Using SimpleSAMLphp in a multi-tenant application

Tenants of our application have their own subdomain, for example customer1.domain.com, although this is one code base. Some tenants want the SP to initiate SSO with SAML.

What is the best way to do this?

  • SimpleSAMLphp in a static common subdomain, for example sso.domain.com/saml/
  • SimpleSAMLphp as part of the tenant, for example customer1.domain.com/saml/

If we go to option 1, how do we know which tenant needs an incoming SAML request?

If we move on to option 2, how would you recommend setting up SimpleSAMLphp for metadata / authsources, since it only supports hard-coded files?

Thanks


[Body of this answer was lost in extraction; only these fragments survive:] option 2; SAML at /index.php; client1: client1.com/index.php; client2: client2.com/index.php; authsources.php; saml20-idp-remote.php

0

Option 2. SimpleSAMLphp: customer1.domain.com/saml/

In SimpleSAMLphp's authsources.php:

$config = array(
    // one 'saml:SP' authsource per tenant, keyed on the requested host
    $_SERVER['HTTP_HOST'] => array(
        'saml:SP',
        'entityID' => 'https://'.$_SERVER['HTTP_HOST'],
        ...etc
    ),
);

So for customer1.domain.com the entityID is https://customer1.domain.com

For SP-initiated SSO with the tenant's IdP, pass that IdP's entityID when logging in:

// $as is the tenant's authsource (keyed on HTTP_HOST in authsources.php);
// $samlEntityID holds the entityID of that tenant's IdP from saml20-idp-remote.php
$as = new SimpleSAML_Auth_Simple($_SERVER['HTTP_HOST']);
if (!$as->isAuthenticated()) {
    $params = array(
        'saml:idp' => $samlEntityID,
    );
    $as->login($params);
}


0
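A dynamic option 2 setup that ties both answers together, as an added example rather than code from the original post or from SimpleSAMLphp itself. It assumes a hypothetical config/tenants.php holding the per-tenant table, a base domain of domain.com, SimpleSAMLphp 1.x array-style configuration, and constructed sample values for the IdP entityIDs, SSO URLs, certificate filenames and the /var/simplesamlphp install path. It adds two checks the answer above leaves out: HTTP_HOST is attacker controlled, so the tenant name is validated against the table before any entityID or authsource is derived from it, and each tenant's SP pins its IdP with the 'idp' option so that SimpleSAMLphp rejects an assertion issued by another tenant's IdP instead of accepting it from any IdP listed in saml20-idp-remote.php.

```php
<?php
// ---- config/tenants.php (hypothetical helper, not part of SimpleSAMLphp) ----
// Constructed sample tenant table: IdP entityIDs, SSO URLs and cert filenames
// are assumptions, not values from the original post.
function tenant_table() {
    return array(
        'customer1' => array(
            'idp'  => 'https://idp.customer1.example/saml2/idp/metadata.php',
            'sso'  => 'https://idp.customer1.example/saml2/idp/SSOService.php',
            'cert' => 'customer1-idp.crt',   // PEM file in SimpleSAMLphp's cert/ dir
        ),
        'customer2' => array(
            'idp'  => 'https://login.customer2.example/metadata',
            'sso'  => 'https://login.customer2.example/sso',
            'cert' => 'customer2-idp.crt',
        ),
    );
}

// Map the Host header to a tenant name, or null when it is not a known tenant.
// The header is attacker controlled, so it is parsed strictly (port and trailing
// dot stripped, one DNS label, exact base domain) and then looked up in the
// table instead of being used as-is.
function tenant_from_host($host, $table, $base = 'domain.com') {
    $host = strtolower(preg_replace('/:\d+$/', '', rtrim($host, '.')));
    $suffix = '.' . $base;
    if (substr($host, -strlen($suffix)) !== $suffix) {
        return null;
    }
    $name = substr($host, 0, -strlen($suffix));
    if (!preg_match('/^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$/', $name)) {
        return null;
    }
    return array_key_exists($name, $table) ? $name : null;
}

// ---- config/authsources.php ----
require_once __DIR__ . '/tenants.php';

$config = array();
$table  = tenant_table();
$tenant = tenant_from_host(isset($_SERVER['HTTP_HOST']) ? $_SERVER['HTTP_HOST'] : '', $table);
if ($tenant !== null) {
    $config[$tenant] = array(
        'saml:SP',
        // built from the validated tenant name, never from the raw Host header
        'entityID'    => 'https://' . $tenant . '.domain.com',
        // pin the IdP: the SP then only accepts responses from this entityID,
        // so customer2's IdP cannot log a user into customer1
        'idp'         => $table[$tenant]['idp'],
        'privatekey'  => 'sp.pem',   // one SP key pair shared by all tenants (assumption)
        'certificate' => 'sp.crt',
    );
}
// Unknown host: $config stays empty, so every authsource lookup fails closed.

// ---- metadata/saml20-idp-remote.php ----
require_once dirname(__DIR__) . '/config/tenants.php';

foreach (tenant_table() as $name => $t) {
    $metadata[$t['idp']] = array(
        'SingleSignOnService' => $t['sso'],
        'certificate'         => $t['cert'],   // signing cert from cert/ dir
    );
}

// ---- tenant app, e.g. customer1.domain.com/saml/index.php ----
require_once '/var/simplesamlphp/lib/_autoload.php';      // install path is an assumption
require_once '/var/simplesamlphp/config/tenants.php';

$tenant = tenant_from_host($_SERVER['HTTP_HOST'], tenant_table());
if ($tenant === null) {
    http_response_code(404);   // not a tenant: no SAML flow at all
    exit;
}
$as = new SimpleSAML_Auth_Simple($tenant);
$as->requireAuth();            // SP-initiated SSO; the IdP comes from the pinned 'idp'
$attributes = $as->getAttributes();
```

The three files share one table, so adding a tenant means one new entry plus its IdP certificate, with no per-tenant edits to authsources.php or saml20-idp-remote.php. Because SimpleSAMLphp also derives its own URLs (ACS, metadata) from the Host header when baseurlpath is relative, the same allowlist check is what keeps a forged Host from producing SP metadata for a name you do not own.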

Source: https://habr.com/ru/post/1589017/
