为php应用实现SSO的步骤
[英]Steps to implement SSO for php application
问题描述
I am a newbie in SSO implementation.
我是 SSO 实施的新手。 We are looking at implementing SSO for a client that uses a php application (supported by us), for their employees to login to the application.我们正在考虑为使用 php 应用程序(由我们支持)的客户端实现 SSO,以便他们的员工登录到该应用程序。 We are in the process of setting up Simple SAML for this .. I have been reading articles on SSO, many of which are helpful.我们正在为此设置 Simple SAML .. 我一直在阅读有关 SSO 的文章,其中许多文章很有帮助。 Pardon me for asking this, I know it is dumb.请原谅我问这个,我知道这是愚蠢的。 In this scenario, who is the IDP and who will be the service provider.在这种情况下,谁是 IDP,谁将是服务提供者。 The client apparently uses SSO for other applications as well.客户端显然也将 SSO 用于其他应用程序。 Can someone throw some light on what all I need to setup from our end.. I will research on how to do each of them..could someone please help by mentioning the things that need to be implemented.有人可以从我们的角度了解我需要设置的所有内容..我将研究如何做每个..有人可以通过提及需要实施的事情来提供帮助。
2 个解决方案
解决方案1
8 已采纳 2017-05-14 17:22:17
who is the IDP and who will be the service provider.
IDP (Identity Provider) is the one who creates, stores, maintains and authenticates the identity of the user or principal in saml terms. IDP(身份提供者)是用 saml 术语创建、存储、维护和验证用户或委托人身份的人。 So in your case it is the clients application.因此,在您的情况下,它是客户端应用程序。
SP (Service Provider) is the one who provides the service or resource to a user (authenticated by IDP) so in your case it is your application. SP(服务提供商)是向用户(由 IDP 验证)提供服务或资源的人,因此在您的情况下,它是您的应用程序。
could someone please help by mentioning the things that need to be implemented.
As you can see in the above diagram when user will try to access a resource on your site you will have to redirect them to IDP to confirm whether this user is authenticated and if you should return them the resource/response they are looking for.正如您在上图中看到的,当用户尝试访问您站点上的资源时,您必须将他们重定向到 IDP 以确认此用户是否已通过身份验证,以及您是否应该向他们返回他们正在寻找的资源/响应。 The SSO url and other details are exchanged between IDP and SP through Metadata. SSO url 和其他详细信息通过元数据在 IDP 和 SP 之间交换。
Once IDP has authenticated the user it will POST a response on your application url.一旦 IDP 对用户进行了身份验证,它将在您的应用程序 url 上发布响应。 This response contains an assertion through which you will know user details and whether user is authenticated or not.此响应包含一个断言,通过它您将了解用户详细信息以及用户是否已通过身份验证。 You will have to parse this response (xml).您必须解析此响应 (xml)。 Also, these assertions are generally signed with certificate and are encoded base 64.此外,这些断言通常用证书签名,并以 base 64 编码。
You will also have to think about SLO so when a user clicks on logout in your site you might have to clear their session from your application and redirect them to the IDP so they get logged out from there as well.您还必须考虑 SLO,因此当用户单击您站点中的注销时,您可能必须从您的应用程序中清除他们的会话并将其重定向到 IDP,以便他们也从那里注销。
As suggested by smartin you can use some library which will make it easier to implement SAML.正如 smartin 所建议的那样,您可以使用一些库来更轻松地实现 SAML。 I am also learning about SAML as we are working on converting our current application into IDP :)我也在学习 SAML,因为我们正在努力将我们当前的应用程序转换为 IDP :)
I found this SAML official documentation and some of the diagrams very helpful.我发现这个 SAML 官方文档和一些图表非常有帮助。 http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0-cd-02.html http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0-cd-02.html
解决方案2
5 2017-05-11 23:54:16
Your app is the SP, and the customer will provide to you the IdP metadata to register on your SP.您的应用程序是 SP,客户将向您提供 IdP 元数据以在您的 SP 上注册。
In order to add SAML support to a PHP application, you have 2 alternatives:为了向 PHP 应用程序添加 SAML 支持,您有两种选择:
All of them are well documented, you will need to spend some time reading/learning.所有这些都有很好的文档记录,您需要花一些时间阅读/学习。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.