Service Provider - required? (SimpleSAMLphp migration)

Created on 24 November 2023, about 1 year ago
Updated 30 November 2023, about 1 year ago

I've got a dumb question as I am trying to start using this module: Is the Service Provider stuff required? In other words, if my IdP already provides SAML metadata about using them as a Service Provider, do I still need to do that part in Drupal, in order to use this module? Or can I use this module by skipping the Service Provider part and going straight to the Identity Provider part?

πŸ’¬ Support request
Status

Fixed

Version

3.0

Component

Documentation

Created by

πŸ‡ΊπŸ‡ΈUnited States brockfanning

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

  • Issue created by @brockfanning
  • πŸ‡³πŸ‡±Netherlands roderik Amsterdam,NL / Budapest,HU

    It depends on what this means:

    if my IdP already provides SAML metadata about using them as a Service Provider,

    I'm inclined to assume that this means: your IdP provides SAML metadata which should be used by the Service Provider (i.e. configured at the Service Provider's side). Which, yes, you need to do in Drupal because the Service Provider is integrated into Drupal, and Drupal exposes the configuration screen.

    If, instead, you are saying that your IdP provides both a set of IdP metadata and a set of Service Provider metadata, then... I'll need more information.

    Because there are defintely always two sides (the IdP and the SP) which are going to exchange information and SAML messages with each other. If both end of the communication line are set up at your IdP, then that would be news to me.

    I recently rewrote the module's README.md a bit - it's not included in the latest stable release yet. Maybe you can check the "Stage 1" section a bit, and see if that makes a little more sense. (It has more explicit wording about the "both sides".

  • πŸ‡³πŸ‡±Netherlands roderik Amsterdam,NL / Budapest,HU

    Now that I read it again...

    if my IdP already provides SAML metadata about using them as a Service Provider,

    Maybe they are saying "you can use us as a SAML Idp or as a SAML SP" ?

    That's OK, but that's an "either-or", not an "and". If you use them as an SP, then I assume this implies the IdP is on your side. Which is a different use case (that we can ignore here).

  • πŸ‡³πŸ‡±Netherlands roderik Amsterdam,NL / Budapest,HU

    Also, maybe I should include a reference to the "SAML login flow" documentation page β†’ in the README; maybe that makes a little clearer, what is happening.

  • πŸ‡ΊπŸ‡ΈUnited States brockfanning

    Sorry, I should have read up a bit more before posting. I'll read through these links. In the meantime here is some more info about my question:

    My goal is to be able to log into the Drupal site using our IdP. We're currently doing this with simplesamlphp_auth, but we're upgrading to Drupal 10 and need to replace this set up. In practice here is our workflow, from the user's perspective:

    1. User goes to /user of the Drupal
    2. User clicks a "Federated login" link
    3. User is redirected to a separate domain to complete the login process according to the IdP
    4. User is redirected back to /user but is now logged in

    As mentioned, we're currently doing this with simplesamlphp_auth, and we have the relevant bits from the IdP entered into simplesamlphp configuration files.

    My first attempt at migrating to samlauth was to take all of the metadata from our simplesamlphp config files and try to enter it into the samlauth admin form. However all of the stuff under "Service Provider" seems to be new (for us at least).

    Maybe this specific question might help me understand - in order to achieve the workflow described above, will I need to create a keypair?

    Thanks all for the responses, I really appreciate the support.

  • πŸ‡ΊπŸ‡ΈUnited States brockfanning

    Also, I realized that since our repo is public I can point you directly to our simplesamlphp config files, in case this is helpful: https://github.com/usdoj/foia-api/tree/8.1.0/simplesamlphp

  • πŸ‡³πŸ‡±Netherlands roderik Amsterdam,NL / Budapest,HU

    We're currently doing this with simplesamlphp_auth, but

    Ah. That means I can tune my explanation.

    So the SP was SimpleSAMLphp, and then your website was separate. You are migrating to a simpler setup ( some pictures might help β†’ ):
    The SP (technically a composer-installed PHP library, for which this Drupal module provides a configuration screen) is now integrated into the Drupal site. So you get rid of the separate SimpleSAMLphp application; Drupal itself replaces it, and there's no 'semi magic' Non-SAML-based communication between the SP (SimpleSAMLphp) and Drupal anymore, because they are the same thing. The Drupal login is immediately done when the SP authenticates the user, in the same HTML request.

    However all of the stuff under "Service Provider" seems to be new (for us at least).

    The main things shouldn't be new. They are just equivalent to your SimpleSAMLphp config. Currently you have the Entity ID / URLs / public key from SimpleSAMLphp configured at the IdP side; you need to replace that data with the URLs hardcoded by the samlauth module + Entity ID / public key that you configure in the module.

    Maybe this specific question might help me understand - in order to achieve the workflow described above, will I need to create a keypair?

    Either create a keypair and replace that public key in your current IdP config... or configure the current keypair that you are using in SimpleSAMLphp, in the samlauth module.

  • πŸ‡³πŸ‡±Netherlands roderik Amsterdam,NL / Budapest,HU

    By the way, now your initial message sounds to me, as if a third party is maintaining SimpleSAMLphp for you.

    That configuration isn't supported. This module does SAML communication; it does not do the "magic non-SAML backchannel communication" that is happening between SimpleSAMLphp and the Drupal site / simplesamlphp_auth module.

  • πŸ‡³πŸ‡±Netherlands roderik Amsterdam,NL / Budapest,HU

    Blah. If I read your message again, you already know all I was saying about replacing simpesamlphp. If that is the case, here's a different answer:

    My first attempt at migrating to samlauth was to take all of the metadata from our simplesamlphp config files and try to enter it into the samlauth admin form. However all of the stuff under "Service Provider" seems to be new (for us at least).

    Some of the main things may seem new but aren't really:

    • This module has hardcoded URLs. SimpleSAMLphp had hardcoded URLs. These should just be replaced on the IdP's side.
    • In this module you need to configure an Entity ID. SimpleSAMLphp also has an Entity ID, I swear. So this isn't technically new. But maybe it was hardcoded in SimpleSAMLphp so you didn't notice it. (You have it configured on the Idp's side. Probably the Entity ID has the form of a URL like "http://simplesaml.domain/auth.php/blah". Technically, though, it's just a string value so you can keep it the same if you want. As long as the Drupal SP and your IdP have the same value configured.
    • This module needs a keypair. SimpleSAMLphp needed a keypair. Same thing. You can either keep using the same, if you want - or make a new one and replace the public key on the Idp side.
    • The rest of the samlauth "SP settings" are miscellaneous, and few. From the top of my head: just some caching options.
  • Status changed to Fixed about 1 year ago
  • πŸ‡ΊπŸ‡ΈUnited States brockfanning

    Thank you for all the clarification! I think my biggest missing link was the fact that simplesamlphp was actually a Service Provider. Also, I had no idea that simplesamlphp had a key/certificate. Anyway, thanks again, I will mark this as resolved.

  • Automatically closed - issue fixed for 2 weeks with no activity.

Production build 0.71.5 2024