• Resolved dbrooke1007

    (@dbrooke1007)


    Hi,
I have a working simpleSAMLphp installed at https://sso.<mydomain>.com/simplesaml

    My test auth for that site validates to a 3rd party database, where I have connected via their proprietary API. That all works.

I am now trying to hook up a handful of WordPress sites for single-sign-on and am a bit lost in the devilish details. I came across your plug-in and thought I might ask some questions.

I have sort of successfully used another plug-in, by miniOrange, as an SP… but am a bit boxed in with that “solution” and am still lost in the details.

    My main issues are maybe too complicated for this support venue.

So, I’ll ask a simple question here… and then I’ll leave my email. I’m hoping you might consider contacting me so that I could ask you a couple of questions. donovanb AT jonespublishing D O T com.

    Does your plug-in work with a remote install of simpleSAMLphp?

    Thanks! Donovan

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Author Daniel Bachhuber

    (@danielbachhuber)

    Thanks for using WP SAML Auth, @dbrooke1007.

    Does your plug-in work with a remote install of SimpleSAMLphp?

    It does, in fact. You can follow the configuration instructions for using WP SAML Auth with the bundled OneLogin SAML library.

    So, I’ll ask a simple question here… and then I’ll leave my email. I’m hoping you might consider contacting me so that I could ask you a couple of questions.

    Happy to take any further questions you have in this forum thread. Or, if you’re a Pantheon customer, you can open a Pantheon support ticket for additional configuration help. We try to keep open source support in public venues so it’s easily findable for the next person with the same question.

    Thread Starter dbrooke1007

    (@dbrooke1007)

    Daniel, thanks for getting back to me. At risk of making my/our brain/s hurt…

    I have some logic flow challenges. We are looking at implementing your plugin to around 20 or so wordpress sites, but I’ll limit the scope to the basics, with the goal of coming to a proof of concept.

We have 3 main components:
1.) Our user / subscriber database (3rd party service with a gateway)
(No user/pass is kept here, only subscriber number and active / expired info)
2.) SimpleSAMLphp install (basic working install)
3.) WordPress sites (some with forums).

    The main problem I can’t yet get my head around is the final logic flow, specifically regarding usernames / passwords… as I’m not even sure they are needed.

With simpleSAMLphp, I am able to start a session with a user login by making the user type their subscriber number and another piece of information, such as their email. That is not really a user / pass, but it is the only way I know how to log a user in right now with simpleSAMLphp.

    So, what do I do with that info? I can probably use a plugin such as yours to auto-login a user… but that means that the user would always have to type an 11 digit number and their email. I’m not sure that is user-friendly.

Another complexity is the associated forums for these WordPress sites. Right now my idea is to port everything to Vanilla forums, which has both a WordPress connector and a SAML connector. Some of these forums have a lot of current users already… that contain username / passwords, and other info.

    So, some questions…
– Does WordPress even need anything saved to the local user / pass?
    – Should I rather do all authentication remotely?

    My thought is to create a 4th component that is another “Web Users” database that replaces the current Authority of users for simpleSAMLphp, and to use the existing Authority of users as a ‘registration’ system… so, the basic process would be like:

User wants to log into WordPress.
WordPress redirects to simpleSAMLphp.
simpleSAMLphp checks user / pass; if it exists, logs user in.
If it does not exist, user redirects to registration.
User registers with 3rd party gateway; a user record is created in the 4th component.
User then is prompted to create a username / password for that new record.
Now user can log in.

That is basically what I can come up with… lots of work. :-). But, I thought I’d see what you thought. Is there a simpler way to do this?

    My best thought is this:

    Plugin Author Daniel Bachhuber

    (@danielbachhuber)

Does WordPress even need anything saved to the local user / pass?

    Yes, it does need to create a WordPress user in order to provide a “logged-in” user experience. WordPress can use WP SAML Auth as the bridge to the true authentication source, so it doesn’t need to know the actual username / password, but it will always have to create a WordPress user.

    Should I rather do all authentication remotely?

    It does sound like you want to use your subscriber database as the source of truth, which seems reasonable. In order to make this secure, you’ll need some form of password system, unique to each subscriber.

That is basically what I can come up with… lots of work. :-). But, I thought I’d see what you thought. Is there a simpler way to do this?

    Given the complexity involved with the system, what you’ve outlined seems like a reasonable approach. SimpleSAMLphp may have some basic user registration system you can use in place of setting up another system. WP SAML Auth will be able to connect to whatever system implements SAML authentication.

    Good luck on the project!
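As an added example (not code from the thread, the plugin author, or the plugin's own documentation), the configuration below shows how the two answers above fit together in practice: WP SAML Auth talking to a remote SimpleSAMLphp IdP through the bundled OneLogin library (first answer), and auto-provisioning the local WordPress user that the second answer says is unavoidable. It uses the plugin's `wp_saml_auth_option` filter and its documented option names; every IdP URL, entityId and certificate value is a placeholder that must be replaced with what the real IdP metadata publishes, and the attribute names `uid` and `email` are assumed to be what the SimpleSAMLphp authsource releases.

```php
<?php
/**
 * Added example, not from the forum thread or the plugin's docs.
 * Point WP SAML Auth at a remote SimpleSAMLphp IdP via the plugin's
 * 'wp_saml_auth_option' filter, using the bundled OneLogin library
 * ('connection_type' => 'internal'). Intended as an mu-plugin file.
 *
 * All IdP values are PLACEHOLDERS: copy the real entityId, endpoint URLs
 * and signing certificate from the IdP metadata your SimpleSAMLphp
 * install publishes (the standard path is /simplesaml/saml2/idp/metadata.php).
 */
function example_wp_saml_auth_options( $value, $option_name ) {
	$overrides = array(
		// Use the OneLogin php-saml library that ships with the plugin;
		// nothing SimpleSAMLphp-related has to be installed on the WP host.
		'connection_type' => 'internal',
		'internal_config' => array(
			// strict: reject responses whose signature, audience, destination
			// or timestamps do not validate. Never turn this off in production.
			'strict'  => true,
			'debug'   => false,
			'baseurl' => home_url(),
			'sp'      => array(
				'entityId'                 => 'urn:' . parse_url( home_url(), PHP_URL_HOST ),
				'assertionConsumerService' => array(
					'url'     => home_url( '/' ),
					'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
				),
			),
			'idp'     => array(
				// PLACEHOLDERS - replace with values from the IdP metadata.
				'entityId'            => 'https://sso.example.com/simplesaml/saml2/idp/metadata.php',
				'singleSignOnService' => array(
					'url'     => 'https://sso.example.com/simplesaml/saml2/idp/SSOService.php',
					'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
				),
				'singleLogoutService' => array(
					'url'     => 'https://sso.example.com/simplesaml/saml2/idp/SingleLogoutService.php',
					'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
				),
				// The IdP's signing certificate (PEM body without headers).
				// Assertions not signed by this key are rejected, which is what
				// makes the redirect back from the IdP trustworthy.
				'x509cert'            => 'MIIC...PLACEHOLDER...',
			),
		),
		// Create the WordPress user on first successful login. A local
		// user record is still required for the logged-in experience, but
		// no password for it is ever known to WordPress.
		'auto_provision'       => true,
		// Look the user up by the asserted email, not by a free-form login.
		'get_user_by'          => 'email',
		// Assumed attribute names; they must match what the IdP releases.
		'user_login_attribute' => 'uid',
		'user_email_attribute' => 'email',
		// Provisioned accounts get the least-privileged role.
		'default_role'         => 'subscriber',
		// Keep wp-login.php usable while testing; set to false once SSO is
		// proven so the IdP is the only way in.
		'permit_wp_login'      => true,
	);
	return isset( $overrides[ $option_name ] ) ? $overrides[ $option_name ] : $value;
}
add_filter( 'wp_saml_auth_option', 'example_wp_saml_auth_options', 10, 2 );
```

Two settings carry the security weight here: `strict` together with a correct `x509cert` is what stops a forged or replayed SAML response from provisioning a user, and `default_role` bounds what a freshly provisioned subscriber can do before anyone reviews the account. The subscriber-number-plus-email login step discussed in the thread lives entirely on the SimpleSAMLphp side; WordPress only ever sees the signed assertion.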

  • The topic ‘simpleSAMLphp and External Auth’ is closed to new replies.