
We want to use SSO for a group of apps (this will include GitLab, probably Drupal and a bunch of small apps I will write in Symfony for various tasks). We would currently like to use Google accounts to authenticate all apps, but because there are limits (I know you can increase them) on how many apps you can have, and Google sometimes changes what features are free, it would be good to have the option of using our own login down the track if needed.

I have used SimpleSAMLphp in the past with GitLab (using a database to store credentials) and it worked well. Is there a way that I can use Google Auth as an IdP and have SimpleSAMLphp record the email address to link the accounts, and allow me to add things like groups etc. to send down to the app when a login happens? I would put a password field in the login table in the database as well, so that if we decide to move away from Google we can generate random passwords and continue without too many issues.

The information I find online is for using SimpleSAMLphp as the IdP for G Suite etc. (we will be using general Google accounts, not ones in G Suite) and not the other way around. I also couldn't see any Authentication Modules for Google authentication. Are there any tutorials or instructions anywhere on this?

MicWit

1 Answer


You can accomplish what you are asking fairly easily. Instead of integrating your SPs with Google directly, integrate them with an SSP IdP you control, then set up your authentication page (i.e. the page redirected to by your authsource module) to be an SP for Google. Here's what that looks like:

vendor SP -> your SSP IdP -> your login app -> your SSP SP -> Google IdP

This way you end up with only a single Google integration configured for all your vendor integrations. There are numerous benefits to this approach:

  • You aren't affected by the number-of-integrations constraints imposed by Google
  • Since your vendor SP integrations are controlled on your own server, you can easily move to a different cloud-based IdP for authentication in the future without having to re-integrate all your SPs
  • You can easily give your users alternate sign-in choices if you want.
  • You aren't constrained to SAML or protocols supported by Google. Many vendors still use proprietary token based authentication. These can easily be supported with this setup.

Happy to help with implementation details if you need it.

huwiler
  • Awesome, thanks for that. I won't have a chance in the next few days to test this out, but that's what I am looking for. Do you know if there are any tutorials with code examples anywhere? – MicWit Aug 05 '20 at 20:44
  • There's no tutorial as far as I know, but the process is fairly straightforward: Explore /modules/exampleauth/lib/Auth/Source/External.php; copy it and use it as a general guide to build your own custom auth source (see https://simplesamlphp.org/docs/development/simplesamlphp-customauth#section_1). Get that working first. Once that's working, replace your local sign-in form with code required to convert it to an SP to Google by following https://simplesamlphp.org/docs/stable/simplesamlphp-sp. If you run into trouble, let me know! – huwiler Aug 06 '20 at 02:13
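As an added example (not code from the original post or from SimpleSAMLphp itself), here is a custom auth source built on the External.php pattern the comment above points to: it leaves the actual sign-in to a separate `google-sp` saml:SP authsource, links the email Google asserts to a row in a local users table (creating it on first sign-in), and attaches that user's groups as attributes for the downstream SP. The module name `ssolink`, the `dsn`/`username`/`password` keys in authsources.php, the `users`/`groups`/`user_groups` tables and the `email` attribute name are all assumptions, and the class names follow SimpleSAMLphp 1.x.

```php
<?php
// Constructed example. Assumed: module 'ssolink', a 'google-sp' saml:SP authsource whose
// IdP releases an 'email' attribute, and dsn/username/password keys on this authsource.
namespace SimpleSAML\Module\ssolink\Auth\Source;

use SimpleSAML\{Auth, Module, Utils};

class GoogleLinked extends Auth\Source
{
    private \PDO $db;

    public function __construct(array $info, array $config)
    {
        parent::__construct($info, $config);
        $this->db = new \PDO($config['dsn'], $config['username'], $config['password'], [\PDO::ATTR_ERRMODE => \PDO::ERRMODE_EXCEPTION]);
    }

    // Called by the hosted IdP. If the browser already holds a Google SP session, link and
    // return; otherwise park the state and send the user to login.php (External.php pattern).
    public function authenticate(array &$state): void
    {
        if (($attrs = $this->linkUser()) !== null) { $state['Attributes'] = $attrs; return; }
        $state['ssolink:AuthID'] = $this->authId;
        $stateId = Auth\State::saveState($state, 'ssolink:GoogleLinked');
        $returnTo = Module::getModuleURL('ssolink/resume.php', ['State' => $stateId]);
        Utils\HTTP::redirectTrustedURL(Module::getModuleURL('ssolink/login.php'), ['ReturnTo' => $returnTo]);
    }

    // resume.php calls this after login.php has run (new Auth\Simple('google-sp'))->requireAuth().
    public static function resume(string $stateId): void
    {
        $state = Auth\State::loadState($stateId, 'ssolink:GoogleLinked');
        $source = Auth\Source::getById($state['ssolink:AuthID'], self::class);
        if ($source === null || ($attrs = $source->linkUser()) === null) {
            throw new \SimpleSAML\Error\Exception('No Google session; refusing to complete login');
        }
        $state['Attributes'] = $attrs;
        Auth\Source::completeAuth($state);
    }

    // Link the Google-asserted email to a local row (created on first sign-in) and attach groups.
    private function linkUser(): ?array
    {
        $google = new Auth\Simple('google-sp');
        if (!$google->isAuthenticated()) { return null; }
        $email = strtolower($google->getAttributes()['email'][0] ?? '');
        if ($email === '') { return null; }
        $q = $this->db->prepare('SELECT id FROM users WHERE email = ?'); $q->execute([$email]);
        if (($id = $q->fetchColumn()) === false) {
            $this->db->prepare('INSERT INTO users (email) VALUES (?)')->execute([$email]);
            $id = $this->db->lastInsertId();
        }
        $g = $this->db->prepare('SELECT g.name FROM groups g JOIN user_groups ug ON ug.group_id = g.id WHERE ug.user_id = ?');
        $g->execute([$id]);
        return ['email' => [$email], 'uid' => [(string) $id], 'groups' => $g->fetchAll(\PDO::FETCH_COLUMN)];
    }
}
```

Group membership comes only from the local database, never from the upstream assertion, so moving off Google later only means swapping the `google-sp` step for a local password check while the vendor SPs keep seeing the same attributes. Linking purely by email is acceptable here because the upstream IdP verifies the address; with an IdP that does not, the link should be keyed on a stable subject identifier instead.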