SAML SP as part of multi-tenant app


MarcF

May 21, 2015, 7:12:43 AM
to simple...@googlegroups.com
Hello

I'm configuring simpleSAMLphp as a Service Provider in our multi-tenant app for both IdP and SP initiated SSO. I'm having trouble with SP initiated login as it's showing users the discovery service when I want to direct them to the specific IdP.

Each tenant has their own subdomain, e.g. customer1.myapp.com. Customers should be able to configure SAML themselves, by telling us their SSO URL, SLO URL and certificate (fingerprint). The first hurdle was finding a way of loading this from the database, so I'm using an open pull request which has a PDO metadata provider.

I've configured one dynamic SP in authsources.php by setting the name/entityID to be the hostname (e.g. customer1.myapp.com) so each customer has their own Assertion URL:
    $_SERVER['HTTP_HOST'] => array(
        'saml:SP',
        'entityID' => $protocol.$_SERVER['HTTP_HOST'],
        ...

IdP initiated login now works, however when I do SP initiated login, the discovery service appears asking me to select the IdP. Obviously customers should not be able to choose another customer's IdP and I want to ensure it's secure so only the IdP for one customer can login to that customer's system.

How do I initiate a login to a specific IdP? I've tried the following with no luck:
    $as = new SimpleSAML_Auth_Simple($_SERVER['HTTP_HOST']);

    if (!$as->isAuthenticated()) {
        $params = array(
            'ErrorURL' => "http://$_SERVER[HTTP_HOST]$_SERVER[REQUEST_URI]",
            'ReturnTo' => "http://$_SERVER[HTTP_HOST]$_SERVER[REQUEST_URI]",
            'idp' => $samlEntityID, // $samlEntityID is the IdP's entityID for this customer - looked up in the database for the subdomain
        );
        $as->login($params);
    }

    $attributes = $as->getAttributes();

Many thanks!

Peter Schober

May 21, 2015, 11:58:58 AM
to simple...@googlegroups.com
* MarcF <marcus....@gmail.com> [2015-05-21 13:12]:
> IdP initiated login now works, however when I do SP initiated login, the
> discovery service appears asking me to select the IdP.

That's the point of an IDP Discovery Service, of course.

> Obviously customers should not be able to choose another customer's
> IdP

Well, if you were not equating hostname with customer (probably in
order to avoid discovery in the first place, by making it impossible
for your customers to just access a well-known service URL and let
them login from there), and again equating IDP selection with
authorization in the application, this issue wouldn't exist.

> How do I initiate a login to a specific IdP?
> I've tried the following with no luck:
>
> $as = new SimpleSAML_Auth_Simple($_SERVER['HTTP_HOST']);
>
> if (!$as->isAuthenticated()) {
> $params = array(
> 'ErrorURL' => "http://$_SERVER[HTTP_HOST]$_SERVER[REQUEST_URI]",
> 'ReturnTo' => "http://$_SERVER[HTTP_HOST]$_SERVER[REQUEST_URI]",
> 'idp' => $samlEntityID, //$samlEntityID is the IdP's entityID for this
> customer - looked up in the database for the subdomain
> );
> $as->login($params);
> }

The documentation (section 2, Parameters)
https://simplesamlphp.org/docs/stable/saml:sp
says it's "saml:idp". cf. Example 5.7 at the end.
-peter

MarcF

May 22, 2015, 4:26:51 AM
to simple...@googlegroups.com, peter....@univie.ac.at
Hi Peter

I have one generic SP set up in authsources.php because this can't be taken from a database, therefore have not specified the IdP in authsources.php. Instead I want to specify the IdP in the parameters of the login method:
    // start the SAML request
    $as = new SimpleSAML_Auth_Simple($_SERVER['HTTP_HOST']);

    if (!$as->isAuthenticated()) {
        $params = array(
            'ErrorURL' => "http://$_SERVER[HTTP_HOST]$_SERVER[REQUEST_URI]",
            'ReturnTo' => "http://$_SERVER[HTTP_HOST]$_SERVER[REQUEST_URI]",
            'idp' => $samlEntityID, // this is what I want to do - specify the IdP at time of login to the generic SP
        );
        $as->login($params);
    }


I'm not sure I understand the following, can you please explain?
> Well, if you were not equating hostname with customer (probably in
> order to avoid discovery in the first place, by making it impossible
> for your customers to just access a well-known service URL and let
> them login from there), and again equating IDP selection with
> authorization in the application, this issue wouldn't exist.

Hope someone can help making SP initiated login work on a multi-tenant website!

Marcus

MarcF

May 22, 2015, 4:52:17 AM
to simple...@googlegroups.com, peter....@univie.ac.at
I've stepped through the code and have a solution: the param key must be set as "saml:idp" instead of "idp".

Here is working code to specify a single IdP in the params when calling the login method:

    $as = new SimpleSAML_Auth_Simple($_SERVER['HTTP_HOST']);

    if (!$as->isAuthenticated()) {
        $params = array(
            'ErrorURL' => "http://$_SERVER[HTTP_HOST]$_SERVER[REQUEST_URI]",
            'ReturnTo' => "http://$_SERVER[HTTP_HOST]$_SERVER[REQUEST_URI]",
            'saml:idp' => $samlEntityID, // specify the IdP here; the key is "saml:idp", not "idp"
        );
        $as->login($params);
    }


Peter Schober

May 22, 2015, 4:59:59 AM
to simple...@googlegroups.com
* MarcF <marcus....@gmail.com> [2015-05-22 10:52]:
> I've stepped through the code and have a solution: the param key must be
> set as "saml:idp" instead of "idp".

Which is exactly what I wrote to you in my previous reply (near the
end of the email), also pointing to the documentation.
-peter

MarcF

May 22, 2015, 5:26:48 AM
to simple...@googlegroups.com, peter....@univie.ac.at
Thanks Peter, I was a little confused by that documentation due to the example under 5.2, which listed it just as "idp".

Peter Schober

May 22, 2015, 5:31:30 AM
to simple...@googlegroups.com
* MarcF <marcus....@gmail.com> [2015-05-22 11:26]:
> Thanks Peter, I was a little confused by that documentation due to the
> example under 5.2 which listed just as "idp".

Section 5 is for configuring the saml:sp authsource:
"Here we will list some examples for this authentication source."

Whereas section 2:

"2 Parameters
These are parameters that can be used at runtime to control the
authentication. All these parameters override the equivalent option
from the configuration.
[...]
saml:idp
The entity ID of the IdP we should send an authentication request to."

-peter
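
Putting the two points of the thread together (pinning the IdP with "saml:idp", and Peter's remark that IdP selection is not authorization), here is an added example that is not code from the thread or from simpleSAMLphp itself. The "saml:idp" parameter only chooses which IdP the request is sent to; it does not by itself restrict whose response the generic SP authsource accepts, so the application checks which IdP actually issued the assertion via getAuthData('saml:sp:IdP'). The autoload path, lookupTenantIdp() and its tenant table, and the /saml-error page are assumptions constructed for the example.

```php
<?php
// Added example; not the thread's or simpleSAMLphp's own code.
require_once '/var/simplesamlphp/lib/_autoload.php'; // path is an assumption

// Constructed stand-in for the database lookup described in the thread:
// subdomain -> the IdP entityID that tenant configured. Unknown hosts get null.
function lookupTenantIdp(string $host): ?string {
    $tenants = [
        'customer1.myapp.com' => 'https://idp.customer1.example/saml2/idp/metadata.php',
        'customer2.myapp.com' => 'https://sso.customer2.example/metadata',
    ];
    return $tenants[$host] ?? null;
}

$host = $_SERVER['HTTP_HOST'];
$expectedIdp = lookupTenantIdp($host);
if ($expectedIdp === null) {
    // Host header is client-supplied; never fall back to discovery for an unknown tenant.
    http_response_code(404);
    exit('Unknown tenant');
}

// One generic saml:SP authsource per hostname, as in the thread.
$as = new SimpleSAML_Auth_Simple($host);

if (!$as->isAuthenticated()) {
    // 'saml:idp' is the runtime parameter (section 2 of the saml:sp docs);
    // it sends the AuthnRequest straight to this tenant's IdP, skipping discovery.
    $as->login(array(
        'saml:idp' => $expectedIdp,
        'ReturnTo' => "https://$host$_SERVER[REQUEST_URI]",
        'ErrorURL' => "https://$host/saml-error", // assumed error page
    ));
}

// Authorization check: the session may rest on an assertion from any IdP the
// SP trusts (e.g. an IdP-initiated response), so verify the issuing IdP is the
// one this tenant configured before treating the user as this tenant's user.
$actualIdp = $as->getAuthData('saml:sp:IdP');
if ($actualIdp !== $expectedIdp) {
    error_log("SAML tenant mismatch on $host: expected $expectedIdp, got $actualIdp");
    $as->logout("https://$host/"); // drop the session rather than serve it
}

$attributes = $as->getAttributes();
```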