Login page without redirection to Idp URL


Maxime BUISSON

Jun 29, 2011, 6:10:31 AM
to simpleSAMLphp
Hi,
I'm just testing simpleSAMLphp, and I think my question is a little
bit stupid.

I created two hosts:
- www.myIdp.local => Using simpleSAMLphp as a SAML Identity Provider
- www.mySp.local => Using simpleSAMLphp as a SAML Service Provider

When I run the example at "http://www.mysp.local/example-simple/verysimple.php" and click on "login", I'm redirected to
"www.myIdp.local" for authentication.
The authentication works, it's great!

I would like to have a login page on my SP.
Is it possible for the redirection to www.myIdp.local to be invisible
to the user?

(sorry for my English :D )

Peter Schober

Jun 29, 2011, 7:29:34 AM
to simpleSAMLphp
* Maxime BUISSON <maxime....@gmail.com> [2011-06-29 12:12]:

> I would like to have a login page on my SP.
> Is it possible for the redirection to www.myIdp.local to be invisible
> to the user?

No. The whole point of separating these functions is that the SP does
not ever see the user's password.
If that is what you want, why bother with SAML in the first place?
Just perform the authentication in your application and be done with
it.
-peter

Søren Grønning Iversen

Jun 29, 2011, 7:31:11 AM
to simple...@googlegroups.com
Hi,

I'm not sure what you wish to achieve - if you get redirected to your IdP at login and thereafter redirected to the SP, which allows you access, why would you need a login at the SP?

It could of course be a question of separate login pages for different SPs, but since I have no idea as to what reasons you have for this, I'd stick to the SP -> IdP -> SP flow :)

/Søren

Maxime BUISSON

Jun 29, 2011, 7:51:01 AM
to simpleSAMLphp
I want SSO for several websites, but I would like the user
not to see the redirection.
Is it not possible?


Sixto Martin

Jun 29, 2011, 7:59:34 AM
to simple...@googlegroups.com
If you don't want redirection you can't use SAML2 as your Single Sign On solution.

The user always must set credentials at the IdP login interface so all your services will redirect there to authenticate the user.

Check the SAML2 single sign on flow:
http://support.onelogin.com/attachments/token/qxrr49mulycnc8t/?name=saml-flow.png
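
Added example, not part of the thread and not SimpleSAMLphp's own code: the SP-to-IdP leg of that flow over the SAML 2.0 HTTP-Redirect binding, showing that the redirect carries only the SP's identity and return address, so credentials are entered at the IdP alone. The entity ID, endpoint paths, request ID and RelayState are constructed; only the two host names come from the thread.

```python
import base64
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed values (assumptions); only the host names appear in the thread.
SP_ENTITY_ID = "http://www.mySp.local/sp"
ACS_URL = "http://www.mySp.local/acs"
IDP_SSO_URL = "http://www.myIdp.local/sso"


def build_redirect_url(request_id, issue_instant, relay_state):
    """SP side: wrap an AuthnRequest in an HTTP-Redirect binding URL."""
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id, "Version": "2.0", "IssueInstant": issue_instant,
        "Destination": IDP_SSO_URL, "AssertionConsumerServiceURL": ACS_URL,
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = SP_ENTITY_ID
    xml = ET.tostring(req)
    # Redirect binding: raw DEFLATE (no zlib header), base64, then URL-encode.
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(xml) + comp.flush()
    query = urllib.parse.urlencode({
        "SAMLRequest": base64.b64encode(deflated).decode("ascii"),
        "RelayState": relay_state,  # where the SP resumes after login
    })
    return f"{IDP_SSO_URL}?{query}"


def parse_redirect_url(url):
    """IdP side: recover what the SP actually sent in the redirect."""
    params = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    xml = zlib.decompress(base64.b64decode(params["SAMLRequest"][0]), -15)
    req = ET.fromstring(xml)
    return {
        "issuer": req.find(f"{{{SAML}}}Issuer").text,
        "acs": req.get("AssertionConsumerServiceURL"),
        "id": req.get("ID"),
        "relay_state": params["RelayState"][0],
        # Every attribute on the request: none of them holds a credential.
        "attributes": sorted(req.attrib),
    }
```

The IdP authenticates the user on its own login page and answers with a signed response posted to the ACS URL, which is why the SP never handles the password.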

Søren Grønning Iversen

Jun 29, 2011, 8:02:35 AM
to simple...@googlegroups.com
-It wouldn't be SSO if you had to login every time you access a site ...

Once authenticated to your simpleSAMLphp IdP, your users will be
accepted at any SP that has knowledge of the metadata of your IdP. This
means that you'll get SSO after one(!) visit to the IdP.

The redirection bit of your question doesn't make much sense to me, but
if you fear the users' response to the fact that they get redirected, why
not just place a web page in between the web app (secured by the SP)
and the point of authentication, telling the user what's going ...

If it's just cosmetics, I'd live with it if I were you ;) -Two or more
different sites (SP and IdP) all secured by trusted SSL certificates
should not alarm your users either ...

-Søren


Peter Schober

Jun 29, 2011, 8:10:02 AM
to simpleSAMLphp
* Maxime BUISSON <maxime....@gmail.com> [2011-06-29 13:51]:

> I want SSO for several websites, but I would like the user
> not to see the redirection.
> Is it not possible?

No. But you could design things so that it won't be noticed, e.g. by
having your IdP on the same vhost as your SP, and design your URL
space and HTML templates so that it closely matches your SP.
Then the redirect will only be from /some-application to /your-idp
for example.
Of course this won't work for other, actually federated SPs, esp if
you can't guarantee the order where people start their sessions.
So it all depends on your use-case.
-peter

Maxime BUISSON

Jun 29, 2011, 8:11:14 AM
to simpleSAMLphp
Ok, it's very clear !
Thanks a lot for your reactivity !
