Application viability questions


urban

Nov 12, 2021, 10:03:49 AM
to SimpleSAMLphp

Hi and thank you for any input.

I have two Drupal9 sites and a PHPBB3 forum on the same shared hosting installation on a Lightspeed server running on a CentOS server.

I'm interested in constructing a single sign-on feature for repeat visitors wishing to participate in all three sites. I would like registered visitors to have single sign-on / logout provisions.

I'm seeing indications Drupal may act as a SAML2 provider if SimpleSAMLphp is installed.  It appears there is SAML2 support for PHPBB as well.

Does anyone have any experience or comments on making this work using the SimpleSAMLphp support?

Thanks in advance,

Mike

Peter Schober

Nov 12, 2021, 10:45:48 AM
to SimpleSAMLphp
* urban <mi...@engineered-solutions.us> [2021-11-12 16:03]:
> I have two Drupal9 sites and a PHPBB3 forum on the same shared
> hosting installation on a Lightspeed server running on a CentOS
> server.

It seems you have some upgrading and possibly migrating to do, then:
https://www.phpbb.com/community/viewtopic.php?f=14&t=2302466
Seems PHPBB3 was EOL'ed 6 years ago.
(Adding security software to that seems akin to what Americans may
call "putting lipstick on a pig".)

> I'm interested in constructing a single sign-on feature for repeat visitors
> wishing to participate in all three sites. I would like registered
> visitors to have a single sign-on / logout provisions.

Sure.
(Logout with SSO protocols is fraught with issues in general, though.)

> I'm seeing indications Drupal may act as a SAML2 provider if
> SimpleSAMLphp is installed.

Yes, but it seems unmaintained as per the comment on
https://www.drupal.org/project/saml_idp
so probably not a good basis for a new deployment.

You might get away with running SimpleSAMLphp alone (without the
integration code offered by the project referenced above) and
hand-configure SSP to use your existing Drupal database for
authentication and user data/profile lookup.

> It appears there is SAML2 support for PHPBB as well.

Leaving aside the abandoned nature of PHPBB3 itself there's some
discussion here
https://www.phpbb.com/community/viewtopic.php?t=2377386 with the code
at https://github.com/noud/phpbb-saml2 being the last word as per July
2018.

Again this is integration code that allows PHPBB to use SimpleSAMLphp
for the actual protocol support. I.e., you'd have SSP as the IDP
(using Drupal's DB) and SSP as SP. All on the same server.

The only way this makes any sense is if you must use completely
different DNS domains for all services.

If OTOH those services (the Drupal sites and the PHPBB forum) share
(or can be changed to share) a common DNS domain I probably wouldn't
use an SSO protocol to make them accessible, but something much easier,
based on a shared cookie.

HTH,
-peter
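
As an added illustration of the shared-cookie approach Peter mentions (example code, not from this thread, from Drupal, phpBB or SimpleSAMLphp): an HMAC-signed cookie scoped to an assumed common parent domain `example.com`, which each site verifies with the same shared secret. The secret, domain and cookie name are constructed for the example, and the whole idea only works once all three sites live under that one domain.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed values for this example. The secret would sit in a config file
# outside the web root that all three apps can read; the parent domain is an
# assumption (the thread's .com/.org sites would first have to move under it).
SHARED_SECRET = b"constructed-example-secret-rotate-me"
PARENT_DOMAIN = "example.com"
COOKIE_NAME = "shared_sso"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(payload: bytes) -> bytes:
    return hmac.new(SHARED_SECRET, payload, hashlib.sha256).digest()

def issue_token(user_id: str, ttl: int = 3600, now: Optional[int] = None) -> str:
    """Token = base64url(JSON claims) '.' base64url(HMAC-SHA256 of the claims)."""
    exp = (now if now is not None else int(time.time())) + ttl
    payload = json.dumps({"uid": user_id, "exp": exp}, separators=(",", ":")).encode()
    return f"{_b64(payload)}.{_b64(_sign(payload))}"

def set_cookie_header(token: str) -> str:
    """Set-Cookie value scoped to the parent domain, so the forum and both
    Drupal sites (as subdomains) all receive it; Secure/HttpOnly limit theft."""
    return (f"{COOKIE_NAME}={token}; Domain={PARENT_DOMAIN}; Path=/; "
            "Secure; HttpOnly; SameSite=Lax")

def verify_token(token: str, now: Optional[int] = None) -> Optional[str]:
    """Return the user id if the MAC is valid and the token is unexpired, else None.
    Each PHP app would do the same with hash_hmac() and hash_equals()."""
    try:
        payload_b64, mac_b64 = token.split(".", 1)
        payload, mac = _unb64(payload_b64), _unb64(mac_b64)
    except (ValueError, binascii.Error):
        return None
    if not hmac.compare_digest(mac, _sign(payload)):  # constant-time compare
        return None
    claims = json.loads(payload)
    current = now if now is not None else int(time.time())
    return claims["uid"] if claims["exp"] > current else None
```

Logout then means clearing this one cookie for the parent domain, which is the part SAML single logout makes hard across separate service providers.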

urban

Nov 12, 2021, 1:38:28 PM
to SimpleSAMLphp
Thanks Peter,

I should have been more precise.
PHPBB is at 3.3.5 (Oct 21), apparently current, which is the version I'm on.

I think you're right that app level integration is a hail Mary, likely not very secure.
If I can do this on the existing server by cross reference it would seem better.

The top domain is a virtual (non registered) domain from the shared hosting server.
Public Html home is set against that domain.

PHPBB 3.3.5 sits below there as a standalone.
Under that I placed a Drupal structure which was then further extended to the multisite method.

The multisites relate by symlink as two registered domains to the two active Drupal 9 sites.
The Drupal 9 installs are independent (but on the same common server), .com and .org, with common DNS provisions at the registrar.
All three have their own MySQL database, no shared tables.

On this model, it sounds like you're saying I might be able to cross reference authentication by cookie management?

Are you aware of any references that might give guidance on a method to accomplish integrated auth?
I'm 15 years out of touch until landing in this application a month ago.
I've never worked on authentication applications, let alone integrated ones, so I'm sorry if I seem like a newbie; I pretty much am.

Again, much thanks for the wisdom / guidance provided.

Mike