integrating simplesaml IdP authentication into an existing login system


ikoseli

Nov 1, 2011, 6:17:16 PM
to simpleSAMLphp
Hi,
Is there any documentation on how to integrate simplesaml IdP into an
existing login system?
For example, say a Company has two products "Product A" and "Product
B".

"Product A" has the user tables along with permissions and provides
login interface.
Also, "Product A" can direct users to "Product B". "Product A" and
"Product B" live on separate servers.

This is what needs to happen: when the user enters their credentials
in the interface, the login system needs to authenticate and generate an
entityID.
When the user then clicks within "Product A" we need to seamlessly
transfer to "Product B".

"Product B" then requests permission info from "Product A" using "SAML
Request". Since the users were already validated in "Product A" we
have seamless transition.

Is this a good example at all?

Thanks
ikoseli

Olav Morken

Nov 3, 2011, 8:25:53 AM
to simple...@googlegroups.com
On Tue, Nov 01, 2011 at 15:17:16 -0700, ikoseli wrote:
> Hi,
> Is there any documentation on how to integrate simplesaml IdP into an
> existing login system?
> For example, say a Company has two products "Product A" and "Product
> B".
>
> "Product A" has the user tables along with permissions and provides
> login interface.
> Also, "Product A" can direct users to "Product B". "Product A" and
> "Product B" live on separate servers.
>
> This is what needs to happen: When the user enter their credentials
> in the interface the login system needs to authenticate and generate
> entityID.

You mean "generate SAML 2.0 assertion" or something like that, I assume?

> When the users then clicks within "Product A" we need to seamlessly
> transfer to "Product B".
>
> "Product B" then requests permission info from "Product A" using "SAML
> Request". Since the users were already validated in "Product A" we
> have seamless transition.
>
> Is this a good example at all?

It is not really how SAML 2.0 normally works. A way that it could work
is like the following:

A SAML 2.0 IdP is integrated with product A, so that it shares a user
session with that product. It can also retrieve information about the
user and permissions of the user from product A.

When the user clicks a link to product B from product A, the user is
sent to product B. Product B uses a SAML 2.0 SP to send an
authentication request to product A. Product A then authenticates the
user using the existing user session it has. It then sends an
authentication response back to product B. Product B then uses the data
from the authentication response to validate the user, and determine
the permissions of the user.


For an example of how a simpleSAMLphp IdP can be integrated into an
existing site's authentication session, you can take a look at the
source code and comments in the following files:

modules/exampleauth/lib/Auth/Source/External.php
modules/exampleauth/www/authpage.php


Regards,
Olav Morken
UNINETT / Feide

my koseli

Nov 3, 2011, 1:45:47 PM
to simple...@googlegroups.com
Thank you so much for your response.

I will follow up with the files that you have mentioned.

Sincerely
ikoseli




my koseli

Nov 8, 2011, 5:59:23 AM
to simple...@googlegroups.com
To follow up with this:

Is there any documentation on how to send an attribute request/response using simplesaml once the user is authenticated?
I also wanted to find out if it is possible to send user attributes, along with other extra attributes, with the authentication response?


thanks

Olav Morken

Nov 8, 2011, 6:18:58 AM
to simple...@googlegroups.com
On Tue, Nov 08, 2011 at 03:59:23 -0700, my koseli wrote:
> To follow up with this:
>
> Is there any documentation on how to send attribute request/response using
> simplesaml once the user is authenticated?

There is no real support for attribute queries in simpleSAMLphp. There
are some classes available that make it possible to implement support
for it, but there is no support for it "out-of-the-box".

> I wanted to also find if it was possible to send user attributes along with
> other extra attributes along with the authen response?

Yes, you can add attributes through "authentication processing
filters". They run after authentication, before the response is sent,
and allow you to (amongst other things) add extra attributes to the
response. See:

http://simplesamlphp.org/docs/1.8/simplesamlphp-authproc
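As an added illustration of the authentication processing filter mechanism described in the reply above (this is example code written for this page, not code from the simpleSAMLphp project or from anyone in the thread): a custom filter that pulls the user's permissions out of product A's database and adds them to the response as a multi-valued attribute. For static values the built-in core:AttributeAdd filter from the authproc documentation is enough; a custom filter is needed when the values come from a database. The module name "producta", the table producta_permissions and its columns, the attribute name productA-permissions and the DSN/credentials are all assumptions. The filter keys the lookup on the SP's entity ID (available to IdP-side filters as $request['Destination']['entityid']) so that product B only receives the permissions meant for product B.

```php
<?php
/*
 * Added example, not code from the simpleSAMLphp project or from this thread.
 * A simpleSAMLphp 1.8 authentication processing filter that adds product A's
 * permissions to the response as a multi-valued attribute, limited to the
 * permissions that apply to the SP the response is going to. Assumed
 * (hypothetical) names: module "producta", the table
 * producta_permissions(username, sp_entityid, permission), and a single-valued
 * 'uid' attribute set by the authentication source.
 *
 * File: modules/producta/lib/Auth/Process/Permissions.php, enabled in
 * metadata/saml20-idp-hosted.php with:
 *   'authproc' => array(
 *       50 => array('class' => 'producta:Permissions',
 *                   'dsn' => 'mysql:host=localhost;dbname=producta',
 *                   'dbuser' => 'ssp', 'dbpass' => 'secret'),
 *   ),
 */
class sspmod_producta_Auth_Process_Permissions extends SimpleSAML_Auth_ProcessingFilter {

    private $dsn;
    private $dbUser;
    private $dbPass;

    public function __construct($config, $reserved) {
        parent::__construct($config, $reserved);
        foreach (array('dsn', 'dbuser', 'dbpass') as $key) {
            if (!isset($config[$key])) {
                throw new Exception('producta:Permissions: missing option "' . $key . '".');
            }
        }
        $this->dsn = $config['dsn'];
        $this->dbUser = $config['dbuser'];
        $this->dbPass = $config['dbpass'];
    }

    public function process(&$request) {
        assert('is_array($request)');
        assert('array_key_exists("Attributes", $request)');
        assert('array_key_exists("Destination", $request)');

        $attributes =& $request['Attributes'];
        // Never carry a permission list through from the authentication source;
        // this filter is the only place it is set.
        unset($attributes['productA-permissions']);

        if (empty($attributes['uid'][0])) {
            SimpleSAML_Logger::warning('producta:Permissions: no uid, sending no permissions.');
            return;
        }
        $uid = $attributes['uid'][0];
        // The SP's entity ID, so product B only sees permissions meant for product B.
        $spEntityId = $request['Destination']['entityid'];

        $db = new PDO($this->dsn, $this->dbUser, $this->dbPass);
        $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        // Prepared statement: uid and entity ID are data, never concatenated into SQL.
        $st = $db->prepare('SELECT permission FROM producta_permissions' .
            ' WHERE username = :u AND sp_entityid = :sp ORDER BY permission');
        $st->execute(array(':u' => $uid, ':sp' => $spEntityId));
        $permissions = $st->fetchAll(PDO::FETCH_COLUMN, 0);

        if (count($permissions) > 0) {
            // One <saml:AttributeValue> per permission in the assertion.
            $attributes['productA-permissions'] = $permissions;
        }
    }
}
```

Product B's SP sees the permissions only after it has verified the signature on the IdP's response, which is what makes them trustworthy; the filter's job is just to make sure nothing ends up in the assertion that the receiving SP is not entitled to.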

my koseli

Nov 8, 2011, 10:19:08 AM
to simple...@googlegroups.com
Again, thank you for your response. If I can trouble you with few questions regarding the external module again.

I now have a test system where a user logs in to product A and a session is created unique to product A. The user then proceeds to product B (the URL of product B contains the session info for the product). Product B sends an Authen request to the IdP with session_id as the "identifier". The IdP uses the session_id to validate the user. One of the things that I am confused about with simplesaml is that it sets up a cookie in the SessionHandlerCookie file (SessionHandlerCookie.php:54). If I use the external class to authenticate, do I need to use this cookie handling?

Thank you

<samlp:AuthnRequest
     xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
     xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
     ID="identifier_3"

my koseli

Nov 9, 2011, 12:37:32 AM
to simple...@googlegroups.com
Hi, not to confuse you by adding another question to this topic.


I wanted to see if it is possible to instantiate IdP initiated login.

So far I have this:

When the user logs into product A I am trying to set cookies "SimpleSAML_Session" and "SimpleSAML_AuthToken" by doing something like this inside product A. All this happens once the user is validated and there is a session_id in GLOBAL scope.

$as = new SimpleSAML_Auth_Omniture('example-external');
$as->isAuthenticated();
$state = array(
                        'ErrorURL' => 'https://test.url.com/SSO/module.php/core/authenticate.php?as=example-external',
                        'ReturnTo' => 'https://test.url.com/SSO/module.php/core/authenticate.php?as=example-external',
                        'SimpleSAML_Auth_State.restartURL' => 'https://test.url.com/SSO/module.php/core/as_login.php?AuthId=example-external',
                        'SimpleSAML_Auth_Default.id' => 'example-external',
                        ..............
                        'SimpleSAML_Auth_State.id' => SimpleSAML_Utilities::generateID(),
             );
SimpleSAML_Auth_Source::completeAuth($state);

I have also created company-specific session files that for now just have different names in the lib/SimpleSAML folder.

For example:

CustomSessionHandlerCookie.php
CustomSessionHandler.php
CustomSession.php
CustomSessionHandlerStore.php

The only function I am modifying is the one that generates the session_id called "createSessionID". It right now gets the session_id created in global scope. What happens so far is when the user logs into product A they get redirected to "my custom module" login page (the one that is in the SAML module). My problem is this happens even after I call:
 
SimpleSAML_Auth_Source::completeAuth($state);

Is it possible to just redirect the user to regular product page because by the time "completeAuth" is called the user is already validated.

Is the way I am approaching this a valid way of doing or am I completely going off the track?

Thank you
mykoseli

Olav Morken

Nov 9, 2011, 1:42:13 AM
to simple...@googlegroups.com
On Tue, Nov 08, 2011 at 08:19:08 -0700, my koseli wrote:
> Again, thank you for your response. If I can trouble you with few questions
> regarding the external module again.
>
> I now have a test system where a user logs in to product A and a session is
> created unique to product A. The user then proceeds to product B (the url
> of the product B contains the session info for the product). The product B
> sends a Authen request to IdP with session_id as the "identifier".

You are aware that this identifier is not supposed to identify the user,
but rather the message?

> The IdP
> uses the session_id to validate the user.

So the IdP uses the SP to authenticate the user through a
non-standardized method involving a session identifier sent in the
message identifier field in the authentication request? Now you are
moving way outside of the SAML 2.0 protocol. Why are you even trying to
use SAML 2.0?

> One of the things that I am
> confused about the simplesaml is that it sets up a cookie in
> SessionHandlerCookie file at line (SessionHandlerCookie.php:54). If I use
> external class to authenticate do I need use this cookie handling?

Running without a session cookie (and thus without a session) is not
supported by simpleSAMLphp.

Olav Morken

Nov 9, 2011, 1:50:10 AM
to simple...@googlegroups.com
On Tue, Nov 08, 2011 at 22:37:32 -0700, my koseli wrote:
> Hi not to confuse you by adding another question to this topic.
>
>
> I wanted to see if it is possible to instantiate IdP initiated login.
>
> So far I have this:
>
> When the user logs into product A I am trying to set cookies
> "SimpleSAML_Session" and "SimpleSAML_AuthToken" by doing something like
> this inside product A. All this happens once the user is validated and
> there is a session_id in GLOBAL scope.


[...]

> Is it possible to just redirect the user to regular product page because by
> the time "completeAuth" is called the user is already validated.
>
> Is the way I am approaching this a valid way of doing or am I completely
> going off the track?

Way off track. Have you looked at the "external authentication" example?

modules/exampleauth/lib/Auth/Source/External.php
modules/exampleauth/www/authpage.php
modules/exampleauth/www/resume.php

As far as I can tell, you are going in the opposite direction of what that
one describes. Instead of trying to create a simpleSAMLphp session from
your external page, fetch the authentication session from within
simpleSAMLphp. You will then get support for both IdP-initiated
authentication and SP-initiated authentication for standard
SAML 2.0 SPs.

Regards,
Olav Morken
UNINETT / Feide

my koseli

Nov 9, 2011, 5:15:11 PM
to simple...@googlegroups.com
I am sorry about that.
Does the following sound right then?

User logs into product A
We set a cookie (a cookie called, for example, "user_id", where the user session is stored; this session is also in a separate db)

User then proceeds to product B
Product B sends a samlRequest to product A.
Product A uses External.php to authenticate the user based upon the user_id found in the cookie. It then sends an Assertion to product B.

I know that this doesn't create a simpleSAMLphp session that is supported by both IdP and SP, but I wanted to see if this is maybe one of the ways we could authenticate.

Thanks



product A looks up the session from the cookie and gets the u

Olav Morken

Nov 10, 2011, 2:01:12 AM
to simple...@googlegroups.com
On Wed, Nov 09, 2011 at 15:15:11 -0700, my koseli wrote:
> I am sorry about that.
> Does the following sound right then?
>
> User logs into product A
> We set a cookie (cookie called for example "user_id" where user session is
> stored and this session is also in a separate db)
>
> User then proceeds to product B
> Product B sends a samlRequest to product A.
> Product A uses the External.php to authenticate the user based uponuser_id
> found in the cookie. It then sends Assertion to productB
>
> I know that this doesnt create a simpleSAMLphp session that is supported by
> both IdP and SP

Actually, it does, so long as you implement everything as described in
External.php.

> but I wanted to see if this is maybe one of the way we
> could authenticate.

If you create your own version of the "exampleauth:External"
authentication source, it is probably possible to tie it into your
site's existing authentication framework as described above.
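To make the approach concrete, here is an added example of the flow Olav describes (IdP tied to product A's existing session, SP-initiated or IdP-initiated SSO handled by simpleSAMLphp itself), written in the style of exampleauth:External for simpleSAMLphp 1.8. It is example code for this page, not code from the simpleSAMLphp project or from anyone in the thread. The module name "producta", the cookie name PRODUCTA_SESSID, the tables producta_sessions and producta_users and their columns, and product A's login URL are all assumptions. One deliberate difference from the "user_id" cookie sketched above: the cookie holds only an opaque random token and the user identity is read from product A's server-side session table, because a cookie that directly names the user can be set by anyone.

```php
<?php
/*
 * Added example, not code from the simpleSAMLphp project or from this thread.
 * A simpleSAMLphp 1.8 authentication source in the style of exampleauth:External
 * that reuses product A's login session. Assumed (hypothetical) names: module
 * "producta", cookie PRODUCTA_SESSID set by product A, the tables
 * producta_sessions(token_hash, user_id, expires_at) and
 * producta_users(id, username, email), and product A's login URL.
 *
 * File: modules/producta/lib/Auth/Source/Session.php, enabled in
 * config/authsources.php as:
 *   'producta-session' => array('producta:Session',
 *       'dsn' => 'mysql:host=localhost;dbname=producta',
 *       'dbuser' => 'ssp', 'dbpass' => 'secret',
 *       'loginurl' => 'https://producta.example.com/login'),
 */
class sspmod_producta_Auth_Source_Session extends SimpleSAML_Auth_Source {

    const COOKIE_NAME = 'PRODUCTA_SESSID';

    private $dsn;
    private $dbUser;
    private $dbPass;
    private $loginUrl;

    public function __construct($info, $config) {
        parent::__construct($info, $config);
        foreach (array('dsn', 'dbuser', 'dbpass', 'loginurl') as $key) {
            if (!isset($config[$key])) {
                throw new Exception('producta:Session: missing option "' . $key . '".');
            }
        }
        $this->dsn = $config['dsn'];
        $this->dbUser = $config['dbuser'];
        $this->dbPass = $config['dbpass'];
        $this->loginUrl = $config['loginurl'];
    }

    /*
     * Resolve product A's session. The cookie carries only an opaque random
     * token; the identity comes from the server-side session row, so a forged
     * cookie cannot choose a user and an expired session is rejected.
     * Returns attributes (name => array of values) or NULL.
     */
    private function getUser() {
        if (!isset($_COOKIE[self::COOKIE_NAME])) {
            return NULL;
        }
        $token = (string) $_COOKIE[self::COOKIE_NAME];
        if (!preg_match('/^[A-Za-z0-9_-]{32,128}$/', $token)) {
            return NULL;
        }
        $db = new PDO($this->dsn, $this->dbUser, $this->dbPass);
        $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        // Prepared statement: the token is client-controlled input. Only its
        // hash is stored, so a leaked table does not yield live sessions.
        $st = $db->prepare('SELECT u.username, u.email FROM producta_sessions s' .
            ' JOIN producta_users u ON u.id = s.user_id' .
            ' WHERE s.token_hash = :h AND s.expires_at > :now');
        $st->execute(array(':h' => hash('sha256', $token), ':now' => gmdate('Y-m-d H:i:s')));
        $row = $st->fetch(PDO::FETCH_ASSOC);
        if ($row === FALSE) {
            return NULL;
        }
        return array('uid' => array($row['username']), 'mail' => array($row['email']));
    }

    public function authenticate(&$state) {
        $attributes = $this->getUser();
        if ($attributes !== NULL) {
            // Already logged in to product A: finish without showing any page.
            $state['Attributes'] = $attributes;
            return;
        }
        // Not logged in: park the state, send the user to product A's login page
        // and have it return to resume.php carrying the state id.
        $state['producta:AuthID'] = $this->authId;
        $stateId = SimpleSAML_Auth_State::saveState($state, 'producta:Session');
        $returnTo = SimpleSAML_Module::getModuleURL('producta/resume.php', array('State' => $stateId));
        SimpleSAML_Utilities::redirect($this->loginUrl, array('ReturnTo' => $returnTo));
    }

    /* Called from modules/producta/www/resume.php once product A has logged the user in. */
    public static function resume() {
        if (!isset($_REQUEST['State'])) {
            throw new SimpleSAML_Error_BadRequest('Missing "State" parameter.');
        }
        $state = SimpleSAML_Auth_State::loadState((string) $_REQUEST['State'], 'producta:Session');
        $source = SimpleSAML_Auth_Source::getById($state['producta:AuthID']);
        if (!($source instanceof self)) {
            throw new SimpleSAML_Error_Exception('Unexpected authentication source.');
        }
        $attributes = $source->getUser();
        if ($attributes === NULL) {
            // Came back without a product A session: fail rather than redirect again.
            throw new SimpleSAML_Error_Exception('Not authenticated by product A.');
        }
        $state['Attributes'] = $attributes;
        SimpleSAML_Auth_Source::completeAuth($state);
    }
}
```

The matching modules/producta/www/resume.php is a one-liner that calls sspmod_producta_Auth_Source_Session::resume(), exactly as exampleauth/www/resume.php does for the stock example. Two practical conditions follow from the design: simpleSAMLphp must run on a host to which the browser sends product A's cookie (same host, or a cookie domain that covers both), and product A's login page should only honour a ReturnTo that points back at the IdP host, since it is redirecting to a URL supplied in a query parameter. With this in place, product B's SP sends a normal AuthnRequest and gets a normal response, and IdP-initiated SSO works through the SSOService.php endpoint as documented, with no custom session handler classes needed.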

my koseli

Nov 11, 2011, 11:26:33 PM
to simple...@googlegroups.com
Hi,
I had another question in this regard.

I have the RelayState set for my SP. One problem I have currently is that once the IdP authenticates, the user is not redirected to the SP. It sits on the IdP page showing user info. I am using "example-auth:external" as the IdP. Is there anything I need to do to have the IdP send the assertion to the SP?

Thank you
koseli


my koseli

Nov 14, 2011, 12:46:40 AM
to simple...@googlegroups.com
Any help in this regard, please?

Thank you

Olav Morken

Nov 14, 2011, 6:36:49 AM
to simple...@googlegroups.com
On Fri, Nov 11, 2011 at 21:26:33 -0700, my koseli wrote:
> Hi,
> I had another question in this regard.
>
> I have the RelayState set for my SP. One problem I have currently is that
> once the IdP authenticates the user is not redirected to the SP. It sits in
> the IdP page showing user info.

What IdP page?

> I am using "example-auth:external" as the
> IdP. Is there anything I need to do to have IdP send the assertion to SP?

Are you triggering IdP-initiated SSO using SSOService.php? See:

http://simplesamlphp.org/docs/1.8/simplesamlphp-idp-more#section_4
