Need Help Setting Up Communication Between IDP and SP on Separate Servers #207

bglevon opened this issue Aug 31, 2023 · 0 comments

bglevon commented Aug 31, 2023

Hello everyone,

I am currently working on a project that requires the implementation of a Single Sign-On (SSO) system between an Identity Provider (IDP) and a Service Provider (SP). The IDP is hosted on a server accessible via the Internet, while the SP is also hosted on a different server with a distinct URL.

I am facing challenges in configuring the communication between the IDP and the SP, considering their locations on separate servers. I have consulted the SSO documentation, but I still find it complex to understand how to configure metadata and endpoints to establish secure and successful communication between the two parties.

I am reaching out to the community for assistance with the following:

How to configure the metadata of the IDP and the SP so that they can properly recognize and authenticate each other?
What are the endpoints to configure on both sides to enable a secure connection?
Are there any specific considerations to keep in mind when configuring communication between an IDP and an SP on separate servers?
If you have experience working on a similar configuration or if you possess expertise in setting up Single Sign-On between separate servers, I would greatly appreciate any advice, guidance, or configuration examples you can provide.

Additionally, to better illustrate my situation, here are the details and some code examples I am currently using:

hslavich_onelogin_saml:
    sp:
        entityId: 'https://test.elium.com/login/saml2/metadata'
        assertionConsumerService:
            url: 'https://test.elium.com/login/saml2/acs'
            binding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'
        singleLogoutService:
            url: 'https://test.elium.com/login/saml2/sls'
            binding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'
        # Non-standard NameID format: the IdP must be configured to emit exactly this URN.
        NameIDFormat: 'urn:oasis:names:tc:SAML:1.1:nameid-format:identifiant'
    idp:
        entityId: 'https://127.0.0.1:8000/saml/metadata'
        singleSignOnService:
            url: 'https://127.0.0.1:8000/saml/login'
            binding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'
        singleLogoutService:
            url: 'https://127.0.0.1:8000/saml/logout'
            binding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'
        x509cert: '%kernel.project_dir%/config/saml2/idp-public-cert.pem'
        x509certMulti:
            # Entries here are the IdP's public signing certificate(s); the SP never needs the IdP's private key.
            signing: ['%kernel.project_dir%/config/saml2/idp-private-key.pem']

https://127.0.0.1:8000 or https://test-site.com

security.yaml

security:
    enable_authenticator_manager: true
    password_hashers:
        Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface: 'auto'

    providers:
        app_user_provider:
            entity:
                class: App\Entity\api\ApiUtilisateur
                property: username
        saml_provider:
            saml:
                user_class: App\Entity\utilisateur\Utilisateurs
                default_roles: [ 'ROLE_USER' ]

    firewalls:
        app:
            pattern: ^/saml
            #            saml_provider: saml_provider
            saml:
                provider: saml_provider
                # Match SAML attribute 'uid' with username.
                # Uses getNameId() method by default.
                username_attribute: 'identifiant'
                # Use the attribute's friendlyName instead of the name
                use_attribute_friendly_name: true
                check_path: saml_acs
                login_path: saml_login
            logout:
                path: saml_logout
        login:
            pattern: ^/api/login
        #            stateless: true
        api:
            pattern: ^/(api(?!/(%app.supported_locales%)/docs)(?!/register))
            stateless: true
            provider: app_user_provider
            guard:
                authenticators:
                    - App\Security\JwtAuthenticator
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
        main:
            lazy: true
            provider: app_user_provider
            form_login:
                login_path: login
            logout:
                path: app_logout
                invalidate_session: true

    # Easy way to control access for large sections of your site
    # Note: Only the *first* access control that matches will be used
    access_control:
        - { path: ^/test, roles: ROLE_USER }
        - { path: ^/slogin, roles: ROLE_USER }
        - { path: ^/saml/login, roles: PUBLIC_ACCESS }
        - { path: ^/saml/metadata, roles: PUBLIC_ACCESS }

        - { path: ^/, roles: ROLE_USER }

Thank you very much for your time and valuable assistance.

Best regards,
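With the IdP and SP on different machines, the first thing to verify is that the SP's `idp` block matches what the IdP publishes in its metadata and that nothing in it is a loopback address or a private key. The check below is an added example, not code from this issue or from the hslavich/OneLoginSamlBundle project; the IdP metadata, the host idp.example.test and the `idp` dictionary that mirrors the block above are all constructed.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
# Constructed IdP metadata for a hypothetical idp.example.test (certificate element omitted for brevity).
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
 entityID="https://idp.example.test/saml/metadata">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
   Location="https://idp.example.test/saml/logout"/>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
   Location="https://idp.example.test/saml/login"/>
 </md:IDPSSODescriptor></md:EntityDescriptor>"""

# Constructed 'idp' block shaped like the one in the issue: loopback URLs and a private key listed as a cert.
SP_IDP_BLOCK = {
    "entityId": "https://127.0.0.1:8000/saml/metadata",
    "singleSignOnService": {"url": "https://127.0.0.1:8000/saml/login"},
    "singleLogoutService": {"url": "https://127.0.0.1:8000/saml/logout"},
    "x509cert": "config/saml2/idp-public-cert.pem",
    "x509certMulti": {"signing": ["config/saml2/idp-private-key.pem"]},
}

def parse_idp_metadata(xml_text):
    """Extract entityID and the HTTP-Redirect SSO/SLO endpoints from IdP metadata XML."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    def redirect_endpoint(tag):  # first endpoint the IdP advertises with the HTTP-Redirect binding
        return next((e.get("Location") for e in idp.findall("md:" + tag, NS)
                     if e.get("Binding") == REDIRECT), None)
    return {"entityId": root.get("entityID"),
            "singleSignOnService": redirect_endpoint("SingleSignOnService"),
            "singleLogoutService": redirect_endpoint("SingleLogoutService")}

def check_idp_config(cfg, meta):
    """Return mismatches and risks in the SP's 'idp' block; an empty list means it is consistent."""
    problems = []
    if cfg["entityId"] != meta["entityId"]:
        problems.append("entityId: config %s != metadata %s" % (cfg["entityId"], meta["entityId"]))
    for svc in ("singleSignOnService", "singleLogoutService"):
        url = cfg[svc]["url"]
        if urlparse(url).hostname in ("127.0.0.1", "localhost", "::1"):  # dead end for a remote browser
            problems.append("%s: loopback host only works when the browser runs on the IdP machine" % svc)
        if url != meta[svc]:
            problems.append("%s: config %s != metadata %s" % (svc, url, meta[svc]))
    # The SP only needs the IdP's public certificate; a private key referenced here is a misconfiguration.
    for ref in [cfg.get("x509cert", "")] + cfg.get("x509certMulti", {}).get("signing", []):
        if "PRIVATE KEY" in ref or "private" in ref.lower():  # heuristic on PEM text or file name
            problems.append("IdP certificate reference looks like a private key: %s" % ref)
    return problems
```

Run it against the real IdP metadata document and the `idp` block from the bundle config; every line it returns is something the browser redirect or the signature check will fail on.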
