URL directly to federated IDP.


Seth Linn

Jun 10, 2024, 2:29:18 PM
to SimpleSAMLphp
Hello, the problem I am trying to solve is this: I have a website for the visually impaired. On the login page there are large buttons/icons
linking to the different IDPs that can be used to log in. On the old page we used Shibboleth links that looked like this
https://mysite.org/Shibboleth.sso/Login?SAMLDS=1&target=https://mysite.org/&entityID=https://idp.someuniversity.org/idp
This would take the user directly to the IDP login page. I am trying to do the same thing using simplesamlphp and a federation (eduGAIN). I am having trouble
making a URL that would take them through the simplesamlphp SP and directly to the IDP itself. One of the problems is a parameter called AuthID which seems
to change every X hours. I am open to other solutions as well.

I have already read this discussion but it doesn't cover federations.
https://groups.google.com/g/simplesamlphp/c/OoOcArCEGgs

Any help would be appreciated. Thanks.

Peter Schober

Jun 10, 2024, 3:30:31 PM
to simple...@googlegroups.com
Seth Linn <seth...@gmail.com> [2024-06-10 20:29 CEST]:
> I am having trouble making a URL that would take them through
> the simplesamlphp SP and directly to the IDP itself. One of the problems is
> a parameter called AuthID which seems to change every X hours. I am
> open to other solutions as well.

AFAIU the long-missing support for the SP Request Initiation Protocol
was recently added:
https://github.com/simplesamlphp/simplesamlphp/pull/2073
It just doesn't seem to be available in a release, yet.
(Then you should be able to use this in a similar fashion you've been
using the Shibboleth SP software, at least for the parameters defined
in that OASIS standard.)

I recall that SimpleSAMLphp has its own proprietary request parameters
to achieve the same thing, but I can't find anything on that atm.
Tim will know, I'm sure.

-peter

Tim van Dijen

Jun 11, 2024, 3:40:27 AM
to SimpleSAMLphp
Actually, I don't know .. I'm really only familiar with SimpleSAMLphp as an IdP...
I'm not sure if/how the Request Initiation PR would help Seth to get automatically proxied ..

On Monday, June 10, 2024 at 21:30:31 UTC+2, Peter Schober wrote:

Peter Schober

Jun 11, 2024, 6:03:38 AM
to simple...@googlegroups.com
Tim van Dijen <tvd...@gmail.com> [2024-06-11 09:40 CEST]:
> I'm not sure if/how the Request Initiation PR would help Seth to get
> automatically proxied ..

Seems one of us misread the OP's request, then. ;)
I understood the question to be: How does the URL for SimpleSAMLphp
look like where I can pass in an IDP's entityID to initiate SSO with?
One literal answer would be to use the newly added (but not included
in a released version, AFAICT) support for the SPRIP protocol.

I guess the original problem statement could be generalised to read:
How do I use SSP to create custom login links for a bunch of IDPs?
I would have expected the SSP PHP API to provide this but I can't find
any method that would accept an IDP's entityID to initiate SSO with it?
https://simplesamlphp.org/docs/stable/simplesamlphp-sp-api.html
(I must be looking in the wrong place.)

The only place I can find this atm is in the saml:SP authsource but I
wouldn't want to create a separate authsource for each IDP I want to
be offering a login link (for the same SAML SP!).

Again I would hope that you/Tim would know the answer! :)
-peter

monk...@gmail.com

Jun 12, 2024, 8:23:49 PM
to SimpleSAMLphp
Hi,

One of the use cases I saw for the SP Request Initiation Protocol addition was being able to email out links to people which would have a preselected IdP. This seemed handy if there was a service that could use many IdPs but an organization (perhaps the one running the IdP) wanted to direct users to that IdP. For example, a university that was using a service provided by another organization wanting to email their students with information about using that service. Using SPRIP the university could preselect themselves as IdP and users would not be bothered by seeing a list of universities as their IdP but just be taken to their university IdP directly before returning to that service.

  Looking at the target and entityID in the example login URL this seems very much like the SPRIP case.

There may be another way to do this in an SSP specific way. Unfortunately I am still coming up to speed with the code base so do not know it off hand.

monk...@gmail.com

Jun 13, 2024, 12:48:58 AM
to SimpleSAMLphp
Another thought after some research I found this post by Tim:

In this case perhaps on your login page with the large button/icons couldn't you have the button call back to your php code sending the name of the idp you want to use. Then you could use the php code from the above linked post (replicated below) to redirect the user to a specific idp... Obviously needing some sanity checking to make sure that only a nominated set of IdP can be chosen from to protect from curious minds.

require_once('/var/simplesamlphp/src/_autoload.php'); // SSP autoloader (path depends on the install: src/ in 2.x, lib/ in 1.x)
$auth = new \SimpleSAML\Auth\Simple('default-sp');     // name of the saml:SP authsource in authsources.php
$auth->requireAuth(['saml:idp' => '<entityID>']);       // skips IdP discovery and redirects straight to this IdP

The requireAuth will not return to your code but the user will instead be viewing that IdP for login. In this case what is wanted is some way to easily allow the user to select an IdP from a page of your design and have them redirected to that choice. I fell into the trap of thinking that the links to make that happen should be able to be recorded, but those links themselves are not interesting. The links could be made with SPRIP but we don't need to send those out for this case.

Sorry if I have misunderstood the problem. I assume you are the SP and wish to allow the user to easily select from some IdPs for authentication.
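One way to wire the suggestion above together, as an added example (not code from the thread or from SimpleSAMLphp): the large buttons POST a short key, the key is checked against a fixed allowlist before it ever becomes an entityID, and only then does SSP redirect to that IdP. The install path, the 'default-sp' authsource name and the two entityIDs are assumptions.

```php
<?php
// Added example, not code from the thread or from SimpleSAMLphp: the login page's
// large buttons POST a short key, the key is mapped through a fixed allowlist to an
// IdP entityID, and SSP then sends the user straight to that IdP. Assumptions:
// SSP 2.x under /var/simplesamlphp and an authsource named 'default-sp'.
declare(strict_types=1);
require_once '/var/simplesamlphp/src/_autoload.php';

// Allowlist: button key => IdP entityID (placeholders). Only IdPs listed here,
// and present in the SP's federation metadata, can be reached through this page.
const IDP_BUTTONS = [
    'someuniversity'  => 'https://idp.someuniversity.org/idp',
    'otheruniversity' => 'https://idp.otheruniversity.example/idp',
];

/** Map a button key to an entityID; null for anything not on the allowlist. */
function resolveIdp(string $key): ?string
{
    return IDP_BUTTONS[$key] ?? null;
}

/** Post-login target: accept only same-site paths (no '//host' or absolute URLs). */
function safeTarget(?string $target): string
{
    if (is_string($target) && str_starts_with($target, '/') && !str_starts_with($target, '//')) {
        return $target;
    }
    return '/';
}

$entityId = resolveIdp((string) ($_POST['idp'] ?? ''));
if ($entityId === null) {
    http_response_code(400);
    exit('Unknown identity provider.');
}

$auth = new \SimpleSAML\Auth\Simple('default-sp');
// requireAuth() does not return on this path: it redirects the browser through the
// SP to the chosen IdP's login page, using the metadata SSP already holds, and
// brings the user back to ReturnTo once the IdP has authenticated them.
$auth->requireAuth([
    'saml:idp' => $entityId,
    'ReturnTo' => safeTarget($_POST['target'] ?? null),
]);
```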


Peter Schober

Jun 13, 2024, 8:01:43 AM
to simple...@googlegroups.com
Peter Schober <peter....@univie.ac.at> [2024-06-11 12:03 CEST]:
> I understood the question to be: How does the URL for SimpleSAMLphp
> look like where I can pass in an IDP's entityID to initiate SSO with?
> One literal answer would be to use the newly added (but not included
> in a released version, AFAICT) support for the SPRIP protocol.
>
> I guess the original problem statement could be generalised to read:
> How do I use SSP to create custom login links for a bunch of IDPs?
> I would have expected the SSP PHP API to provide this

Another way to frame that problem is to just look at it as a different
"theme" for a SAML IDP Discovery Service -- because that's effectively
what you're building: creating a "mapping" from human-understandable
IDP display name (for users to select an IDP to log in with) to a
machine-understandable IDP entityID (the globally unique identifier
SSP needs in order to initiate SSO with the chosen IDP).

Did you look at styling any of the existing SAMLDS variants
differently so that they better suit your purpose?

The SAMLDS protocol[1] is also rather simple, so building an external
(to the SimpleSAMLphp software) SAMLDS that works/looks just the way
you want should also be easily possible. Co-locating that on the same
web server your protected resource (and SSP instance) runs on may be
good enough without having to implement this within SimpleSAMLphp
itself.

The upside of approaching this as a SAMLDS issue is that it would
automatically work for any IDP your SSP instance has metadata
available, i.e., you wouldn't have to create those links to IDPs
yourself/manually!

HTH,
-peter

[1] https://wiki.oasis-open.org/security/IdpDiscoSvcProtonProfile
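The external SAMLDS described above, as an added example (not code from the thread or from SimpleSAMLphp): it renders the IdP list from the metadata SSP already holds and answers the SP with the DS protocol's redirect. The return URL SSP sends to a discovery service carries the short-lived AuthID the original question mentions, which is why that link cannot be fixed in a static button; the install path and the allowed return-URL prefix are assumptions.

```php
<?php
// Added example, not code from the thread or from SimpleSAMLphp: a minimal
// external SAML IdP Discovery Service (SAMLDS) that lists the IdPs SSP already
// holds metadata for and answers the SP per the OASIS DS profile:
//   request : ?entityID=<SP>&return=<url>&returnIDParam=<name>[&isPassive=...]
//   response: 302 to <return> with <name>=<chosen IdP entityID> appended.
// Assumptions: SSP 2.x under /var/simplesamlphp; the return-URL prefix is a placeholder.
declare(strict_types=1);
require_once '/var/simplesamlphp/src/_autoload.php';
use SimpleSAML\Metadata\MetaDataStorageHandler;
// 'return' is an open-redirect sink unless pinned to the SP's own DiscoveryResponse
// endpoint(s) as published in its metadata; the DS profile requires this check.
const ALLOWED_RETURN_PREFIXES = ['https://mysite.org/simplesaml/module.php/saml/sp/discoresp.php'];
function returnUrlAllowed(string $url): bool
{
    foreach (ALLOWED_RETURN_PREFIXES as $p) { if (str_starts_with($url, $p)) { return true; } }
    return false;
}
/** Known IdPs from SSP's saml20-idp-remote metadata set: entityID => display name. */
function knownIdps(): array
{
    $out = [];
    foreach (MetaDataStorageHandler::getMetadataHandler()->getList('saml20-idp-remote') as $id => $md) {
        $out[$id] = $md['name']['en'] ?? $id;
    }
    return $out;
}
$return = (string) ($_GET['return'] ?? '');
$param  = (string) ($_GET['returnIDParam'] ?? 'entityID');
$chosen = (string) ($_GET['idp'] ?? '');              // set by our own large buttons
if (!returnUrlAllowed($return) || !preg_match('/^\w+$/', $param)) {
    http_response_code(400); exit('Bad discovery request.');
}
$idps = knownIdps();
if ($chosen !== '' && isset($idps[$chosen])) {         // only IdPs we hold metadata for
    $sep = str_contains($return, '?') ? '&' : '?';
    header('Location: ' . $return . $sep . $param . '=' . rawurlencode($chosen), true, 302);
    exit;
}
// No choice yet: render one large button per IdP, carrying the DS request through.
echo '<ul>';
foreach ($idps as $id => $name) {
    printf('<li><form method="get"><input type="hidden" name="return" value="%s">'
         . '<input type="hidden" name="returnIDParam" value="%s">'
         . '<button name="idp" value="%s">%s</button></form></li>',
        htmlspecialchars($return), htmlspecialchars($param), htmlspecialchars($id), htmlspecialchars($name));
}
echo '</ul>';
```

Point the SP's discovery setting at this page and every IdP in the federation metadata shows up automatically, which is the upside Peter describes.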

Peter Schober

Jun 13, 2024, 8:49:56 AM
to simple...@googlegroups.com
monk...@gmail.com <monk...@gmail.com> [2024-06-13 02:23 CEST]:
> One of the use cases I saw for the SP Request Initiation Protocol
> addition was being able to email out links to people which would have
> preselected an IdP.

The original issue
https://github.com/simplesamlphp/simplesamlphp/issues/174
provides an actual (and more practical/realistic, IMO) use-case for
this, i.e., library systems hosting institution-specific links to
protected resources that encode the institution within the link and so
avoid IDP Discovery at the SP.
See https://wugen.ukfederation.org.uk/ for a tool that aims to help
the creation of such links.

That's just yet another way to make it easier for subjects to get
frictionless access to institutionally licensed resources, of course:
The SP still needs to provide a proper SAMLDS to allow deep-linking
into protected resources (e.g. as a result from a web search) and
starting the SSO process at the SP.
Also subjects moving between institutions (common in academia due to)
will often directly access protected resources (nature.com is always
at nature.com) instead of trying to remember where the institutional
library portal was in order to find that institution-specific link to
nature.com.

-peter

Seth Linn

Jun 15, 2024, 10:28:32 AM
to SimpleSAMLphp
Thanks for all the options. For me the most promising is https://github.com/simplesamlphp/simplesamlphp/pull/2073 but I will investigate the others also. If I find a better solution I will post it here.
- Seth-
