
I'm building a SaaS web app in PHP that needs to integrate SSO. We'll have multiple client organizations, each of which has its own Identity Provider (Active Directory). While researching possibilities, I came across SimpleSAMLphp, but I'm not sure it will fulfill my requirements and would like feedback on the best approach for implementation. It seems like SAML or Kerberos is the way to go, but I have limited experience in this area.

Need these abilities:

  1. Client admins should be able to add and remove access to our app via AD.
  2. Authenticate users with their respective AD server (flexibility for authenticating with others is a big plus). Other than depending on static IPs, how can I know which Identity Provider to check?
  3. Users of organizations that do not have an Identity Provider should be able to log in through the existing authentication method (hashed password in MySQL).

Additional info: I'm planning to host the PHP app on a CentOS server. We do have the capability of connecting a site-to-site VPN if required. I added this question over on Stack Overflow with no responses there; hoping some server admins here might have some insight.

UPDATE: Also, we'll have an Ionic hybrid app (iOS/Android) that will need to have SSO; at this point I have no idea how that will tie in. The mobile app will be communicating through a REST API, developed in PHP.

webaholik

1 Answer


What you need to do is integrate ADFS with SimpleSAMLphp. You need to activate ADFS in Active Directory for that.

  1. You will need to send group membership as claim rules for that, or something similar.

  2. You can definitely use any number of SAML (ADFS) providers. You will just need to store the info for each of them and have the trust relation established with each.

  3. Even if you implement SAML (based on ADFS), you will still need to store user information in your database; otherwise you would not be able to put relations in the application based on them. So you can just add another flag field to the users table to specify whether it is a local or remote user. If you want to keep consistency, you could also install your own local SAML server and just use it as a separate SAML provider.

For easier implementation, you might also want to take a look at WSO2 Identity Server, which you can use to federate login to multiple SAML (and other types of) endpoints. A big advantage would be that you could also use it to store your local users. With this, you would just implement a single endpoint in your application and WSO2 deals with the rest. Of course, you would still need to establish trust between WSO2 and each AD.

Florin Asăvoaie
  • I just added to my question, sorry for that. Do you have any experience with mobile apps? We'll also have a mobile app developed on the Ionic framework that will need to have SSO; wondering if I'd authenticate through the REST API still or how that process would work. Hoping for a solution that can accommodate both the web app and the mobile app, if possible. – webaholik Dec 04 '15 at 01:17
  • WSO2 can federate OAuth2 too. OAuth2 is way more mobile friendly than SAML. – Florin Asăvoaie Dec 04 '15 at 07:11