Multiple IDPs on same domain

[Mark Kaulertz]

Hello everyone!

What I am trying to do?

I already have a corporate SAML proxy configured and running with a lot of IDPs and SPs in place. Now I want to join a federation as IDP which restricts the accounts we are allowed to release to the AAI. So some Users should be able to access corporate services while not having access to the federations services at all. As far as I know there are not any modules able to handle these kinds of restrictions.
I came up with the idea to setup a dedicated federation IDP which uses the same authsource (SAML 2.0 SP) as my first proxy IDP.

What have I done so far?

Since SimpleSAMLphp does not seem to provide the capability to configure multiple IdPs on the same host name my first attempt was to setup another IDP on a subdomain (aai.login.local.dev instead of login.local.dev).
This attempt failed because I was not able to pin the host name of the proxy SP which adapted to the new subdomain and I effectively had 2 separate SPs.

After reading https://groups.google.com/g/simplesamlphp/c/-6PrbWEBAWc/m/2dtJnw7-W2AJ I tried to implement a very similar approach to be able to configure multiple IDPs on the same domain. After a few smaller changes in a PoC environment this already works like a charm.

 

I am aware that this change is just a PoC and currently breaks compatibility with some functionalities.

Before investing additional time I would like to discuss this approach and determine whether this has a chance to be merged to the upstream repository.

Do you have any objections or ideas on this approach or my problem?

 

Best regards

Mark

[Tim van Dijen]

Hi Mark,

It's perfectly possible to have multiple IDPs on the same hostname!
just add another entry to the saml20-idp-hosted file, and instead of __DYNAMIC:1__ as the array key you use the desired entityID for the second IDP.

- Tim

Op maandag 15 maart 2021 om 15:57:16 UTC+1 schreef mkau...@googlemail.com:

[pat...@cirrusidentity.com]

> I already have a corporate SAML proxy configured and running with a lot of IDPs and SPs in place. Now I want to join a federation as IDP which restricts the accounts we are allowed to release to the AAI. So some Users should be able to access corporate services while not having access to the federations services at all. As far as I know there are not any modules able to handle these kinds of restrictions. 
I came up with the idea to setup a dedicated federation IDP which uses the same authsource (SAML 2.0 SP) as my first proxy IDP

Hi Mark,

You can use the metarefresh module and the authorize module to achieve your goal.

In the metarefresh module you define how to get the metadata from your federation, and you can add a template with an authproc filter that will be added to all the SPs from that federation.

Your authproc filter can invoke the authorize module for performing authorization decisions for federation SPs based on a user's attributes.

- Patrick

[Mark Kaulertz]

Hi Patrick,

thanks for your suggestion.

>You can use the metarefresh module and the authorize module to achieve your goal.

>In the metarefresh module you define how to get the metadata from your federation, and you can add a template with an authproc filter that will be added to all the SPs from that federation.

>Your authproc filter can invoke the authorize module for performing authorization decisions for federation SPs based on a user's attributes.

I am not very fond of having my authproc filter configuration scattered across several configuration files but this is a good approach using existing functionalities.

Nevertheless I would like to discuss an approach of being able to configure multiple dedicated IDPs on the same hostname.

Are there any technical contradictions to the SAML protocol (I briefly checked the docs but could not find any) or the vision of SimpleSAMLphp?

- Mark

[Tim van Dijen]

Hi Mark,

Have you missed my earlier mail? As said, it's perfectly possible to run multiple IDPs on the same hostname..

- Tim

Op dinsdag 16 maart 2021 om 09:10:20 UTC+1 schreef mkau...@googlemail.com:

[kmu...@nmu.edu]

Mark,

I run multiple IDP instances on a single server.  My environment is linux/apache. 

My apache configuration has a separate Alias & Directory block for each instance. 

e.g. 

Alias /simplesaml /var/simplesaml/simplesamlphp/www
<Directory /var/simplesaml/simplesamlphp/www>

...

Alias /testsaml /var/simplesaml/testsaml/www
<Directory /var/simplesaml/testsaml/www>

....

So i end up with multiple copies of the software installed in the different folders.  

In reality the /var/simplesaml/simplesamlphp folder shown in the apache Directory directive is actually a softlink to a versioned copy of the latest release of the software.

a ls command in my /var/simplesaml folder shows:

lrwxrwxrwx  1 xxx group    36 Jan  9 07:51 simplesamlphp -> /var/simplesaml/simplesamlphp-1.18.8
drwxr-xr-x 25 xxx group 4096 May 27  2020 simplesamlphp-1.18.7
drwxrwxr-x 25 xxx group 4096 Jan  9 07:47 simplesamlphp-1.18.8
lrwxrwxrwx  1 xxx group   31 Oct  8 13:30 testsaml -> /var/simplesaml/testsaml-1.18.8
drwxr-xr-x 25 xxx group 4096 May 21  2020 testsaml-1.18.7
drwxrwxr-x 25 xxx group 4096 Oct  8 13:27 testsaml-1.18.8

this allows me to easily migrate forward (and back if necessary) when a new release comes out, without changing the apache config, or stopping and starting apache 

with each release i just have to migrate the config, certs, and metadata folders from the previous release

each idp instance has it's own config folder obviously, and within the config.php i alter the values of the following: baseurlpath, tempdir, secretsalt, auth.adminpassword, logging.processname, session.cookie.name, session.phpsession.cookiename, session.authtoken.cookiename 

(hopefully that is the full list) then i alter any of the other config information that I want different.