
Using SimpleSAMLphp in a multi-tenant app

Tenants of our app have their own subdomain, e.g. customer1.domain.com, although it's one code base. Some tenants want SP-initiated SSO with SAML.

What's the best approach for making this happen?

  1. SimpleSAMLphp on a static shared subdomain, e.g. sso.domain.com/saml/
  2. SimpleSAMLphp as part of the tenant, e.g. customer1.domain.com/saml/

If we go for option 1, how would we know which tenant an incoming SAML request is for?

If we go for option 2, how would you recommend configuring SimpleSAMLphp for metadata/authsources, as it only seems to support hardcoded files?

Thanks

At one of my ex-employers we had a setup similar to option 2 and it worked well for us. The only difference was that the domain was unique for each client, and they posted the SAML to /index.php:

client 1

client1.com/index.php

client 2

client2.com/index.php

We used a listener for each client to trigger the processing of the SAML payload.

We had to configure the keys and the source name (the source name is unique for each client) in authsources.php for each client. We also used different keys for each client; you can also use one key pair for all clients, but it is less secure.

We also had to configure the fingerprint in saml20-idp-remote.php for each client.

We ended up going for option 2 and it's working well. SimpleSAMLphp is installed on the multi-tenant app in the form customer1.domain.com/saml/.

In SimpleSAMLphp, authsources.php is configured as per below:

// config/authsources.php: one SP auth source whose name is the tenant's host
$config = array(
    $_SERVER['HTTP_HOST'] => array(
        'saml:SP',
        'entityID' => 'https://'.$_SERVER['HTTP_HOST'],
        // ...etc
    ),
);

This means there's a unique entityID for each tenant in the form of their domain name with us, e.g. https://customer1.domain.com.

When performing the SP-initiated SSO, we specify the IdP specific to this tenant; otherwise they'd see the discovery page and a list of all IdPs from other tenants:

// Auth source named after the tenant host, as configured in authsources.php above
$as = new \SimpleSAML\Auth\Simple($_SERVER['HTTP_HOST']);

// $samlEntityID holds the entityID of this tenant's IdP (taken from the tenant's stored metadata)
if (!$as->isAuthenticated()) {
    $params = array(
        'saml:idp' => $samlEntityID
    );
    $as->login($params);
}

So far it's working very smoothly, with metadata stored in the database.
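The following is an added example, not code from either answer or from the SimpleSAMLphp project, that puts the two answers together: a per-client source name and key pair as in the first answer, and a source keyed by the request host with metadata coming from a tenant store as in the second. The `$TENANTS` array is a constructed stand-in for that database table, and `current_tenant()` and `tenant_idp_remote()` are assumed helper names; the IdP URLs, certificate strings and key file names are placeholders. The one thing it adds to the accepted approach is that the Host header is only used as a lookup key against known tenants, since `$_SERVER['HTTP_HOST']` is client-supplied.

```php
<?php
// config/authsources.php (added example; $TENANTS, current_tenant() and
// tenant_idp_remote() are assumed names, not SimpleSAMLphp API).

// Constructed sample tenant records; a real deployment would read these rows
// from the tenant table. idp_cert_data is the IdP signing cert as base64 DER.
$TENANTS = [
    'customer1.domain.com' => [
        'idp_entity_id' => 'https://idp.customer1.example/saml/metadata',
        'idp_sso_url'   => 'https://idp.customer1.example/saml/sso',
        'idp_cert_data' => 'MIIC...customer1-idp-cert-placeholder...',
        'sp_key'        => 'customer1.pem', // files under cert/, one pair per tenant
        'sp_cert'       => 'customer1.crt',
    ],
    'customer2.domain.com' => [
        'idp_entity_id' => 'https://login.customer2.example/saml/metadata',
        'idp_sso_url'   => 'https://login.customer2.example/saml/sso',
        'idp_cert_data' => 'MIIC...customer2-idp-cert-placeholder...',
        'sp_key'        => 'customer2.pem',
        'sp_cert'       => 'customer2.crt',
    ],
];

/**
 * Resolve the tenant from the request host. The Host header is supplied by the
 * client, so it is only ever used as a lookup key against known tenants and
 * never copied raw into the configuration.
 */
function current_tenant(array $tenants): array
{
    $host = strtolower($_SERVER['HTTP_HOST'] ?? '');
    $host = preg_replace('/:\d+$/', '', $host); // drop an explicit port
    if ($host === '' || !isset($tenants[$host])) {
        throw new \RuntimeException('Request host does not match a known tenant');
    }
    return [$host, $tenants[$host]];
}

/**
 * Build the $metadata array for metadata/saml20-idp-remote.php from the same
 * tenant records. certData pins the IdP's full signing certificate, which
 * replaces the per-client fingerprint the first answer configured.
 */
function tenant_idp_remote(array $tenants): array
{
    $metadata = [];
    foreach ($tenants as $t) {
        $metadata[$t['idp_entity_id']] = [
            'entityid'            => $t['idp_entity_id'],
            'SingleSignOnService' => [[
                'Binding'  => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
                'Location' => $t['idp_sso_url'],
            ]],
            'certData'            => $t['idp_cert_data'],
        ];
    }
    return $metadata;
}

[$host, $tenant] = current_tenant($TENANTS);

$config = [
    // Source name is the tenant host, as in the accepted approach.
    $host => [
        'saml:SP',
        'entityID'    => 'https://' . $host,
        // Pinning the IdP here means this tenant never sees the discovery page,
        // and a login for customer1 cannot be routed to customer2's IdP.
        'idp'         => $tenant['idp_entity_id'],
        // One key pair per tenant, so a leaked key only affects that tenant.
        'privatekey'  => $tenant['sp_key'],
        'certificate' => $tenant['sp_cert'],
        // Sign outgoing AuthnRequests and logout messages with that key.
        'sign.authnrequest' => true,
        'sign.logout'       => true,
    ],
];
```

In metadata/saml20-idp-remote.php the whole file then reduces to `$metadata = tenant_idp_remote($TENANTS);` over the same tenant records. If you would rather not build the arrays yourself, SimpleSAMLphp also ships a `pdo` metadata source (listed under `metadata.sources` in config.php) that reads the same entries from a database table.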
