0

I'm trying to make a Client portal (IdP) in PHP.

That portal links to several SP's (like Magento, Google Analytics and Wordpress)

Seeing how this needs to works my IdP needs to initiate authentication. when clicked on a link to an SP the authentication needs to start.
So it needs an IdP first application. I try to set it up with SimpleSAML, the only problem is the initial explanation on the simpleSAML website isn't clear enough for me (https://simplesamlphp.org/docs/stable/simplesamlphp-idp) can someone give me some better or in depth explanation about IdP first?

this is a new client portal but the clients already have accounts with the mentioned sites and other sites, sometimes more than 1 account. Is it possible to connect those accounts without doing it myself but let the clients connect them?

If there are better solutions than SAML to this problem please don't hesitate to mention them

Wouter
  • 465
  • 2
  • 7
  • 24
  • in depth explanation of what? Setting up IDP in general? – Stefan Rasmusson Apr 30 '15 at 08:10
  • About IDP initiated. I always recommend using SP initiated SAML for cases like this too. In this case, you would just have a link to the SP, the SP sees that the user is not authenticated and starts the authentication with IDP – Stefan Rasmusson Apr 30 '15 at 08:12
  • So user goes to google -> google sees he's not authenticated -> starts authentication with my IdP? To answer the first question: Setting up an IdP first portal – Wouter Apr 30 '15 at 08:37
  • 1
    Yep sp initiated is what I recommend. Its easy to implement and idp initiated comes with some problems, like csrf, deeplinking and inoperability problems – Stefan Rasmusson Apr 30 '15 at 19:20
  • but should i make my application the sp or the idp? – Wouter May 01 '15 at 08:14
  • Well, in your question you say that you going to implement a idp... – Stefan Rasmusson May 01 '15 at 15:17
  • Okay how do I initiate the authentication from the SP if i don't make the SP and i still want it to start when i go to the site(let's say google) and not when i'm on google and need to authenticate – Wouter May 07 '15 at 12:01
  • 1
    You dont initiate it, the SP recognizes the need for auth on the page the user is sent and initiates auth – Stefan Rasmusson May 07 '15 at 14:47

1 Answers1

0

4.5 IdP initiated login

If you use a simpleSAMLphp IdP, and you want users to be able to bookmark the login page, you need to test IdP initiated login. To test IdP initiated login from a simpleSAMLphp IdP, you can access:

https://.../simplesaml/saml2/idp/SSOService.php?spentityid=<entity ID of your SP>&RelayState=<URL the user should be sent to after login>

Note that the RelayState parameter is only supported if the IdP runs version 1.5 of simpleSAMLphp. If it isn't supported by the IdP, you need to configure the RelayStateoption in the authentication source configuration.

As for account linking, it's my understanding that simple doesn't do this (it's getting out of the simple realm). To use it, you'll have to clean up accounts.

[edit]Actually, I suppose you could - though you'd have to build a structure to do it. You would need to somehow build a mapping of accounts from the corporate ID to the SP accounts at Wordpress, Google, etc.

Community
  • 1
  • 1
Andrew K.
  • 3,240
  • 12
  • 23
  • Most commercial products would have this functionality, I would think - I know PingFederate does. I'm not sure about Okta or OneLogin. – Andrew K. Apr 30 '15 at 11:40