I'm not sure what I am about to ask is possible, but here goes. Currently we use SSP with the IdP hosted, and the auth source is LDAP. No issues, and we have multiple external accounts working this way. Log in, get taken to a portal-type page on the same servers as SSP with links to Google, our SIS software, Blackboard etc. Or, if you try to log in directly to those services, you hit our SSP login page. All as expected.
I have a mandate to implement dual-factor authentication. My thinking is that doing this without paying for Duo or OneLogin is... possible. I think.
My plan was to implement Google as the IdP instead of as an SP. We sync with them daily and on demand, as we use Google Workspace for our students. Then I could turn on two-factor in our Workspace admin account.
Here is my problem. I am really struggling with creating the IdP and getting it to work with the auth source properly. Here is my IdP code:
```php
// metadata/saml20-idp-remote.php (fragment as posted; the opening
// $metadata['<IdP entityID>'] = [ line and the certificate were left out)
'contacts' => [],
'metadata-set' => 'saml20-idp-remote',
'expire' => 1679336760,
// Each SingleSignOnService entry needs a 'Location' (the IdP's SSO URL) next
// to the 'Binding'; without it SSP has nowhere to send the AuthnRequest.
// The <...> values below are placeholders for the real Google endpoints.
'SingleSignOnService' => [
    [
        'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
        'Location' => '<Google SSO URL from the IdP metadata>',
    ],
    [
        'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
        'Location' => '<Google SSO URL from the IdP metadata>',
    ],
],
'SingleLogoutService' => [],
'ArtifactResolutionService' => [],
'NameIDFormats' => [
    'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
],
'keys' => [
    [
        'encryption' => false,
        'signing' => true,
        'type' => 'X509Certificate',
        // base64 body of the IdP signing certificate
        'X509Certificate' => '[blanked out]',
    ],
],
];
```
When I disable LDAP in authsources.php, all I end up with is a white screen. Here is the code I have in authsources.php:
```php
// config/authsources.php (as posted)
'google' => [
    'saml:SP',
    'privatekey' => 'test.edu.pem',
    'certificate' => 'test.edu.crt',
    'entityID' => null,
    // No 'idp' key and a null discoURL: SSP sends the user to its built-in
    // discovery page instead of straight to one IdP. Setting 'idp' to the
    // entityID used in saml20-idp-remote.php pins this SP to that IdP.
    'discoURL' => null,
],
```
Even though I commented out the idp-hosted file completely, it seems to log me in via LDAP, still using loginuserpass.
I'm clearly missing something here and am probably going about this whole dual-factor thing wrong. Any advice/help is appreciated.
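The layout the post is aiming for is what SimpleSAMLphp calls a SAML proxy: the hosted IdP keeps serving Blackboard, the SIS and the rest, but its `auth` key points at a `saml:SP` authsource that hands the login to Google Workspace, where 2-Step Verification is enforced. The three config fragments below show that wiring end to end. This is an added example, not code from the original post or from the SimpleSAMLphp project; `sso.test.edu`, the `idpid` value `C01example`, the key file names and the certificate body are placeholders, and the `'NameIDPolicy'` array form assumes a SimpleSAMLphp release recent enough to accept it.

```php
<?php
// Added example (not from the original post or the SimpleSAMLphp project):
// hosted IdP -> saml:SP authsource -> Google Workspace IdP.
// sso.test.edu, C01example, the file names and the certificate body are
// placeholders.

// --- config/authsources.php -------------------------------------------------
$config = [
    'google' => [
        'saml:SP',
        // Arbitrary but stable; register the same string as the Entity ID of
        // the custom SAML app in the Workspace admin console.
        'entityID' => 'https://sso.test.edu/sp/google',
        // Pin this SP to one IdP: the key used in saml20-idp-remote.php.
        // With 'idp' => null the user lands on the discovery page instead.
        'idp' => 'https://accounts.google.com/o/saml2?idpid=C01example',
        'privatekey'  => 'test.edu.pem',
        'certificate' => 'test.edu.crt',
        // Google identifies the account by its primary e-mail address.
        'NameIDPolicy' => [
            'Format'      => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
            'AllowCreate' => true,
        ],
    ],
    // The old 'ldap' entry may stay defined; nothing uses it once the hosted
    // IdP below points at 'google'.
];

// --- metadata/saml20-idp-remote.php ----------------------------------------
// Google's IdP entityID is https://accounts.google.com/o/saml2?idpid=<id> and
// its SSO endpoint is https://accounts.google.com/o/saml2/idp?idpid=<id>; both,
// plus the signing certificate, come from the custom SAML app's IdP metadata
// download. The 'Location' keys are what the posted fragment was missing.
$googleIdp = 'https://accounts.google.com/o/saml2?idpid=C01example';
$metadata[$googleIdp] = [
    'entityid' => $googleIdp,
    'SingleSignOnService' => [
        [
            'Binding'  => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
            'Location' => 'https://accounts.google.com/o/saml2/idp?idpid=C01example',
        ],
        [
            'Binding'  => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
            'Location' => 'https://accounts.google.com/o/saml2/idp?idpid=C01example',
        ],
    ],
    // Google does not offer SAML single logout, so this stays empty.
    'SingleLogoutService' => [],
    'NameIDFormats' => ['urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress'],
    'keys' => [
        [
            'encryption' => false,
            'signing'    => true,
            'type'       => 'X509Certificate',
            // Base64 body of Google's IdP signing certificate (placeholder).
            'X509Certificate' => '<base64 certificate from the Google IdP metadata>',
        ],
    ],
];

// --- metadata/saml20-idp-hosted.php -----------------------------------------
// The IdP the downstream SPs already trust. The one functional change from
// the LDAP setup is 'auth': this key, not which authsources.php entries are
// commented out, decides how the hosted IdP authenticates users.
$metadata['https://sso.test.edu/idp'] = [
    'host'        => '__DEFAULT__',
    'privatekey'  => 'test.edu.pem',
    'certificate' => 'test.edu.crt',
    'auth'        => 'google',
];
```

Two checks worth doing before blaming the config. A blank page from SimpleSAMLphp is usually a PHP fatal error that the default config hides; setting `'showerrors' => true` in config.php and reading the SimpleSAMLphp log gives the real message. And the attributes the downstream SPs receive change with this layout: the LDAP authsource released directory attributes, whereas the `google` authsource only gets what the custom SAML app's attribute mapping sends, so anything Blackboard or the SIS relied on from LDAP has to be mapped in Google or re-fetched with an authproc filter on the hosted IdP.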