Multiple SP for single iDP


CIsSharp
Aug 31, 2017, 9:22:54 AM
to SimpleSAMLphp
Hi,

I am trying to have multiple sites use a single IdP. I have the identity provider set up correctly in saml20-idp-remote.php and I have an entry for the service provider in authsources.php. Now I want to add a new service provider using the same IdP. Is this possible? If yes, which files need to change? Also, can multiple SPs be from different domains (I am guessing it is not possible, as this might cause problems with cookies)?

Thank you in advance.

CIsSharp

Juan Manuel Palacios
Aug 31, 2017, 10:43:53 AM
to SimpleSAMLphp
I have a SimpleSAMLphp-based local test IdP that currently has two service providers hooked into it, both coming from completely different domains (one a different subdomain from my IdP's main domain, and the other being sp.testshib.org).

I describe my IdP in a standalone file that gets loaded into metadata/saml20-idp-hosted.php, and the SPs it recognizes in standalone files that get loaded into metadata/saml20-sp-remote.php. As far as I know, it's pretty straightforward to configure SimpleSAMLphp like that, whether you load standalone files for each service's description at runtime like I do, or straight up use the files provided by SimpleSAMLphp itself.

As for the SPs themselves, that depends on who's going to host them. If it's a 3rd party, then you only need to ask them for their metadata and transform it into what I describe above. If it's also going to be you hosting them, then you have to hook the individual resources that you want to protect with SSO into SimpleSAMLphp's (assuming that's what you're going to be using on that side of the equation) 'authsources' facility.

--
This is a mailing list for users of SimpleSAMLphp, not a support service. If you are willing to buy commercial support, please take a look here:
 
https://simplesamlphp.org/support
 
Before sending your question, make sure it is related to SimpleSAMLphp, and not your web server's configuration or any other third-party software. This mailing list cannot help with software that uses SimpleSAMLphp, only regarding SimpleSAMLphp itself.
 
Make sure to read the documentation:
 
https://simplesamlphp.org/docs/stable/
 
If you have an issue with SimpleSAMLphp that you cannot resolve and reading the documentation doesn't help, you are more than welcome to ask here for help. Subscribe to the list and send an email with your question. However, you will be expected to comply with some minimum, common sense standards in your questions. Please read this carefully:
 
http://catb.org/~esr/faqs/smart-questions.html
---
You received this message because you are subscribed to the Google Groups "SimpleSAMLphp" group.
To unsubscribe from this group and stop receiving emails from it, send an email to simplesamlphp+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.



--


Juan Palacios
Senior Software Architect

Kognito

135 W. 26th St |12th Fl | NY, NY 10001


CIsSharp
Aug 31, 2017, 11:39:00 AM
to SimpleSAMLphp
Hi Juan,

I am kind of new to SimpleSAMLphp. I have a saml20-idp-remote.php which uses the certificate and other metadata from the third-party SSO provider. I also have an authsources.php entry with 'idp' pointing to the entry in saml20-idp-remote.php. However, I have not used saml20-idp-hosted.php, as we are using the SSO service from others. While doing the metadata exchange we share our metadata file (/simplesaml/module.php/saml/sp/metadata.php/default-sp) with the SSO provider. If we need to add another entry, I guess we need to share another metadata file with them.

Could you share in detail how to configure multiple SPs in this scenario? Is there any way I can create a proxy so that we can avoid sharing metadata for every different site we protect?


Thanks,

CIsSharp



Juan Manuel Palacios
Aug 31, 2017, 12:25:51 PM
to SimpleSAMLphp
When you say "SSO provider", that can either be a "service provider", i.e. the SP, or an "identity provider", i.e. the IdP. Both of those can be either local or remote, and that in turn is orthogonal to whether you're hosting/managing either of them. You need to think about it in terms of who's emitting or receiving a request:

-) A *local* SP, i.e. some site that's being protected with SSO, emits a sign on request to a  *remote* IdP. You can be hosting/managing either of these two services yourself, like I do for testing purposes.
-) The *local* IdP that receives this sign on request views the SP as *remote*. Again, you can be hosting/managing either of these two services yourself, and that doesn't change who's the local or remote counterpart in this handshake.

So, when you load data into saml20-idp-remote.php, presumably what you're doing is configuring a *local* SP to use a *remote* IdP, and it's up to the manager of the latter to decide what user authentication source (i.e. the "authsource" in SimpleSAMLphp speak) that service uses, not up to the manager of the *local* SP; the local SP only needs to know what remote IdP to use.

But adding to the confusion, though, the *local* SP hooks into SimpleSAMLphp through an "authsource" of its own, which is what points it at the *remote* IdP to use through the 'idp' setting.

Does that help? Hopefully this depiction of how I organize my configurations will make it a little clearer:

-> ls authsources/
(...)
someLocalSPIdentifier.php --> this is what my application to be protected with SSO loads through SimpleSAML_Auth_Simple->requireAuth(), and it points at someRemoteIdPIdentifier.php through the 'idp' setting.
(...)

-> ls providers/identity/saml20-idp-remote/
(...)
someRemoteIdPIdentifier.php
(...)

And that's what's generated by the metadata sent by the *remote* IdP. Naturally, then, what's in that directory is what I feed into metadata/saml20-idp-remote.php. In turn, the metadata generated by someLocalSPIdentifier.php is what I send to the *remote* IdP (and how they decide to manage and organize that is not my concern).

But when it comes to hosting/managing my own *local* IdP, i.e. the one that's going to be receiving *remote* SPs metadata and  providing IdP services to them, this is how I organize it:

-> ls providers/identity/saml20-idp-hosted/
myLocalIdPIdentifier.php --> this can use any number of "authsources" where to pull user credentials from, e.g. an LDAP-based authsource, e.g. devLDAPdb.php

-> ls authsources/
(...)
devLDAPdb.php --> how you configure this to actually talk to your LDAP server, that's a different question.
(...)

The metadata that's generated by that *local* IdP is what I send to the *remote* SPs, so that they know how to talk to it, and then in turn I add them (the remote SPs) back when they send me their own metadata in order to recognize them as authorized to talk to my local IdP:

-> ls providers/service/saml20-sp-remote/
(...)
someRemoteSPIdentifier.php
(...)

So, naturally, the content of providers/identity/saml20-idp-hosted/ is what I load into metadata/saml20-idp-hosted.php, and the contents of providers/service/saml20-sp-remote/ into metadata/saml20-sp-remote.php

You'll notice that there's no metadata/saml20-sp-hosted.php file in SimpleSAMLphp... why? Because, as I hope is clear from the above explanation, those are your local applications that you want to protect with SSO and hook into SimpleSAMLphp through an "authsource" entry (e.g. someLocalSPIdentifier.php) that's configured to talk to a *remote* IdP.

Clearer, hopefully? Or worse?


Peter Schober
Aug 31, 2017, 3:06:11 PM
to SimpleSAMLphp
* CIsSharp <pr.p...@gmail.com> [2017-08-31 15:23]:
> I am trying to use multiple sites to use single idp. I have identity
> provider setup correctly in saml20-idp-remote.php and I have a entry for
> service provider in authsources.php.

Then you're setting up an SP on that system, with as many (including
only one) IDPs in saml20-idp-remote.php. ("Remote" as in "not here".)

For an IDP you set up its authentication mechanism in authsources.php
(e.g. LDAP) and configure as many SPs as you want in
saml20-sp-remote.php.

If you just read the documentation and follow the steps for each role
(IDP, SP) you can't go wrong.

-peter

Peter Schober
Aug 31, 2017, 3:15:30 PM
to SimpleSAMLphp
* CIsSharp <pr.p...@gmail.com> [2017-08-31 17:39]:
> I am kind of new with simplesamlphp. I have saml20-idp-remote.php
> which uses certificate and other metadata from third party sso
> provider. [...]
> However, I have not used any saml2-idp-hosted.php as we are using
> sso service from others.

So you're not the IDP (i.e., you're not providing
identities/credentials to subjects and you're not the one performing
the authentication), and you're not the SP?
In SAML IDPs only talk to SPs (and vice versa), so you'd need to be
more specific what exactly you want to achieve, e.g. with a user
story ("Person A calls application X hosted by company Y,
authenticates at system 1 run by company a" etc.) detailing clearly
what role and function the SimpleSAMLphp instance you're trying to set
up should have.

It is possible to configure an instance of SimpleSAMLphp as both an
IDP and SP, so that it acts as IDP towards all your SPs, and acts as
SP to the "third party sso provider" (assuming that can act as a SAML
IDP). But you should probably first be competent in configuring and
running it in each role alone, I think.
-peter

CIsSharp
Aug 31, 2017, 6:58:00 PM
to SimpleSAMLphp, peter....@univie.ac.at
I am sorry for my limited knowledge of SimpleSAMLphp. Let me try to explain our scenario.

Scenario:

A third party hosts the SSO service. We have a local service provider (http://ourserviceprovider/simplesaml); we went through the whole process of generating certificates, modifying config.php and authsources.php, and shared metadata with them. We also have a website (http://ourwebsiteone) which needs protection and uses the service provider to implement authentication. Now we want to add authentication for our new website (http://ourwebsitetwo). Usually what we do is contact the third party again and exchange metadata, and so on. But I want to know if I can avoid exchanging metadata for every new website we have and just use our existing service provider.

Is this possible?

Best regards,

CIsSharp

CIsSharp
Aug 31, 2017, 7:00:05 PM
to SimpleSAMLphp, peter....@univie.ac.at
"Third party hosts SSO service. We have local service provider (http://ourserviceprovider/simplesaml), we went through all process of generating certificates modifying config.php and authsources.php and which shares metadata with them."

should read:

"Third party hosts SSO service. We have local service provider (http://ourserviceprovider/simplesaml), we went through all process of generating certificates modifying config.php and authsources.php and shared metadata with them."

Jaime Perez Crespo
Sep 1, 2017, 2:53:31 AM
to SimpleSAMLphp
Hi CIsSharp,

On 1 Sep 2017, at 00:58 AM, CIsSharp <pr.p...@gmail.com> wrote:
> I am sorry for my little knowledge on simplesamlphp. Let me try to explain our scenario.
>
> Scenario:
>
> Third party hosts SSO service. We have local service provider (http://ourserviceprovider/simplesaml), we went through all process of generating certificates modifying config.php and authsources.php and which shares metadata with them. And we also have website (http://ourwebsiteone) which needs protection and uses service provider for implementing authentication. Now we want to add authentication for our new website (http://ourwebsitetwo). Usually what we do is we again contact third party and exchange metadata and so on. But I want to know if I can avoid exchanging metadata for every new website we have and just use our existing service provider.

1 application = 1 service provider

> Is this possible?

You need a service provider for each application you want to protect. Now, if you have all the apps you want to protect in the same server, all of them on subdomains of a common domain, then it might be possible to share one SimpleSAMLphp installation for all of them. Otherwise, you’ll need to install SimpleSAMLphp for each application.

In any case, you should always exchange the metadata of the service provider protecting each application with the IdP.

--
Jaime Pérez
UNINETT / Feide

jaime...@uninett.no
jaime...@protonmail.com
9A08 EA20 E062 70B4 616B 43E3 562A FE3A 6293 62C2

"Two roads diverged in a wood, and I, I took the one less traveled by, and that has made all the difference."
- Robert Frost
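What Juan's file layout and Jaime's "1 application = 1 service provider" rule look like in practice, as an added example that is neither code from this thread nor from the SimpleSAMLphp project: one SimpleSAMLphp 1.x installation (assumed at https://sso.example.com/simplesaml) fronting two applications on subdomains of one domain (assumed one.example.com and two.example.com) against the same third-party IdP. The hostnames, entity IDs, certificate file names, install path and the certificate placeholder are assumptions; the config keys (`saml:SP`, `entityID`, `idp`, `privatekey`, `certificate`, `certData`, `session.cookie.domain`) and the `SimpleSAML_Auth_Simple` calls are SimpleSAMLphp's own. Several files are shown in one block, each introduced by a comment.

```php
<?php
// ===== config/config.php (excerpt) =====
// Assumed layout: one SimpleSAMLphp 1.x install at https://sso.example.com/simplesaml,
// used by two apps on subdomains of the same domain. The SimpleSAMLphp session
// cookie must be readable from every subdomain involved, which is why Jaime's
// "same server, subdomains of a common domain" condition exists.
$config = [
    'session.cookie.domain' => '.example.com',   // assumed common domain
    'session.cookie.secure' => true,             // never send the session cookie over plain HTTP
];

// ===== config/authsources.php =====
// One saml:SP authsource per application (1 application = 1 SP). Both point at
// the SAME remote IdP through 'idp'. Setting 'idp' also pins each SP: no discovery
// page is shown and no other entry in saml20-idp-remote.php can log users in here.
$config = [
    'website-one-sp' => [
        'saml:SP',
        // Entity ID == the metadata URL of this authsource. That URL is what you
        // hand to the third party; they register it as a separate SP.
        'entityID'    => 'https://sso.example.com/simplesaml/module.php/saml/sp/metadata.php/website-one-sp',
        'idp'         => 'https://sso.thirdparty.example/idp/metadata',   // assumed entity ID of their IdP
        'privatekey'  => 'website-one-sp.pem',   // files under cert/; one key pair per SP
        'certificate' => 'website-one-sp.crt',
    ],
    'website-two-sp' => [
        'saml:SP',
        'entityID'    => 'https://sso.example.com/simplesaml/module.php/saml/sp/metadata.php/website-two-sp',
        'idp'         => 'https://sso.thirdparty.example/idp/metadata',
        'privatekey'  => 'website-two-sp.pem',
        'certificate' => 'website-two-sp.crt',
    ],
];

// ===== metadata/saml20-idp-remote.php =====
// The third party's IdP, taken from the metadata THEY sent. The array key is
// their entity ID and must match the 'idp' values above exactly.
$metadata['https://sso.thirdparty.example/idp/metadata'] = [
    'entityid' => 'https://sso.thirdparty.example/idp/metadata',
    'SingleSignOnService' => [[
        'Binding'  => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
        'Location' => 'https://sso.thirdparty.example/idp/sso',        // assumed
    ]],
    'SingleLogoutService' => [[
        'Binding'  => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
        'Location' => 'https://sso.thirdparty.example/idp/slo',        // assumed
    ]],
    // Their signing certificate (base64 DER, no PEM header lines). Responses are
    // accepted only if signed by this key, so copy it from the metadata they gave
    // you, never from a certificate embedded in a response you received.
    'certData' => 'MIIC...placeholder, assumed...',
];

// ===== one.example.com/index.php (two.example.com does the same with 'website-two-sp') =====
// Each application hooks into SimpleSAMLphp through ITS OWN authsource name.
require_once('/var/simplesamlphp/lib/_autoload.php');   // assumed install path
$as = new SimpleSAML_Auth_Simple('website-one-sp');
$as->requireAuth();                                      // redirects to the IdP when there is no session
$attributes = $as->getAttributes();                      // e.g. $attributes['mail'][0]
```

Adding a third site means adding a third authsource and registering its metadata URL with the third party; there is no way around that exchange in this layout. The `idp` pin is the part worth keeping even if it feels redundant: should another IdP ever be added to saml20-idp-remote.php, these two SPs still accept logins only from the one they were registered with.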

Peter Schober
Sep 1, 2017, 5:09:23 AM
to SimpleSAMLphp
* CIsSharp <pr.p...@gmail.com> [2017-09-01 00:58]:
> But I want to know if I can avoid exchanging metadata for every new
> website we have and just use our existing service provider.
>
> Is this possible?

Yes, in a way I already explained.

-peter
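The configuration Peter refers to here and in his Aug 31, 3:15 PM message (one SimpleSAMLphp instance acting as an IdP towards your own sites and as a single SP towards the third party), as an added example that is not code from this thread or from the SimpleSAMLphp project. The third party then registers exactly one SP, the proxy, and every new site is registered on the proxy instead. Hostnames, entity IDs, key file names and the authorization rule are assumptions; the mechanism itself (a hosted IdP whose `auth` names a `saml:SP` authsource) is SimpleSAMLphp's documented bridge setup, and `core:AttributeLimit` and `authorize:Authorize` are filters shipped with it. Several files on the proxy host are shown in one block.

```php
<?php
// ===== config/config.php on the proxy host (assumed sso.example.com), excerpt =====
$config = [
    'enable.saml20-idp' => true,   // this instance also serves as a SAML 2.0 IdP
];

// ===== config/authsources.php on the proxy =====
// The proxy's only SP. Its metadata URL is the ONE thing the third party ever
// needs: https://sso.example.com/simplesaml/module.php/saml/sp/metadata.php/proxy-sp
$config = [
    'proxy-sp' => [
        'saml:SP',
        'entityID'    => 'https://sso.example.com/simplesaml/module.php/saml/sp/metadata.php/proxy-sp',
        'idp'         => 'https://sso.thirdparty.example/idp/metadata',  // assumed; their entry in saml20-idp-remote.php
        'privatekey'  => 'proxy-sp.pem',
        'certificate' => 'proxy-sp.crt',
    ],
];

// ===== metadata/saml20-idp-hosted.php on the proxy =====
// The IdP your own sites talk to. 'auth' names the saml:SP authsource above;
// that one line is what makes the instance a bridge: authenticating at this
// IdP means authenticating, as an SP, at the third party.
$metadata['__DYNAMIC:1__'] = [
    'host'        => '__DEFAULT__',
    'privatekey'  => 'proxy-idp.pem',   // its own key pair, separate from the SP side
    'certificate' => 'proxy-idp.crt',
    'auth'        => 'proxy-sp',
    'authproc'    => [
        // Only these attributes ever leave the proxy, whatever the upstream IdP sends.
        50 => ['class' => 'core:AttributeLimit', 'mail', 'displayName'],
    ],
];

// ===== metadata/saml20-sp-remote.php on the proxy =====
// New sites are registered HERE, not at the third party. Each site runs its own
// SP (its own SimpleSAMLphp with a default-sp whose 'idp' is this proxy's entity
// ID, which for __DYNAMIC:1__ is https://sso.example.com/simplesaml/saml2/idp/metadata.php).
$metadata['https://one.example.com/simplesaml/module.php/saml/sp/metadata.php/default-sp'] = [
    'AssertionConsumerService' => 'https://one.example.com/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp',
    'SingleLogoutService'      => 'https://one.example.com/simplesaml/module.php/saml/sp/saml2-logout.php/default-sp',
];
$metadata['https://two.example.com/simplesaml/module.php/saml/sp/metadata.php/default-sp'] = [
    'AssertionConsumerService' => 'https://two.example.com/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp',
    'SingleLogoutService'      => 'https://two.example.com/simplesaml/module.php/saml/sp/saml2-logout.php/default-sp',
    // The third party now sees one SP and can no longer restrict "who may use
    // site two". That decision moves to the proxy, as a per-SP authproc filter
    // (authorize module; enable it with `touch modules/authorize/enable`).
    'authproc' => [
        60 => [
            'class' => 'authorize:Authorize',
            'mail'  => ['/@example\.com$/'],   // assumed rule: only example.com accounts reach site two
        ],
    ],
];
```

On each site, saml20-idp-remote.php must carry the proxy's IdP metadata (fetched from the entity ID URL above) and its default-sp must set `idp` to that entity ID; the proxy's IdP signing certificate is what the sites verify, and the third party's certificate is verified only by the proxy. The trade-off is visible in the last entry: the upstream IdP loses all knowledge of which application a login is for, so per-site access rules and attribute release now have to live on the proxy, which becomes the component to harden and audit.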