Steps to implement SSO for a PHP application

Mvc Learner · May 11, 2017 · Viewed 9k times

I am a newbie in SSO implementation. We are looking at implementing SSO for a client that uses a PHP application (supported by us), for their employees to log in to the application. We are in the process of setting up Simple SAML for this. I have been reading articles on SSO, many of which are helpful. Pardon me for asking this, I know it is dumb. In this scenario, who is the IDP and who will be the service provider? The client apparently uses SSO for other applications as well. Can someone throw some light on what all I need to set up from our end? I will research how to do each of them. Could someone please help by mentioning the things that need to be implemented?

Answer

Vbp · May 14, 2017

who is the IDP and who will be the service provider.

IDP (Identity Provider) is the one who creates, stores, maintains and authenticates the identity of the user, or principal in SAML terms. So in your case it is the client's application.

SP (Service Provider) is the one who provides the service or resource to a user (authenticated by the IDP), so in your case it is your application.

[Diagram: SSO workflow]

could someone please help by mentioning the things that need to be implemented.

As you can see in the above diagram, when a user tries to access a resource on your site, you will have to redirect them to the IDP to confirm whether this user is authenticated and whether you should return the resource/response they are looking for. The SSO URL and other details are exchanged between the IDP and the SP through metadata.

Once the IDP has authenticated the user, it will POST a response to your application URL. This response contains an assertion through which you will know the user details and whether the user is authenticated or not. You will have to parse this response (XML). Also, these assertions are generally signed with a certificate and are Base64-encoded.

You will also have to think about SLO, so when a user clicks on logout in your site you might have to clear their session from your application and redirect them to the IDP so they get logged out from there as well.

As suggested by smartin, you can use some library which will make it easier to implement SAML. I am also learning about SAML, as we are working on converting our current application into an IDP :)

I found this SAML official documentation and some of the diagrams very helpful. http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0-cd-02.html
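
The decode-and-parse step described in the answer above, as an added example that is not part of the original answer or of SimpleSAMLphp. It covers only the checks an SP can make without the certificate (status, audience, validity window); the function name, entity ID, user name and timestamps are constructed, and PHP 7.3+ with the DOM extension is assumed.

```php
<?php
// Added example; every name and value here is constructed. Signature verification is
// NOT done: a SAML library must verify it before any value returned below is trusted.
const SAML_SUCCESS = 'urn:oasis:names:tc:SAML:2.0:status:Success';

function inspectSamlResponse(string $b64, string $spEntityId, int $now): string
{
    $xml = base64_decode($b64, true);             // strict mode rejects non-Base64 input
    if ($xml === false || stripos($xml, '<!DOCTYPE') !== false) {
        throw new RuntimeException('Not Base64, or carries a DTD (SAML never does)');
    }
    $doc = new DOMDocument();
    if (!@$doc->loadXML($xml, LIBXML_NONET)) {    // no network access while parsing
        throw new RuntimeException('Malformed XML');
    }
    $xp = new DOMXPath($doc);
    $xp->registerNamespace('p', 'urn:oasis:names:tc:SAML:2.0:protocol');
    $xp->registerNamespace('a', 'urn:oasis:names:tc:SAML:2.0:assertion');
    $status = $xp->evaluate('string(/p:Response/p:Status/p:StatusCode/@Value)');
    if ($status !== SAML_SUCCESS) {
        throw new RuntimeException("IdP did not report success: $status");
    }
    $a = '/p:Response/a:Assertion';
    if ($xp->query($a)->length !== 1) {           // exactly one assertion expected
        throw new RuntimeException('Expected exactly one assertion');
    }
    $aud = $xp->evaluate("string($a/a:Conditions/a:AudienceRestriction/a:Audience)");
    if ($aud !== $spEntityId) {                   // assertion must be addressed to this SP
        throw new RuntimeException('Assertion was issued for a different SP');
    }
    $from  = strtotime($xp->evaluate("string($a/a:Conditions/@NotBefore)"));
    $until = strtotime($xp->evaluate("string($a/a:Conditions/@NotOnOrAfter)"));
    if ($from === false || $until === false || $now < $from || $now >= $until) {
        throw new RuntimeException('Assertion is outside its validity window');
    }
    return $xp->evaluate("string($a/a:Subject/a:NameID)");
}

// Constructed, trimmed response (a real one also carries IDs, an Issuer and a Signature).
$sample = base64_encode(<<<XML
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
<saml:Assertion><saml:Subject><saml:NameID>employee@client.example.test</saml:NameID></saml:Subject>
<saml:Conditions NotBefore="2017-05-14T10:00:00Z" NotOnOrAfter="2017-05-14T10:05:00Z">
<saml:AudienceRestriction><saml:Audience>https://sp.example.test/metadata</saml:Audience></saml:AudienceRestriction>
</saml:Conditions></saml:Assertion></samlp:Response>
XML);
echo inspectSamlResponse($sample, 'https://sp.example.test/metadata', strtotime('2017-05-14T10:02:00Z')), PHP_EOL;
```

In a real SP the Base64 string arrives in the `SAMLResponse` POST field, and a library such as SimpleSAMLphp performs these checks together with signature validation against the certificate from the IDP's metadata.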