Checking saml session


Raj

Jun 9, 2010, 9:55:04 AM
to simpleSAMLphp, rmohana...@sirahu.com
Hi All,

For a client project we are implementing SimpleSAMLphp for forums and
blogs.

We followed the standard implementation, and SSO works on multiple
sites.

For example,

site1: blogs.site1.com
site2: blogs.site2.com

We are passing both the URLs in RelayState while the user logs in from one
site, and this creates a SAML session on both sites.

Now we want that, while the user logs in from site1, he needs to authenticate for
site1, and when the user hits site2, we need to check whether a SAML session already
exists for this SP/IdP; if yes, we need to authenticate site2.

The reason is that as of now it is 2 sites, and loading / authenticating 2
sites every time is fine. But going forward we will have 50
sites sharing SSO, and when the user logs in from one site, it will load
all 50 sites' URLs for authenticating.

Thanks in Advance.

Olav Morken

Jun 10, 2010, 1:41:37 AM
to simple...@googlegroups.com, rmohana...@sirahu.com
On Wed, Jun 09, 2010 at 06:55:04 -0700, Raj wrote:
> Hi All,
>
> For a client project we are implementing SimpleSAMLphp for forums and
> blogs.
>
> We followed the standard implementation, and SSO works on multiple
> sites.
>
> For example,
>
> site1: blogs.site1.com
> site2: blogs.site2.com
>
> We are passing both the URLs in RelayState while the user logs in from one
> site, and this creates a SAML session on both sites.

I assume that you have a RelayState parameter that sends the user to
site2 after logging into site1, so that site2 also authenticates the
user.

> Now we want that, while the user logs in from site1, he needs to authenticate for
> site1, and when the user hits site2, we need to check whether a SAML session already
> exists for this SP/IdP; if yes, we need to authenticate site2.
>
> The reason is that as of now it is 2 sites, and loading / authenticating 2
> sites every time is fine. But going forward we will have 50
> sites sharing SSO, and when the user logs in from one site, it will load
> all 50 sites' URLs for authenticating.

I assume you want the user to automatically be logged into the site if
a session already exists on the IdP. In that case you can try to use
passive authentication requests to the IdP. This allows you to
authenticate the user if it wouldn't require any user interaction (i.e.
password entry).


--
Olav Morken
UNINETT / Feide

Raj

Jun 10, 2010, 1:52:26 AM
to simpleSAMLphp, Rajkumar
Thanks Olav.

Yes, as you told, we can use passive authentication to authenticate
with an existing session without passing login credentials.

Whereas our issue is that we need to know whether a
simplesaml session already exists or not.

I can brief you with an example.

We have 2 sites, blogs.site1.com and blogs.site2.com. Both use the
simplesaml SSO for authentication.

The user signed into blogs.site1.com and a valid session is created
(only site1 is passed in RelayState and no info to SSO regarding
site2); now the user accesses blogs.site2.com. We have an SSO already
there and I need to check whether a simplesaml session
exists. If a session exists, I need to create an SSO session for site2 and
use it. Else I can proceed with site2 as a non-logged-in user, as log user
tries to sign in from site2.

Olav Morken

Jun 10, 2010, 7:10:05 AM
to simple...@googlegroups.com, Rajkumar
On Wed, Jun 09, 2010 at 22:52:26 -0700, Raj wrote:
> Thanks Olav.
>
> Yes, as you told, we can use passive authentication to authenticate
> with an existing session without passing login credentials.
>
> Whereas our issue is that we need to know whether a
> simplesaml session already exists or not.
>
> I can brief you with an example.
>
> We have 2 sites, blogs.site1.com and blogs.site2.com. Both use the
> simplesaml SSO for authentication.
>
> The user signed into blogs.site1.com and a valid session is created
> (only site1 is passed in RelayState and no info to SSO regarding
> site2); now the user accesses blogs.site2.com. We have an SSO already
> there and I need to check whether a simplesaml session
> exists. If a session exists, I need to create an SSO session for site2 and
> use it. Else I can proceed with site2 as a non-logged-in user, as log user
> tries to sign in from site2.

Issue a passive request to the IdP. If it fails, continue as an
unauthenticated user?

Raj

Jun 10, 2010, 10:32:06 AM
to simpleSAMLphp
Hi Olav,

I could not do the passive authentication. I'm using simpleSAML version
1.4.

I would be very thankful if you give me a guide / link to any code
snippet.

Olav Morken

Jun 11, 2010, 2:21:14 AM
to simple...@googlegroups.com
On Thu, Jun 10, 2010 at 07:32:06 -0700, Raj wrote:
> Hi Olav,
>
> I could not do the passive authentication. I'm using simpleSAML version
> 1.4.
>
> I would be very thankful if you give me a guide / link to any code
> snippet.

First of all, you should upgrade to a more recent version of
simpleSAMLphp. Then you can do something like this:

<?php
session_start();
require_once('....../lib/_autoload.php');

$as = new SimpleSAML_Auth_Simple('default-sp');

if (!$as->isAuthenticated() && !isset($_SESSION['passiveAttempted'])) {
    /*
     * No local session yet and no passive attempt recorded: ask the IdP for a
     * passive authentication (no user interaction allowed). If the IdP has no
     * session for this user it redirects the browser to ErrorURL instead of
     * showing a login page. login() never returns; it sends the redirect.
     */
    $as->login(array(
        'isPassive' => TRUE,
        'ErrorURL'  => 'https://.../passive_failed.php?ReturnTo=' .
            urlencode(SimpleSAML_Utilities::selfURL()), /* The URL of the current page. */
    ));
} elseif ($as->isAuthenticated()) {
    /* We have an authenticated user. */
} else {
    /*
     * We have an unauthenticated user, but passive authentication
     * has failed.
     */
}

You must also create a page to handle the failed logins. It should
probably look something like this:

<?php
/*
 * Target of the ErrorURL above: the IdP sends the browser here when the
 * passive request could not be answered without user interaction.
 */
if (!isset($_REQUEST['ReturnTo'])) {
    die('Missing ReturnTo URL.');
}

session_start();
/* Remember the failed attempt so the calling page does not loop forever. */
$_SESSION['passiveAttempted'] = TRUE;
/* Note: ReturnTo is redirected to exactly as received, without validation. */
header('Location: ' . (string)$_REQUEST['ReturnTo']);
exit;
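
A hardened variant of the failure handler, written for this edit; it is not code from the thread, from Olav Morken, or from the simpleSAMLphp project. It validates ReturnTo against the site's own hosts before redirecting, and records the failed attempt with a timestamp so the protected page can retry passive authentication later instead of giving up for the whole PHP session. It assumes PHP 7 or later; ALLOWED_RETURN_HOSTS, RETRY_AFTER_SECONDS and the function names are placeholders chosen for the illustration.

```php
<?php
// Added example, not code from the thread or from simpleSAMLphp: a hardened
// passive_failed.php plus the retry check used by the protected page.
// Assumes PHP 7+; host list, constants and function names are placeholders.
declare(strict_types=1);

/* Hosts our own pages live on (placeholder values). */
const ALLOWED_RETURN_HOSTS = ['blogs.site1.com', 'blogs.site2.com'];

/* How long to wait before asking the IdP passively again. */
const RETRY_AFTER_SECONDS = 600;

/**
 * Accept a ReturnTo value only if it is an absolute https URL on one of our
 * own hosts. Returns the URL unchanged, or null when it must not be used.
 */
function safeReturnTo(string $candidate, array $allowedHosts): ?string
{
    $parts = parse_url($candidate);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;                    // relative or unparsable: refuse
    }
    if (strtolower($parts['scheme']) !== 'https') {
        return null;                    // no downgrade to http or other schemes
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return null;                    // userinfo never appears in our own URLs
    }
    if (!in_array(strtolower($parts['host']), $allowedHosts, true)) {
        return null;                    // foreign host: would be an open redirect
    }
    return $candidate;
}

/**
 * Decide whether the protected page should issue a new isPassive request.
 * Replaces the bare !isset($_SESSION['passiveAttempted']) test: a failed
 * attempt is retried once RETRY_AFTER_SECONDS have passed, so a user who
 * logs into the IdP later is still picked up.
 */
function shouldAttemptPassive(array $session, int $now): bool
{
    if (!isset($session['passiveAttemptedAt'])) {
        return true;
    }
    return ($now - (int)$session['passiveAttemptedAt']) >= RETRY_AFTER_SECONDS;
}

/** Record a failed passive attempt in the PHP session. */
function recordPassiveFailure(array &$session, int $now): void
{
    $session['passiveAttemptedAt'] = $now;
}

/* --- passive_failed.php request handling; skipped when run from the CLI --- */
if (PHP_SAPI !== 'cli') {
    session_start();
    // ReturnTo arrives as a query parameter of the ErrorURL, so read $_GET
    // rather than $_REQUEST (which would also accept cookie values).
    $target = safeReturnTo((string)($_GET['ReturnTo'] ?? ''), ALLOWED_RETURN_HOSTS);
    if ($target === null) {
        http_response_code(400);
        exit('Missing or disallowed ReturnTo URL.');
    }
    recordPassiveFailure($_SESSION, time());
    header('Location: ' . $target, true, 302);
    exit;
}
```

On the protected page, include this file and replace the `!isset($_SESSION['passiveAttempted'])` test with `shouldAttemptPassive($_SESSION, time())`. The allow-list is the part that matters for security: without it the handler forwards the browser to whatever URL is placed in the query string, and since the handler is reachable from any origin that is an open redirect on the SP's own domain.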
