SimpleSamlPHP SP & IDP for different clients


Alex S

Nov 10, 2017, 1:48:57 PM
to SimpleSAMLphp
What are you trying to do?

I currently have simplesamlphp set up on my server where I am the SP for several different IdPs. These are fully functional and in active use.

I now need to set myself up as an IdP for currently 1 SP, possibly more in the future, without messing up or altering anything in my SP set up.

What have you done?

I have yet to implement anything with the IdP set up. I have read through the documentation. I have a full installation of SimpleSAMLphp on a FreeBSD server with Apache, MySQL, and PHP. I have 2 different connections to IdPs as the SP. One is ADFS 2.0 and the other is idk I guess normal.

Is there anything you don't understand?

This is where my question lies. Can my server have 1 installation of SimpleSAMLphp and be both an IdP and SP separately? Is my IdP set up going to alter or affect my SP set up?

I have been looking around and I can't seem to find an answer. I do not want to start the set up only to find out I messed up my SPs, and I currently don't have a "working" server with SimpleSAMLphp set up the same way to try and test it. So I'm asking here first before setting one up.

Let me know what you think, and any tips/advice you might have about setting up an IdP with a MySQL database would be appreciated too.

Thanks!


Juan Manuel Palacios

Nov 10, 2017, 5:58:22 PM
to SimpleSAMLphp
Hi Alex,

You can definitely set up a single SimpleSAMLphp installation to be both SP & IdP at the same time, even multiple different SPs and IdPs if you like, as long as you access each of those services through separate FQDNs, and configure SimpleSAMLphp itself to issue cookies correctly for each.

My setup currently consists of a single SimpleSAMLphp installation into which I feed separate PHP "definition" files for each of the services that I host, e.g. 'sp-foo.php', 'idp-bar.php', loading each of them into the corresponding authsource.php, saml20-sp-remote.php, saml20-idp-hosted.php, etc, files as appropriate, with each "definition" file of course containing the correct information to make its service work under the correct FQDN.

As for making the IdP work with MySQL, I'm not too sure what you mean; are you referring to session cookie storage? or user credentials storage? For example, my IdP service is currently configured to provide user authentication to its registered SPs off of an LDAP local source also hosted by the same SimpleSAMLphp installation, among a pool of multiple local auth sources I could use; then the 'auth' key of the IdP service is just configured to use that one auth source.

So for MySQL you could do something like the following in authsources/some-authsource-id.php

<?php
// sqlauth:SQL authentication source; the query is run with :username and
// :password bound from the login form, and each column it returns becomes an attribute.
$config['some-authsource-id'] =
[
    'sqlauth:SQL',
    'dsn' => 'mysql:host=theServer;port=thePort;dbname=theDb',
    'username' => 'theUser',
    'password' => 'thePassword',
    'query' => 'theQuery'
];

And then configure your IdP service to use that authsource id, simple as that.

But configuring that authentication source is no different from configuring any other SQL auth source, so reading its documentation should provide you with all of the information that you need.

HTH!

--
This is a mailing list for users of SimpleSAMLphp, not a support service. If you are willing to buy commercial support, please take a look here:
 
https://simplesamlphp.org/support
 
Before sending your question, make sure it is related to SimpleSAMLphp, and not your web server's configuration or any other third-party software. This mailing list cannot help with software that uses SimpleSAMLphp, only regarding SimpleSAMLphp itself.
 
Make sure to read the documentation:
 
https://simplesamlphp.org/docs/stable/
 
If you have an issue with SimpleSAMLphp that you cannot resolve and reading the documentation doesn't help, you are more than welcome to ask here for help. Subscribe to the list and send an email with your question. However, you will be expected to comply with some minimum, common sense standards in your questions. Please read this carefully:
 
http://catb.org/~esr/faqs/smart-questions.html
---
You received this message because you are subscribed to the Google Groups "SimpleSAMLphp" group.
To unsubscribe from this group and stop receiving emails from it, send an email to simplesamlphp+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.



--

Juan Palacios
Senior Software Architect

135 West 26th St | 12th Floor | NY, NY 10001
212.675.9234 | 646.217.3677

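The layout Juan describes (one installation, an SP authsource next to an SQL-backed IdP, each service bound to its own FQDN) as an added illustration. This is not Juan's own configuration and not a file shipped by SimpleSAMLphp; the hostnames, entity ID, key file names, authsource ids, and the users table with its uid/givenName/mail/salt/password_sha256 columns are all constructed placeholders.

```php
<?php
// Added example (constructed; not the poster's or the project's code): one
// SimpleSAMLphp installation acting as SP for remote IdPs and as IdP for its own SP.
// Requires 'enable.saml20-idp' => true in config/config.php and the sqlauth
// module enabled; all names below are assumptions.

// ---- config/authsources.php ----
$config = [];

// Existing SP role: unchanged by adding the IdP. Remote IdPs are described in
// metadata/saml20-idp-remote.php; 'idp' => null lets discovery choose among them.
$config['sp-app'] = [
    'saml:SP',
    'entityID' => 'https://sp.example.org/sp-app',   // assumed entity ID
    'idp'      => null,
];

// New IdP role: credentials checked against MySQL via sqlauth:SQL. The module
// binds :username and :password from the login form; every column the query
// returns is released to the SP as an attribute.
$config['idp-users-sql'] = [
    'sqlauth:SQL',
    'dsn'      => 'mysql:host=db.example.org;port=3306;dbname=idpdb', // assumed
    'username' => 'idp_reader',   // read-only DB account is enough here
    'password' => 'CHANGE-ME',
    // Compare a per-user salted SHA-256 hash stored in the row instead of a
    // plaintext password column, so a leaked table does not leak credentials.
    'query'    => 'SELECT uid, givenName, mail FROM users '
                . 'WHERE uid = :username '
                . 'AND password_sha256 = SHA2(CONCAT(salt, :password), 256)',
];

// ---- metadata/saml20-idp-hosted.php ----
$metadata = [];

// 'host' ties this hosted IdP to its own FQDN, so the SP hostname never serves
// IdP endpoints; 'auth' points at the SQL authsource defined above.
$metadata['__DYNAMIC:1__'] = [
    'host'        => 'idp.example.org',   // assumed IdP FQDN
    'privatekey'  => 'idp.pem',           // assumed key/cert in cert/
    'certificate' => 'idp.crt',
    'auth'        => 'idp-users-sql',
];
```

The two sections normally live in the two files named in the comments; they are shown in one listing only to keep the example self-contained. The SP entry is left as it was, which is the property Alex asked about: adding the IdP means adding an authsource and a hosted-IdP entry, not editing the SP's.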

Peter Schober

Nov 11, 2017, 8:18:43 AM
to SimpleSAMLphp
* Alex S <vail...@gmail.com> [2017-11-10 19:49]:
> I currently have simplesamlphp set up on my server where I am the SP for
> several different IdPs. These are fully functional and in active use.
>
> I now need to set myself up as an IdP for currently 1 SP, possibly more in
> the future, without messing up or altering anything in my SP set up.

Then install another instance of SSP on another server and use that as
your IDP. (Or use another SAML implementation of your choice. That's
what standard protocols are for.)

An IDP handles authentication and should therefore be separate from
SPs and other services (that expose more surface to being hacked,
which would affect the security of your IDP negatively).

If there are reasons why you can't or don't want to install SSP on
another server you can provide them. I'm not going to make them up for
you.

-peter