0
votes

I'm building a SAAS web app in PHP that needs to integrate SSO. We'll have multiple client organizations, each that have their own Identity Provider (Active Directory). While researching possibilities, I came across SimpleSAMLphp, but I'm not sure it will fulfill my requirements and would like feedback on best approach for implementation. Seems like SAML or OAuth2 is the way to go, but I have limited experience in this area.

Need these abilities:

  1. Client Admins should be able to add and remove access to our app via AD.
  2. Authenticate user with their respective AD Server (flexibility for authenticating with others a big plus) - Other than depending on static IPs how can I know which Identity Provider to check?
  3. Users of organizations that do not have an Identity Provider should be able to login through the existing authentication method (hashed pass in mysql).
  4. We'll also have a hybrid mobile app (ios/android), developed on the IONIC framework, that will need to have SSO, wondering if I'd authenticate through REST API or how that process would work. Hoping for a solution that can accommodate both web app and the mobile app - if possible.

Additional info: I'm planning to host the PHP app on a CentOS server. We do have the capability of connecting a site-to-site VPN if required.

1

1 Answers

1
votes
  1. As I know, AD can not do OAuth, only SAML trough ADFS
  2. You can have separate SSO url for each client. Or you could have single SSO page and determine which IDP to use - then you could first ask for the username, and check which client that user belongs to, and pick up all their IDPs and present them to the user to pick one, then do do SSO, and finally rember IDP preference in a cookie, so next time you don't have to do all that.
  3. Sure, normal un/pw login page
  4. Never did SAML on mobile, but it being mostly a front-end bearer channel, guess you would have to open a web view and do the SAML SSO process within. At the end, you either let your site do the whole SSO and somehow "give" the credentials to the app, or you pick up the Response from webview and decode it localy in the app, but in that case that would be separate SP with it's own EntityID due to different Assertion Consumer Service URL then your site, and that would introduce additional complexity, to your system as well as to your clients setting up the ADFS. Guess first option with your site doing all SSO is better.

I would suggest you take a look at LightSAML - a stack of PHP libraries implementing SAML data model and Web browser SSO profile. If you're using Symfony it also provides a security bundle, and what's most important it's a library fit to custom usage, rather then an app like simple SAML.

For the app design, screens, flow and setup, you could also check how zendesk did it. They are multitenant SAAS app with multiple SSO options, like SAML, JWT, and even OAuth I think. Had a chance do integrate with them, and it quite fits what you're doing.

If you where not limited to SAML, I would suggest JWT as the simplest one, though not quite a standard.