.
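A custom authentication source built on the exampleauth:External pattern the question mentions, as an added example (not code from this thread or from the SimpleSAMLphp project): getUser() reads the application's own PHP session, and when a user is present authenticate() hands the attributes to SimpleSAMLphp instead of showing its own login form. Assumed: the module name myauth, the application's session cookie name APPSESSID and session keys uid/email, a resume.php script in the module, and that SimpleSAMLphp's store.type is not phpsession, so the two sessions do not collide.

```php
<?php
// Assumed location: modules/myauth/lib/Auth/Source/External.php (module name is hypothetical)
namespace SimpleSAML\Module\myauth\Auth\Source;

use SimpleSAML\Auth\Source;
use SimpleSAML\Auth\State;
use SimpleSAML\Module;
use SimpleSAML\Utils\HTTP;

class External extends Source
{
    // Read the application's (non-SimpleSAMLphp) session; null when nobody is logged in there.
    private function getUser(): ?array
    {
        if (session_id() === '') {
            session_name('APPSESSID'); // assumed cookie name of the legacy login process
            $params = session_get_cookie_params();
            // A Secure-flagged cookie must not be read over plain HTTP.
            if ($params['secure'] && !HTTP::isHTTPS()) {
                return null;
            }
            session_start();
        }
        if (empty($_SESSION['uid'])) {
            return null;
        }
        // Map legacy session fields to SAML attributes (field names are assumptions).
        return [
            'uid'  => [(string) $_SESSION['uid']],
            'mail' => [(string) ($_SESSION['email'] ?? '')],
        ];
    }

    public function authenticate(array &$state): void
    {
        $user = $this->getUser();
        if ($user !== null) {
            // Already authenticated by the legacy process: SimpleSAMLphp continues the SAML flow.
            $state['Attributes'] = $user;
            return;
        }
        // No legacy login yet: park the state, send the user to the application's login page,
        // and let resume.php finish with State::loadState() and Source::completeAuth().
        $state['myauth:AuthID'] = $this->authId;
        $stateId  = State::saveState($state, 'myauth:External');
        $returnTo = Module::getModuleURL('myauth/resume.php', ['State' => $stateId]);
        HTTP::redirectTrustedURL('/login.php', ['ReturnTo' => $returnTo]);
    }
}
```

The attributes returned here are trusted by every SP behind the IdP, so the legacy login that populates APPSESSID is the security boundary; nothing in this class re-verifies the user.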

clyps...@gmail.com

May 1, 2018, 9:07:15 PM
to SimpleSAMLphp
"So far I've been unable to carry over or insert non-simplesamlphp into the SimpleSAMLphp process. "

Should be:
"So far I've been unable to carry over or insert non-simplesamlphp session data into the SimpleSAMLphp process."

Tom Scavo

May 2, 2018, 8:33:14 AM
to simpleSAMLphp
On Tue, May 1, 2018 at 9:03 PM, <clyps...@gmail.com> wrote:
>
> Let's say I have a site with a login...
> I also have a number of other sites, B - D, with similar login processes.

Do the sites share the same user base? If so, then a single IdP will
support all of your users.

> In an attempt to make things easier for the users, i attempt to establish a single sign on with Site A being the target.
>
> If I understand how simplesamlphp works, i would set up Site A as an IdP and B - D as SPs.

No, Site A is an SP too. The IdP is independent of the sites, all of
which are potential SPs.

> At this point, I can log in through the SimpleSAMLphp authpage.php form and everything is great.
>
> But what can I do if someone has logged in through the non-simplesamlphp process?

Assuming you have a single user base across all sites, you need to
eliminate the local login process at each site in favor of a single
federated login process. That is, you need to deploy an IdP and then
integrate each SP with that IdP.

Tom

mildred.ro...@gmail.com

May 2, 2018, 11:12:53 AM
to SimpleSAMLphp
Hi Tom,

Thanks for your response. Unfortunately, the user base is not consistent across all sites. It is also not very likely that we would be able to get rid of the current login processes.

Can you think of any way I can accomplish what I need to do?

Tom Scavo

May 2, 2018, 12:19:08 PM
to simpleSAMLphp
On Wed, May 2, 2018 at 11:12 AM, <mildred.ro...@gmail.com> wrote:
>
> Unfortunately, the user base is not consistent across all sites.

Hmm, then why is SSO a requirement?

Tom

clyps...@gmail.com

May 2, 2018, 1:00:36 PM
to SimpleSAMLphp
Hi Tom,

Thanks again for your quick response. The reason why SSO is a requirement is because I want the users on B - D to have the option to be able to log in with credentials from Site A, but also have the option to log in with an account they've created on B - D.

Tom Scavo

May 2, 2018, 2:03:25 PM
to simpleSAMLphp
On Wed, May 2, 2018 at 1:00 PM, <clyps...@gmail.com> wrote:
>
> Thanks again for your quick response. The reason why SSO is a requirement is because I want the users on B - D to have the option to be able to log in with credentials from Site A, but also have the option to log in with an account they've created on B - D.

I see. In that case, you want to decompose Site A into both an IdP
component and an SP component (independent of the other sites). Site A
users still log into Site A with the same username/password, they just
use a SAML flow to do it. If done properly, that should be an easy
migration.

Once your Site A users are happily using the new IdP, you can start
migrating the other sites.

Those are my initial thoughts at least. Maybe someone else on the list
has other ideas.

Tom