
Implement SAML Single Sign-On Solution

posted May 21, 2016, 7:38 PM by Julian Zhu   [ updated Jun 10, 2016, 9:16 PM ]
This blog post provides a simplified overview of a SAML/SSO implementation.

SSO/SAML Architecture Overview

Let's review some basics. 

A Single Sign-On solution typically involves three architectural components:
  • A User: who wants to access a system (in this case, the resource a Service Provider provides)
  • A Service Provider: manages a business application the user accesses for information or functionality
  • An Identity Provider: an infrastructure component responsible for validating the user's identity
The following diagram illustrates the overall work flow on how the SAML/SSO works. 

In the context of SAML/SSO, here are the obvious but key architectural facts you should understand:
  • The Service Provider and the Identity Provider must know each other (each is configured with the other's entity ID, endpoints and certificate) for the solution to work.
  • The Service Provider redirects the request to the Identity Provider when the user has not been authenticated.
  • The Identity Provider posts an assertion back to the Service Provider, which is how the Service Provider receives the user attribute data it uses.
  • The protocol and message format used for this communication is SAML (Security Assertion Markup Language).

SAML/SSO: Context Diagram

Functional Scenario: Implement Identity Provider

There are different scenarios you may design for an SSO implementation.
This tutorial shows how to implement one SAML/SSO scenario:
  • Identity Provider: we implement a SAML Identity Provider using SimpleSAMLphp
    • We create a MySQL database table to store user identities and attributes
    • We configure the SAML settings for this hosted IdP
  • Service Provider: we configure Google's security settings to use our Identity Provider for Single Sign-On to the Google Mail application
Once this is in place, users can enter the user name and password stored in our Identity Provider to access Google Mail (which is set up to trust our Identity Provider).

Here is the demo:

Julian Zhu | OSC Technologies


How to Implement

Step 1. Implement Identity Provider 

(In our example, we use SimpleSAMLPhp. We have a reference implementation using Java as well. )

Implement the auth data source (e.g. a MySQL database/table as the user identity repository)
Download & install SimpleSAMLphp
Configure metadata/saml20-idp-hosted.php (which auth source supplies the user identity data)
Configure metadata/saml20-sp-remote.php (the Service Provider, here Google)

Implement the MySQL user identity data store

 Field Name  Description
 id          Primary key
 user_name   User name used for authentication
 password    Credential used for authentication (store a salted password hash, never the clear-text password)
 uid         E-mail address; the attribute mapped to the Google account id (e-mail address)

Edit config/authsources.php
This defines which identity data source is used to authenticate users. The first array entry names the SimpleSAMLphp auth source module (module:class) that handles the login, here the custom google_auth module; the DSN and credentials point it at the MySQL table above.

    'my_google_sso' => array(
        'google_auth:login',
        'dsn' => 'mysql:host=127.0.0.1;dbname=my_SSO_database',
        'username' => 'my_sso_db_user',
        'password' => '*&*)[1@39!xxxx',
    ),
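As an added example (not code from this post, nor from SimpleSAMLphp or the google_auth module, which the post does not show), the logic such an auth source has to perform: look the user up in the identity table by user name, verify the password against a stored salted hash, and return the attribute set the IdP will release (SimpleSAMLphp passes attributes as name => list of values). It is Python, with an in-memory sqlite3 table standing in for the MySQL table described above; the user record, the hash format and the "return None on wrong user/password" convention are constructed assumptions.

```python
"""Added example: what the 'my_google_sso' auth source must do with the user table."""
import hashlib
import hmac
import os
import sqlite3

# Schema mirrors the table described above (id, user_name, password, uid).
# sqlite3 stands in for MySQL so the example runs offline.
SCHEMA = """
CREATE TABLE users (
    id        INTEGER PRIMARY KEY,
    user_name TEXT NOT NULL UNIQUE,
    password  TEXT NOT NULL,   -- 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>', never clear text
    uid       TEXT NOT NULL    -- e-mail address = the Google account id
)
"""
ITERATIONS = 100_000


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Salted PBKDF2-HMAC-SHA256; this string is what the password column stores."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def verify_password(stored, candidate):
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def open_user_store():
    """Create the table and one constructed user (hypothetical example.com domain)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO users (user_name, password, uid) VALUES (?, ?, ?)",
                 ("alice", hash_password("correct horse battery staple"), "alice@example.com"))
    conn.commit()
    return conn


# A dummy hash verified when the user does not exist, so that response time
# does not reveal which user names are valid.
_DUMMY_HASH = hash_password("", b"\x00" * 16)


def login(conn, user_name, password):
    """Return the attributes to release for a valid login, else None (wrong user/password).
    The query is parameterised: the user name is never spliced into the SQL."""
    row = conn.execute("SELECT password, uid FROM users WHERE user_name = ?",
                       (user_name,)).fetchone()
    ok = verify_password(row[0] if row else _DUMMY_HASH, password)
    if row is None or not ok:
        return None
    # 'uid' is the attribute that simplesaml.nameidattribute turns into the NameID.
    return {"uid": [row[1]]}
```

The attribute dictionary is all the IdP needs for the Google scenario: the NameID is derived from uid and no other attributes are released.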

Edit metadata/saml20-idp-hosted.php
This tells the Identity Provider which auth source to use for user identity data. The same file holds the IdP's 'privatekey' and 'certificate' entries; the private key signs the SAML responses and the certificate is the one you upload to Google in Step 2.
    
    'auth' => 'my_google_sso',

Edit metadata/saml20-sp-remote.php
This defines the Service Provider metadata: where and how to communicate with the Service Provider. The array key is the SP's entity ID, AssertionConsumerService is the URL the IdP posts the SAML Response to, and the NameID is built from the 'uid' attribute in e-mail address format, which is how Google matches the assertion to a Google account. No other attributes are released.

$metadata['google.com'] = array(
    'AssertionConsumerService' => 'https://www.google.com/a/your_google_domain.com/acs',
    'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
    'simplesaml.nameidattribute' => 'uid',
    'simplesaml.attributes' => FALSE,
);
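To make the sp-remote settings concrete, here is an added example in Python (not code from this post or from SimpleSAMLphp) that builds the SAML 2.0 Response the IdP posts to Google's AssertionConsumerService from those values, encodes it for the HTTP-POST binding, and applies the checks the receiving side must make before trusting it: Destination, InResponseTo, Status, Audience, the validity window and the NameID format. The IdP entity ID, the request ID and the user are constructed assumptions. The response is left unsigned here; a real IdP signs it (XML Signature) with the key configured in saml20-idp-hosted.php, and Google verifies that signature with the uploaded certificate before any of these checks matter.

```python
"""Added example: SAML Response for the sp-remote entry above, HTTP-POST binding,
and SP-side validation. Unsigned; a real IdP signs it before posting."""
import base64
import datetime as dt
import secrets
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Taken from saml20-sp-remote.php above (the Google domain is a placeholder).
SP_ENTITY_ID = "google.com"
ACS_URL = "https://www.google.com/a/your_google_domain.com/acs"
# Assumed entity ID of the hosted SimpleSAMLphp IdP.
IDP_ENTITY_ID = "https://idp.example.com/simplesaml/saml2/idp/metadata.php"
TS = "%Y-%m-%dT%H:%M:%SZ"


def _ts(t):
    return t.strftime(TS)


def _parse(s):
    return dt.datetime.strptime(s, TS).replace(tzinfo=dt.timezone.utc)


def build_response(attributes, in_response_to, now=None, lifetime=300):
    """Return the (unsigned) Response XML carrying attributes['uid'] as the NameID."""
    now = now or dt.datetime.now(dt.timezone.utc)
    not_after = _ts(now + dt.timedelta(seconds=lifetime))
    name_id = attributes["uid"][0]  # 'simplesaml.nameidattribute' => 'uid'
    resp = ET.Element("{%s}Response" % SAMLP, {
        "ID": "_" + secrets.token_hex(16), "Version": "2.0", "IssueInstant": _ts(now),
        "Destination": ACS_URL, "InResponseTo": in_response_to})
    ET.SubElement(resp, "{%s}Issuer" % SAML).text = IDP_ENTITY_ID
    status = ET.SubElement(resp, "{%s}Status" % SAMLP)
    ET.SubElement(status, "{%s}StatusCode" % SAMLP, {"Value": SUCCESS})
    assertion = ET.SubElement(resp, "{%s}Assertion" % SAML, {
        "ID": "_" + secrets.token_hex(16), "Version": "2.0", "IssueInstant": _ts(now)})
    ET.SubElement(assertion, "{%s}Issuer" % SAML).text = IDP_ENTITY_ID
    subject = ET.SubElement(assertion, "{%s}Subject" % SAML)
    ET.SubElement(subject, "{%s}NameID" % SAML, {"Format": EMAIL_FMT}).text = name_id
    confirmation = ET.SubElement(subject, "{%s}SubjectConfirmation" % SAML, {"Method": BEARER})
    ET.SubElement(confirmation, "{%s}SubjectConfirmationData" % SAML, {
        "Recipient": ACS_URL, "NotOnOrAfter": not_after, "InResponseTo": in_response_to})
    conditions = ET.SubElement(assertion, "{%s}Conditions" % SAML, {
        "NotBefore": _ts(now), "NotOnOrAfter": not_after})
    restriction = ET.SubElement(conditions, "{%s}AudienceRestriction" % SAML)
    ET.SubElement(restriction, "{%s}Audience" % SAML).text = SP_ENTITY_ID
    # 'simplesaml.attributes' => FALSE: no AttributeStatement, Google needs only the NameID.
    return ET.tostring(resp, encoding="unicode")


def post_binding(xml):
    """HTTP-POST binding: the value the browser submits in the SAMLResponse form field."""
    return base64.b64encode(xml.encode()).decode()


def check_response(saml_response_b64, expected_request_id, now=None):
    """SP-side checks applied after signature verification (not shown).
    Returns (name_id, problems); name_id is None unless every check passes."""
    now = now or dt.datetime.now(dt.timezone.utc)
    ns = {"samlp": SAMLP, "saml": SAML}
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    problems = []
    if root.get("Destination") != ACS_URL:
        problems.append("Destination is not our ACS URL")
    if root.get("InResponseTo") != expected_request_id:
        problems.append("InResponseTo does not match the AuthnRequest we issued")
    status = root.find("samlp:Status/samlp:StatusCode", ns)
    if status is None or status.get("Value") != SUCCESS:
        problems.append("status is not Success")
    assertion = root.find("saml:Assertion", ns)
    if assertion is None:
        return None, problems + ["no Assertion"]
    conditions = assertion.find("saml:Conditions", ns)
    if conditions is None:
        return None, problems + ["no Conditions"]
    audience = conditions.findtext("saml:AudienceRestriction/saml:Audience", namespaces=ns)
    if audience != SP_ENTITY_ID:
        problems.append("Audience %r is not our entity ID" % audience)
    if not (_parse(conditions.get("NotBefore")) <= now < _parse(conditions.get("NotOnOrAfter"))):
        problems.append("assertion outside its validity window (expired or replayed)")
    name_id = assertion.find("saml:Subject/saml:NameID", ns)
    if name_id is None or name_id.get("Format") != EMAIL_FMT:
        problems.append("NameID missing or not in emailAddress format")
        return None, problems
    return (name_id.text if not problems else None), problems
```

The validity window and InResponseTo checks are what stop a captured response from being replayed later or against a different login attempt; a production SP additionally records assertion IDs it has already accepted.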


OSC Identity Provider - Reference Implementation (Java or PHP)


Step 2. Configure Google (As Service Provider)


Login to google admin console where you can manage the Security settings for Google (as service provider): 




Select "Set up single sign-on (SSO)"


Specify the Identity Provider information:
This requires information from the Identity Provider: the sign-in, sign-out and change-password URLs used for the SAML communication, and the Identity Provider's public certificate. Google uses that certificate to verify the digital signature on the SAML responses the IdP sends, not to encrypt data, so upload the certificate that matches the signing key configured in saml20-idp-hosted.php.



Congratulations

Now you have a complete SAML/SSO solution.

To extend or customize your own solution, you have a choice of implementation technologies, including OpenSAML (Java). There are also quite a few hosted cloud services that can act as the Identity Provider and make the job easier. However, selecting the right one for your business may not be straightforward given the IT investment and technology standards you already have in house. Contact me if you have any question or comment.
