Tenants of our app have their own subdomain, e.g. customer1.domain.com, although it's one code base. Some tenants want SP initiated SSO with SAML.

What's the best approach for making this happen?

  1. SimpleSAMLphp on a static shared subdomain, e.g. sso.domain.com/saml/
  2. SimpleSAMLphp as part of the tenant, e.g. customer1.domain.com/saml/

If we go for option 1, how would we know what tenant an incoming SAML request is for?

If we go for option 2, how would you recommend configuring SimpleSAMLphp for metadata/authsources, as it only seems to support hardcoded files?

Thanks

Marcus

2 Answers

At one of my ex-employers we had a setup similar to option 2 and it worked well for us. The only difference was that the domain was unique for each client and they posted the SAML to /index.php:

  • client 1: client1.com/index.php
  • client 2: client2.com/index.php

We used a listener for each client to trigger the processing of the SAML payload.

We had to configure the keys and source name (the source name is unique for each client) in authsources.php for each client. We also used different keys for each client; you can also use one key pair for all clients, but it is less secure.

We also had to configure the fingerprint in saml20-idp-remote.php for each client.

Jeetendra Pujari

We ended up going for option 2 and it's working well. SimpleSAMLphp is installed on the multi-tenant app in the form: customer1.domain.com/saml/

In SimpleSAMLphp, authsources.php is configured as per below:

    $_SERVER['HTTP_HOST'] => array(
        'saml:SP',
        'entityID' => 'https://'.$_SERVER['HTTP_HOST'],
        // ...etc
    ),

This means there's a unique entityID for each tenant in the form of their domain name with us, e.g. https://customer1.domain.com

When performing the SP initiated SSO, we specify the IdP specific to this tenant; otherwise they'd see the discovery page and a list of all IdPs from other tenants:

if (!$as->isAuthenticated()) {
    $params = array(
        'saml:idp' => $samlEntityID
    );
    $as->login($params);
}

So far it's working very smoothly with metadata stored in the database.

Marcus
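An added example (not code from either answer, and not part of SimpleSAMLphp itself) showing one way to harden the option-2 setup: the Host header is attacker controlled, so it is checked against the list of known tenants before it becomes the authsource name and entityID, and each tenant's IdP is pinned so the discovery page is never reached. It assumes SimpleSAMLphp 1.15 or later (the namespaced \SimpleSAML\Auth\Simple class), that TENANT_IDPS is a constructed stand-in for the database lookup the answer mentions, and that per-tenant key files live in SimpleSAMLphp's cert/ directory.

```php
<?php
// Constructed stand-in for the tenant table the answer keeps in the database:
// tenant host => entityID of that tenant's IdP (values are made up).
const TENANT_IDPS = [
    'customer1.domain.com' => 'https://idp.customer1.example/saml/metadata',
    'customer2.domain.com' => 'https://login.customer2.example/saml',
];

// The Host header is attacker controlled, so it is only accepted when it
// names a known tenant; anything else is rejected instead of becoming an
// entityID or an authsource name.
function resolveTenantHost(string $hostHeader): ?string
{
    $host = strtolower(explode(':', $hostHeader, 2)[0]); // strip any port
    if (!preg_match('/^[a-z0-9-]+\.domain\.com$/', $host)) {
        return null;
    }
    return array_key_exists($host, TENANT_IDPS) ? $host : null;
}

// One saml:SP authsource per tenant, as in the answer, with the IdP pinned
// so the SP never shows the discovery page listing other tenants' IdPs.
function buildSpAuthsource(string $host): array
{
    return [
        'saml:SP',
        'entityID'    => 'https://' . $host,
        'idp'         => TENANT_IDPS[$host],
        'privatekey'  => $host . '.key', // separate key pair per tenant
        'certificate' => $host . '.crt', // (files under cert/, assumed)
    ];
}

// authsources.php is plain PHP, so it can emit just the current tenant's
// entry instead of a hardcoded list of every tenant:
$host = resolveTenantHost($_SERVER['HTTP_HOST'] ?? '');
if ($host === null) {
    http_response_code(400);
    exit('Unknown tenant');
}
$config = [$host => buildSpAuthsource($host)];

// In the application's login handler (assumes SimpleSAMLphp's autoloader):
$as = new \SimpleSAML\Auth\Simple($host); // authsource name == tenant host
if (!$as->isAuthenticated()) {
    $as->login(['saml:idp' => TENANT_IDPS[$host]]); // per-tenant IdP
}
```

The first part belongs in authsources.php and the last four lines in the application's login handler; a tenant whose IdP metadata is missing from the metadata store will still fail at login, which is the safe outcome.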