Use of simplesamlphp in Zend


Pratik

Mar 18, 2010, 10:28:36 PM
to simpleSAMLphp
Hi,

I am making an application in Zend Framework and using simplesamlphp
for SSO authentication. I am able to call the SP and IdP from the
application and able to authenticate the user by using the login form
at the IdP end. I am using oracle-groups to authenticate the user. My
SP and IdP are on two different machines.

Requirement -
To have a form at the SP end and sending username and password details
and just call the IdP for authentication purpose only.

Issue -
I was able to check the login using hard-coded values in the
handleLogin method of the UserPassBase.php at the IdP end but what I
do not know is how to send the username and password from the SP to
the IdP as they are on different machines?

If I have to use session, then let me know where and how to set the
session so that I can access the values from the session at the IdP
end as well...

Awaiting your response.


Thanks and Regards,
Pratik Jindal

Olav Morken

Mar 19, 2010, 2:31:38 AM
to simple...@googlegroups.com
On Thu, Mar 18, 2010 at 19:28:36 -0700, Pratik wrote:
> Requirement -
> To have a form at the SP end and sending username and password details
> and just call the IdP for authentication purpose only.
>
> Issue -
> I was able to check the login using hard-coded values in the
> handleLogin method of the UserPassBase.php at the IdP end but what I
> do not know is how to send the username and password from the SP to
> the IdP as they are on different machines?

The SAML protocol does not transfer the username and password from the
SP to the IdP. The typical behaviour is that the SP sends the user to
the IdP with an authentication request. The user then enters the
username and password at the IdP. The IdP will then verify the
credentials, and send a response back to the SP with some information
about the user (e.g. the user's name, email address, +++).

--
Olav Morken
UNINETT / Feide
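
The exchange described in the reply above, as an added example that is not part of the original thread and is not SimpleSAMLphp's own code: it builds the SP's authentication request for the SAML 2.0 HTTP-Redirect binding and decodes it as the IdP would, showing that the message names the SP and the response URL but has no field for a username or password. The entity IDs, URLs, RelayState value and function names are assumptions, and the request is unsigned.

```php
<?php
// Added example (PHP 7+, DOM and zlib extensions). Unsigned request;
// entity IDs and URLs are constructed placeholders.
const NS_SAMLP = 'urn:oasis:names:tc:SAML:2.0:protocol';
const NS_SAML  = 'urn:oasis:names:tc:SAML:2.0:assertion';

// SP side: build the AuthnRequest XML.
function buildAuthnRequest(string $spEntityId, string $acsUrl, string $idpSsoUrl): string
{
    $doc = new DOMDocument('1.0', 'UTF-8');
    $req = $doc->createElementNS(NS_SAMLP, 'samlp:AuthnRequest');
    $req->setAttribute('ID', '_' . bin2hex(random_bytes(16))); // matched later against InResponseTo
    $req->setAttribute('Version', '2.0');
    $req->setAttribute('IssueInstant', gmdate('Y-m-d\TH:i:s\Z'));
    $req->setAttribute('Destination', $idpSsoUrl);
    $req->setAttribute('AssertionConsumerServiceURL', $acsUrl);
    $issuer = $doc->createElementNS(NS_SAML, 'saml:Issuer');
    $issuer->appendChild($doc->createTextNode($spEntityId));
    $req->appendChild($issuer);
    $doc->appendChild($req);
    return $doc->saveXML($req);
}

// SP side: HTTP-Redirect binding = raw DEFLATE, then base64, then URL-encoding.
function redirectUrl(string $xml, string $idpSsoUrl, string $relayState): string
{
    return $idpSsoUrl . '?' . http_build_query([
        'SAMLRequest' => base64_encode(gzdeflate($xml)),
        'RelayState'  => $relayState, // opaque value the IdP echoes back
    ]);
}

// IdP side: reverse the encoding and list every field the SP actually sent.
function decodeAuthnRequest(string $url): array
{
    parse_str((string) parse_url($url, PHP_URL_QUERY), $params);
    $xml = gzinflate(base64_decode($params['SAMLRequest'] ?? '', true));
    $doc = new DOMDocument();
    if ($xml === false || !$doc->loadXML($xml, LIBXML_NONET)) {
        throw new InvalidArgumentException('Malformed SAMLRequest');
    }
    $issuer = $doc->getElementsByTagNameNS(NS_SAML, 'Issuer')->item(0);
    $fields = ['Issuer' => $issuer ? $issuer->textContent : null];
    foreach ($doc->documentElement->attributes as $attr) {
        $fields[$attr->name] = $attr->value;
    }
    return $fields;
}

$idp = 'https://idp.example.org/sso';
$xml = buildAuthnRequest('https://sp.example.org/metadata', 'https://sp.example.org/acs', $idp);
print_r(decodeAuthnRequest(redirectUrl($xml, $idp, 'return-token-123')));
```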

Pratik

Mar 20, 2010, 1:22:54 AM
to simpleSAMLphp
Thanks for the response but if there are different applications and
also have their own login page then how to go about it?
That is why I require a login page at SP end and send the
authentication details to IdP.

Can we modify the typical behavior of SAML protocol?

When we send the details to the IdP we send an AuthState parameter in
the URL, just let me know where it is set so that I can try to write
the code to send username and password as well as session variable.

Thanks
Pratik


Niels van Dijk

Mar 20, 2010, 8:16:07 AM
to simple...@googlegroups.com
Hi

Pratik wrote:
> Thanks for the response but if there are different applications and
> also have their own login page then how to go about it?
>

Offer two logins? One for 'local accounts', one for accounts that log in
at the IdP.


> That is why I require a login page at SP end and send the
> authentication details to IdP.
>
>

That will never ever work with simplesaml as the whole idea of using it
is to leave the username and password login over at the IdP -which the
users can trust- and not at the SP -which the user cannot trust.
Username and especially password are *never ever* sent to the SP.

> Can we modify the typical behavior of SAML protocol?
>
>

Not very likely...

Peter Schober

Mar 20, 2010, 9:37:34 AM
to simpleSAMLphp
* Pratik <pratik...@gmail.com> [2010-03-20 06:23]:

> Can we modify the typical behavior of SAML protocol?

Use LDAP instead of SAML?
-peter

Pratik

Mar 22, 2010, 7:05:16 AM
to simpleSAMLphp
Thanks for the reply.

Also tell me one thing, can we change the label (Username) to some
other text? If yes then in which page this can be done?
Also can different themes be applied on same screen based on some
conditions?

Awaiting response asap.

Thanks
Pratik Jindal

On Mar 20, 6:37 pm, Peter Schober <sp+lists.simples...@univie.ac.at>
wrote:
> * Pratik <pratikjin...@gmail.com> [2010-03-20 06:23]:

Peter Schober

Mar 22, 2010, 7:08:02 AM
to simpleSAMLphp
* Pratik <pratik...@gmail.com> [2010-03-22 12:05]:

> Also tell me one thing, can we change the label (Username) to some
> other text? If yes then in which page this can be done?
> Also can different themes be applied on same screen based on some
> conditions?

What label, on what screen?
-peter

Pratik

Mar 22, 2010, 8:05:42 AM
to simpleSAMLphp
That I have resolved... thanks...

Can we apply different header and footer on the login page based on
some condition?

Thanks
Pratik Jindal

On Mar 22, 4:08 pm, Peter Schober <sp+lists.simples...@univie.ac.at>
wrote:
> * Pratik <pratikjin...@gmail.com> [2010-03-22 12:05]:

Olav Morken

Mar 22, 2010, 8:09:16 AM
to simple...@googlegroups.com
On Mon, Mar 22, 2010 at 05:05:42 -0700, Pratik wrote:
> That I have resolved... thanks...
>
> Can we apply different header and footer on the login page based on
> some condition?

Only by replacing the templates and checking for the condition
in those. The templates are located in templates/includes/.

If you want to do it somewhat cleanly, you should override the
templates in a custom theme. See:

http://simplesamlphp.org/docs/1.5/simplesamlphp-theming
