SimpleSAMLphp Integration with Existing PHP Applications


mcclunej

May 23, 2017, 3:27:28 PM
to SimpleSAMLphp
Hello Everyone,

This might be a simple question, but I'm having a hard time trying to get an existing PHP application integrated with SimpleSAMLphp. I know there is this example on SimpleSAMLphp's website:

Example code:

We start off with loading a file which registers the SimpleSAMLphp classes with the autoloader.

require_once('../../lib/_autoload.php');

We select our authentication source:

$as = new SimpleSAML_Auth_Simple('default-sp');

We then require authentication:

$as->requireAuth();

And print the attributes:

$attributes = $as->getAttributes();
print_r($attributes);

Each attribute name can be used as an index into $attributes to obtain the value. Every attribute value is an array - a single-valued attribute is an array of a single element.

We can also request authentication with a specific IdP:

$as->login(array(
    'saml:idp' => 'https://idp.example.org/',
));

Other options are also available. Take a look in the documentation for the SP module for a list of all parameters.

If we are using PHP sessions in SimpleSAMLphp and in the application we are protecting, SimpleSAMLphp will close any existing session when invoked for the first time, and its own session will prevail afterwards. If you want to restore your own session after calling SimpleSAMLphp, you can do so by cleaning up the session like this...


However, my SimpleSAMLphp IdP is on another system. Here is what I'm trying to accomplish:

1.) Centralizing several PHP-based network monitoring applications into one system

2.) Using SimpleSAMLphp as an IdP. Eventually, I want to use the login on SimpleSAMLphp as a "centralized portal" where you login and start an IdP initiated SSO. The SSO will be for the network monitoring applications.


Is there an example of using SimpleSAMLphp as an IdP for PHP applications (on other systems)? Do you have to install SimpleSAMLphp on the SPs too? I can provide metadata information if it is requested. I'm still very new to the concept of SAML. If I am asking for something SimpleSAMLphp cannot do, I apologize. Again, I also apologize if I'm asking stupid questions. Any help is much appreciated! Thanks.
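The documentation snippet quoted above, carried through into a complete SP-side page that hands the SAML identity over to an existing application's own session, as an added example (it is not part of the original post or of the SimpleSAMLphp project). It assumes SimpleSAMLphp 1.x installed under /var/simplesamlphp with an SP authsource named 'default-sp', an IdP entityID of https://idp.example.org/saml2/idp/metadata.php, and that the IdP releases the attributes 'uid' and 'eduPersonAffiliation'; all of these are placeholders to adjust.

```php
<?php
// Added example, not the original post's code. Paths, entityID and
// attribute names below are assumptions for illustration.
require_once('/var/simplesamlphp/lib/_autoload.php');

$as = new SimpleSAML_Auth_Simple('default-sp');
$as->requireAuth();   // redirects to the IdP when no SP session exists yet

// Fail closed: only accept an assertion from the IdP this SP was set up for.
// 'saml:sp:IdP' is the entityID of the IdP that issued the current session.
$expectedIdp = 'https://idp.example.org/saml2/idp/metadata.php'; // assumed
if ($as->getAuthData('saml:sp:IdP') !== $expectedIdp) {
    http_response_code(403);
    exit('Assertion from an unexpected IdP');
}

$attributes = $as->getAttributes();

// Every attribute value is an array. Return the single value, or null when
// the attribute is absent or multi-valued, so the caller cannot silently use
// an empty or ambiguous identifier.
function singleValue(array $attrs, $name)
{
    if (!isset($attrs[$name]) || count($attrs[$name]) !== 1) {
        return null;
    }
    return $attrs[$name][0];
}

$uid = singleValue($attributes, 'uid');
if ($uid === null) {
    http_response_code(403);
    exit('Required attribute "uid" missing or multi-valued');
}
$roles = isset($attributes['eduPersonAffiliation'])
    ? $attributes['eduPersonAffiliation'] : array();

// Hand over to the existing application: close SimpleSAMLphp's session
// (cleanup() is the 1.x call the docs refer to; assumed here), then start
// the application's own PHP session with a fresh id after authentication.
SimpleSAML_Session::getSessionFromRequest()->cleanup();
session_start();
session_regenerate_id(true);
$_SESSION['uid']   = $uid;
$_SESSION['roles'] = $roles;
$_SESSION['idp']   = $expectedIdp;
```

Downstream pages of the application then read $_SESSION as before; only this entry point needs SimpleSAMLphp, which is the usual way to wire an SP in front of an existing PHP codebase.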


Peter Schober

May 23, 2017, 5:10:44 PM
to SimpleSAMLphp
* mcclunej <mccl...@norwalktruckers.net> [2017-05-23 21:27]:
> *This might be a simple question, but I'm having a hard time trying
> to get an existing PHP application integrated with SimpleSAMLphp.

Then what you install and configure is a SAML Service Provider (SP).

> However, my SimpleSAMLphp IdP is on another system.

Irrelevant. SAML IDPs (Identity Providers) and SPs communicate by
exchanging SAML protocol messages. So...

1. It's perfectly fine (and makes up the vast majority of deployments)
to have the IDP on a different system than the protected resource.
2. Since SP and IDP communicate via standardized SAML protocol
messages the implementation of each role (IDP, SP) is
irrelevant. It could be SimpleSAMLphp on the one side, and
Shibboleth on another (or whatever).

That's why standardized network protocols exist, so that you can have
interop between different software, systems and implementations.

> Here is what I'm trying to accomplish:
>
> 1.) Centralizing several PHP-based network monitoring applications into one
> system

An SSO system won't "centralize applications into one system", per se.
It will allow Single Sign-On, i.e., ease access to many separate
systems and servers. Maybe that's enough for you. (It is for us.)

> 2.) Using SimpleSAMLphp as an IdP. Eventually, I want to use the login on
> SimpleSAMLphp as a "centralized portal" where you login and start an IdP
> initiated SSO. The SSO will be for the network monitoring applications.

"IDP-initiated" is a misnomer, really, you're merely replacing a SAML
2.0 standard-defined request with an implementation-specific,
proprietary request. That's nothing to aspire to.

> Is there an example of using SimpleSAMLphp as an IdP for PHP
> applications (on other systems)?

Yes, and you've already seen the documentation for exactly that.
No idea what gave you the impression SAML and SimpleSAMLphp was only
for having the protected resource and the SSO-providing IDP on the
same system. That would be pointless.

> Do you have to install SimpleSAMLphp on the SP's too?

You can only have SAML WebSSO to a SAML SP. If the SAML SP is not on
the machine hosting the protected resource the SAML SP cannot protect
the resource. (D'oh!)
So you might use something else to protect the resource, but that only
creates the problem of how to tie the SAML SP to the "something else"
you're using to protect the resource.
In short: yes.
Slightly less short: No, but a suitable SAML SP implementation,
whether SSP or Shibboleth or something else is another question.
(Adding even more confusion: Just because the protected resource is a
PHP application doesn't mean you have to use SimpleSAMLphp. You can, of
course, but there are also alternatives. The beauty of standard
protocols.)

> If I am asking for something SimpleSAMLphp cannot do, I
> apologize.

You're not, and there's no reason for any apologies when asking stuff.

-peter