12

So my scenario goes like this:

I have two sites, a.com and b.com, and one authentication server, cauth.com.

What the client wants is ...

When the user lands on a.com or b.com, the user fills in the login form on the respective site, but the action of the form will be on cauth.com (cauth.com/authenticate). When the user is authenticated on cauth, he is logged in on both sites.

I am thinking of implementing SAML to achieve this, and the flow is like this: after authentication the IdP (cauth.com) will send a SAML response to both service providers and the user will be given access to both sites.

I am a novice in SAML and unable to find proper documentation or get a proper understanding of it.

What I want to know is:

  1. Is my solution to the problem worth implementing?
  2. Is it possible to make the site (cauth.com) an identity provider? I have looked at the thread Making your PHP website into SAML Identity Provider but was not able to get a proper solution.
alwaysLearn
  • Have you checked out the [php-saml](https://github.com/onelogin/php-saml) project? – alexw Jun 03 '15 at 16:36
  • @alexw I have checked the simplesaml library, and since I am not that good with SAML, the php-saml library seems too hard for me to implement – alwaysLearn Jun 04 '15 at 04:34
  • I'm not sure I understand. You want to implement SAML as an identity provider, right? Then it will be a lot easier to work from someone else's implementation versus trying to write it all from scratch. Otherwise, you could see if your client would be open to OAuth/OpenID, or some alternative identity provider, depending on their needs. [This question](http://stackoverflow.com/questions/2837553/saml-vs-federated-login-with-oauth) has some good answers. – alexw Jun 04 '15 at 15:51
  • Does cauth.com already exist as an IDP? If so, what protocols does it support? – rbrayb Jun 04 '15 at 19:31
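As an added example (not code from the question, the comments, or the php-saml project), this is what the service-provider side of alexw's php-saml suggestion looks like for a.com, with cauth.com configured as the IdP. The entity IDs, endpoint URLs, the return URL and the certificate value are assumptions; b.com would carry the same file with its own entityId and assertionConsumerService URL.

```php
<?php
// Added example: minimal php-saml (onelogin/php-saml) SP wiring for a.com.
// All URLs and the certificate below are placeholders, not values from the question.
require __DIR__ . '/vendor/autoload.php';

use OneLogin\Saml2\Auth;

$settings = [
    'strict' => true,    // reject responses failing signature, audience, destination or timing checks
    'debug'  => false,
    'sp' => [
        'entityId' => 'https://a.com/saml/metadata',
        'assertionConsumerService' => [
            'url'     => 'https://a.com/saml/acs',
            'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
        ],
        'singleLogoutService' => [
            'url'     => 'https://a.com/saml/sls',
            'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
        ],
        'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
    ],
    'idp' => [
        'entityId' => 'https://cauth.com/saml/metadata',
        'singleSignOnService' => [
            'url'     => 'https://cauth.com/saml/sso',
            'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
        ],
        'singleLogoutService' => [
            'url'     => 'https://cauth.com/saml/slo',
            'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
        ],
        // PEM body of the IdP signing certificate; the SP verifies every response against it.
        'x509cert' => 'PLACEHOLDER_IDP_SIGNING_CERT',
    ],
];

$auth   = new Auth($settings);
$action = $_GET['action'] ?? '';

if ($action === 'login') {
    // SP-initiated flow: send the browser to cauth.com carrying an AuthnRequest.
    // The argument is the RelayState, i.e. where to land after a successful login.
    $auth->login('https://a.com/dashboard');
} elseif ($action === 'acs') {
    // Assertion Consumer Service: cauth.com POSTs the SAMLResponse here.
    $auth->processResponse();
    $errors = $auth->getErrors();
    if (!empty($errors) || !$auth->isAuthenticated()) {
        http_response_code(403);
        echo 'SAML validation failed: ' . implode(', ', $errors);
        exit;
    }
    // Only now does a.com create its own local session; the user's password never touched a.com.
    session_start();
    $_SESSION['user']               = $auth->getNameId();
    $_SESSION['saml_session_index'] = $auth->getSessionIndex();   // needed later for single logout
    header('Location: ' . ($_POST['RelayState'] ?? '/'));
    exit;
}
```

With `strict` set to true the library refuses responses whose signature does not verify against the configured IdP certificate, whose Audience is not this SP's entityId, or whose validity window has passed, which is the check set the SP must rely on since it never sees the user's credentials itself.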

6 Answers

2

SimpleSamlPHP should be pretty easy to set up. You'll want to make a copy of the folder modules/exampleauth/ and then alter the file modules/<yournewmodule>/lib/Auth/Source/External.php to work for your site. The documentation is good though and it's definitely the easiest thing for your need, and the right one.

I should add that following the instructions to set up SimpleSamlPHP should give you a basic understanding of which metadata files are most important and where they live and how things interact.

chad_
  • I should also add that I think you could achieve this with just two servers. You could run simpleSamlPhp on **a.com** and build a login for **a.com** then build a simplesamlphp module to load the **a.com** login in a frame on **b.com**. – chad_ Jun 04 '15 at 19:49
  • Thanks .. I implemented login as required, but now I want to log out from the SAML session as well as from the site on which the user was logged in. In short, I want to destroy the session on cauth.com from a.com. Any suggestions on how this can be done? – alwaysLearn Jun 13 '15 at 06:11
  • Please see http://stackoverflow.com/questions/30816127/implement-single-logout-in-simplesamlphp – alwaysLearn Jun 13 '15 at 07:21
2

I am not sure which technology you are using for your application. If you are free to switch to Java then I can suggest Spring-Saml, because it's very easy to implement and fulfills your requirement. Spring-Saml has good documentation and online support as well, being an open-source project. You can refer to this link for Spring-saml and for the code repo use this link

You can integrate spring-saml in your abc.com and xyz.com applications to make them Service Providers (SP), and you can deploy them on different domains as well. Then you need one IDP (identity provider server) for your SPs. So you can use either ADFS with Active Directory or LDAP to act as IDP.

We had a similar requirement for our customer. I recently integrated spring-saml in my project.

Please let me know if you need any help.

ManojP
1

A federated Single Sign On (SSO) mechanism like SAML or OpenID Connect will give you what you want.

This comes with the important distinction that the login form would not be presented on a.com or b.com; those sites would rather redirect to cauth.com and the user would authenticate there. cauth.com would then send a verifiable "assertion" to a.com and b.com that the user has authenticated successfully. This constitutes one of the major goals of federated SSO, namely that the user credentials should not be presented to or stored by foreign websites, and it makes the means of authentication independent from the target websites ("Relying Parties").

So what you should be looking for is a suitable implementation of SAML or OpenID Connect for your platform (don't write it yourself!) and leverage that.

Hans Z.
0

Shibboleth is open source and one of the most popular SSO solutions. It includes a SAML Identity Provider which you can download here: https://shibboleth.net/downloads/identity-provider/latest/ .

If your client is willing, one approach would be to use a cloud SSO provider like Okta which has a developer program and could make things easier.

Grokify
0

I think there is a subtle misunderstanding in your description. For SAML authentication, if a user at site a.com either clicks a login link/button or tries to access a secure page, that user will receive an http 305 redirect to cauth.com. There the user will enter their credentials, and the user will be redirected back to a.com. If that user then goes to site b.com and tries to access secure content, b.com sends the user to cauth.com with the same http 305 redirect. This time, as there is an active session for the user's browser at cauth.com, the user does NOT see the credential form. Instead, the IDP returns the user with a successful authentication to b.com. It appears to the user that they are automatically logged on to site b, but in truth a SAML authentication flow has occurred.

Hans Z's answer elides the fact that the IDP only sends the assertions on the request of a or b (the Relying Parties or RPs, also known as Service Providers or SPs). It is not a broadcast to all RPs.

I'll reinforce that SAML does NOT support a.com receiving the credentials from the user and then passing them to the authentication engine. This is a pattern one may be familiar with from LDAP.

Take a look at the sequence diagram in the wikipedia entry on SAML.

judielaine
-2

Follow the instructions below to get a SAML implementation with PHP.

It worked perfectly for me with CI and PHP.

amba patel