Custom session handler implementation?
195 views
Skip to first unread message
Daum
Sep 4, 2015, 10:44:39 AM9/4/15
to simpleSAMLphp
In the docs it mentions that you can now build custom session handlers. I right now have users already logging into my application directly. We're now integrating so that it is an IdP and connecting to multiple SPs.
I integrated everything so far with the simpleSAMLphp library as a standalone. I've set up the External Auth, and am at the part of the getUser() override. For this I need to go into the database of my main application, and pull the users session and data from there. I saw that the docs say I can create a custom handler, but don't go much into how to do that. I need to set that up so that it reads the data in from my main application, and then can do as it sees fit.
What is the best way to create the custom session handler so that I can have it load/read/write data from my main applications database's session table.
Thanks!
Daum
Peter Schober
Sep 4, 2015, 11:10:09 AM9/4/15
to simpleSAMLphp
* Daum <mat...@gmail.com> [2015-09-04 16:44]:
It seems to me you're conflating two separate mechanisms in SSP:
One is the session storage layer, which is about storing
*SimpleSAMLphp* sessions in:
https://simplesamlphp.org/docs/stable/simplesamlphp-maintenance#section_2
Besides PHP sessions, memcache and an SQL layer you could write your
own (e.g. some NoSQL storage system), but this is still for storing
SimpleSAMLphp data.
The other is externalising authentication by creating your own custom
authsource:
https://simplesamlphp.org/docs/stable/simplesamlphp-authsource
I don't know what "read the data in from my main application" means,
but typically you'd pull the data from the persistence layer the
application uses for itself, e.g. an RDBMS.
-peter
One is the session storage layer, which is about storing
*SimpleSAMLphp* sessions in:
https://simplesamlphp.org/docs/stable/simplesamlphp-maintenance#section_2
Besides PHP sessions, memcache and an SQL layer you could write your
own (e.g. some NoSQL storage system), but this is still for storing
SimpleSAMLphp data.
The other is externalising authentication by creating your own custom
authsource:
https://simplesamlphp.org/docs/stable/simplesamlphp-authsource
I don't know what "read the data in from my main application" means,
but typically you'd pull the data from the persistence layer the
application uses for itself, e.g. an RDBMS.
-peter
Daum
Sep 4, 2015, 11:22:39 AM9/4/15
to simpleSAMLphp, peter....@univie.ac.at
Understood - this is a Symfony2 application. We're using the PDOSession handler for sessions.
My thought here is that the Symfony2 application already (or will have) the user logged in on it. We need someway to load the users session from that database, making sure their session is still valid, and getting whatever their user is then from the database (for example to get their email/first name).
Will the SimpleSAMLphp session completely wipe out any other data in the session other than its own data? My original thoughts were something like this process:
1. User is logged into the application, PHP session id: 1
2. SP on our IdP (simpleSAMLphp).
3. We already have the External Auth setup for everything except the getUser. It redirects to the applications login page if there is no user attributes from the getUser.
So in step three in the External Auth getUser function is where I'd need to get the users session from the main application. Perhaps I've just missed a step here. Since the simpleSAMLphp is completely separate from our main application the sessions (and related data) are completely separate. I just need a way to figure out if in the main application the user is authenticated and which user they are.
Peter Schober
Sep 4, 2015, 12:07:14 PM9/4/15
to simpleSAMLphp
* Daum <mat...@gmail.com> [2015-09-04 17:22]:
authentication provide, is totally irrelevant here.
E.g. it could be an Apache httpd mod_auth_* module protecting a
certain path, which could be using any kind of storage layer or API,
and might be written in C, not PHP.
The only thing that counts for an authsource is that you can bootstrap
a SimpleSAMLphp session from an existing session in another system.
In the above example you would get the authenticated subject's
username from e.g. $_SERVER['REMOTE_USER'] -- by protecting part of
the authsource code with Apache httpd, which will then set REMOTE_USER
after authN -- then use that value as a key to look up additional
profile data from the application's persistence layer (e.g. an RDBMS).
Does that help?
-peter
> Understood - this is a Symfony2 application. We're using the PDOSession
> handler for sessions.
How you handle sessions in your application, i.e. in the external
> handler for sessions.
authentication provide, is totally irrelevant here.
E.g. it could be an Apache httpd mod_auth_* module protecting a
certain path, which could be using any kind of storage layer or API,
and might be written in C, not PHP.
The only thing that counts for an authsource is that you can bootstrap
a SimpleSAMLphp session from an existing session in another system.
In the above example you would get the authenticated subject's
username from e.g. $_SERVER['REMOTE_USER'] -- by protecting part of
the authsource code with Apache httpd, which will then set REMOTE_USER
after authN -- then use that value as a key to look up additional
profile data from the application's persistence layer (e.g. an RDBMS).
Does that help?
-peter
Daum
Sep 7, 2015, 8:30:38 AM9/7/15
to simple...@googlegroups.com
Peter -
Thanks I think my question is how to do the bootstrapping of the
SimpleSAMLphp session? Since these are more or less two separate
applications its not clear to me how I would get to a point where I can put
something into the PHP environment that SimpleSAMLphp could see? How would
I get it so that the SimpleSAMLphp knows what "user" for example it is that
is logged in in the main application? Is there a way from the main
applications code that I could put something like "Bootstrap this session
with user id = 123" as an API call? I understand as soon as I know that
the user is a specific user id the logic of looking everything up from the
applications RDBMS. I just am not clear on how I'd get SimpleSAMLphp to
know what the users id is since the two applications are completely
separate.
To be clear on right now how I have it setup:
mydomain.com/saml/* is SimpleSAMLphp. Then everything else outside of that
folder gets redirected through the application. I didn't see how to
include the SimpleSAMLphp components inside the application itself so I
could get access to the user's id for example. Perhaps I've just set it up
incorrectly?
Thanks I think my question is how to do the bootstrapping of the
SimpleSAMLphp session? Since these are more or less two separate
applications its not clear to me how I would get to a point where I can put
something into the PHP environment that SimpleSAMLphp could see? How would
I get it so that the SimpleSAMLphp knows what "user" for example it is that
is logged in in the main application? Is there a way from the main
applications code that I could put something like "Bootstrap this session
with user id = 123" as an API call? I understand as soon as I know that
the user is a specific user id the logic of looking everything up from the
applications RDBMS. I just am not clear on how I'd get SimpleSAMLphp to
know what the users id is since the two applications are completely
separate.
To be clear on right now how I have it setup:
mydomain.com/saml/* is SimpleSAMLphp. Then everything else outside of that
folder gets redirected through the application. I didn't see how to
include the SimpleSAMLphp components inside the application itself so I
could get access to the user's id for example. Perhaps I've just set it up
incorrectly?
-peter
--
You received this message because you are subscribed to a topic in the Google Groups "simpleSAMLphp" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/simplesamlphp/QFcQtbB0nRM/unsubscribe.
To unsubscribe from this group and all its topics, send an email to simplesamlph...@googlegroups.com.
To post to this group, send email to simple...@googlegroups.com.
Visit this group at http://groups.google.com/group/simplesamlphp.
For more options, visit https://groups.google.com/d/optout.
Reply all
Reply to author
Forward
0 new messages