Google as the IDP

[Thomas de Jesus]

I'm not sure what I am about to ask is possible, but here goes. Currently we use SSP with the idp as hosted, and the auth source is ldap. No issues and we have multiple external accounts working this way. Log in, taken to a portaly-type page on the same servers as SSP with links to google, our SIS software, blackboard etc. Or if you try to login directly to those services, you hit our SSP login page. All as expected.

I have a mandate to implement dual factor authentication.  My thinking is to do this without paying for Duo or OneLogin is... possible. I think.

My plan was to implement Google as the idp instead of as a sp. We sync with them daily and on demand as we use Google Workspace for our students. Then I could turn on two-factor in our Workspace admin account.

Here is my problem. I am really struggling with creating the idp and getting it to work with the auth source properly. here is my idp code:

$metadata['https://accounts.google.com/o/saml2?idpid=blanked out'] = [

'entityid' => 'https://accounts.google.com/o/saml2?idpid=blanked out',

'contacts' => [],

'metadata-set' => 'saml20-idp-remote',

'expire' => 1679336760,

'SingleSignOnService' => [

[

'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',

'Location' => 'https://accounts.google.com/o/saml2/idp?idpid= blanked out  ',

],

[

'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',

'Location' => 'https://accounts.google.com/o/saml2/idp?idpid=blanked out',

],

],

'SingleLogoutService' => [],

'ArtifactResolutionService' => [],

'NameIDFormats' => [

'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',

],

'keys' => [

[

'encryption' => false,

'signing' => true,

'type' => 'X509Certificate',

'X509Certificate' => '[blanked out]',

],

],

];

when i disable ldap in authsources.php, all i end up with is a white screen. Here is the code i have in authsources.php:

'google' => [

'saml:SP',

'privatekey' => 'test.edu.pem',

'certificate' => 'test.edu.crt',

'entityID' => null,

'idp' => 'https://accounts.google.com/o/saml2?idpid=[blanked out]',

'discoURL' => null,

],

even though i commented out the idp-hosted file completely, it seems to log me in via ldap, still using the loginuserpass.

I'm clearly missing something here and am probably going about this whole dual factor thing wrong. any advice/help is appreciated.

[pat...@cirrusidentity.com]

The pattern you are trying to adopt is often referred to as a SAML proxy.  Your various SPs will send authentication requests to your IdP, which will then make an authentication request to Google. That is how our own IdP operates.

If you are getting a white screen you likely have a php compilation error in your config file. Look in your apache logs.

In regards to "even though i commented out the idp-hosted file completely, it seems to log me in via ldap, still using the loginuserpass."   what is "it"?  Are you on the test authsources page? Those are independent of IdP functionality.

- Patrick

[Thomas de Jesus]

Ok, I'm following that. mostly.

If the authsources are independent, and the only idp i have set up is the remote one for google, then when i log in, am I using google (as in the above code) as my identity provider? if so, how can i test that to be certain? even with no idp page set up, but with ldap enabled in my authsource, I'm logging in. That also makes sense to me, but I cannot wrap my head around either making google the idp or perhaps making google the auth source. If google is the auth source is that how I'd enable two factor auth? That seems logical, but then again, i've talked in circles on this subject for the last two weeks.

[pat...@cirrusidentity.com]

Your IdP, the one you define in saml20-idp-hosted.php has an authsource configured. Set that authsource to be the name of 'google' authsource key (which is 'google' in your example).

When you say "when i log in",  it is hard to know to what you are referring.  SSP admin's interface,  the test authsources page, your SAML IdP?

- Patrick

[Thomas de Jesus]

Sorry about that. I mean the test authsources page.

I think I approached this wrong, thinking google had to be the identity provider. I think i actually need them as the authentication source so i can use their Workspace MFA features. I should be able to continue using everything as is if i can get that working.