
SAML 2.0 Authentication Using PHP

We have a website created in PHP and MySQL where users can register and log in. Recently my client gave me some 3rd party service/website which also requires users to log in to access their services. Now, my client wants that if a user is already logged in to our site, when we redirect the user to the other/3rd party site it should not ask for the password or to log in again. When I talked to the 3rd party site to provide a solution for this, they asked me to implement/use the SAML 2.0 SSO option to achieve this feature. Though I have heard about auth0 and SAML, I have no idea where I should start from.

  1. Do I have to add something on our website? Like an auth0 service?
  2. Do I have to ask something from them to implement this? What changes do I need to make?
  3. What will be the steps involved in this? When we redirect the user to the 3rd party site, will it be auto logged-in or something?

It seems that your customer wants you to be an "Identity Provider", so that when the users are logged in to your website, they will autolog to the other 3rd party customer's website.

Technical Solution: MiniOrange

I recently did this, connecting my PHP/MySQL app to external customers' intranets with the "MiniOrange" SAML Solution.

  • more information here: https://www.miniorange.com/ and https://idp.miniorange.com/
  • support: I had many free hours of Skype Support, they are very good, they helped me until it worked!
  • installation/pricing: I paid for an onsite licence (they installed this on my server at zero cost), but you can use the Cloud version (starting from 10$/month), and they have Wordpress and other CMS plugins...

Answers to your questions:

  • 1) Do I have to add something on our website? Like an auth0 service?

Yes, your website must be an identity provider...

  • 2) Do I have to ask something from them to implement this? What changes do I need to make?

Yes, they have to install and configure a "Service Provider" connector that will automatically connect to the Identity Provider (your website), with JSON Web Tokens (JWT) for example, and check if the user is already connected to your website (if yes, your website returns a token and then the user autologs to the 3rd party website; if not, he's redirected to the SAML login form, for instance)... all this process will be invisible to the user.

  • 3) What will be the steps involved in this? When we redirect the user to the 3rd party site, will it be auto logged-in or something?

The process will be like this:

  • the user goes to the 3rd party site

  • the "service provider" connector installed in this 3rd party site checks if the user is connected to this 3rd party site. If yes, nothing to do, the user is already connected.

  • If not connected, then the user is redirected to your website's login form. The user types his login/password, then is redirected to the 3rd party website.

  • the 3rd party website (in which the user isn't yet logged in) asks its "service provider" module to call the "Identity Provider" (i.e. your website), with JWT JSON Web Tokens for example (the communication between the IdP identity provider and the SP service provider is invisible to the user in the browser, but if you install the "SAML DevTools extension" Chrome extension, you'll see the tokens exchanged between the Identity Provider and the Service Provider)

  • As you are connected to your website (being the "identity provider"), the Identity Provider returns a SAML Response token that allows the user to automatically connect to the 3rd party website... And that's done, the user is auto-logged in!
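The steps above are the SAML 2.0 Web Browser SSO profile seen from the 3rd party's "service provider" connector. As an added example (not the original poster's code and not MiniOrange's), here is that side of the exchange in plain PHP without a library: step 1 builds the AuthnRequest and the HTTP-Redirect URL that sends the browser to your site, step 2 shows the checks the connector must apply to the SAML Response your site POSTs back. Hostnames (your-site.example, thirdparty.example), the function names and the constructed, unsigned Response are assumptions. The XML signature verification is deliberately left to a library (simpleSAMLphp or xmlseclibs) and must run before any of these checks; your site, acting as IdP, has to produce a Response that satisfies every one of them.

```php
<?php
// Added example, not code from the original post or from MiniOrange.
// SP side of SAML 2.0 Web Browser SSO in plain PHP. Hostnames and names are placeholders.
// Signature verification is NOT done here: verify the XML signature with a library first,
// then apply the checks below. The IdP must emit a Response that passes all of them.
declare(strict_types=1);

const SAMLP = 'urn:oasis:names:tc:SAML:2.0:protocol';
const SAML  = 'urn:oasis:names:tc:SAML:2.0:assertion';
const ISO   = 'Y-m-d\TH:i:s\Z';

// Step 1 (SP): build an AuthnRequest and the HTTP-Redirect URL to the IdP.
// Binding: raw DEFLATE of the XML, then base64, then URL-encoding.
function buildAuthnRequest(string $spEntityId, string $acsUrl, string $idpSsoUrl): array
{
    $id  = '_' . bin2hex(random_bytes(16));   // XML IDs may not start with a digit
    $xml = sprintf(
        '<samlp:AuthnRequest xmlns:samlp="%s" xmlns:saml="%s" ID="%s" Version="2.0" IssueInstant="%s" '
        . 'Destination="%s" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
        . 'AssertionConsumerServiceURL="%s"><saml:Issuer>%s</saml:Issuer></samlp:AuthnRequest>',
        SAMLP, SAML, $id, gmdate(ISO),
        htmlspecialchars($idpSsoUrl, ENT_QUOTES | ENT_XML1), htmlspecialchars($acsUrl, ENT_QUOTES | ENT_XML1),
        htmlspecialchars($spEntityId, ENT_QUOTES | ENT_XML1)
    );
    $url = $idpSsoUrl . '?SAMLRequest=' . urlencode(base64_encode(gzdeflate($xml)));
    // Keep $id in the server-side session: it is matched against InResponseTo in step 2.
    return ['id' => $id, 'url' => $url];
}

// Step 2 (SP): the IdP POSTs SAMLResponse (base64 XML) to the ACS URL. After the signature
// is verified, these checks stop replay, cross-SP reuse and unsolicited logins.
function validateSamlResponse(string $base64Response, array $expected): array
{
    $xml = base64_decode($base64Response, true);
    if ($xml === false) {
        throw new RuntimeException('SAMLResponse is not valid base64');
    }
    libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    // LIBXML_NONET: never fetch external resources referenced by attacker-supplied XML.
    if (!$doc->loadXML($xml, LIBXML_NONET) || $doc->doctype !== null) {
        throw new RuntimeException('Malformed XML or DOCTYPE present (XXE risk)');
    }
    $xp = new DOMXPath($doc);
    $xp->registerNamespace('samlp', SAMLP);
    $xp->registerNamespace('saml', SAML);

    $status = $xp->evaluate('string(/samlp:Response/samlp:Status/samlp:StatusCode/@Value)');
    if ($status !== 'urn:oasis:names:tc:SAML:2.0:status:Success') {
        throw new RuntimeException("IdP returned status $status");
    }
    $assertions = $xp->query('/samlp:Response/saml:Assertion');
    if ($assertions->length !== 1) {   // reject responses that smuggle in extra assertions
        throw new RuntimeException('Expected exactly one Assertion');
    }
    $a = $assertions->item(0);

    foreach ([
        [$xp->evaluate('string(/samlp:Response/@Destination)'), $expected['acsUrl'], 'Destination'],
        [$xp->evaluate('string(/samlp:Response/@InResponseTo)'), $expected['requestId'], 'InResponseTo'],
        [$xp->evaluate('string(saml:Issuer)', $a), $expected['idpEntityId'], 'Issuer'],
        [$xp->evaluate('string(saml:Conditions/saml:AudienceRestriction/saml:Audience)', $a), $expected['spEntityId'], 'Audience'],
        [$xp->evaluate('string(saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData/@Recipient)', $a), $expected['acsUrl'], 'Recipient'],
    ] as [$got, $want, $what]) {
        if ($got !== $want) {
            throw new RuntimeException("$what mismatch: got '$got', expected '$want'");
        }
    }
    $now  = $expected['now'] ?? time();
    $skew = 60;  // seconds of IdP/SP clock drift tolerated
    $nb   = $xp->evaluate('string(saml:Conditions/@NotBefore)', $a);
    $noa  = $xp->evaluate('string(saml:Conditions/@NotOnOrAfter)', $a);
    if ($nb !== '' && strtotime($nb) > $now + $skew) {
        throw new RuntimeException('Assertion not yet valid');
    }
    if ($noa === '' || strtotime($noa) <= $now - $skew) {
        throw new RuntimeException('Assertion expired or carries no expiry');
    }

    $attrs = ['NameID' => $xp->evaluate('string(saml:Subject/saml:NameID)', $a)];
    foreach ($xp->query('saml:AttributeStatement/saml:Attribute', $a) as $attr) {
        $attrs[$attr->getAttribute('Name')] = array_map(
            static fn(DOMNode $v) => $v->textContent,
            iterator_to_array($xp->query('saml:AttributeValue', $attr))
        );
    }
    return $attrs;
}

// Demo with constructed values: your site is the IdP, the 3rd party is the SP.
$idp = 'https://your-site.example/saml/idp';
$sp  = 'https://thirdparty.example/saml/metadata';
$acs = 'https://thirdparty.example/saml/acs';
$req = buildAuthnRequest($sp, $acs, 'https://your-site.example/saml/sso');

// Constructed, unsigned Response standing in for what your IdP would POST after login.
$now = time();
$response = sprintf(
    '<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" ID="_r1" Version="2.0" IssueInstant="%s" Destination="%s" InResponseTo="%s">'
    . '<saml:Issuer>%s</saml:Issuer><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
    . '<saml:Assertion ID="_a1" Version="2.0" IssueInstant="%s"><saml:Issuer>%s</saml:Issuer>'
    . '<saml:Subject><saml:NameID>alice@example.com</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
    . '<saml:SubjectConfirmationData Recipient="%s" InResponseTo="%s"/></saml:SubjectConfirmation></saml:Subject>'
    . '<saml:Conditions NotBefore="%s" NotOnOrAfter="%s"><saml:AudienceRestriction><saml:Audience>%s</saml:Audience></saml:AudienceRestriction></saml:Conditions>'
    . '<saml:AttributeStatement><saml:Attribute Name="role"><saml:AttributeValue>customer</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>'
    . '</saml:Assertion></samlp:Response>',
    SAMLP, SAML, gmdate(ISO, $now), $acs, $req['id'], $idp, gmdate(ISO, $now), $idp,
    $acs, $req['id'], gmdate(ISO, $now - 60), gmdate(ISO, $now + 300), $sp
);
print_r(validateSamlResponse(base64_encode($response), [
    'acsUrl' => $acs, 'requestId' => $req['id'], 'idpEntityId' => $idp, 'spEntityId' => $sp,
]));
```

Each field the validator compares is one the IdP has to set correctly: Destination and Recipient to the SP's ACS URL, InResponseTo to the ID of the AuthnRequest it received, Issuer to its own entityID, Audience to the SP's entityID, and a short NotOnOrAfter window. Changing any one of the constructed values in the demo (for example the Audience) makes the check throw, which is exactly the behaviour that stops an assertion issued for one customer's site being replayed at another.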

Some confusion here.

Auth0 is an Identity as a Service product, not part of SAML. You've tagged OAuth but that has nothing to do with SAML either. It's a completely different protocol.

What you need is a SAML client-side stack. As you are using PHP, use simpleSAMLphp.

As you are the client, you need to implement the SP mode.

If you were intending to use Auth0, use this sample.

Then use Auth0 to do the SAML connection to the SAML IdP.

So the path is:

PHP application --> Auth0 --> SAML protocol --> SAML IdP

Just to be clear, use either simpleSAMLphp or Auth0.
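The answer above recommends simpleSAMLphp in SP mode. As an added example (not the answer's text and not code from the simpleSAMLphp project), here is what that wiring looks like: the SP entry in config/authsources.php, the trusted IdP entry in metadata/saml20-idp-remote.php, and a protected page of the PHP application. The hostnames, file paths, the 'default-sp' name and the attribute name 'mail' are assumptions; the configuration keys and the \SimpleSAML\Auth\Simple calls are the library's own.

```php
<?php
// Added example, not the answer's code and not part of the simpleSAMLphp project.
// Three files are shown in one block; hostnames, paths and 'default-sp' are placeholders.

// ---- config/authsources.php : who we are (the SP) and which IdP we trust ----
$config = [
    'default-sp' => [
        'saml:SP',
        'entityID'          => 'https://your-site.example/simplesaml/module.php/saml/sp/metadata.php/default-sp',
        'idp'               => 'https://idp.example/saml2/idp/metadata.php', // entityID from the IdP's metadata
        'privatekey'        => 'sp.key',  // files in the cert/ directory: sign requests, decrypt assertions
        'certificate'       => 'sp.crt',
        'sign.authnrequest' => true,      // default is false; signed requests let the IdP reject forged ones
    ],
];

// ---- metadata/saml20-idp-remote.php : the IdP's endpoints and signing certificate ----
$metadata['https://idp.example/saml2/idp/metadata.php'] = [
    'SingleSignOnService' => 'https://idp.example/saml2/idp/SSOService.php',
    'SingleLogoutService' => 'https://idp.example/saml2/idp/SingleLogoutService.php',
    // Base64 DER of the IdP signing certificate (PEM body without header/footer). Responses
    // whose signature does not verify under this certificate are rejected; never leave it empty.
    'certData'            => 'MIIC...your-idp-signing-cert...',
];

// ---- protected.php : a page of your application that requires SSO ----
require_once '/var/simplesamlphp/src/_autoload.php';   // lib/_autoload.php on 1.x installs

$as = new \SimpleSAML\Auth\Simple('default-sp');
$as->requireAuth();                  // no SP session yet: redirect to the IdP, come back here after login
$attributes = $as->getAttributes();  // e.g. ['mail' => ['alice@example.com'], 'role' => ['customer']]

// Bind the application session to the SAML identity only; never to a user-supplied parameter.
if (empty($attributes['mail'][0])) {
    throw new RuntimeException('IdP did not release the mail attribute');
}
$_SESSION['user'] = $attributes['mail'][0];
// $as->logout('/') ends the SP session and, through Single Logout, the IdP session as well.
```

Signature verification, InResponseTo matching, audience and time-window checks are performed by the library on every Response against the certData configured above, which is why keeping that certificate current (and rotating it when the IdP rotates) is the single most important operational task for the SP side.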
