
Re: Use-case: SSO integration of PHP and Perl applications



Michael Dondrup <michael.dondrup@xxxxxx> said:
> Hi,
> 
> After we are able to compile ZXID on my development platform,
> I would like to give some background of my intended use case 
> for the Perl module Net::SAML and ask for advice, whether or not this is possible at all.
> 
> I have two web-applications:
> - Drupal [1], a content-management system written in PHP. It will be used together 
> with a module called Tripal [2] to serve genomic data.
> - GBrowse2 [3], a genome browser written in Perl that will visualize the same genomic 
> data.

If the web server happens to be Apache httpd, I would recommend using
mod_auth_saml.so for both the Perl and the PHP site. Then just configure the
apps to use the REMOTE_USER execution environment variable (i.e. what is
visible to CGI as an environment variable and through the _SERVER array
to PHP). REMOTE_USER is the mechanism by which Basic Authentication
is visible to web apps. So if Drupal and GBrowse2 support Basic
Authentication, then they will also work with mod_auth_saml.so.

Typically you would put something like this in your Apache httpd.conf:

<Location /protected>
  Require valid-user
  AuthType "saml"
  ZXIDDebug "0x01"
  ZXIDConf "PATH=/home/sampo/sidemo/zxid/sp.citizendata.eu_8445/"
  ZXIDConf "REDIR_TO_CONTENT=1"
</Location>

(You can put the config in the ZXIDConf directives, or you can
create /var/zxid/zxid.conf for the rest of the configuration.)

You will then get the pseudonym from SAML SSO in REMOTE_USER. You will
also get the attributes that the IdP sent as environment variables
that start with SAML_ (write a little test program to print the
environment to see what you get).

See mod_auth_saml.pd or apache.pd for more documentation.

> Both applications can run on the same web-server and must use the same PostgreSQL backend.
> 

If they run on the same web server you have two alternatives:

1. Configure them both under the same mod_auth_saml protected directory. In
   this case the SSO happens before the apps. The IdP sees only one SP.

2. Configure two directories each with their own SAML setup. In this
   case the IdP sees the two apps as distinct SPs.

> Both applications support external authentication-modules, and I intend to implement 
> single-sign-on between both, based on federated authentication from an external Identity Provider 

Despite apps supporting modules, the Apache mod_auth_saml approach is
usually cleaner.

> (e.g. feide.no or our in house system using WStrust).

Why WSTrust rather than SAML2?

> Such that all users who want to use both apps only have to log in once, and when they come to the 
> other application, they are already logged in, and have identical credentials in both.
> 
> Using simpleSAMLphp [4] and its Drupal binding, I have somewhat solved the problem for the
> PHP side. simpleSAMLphp is currently configured as a Service Provider, but could also be configured
> as an IdP if necessary. 
> 
> Now I was hoping to be able to connect to simpleSAMLphp via Net::SAML somehow, but I have now 
> gotten the impression that this was misguided and that SSO cannot be implemented that way between
> a PHP and a Perl application.

Wrong.

Of course SSO works between two SAML supporting apps. You really
do not have to worry about compatibility of PHP SP with Perl based
SP. Instead you just make sure each SP is compatible with the IdP.

The only requirement is that SAML is supported in both the SP and the IdP end.

Cheers,
--Sampo

> Am I right?

> [1] http://drupal.org/
> [2] http://gmod.org/wiki/Tripal
> [3] http://gmod.org/wiki/GBrowse
> [4] http://simplesamlphp.org/
> 
> I'd be grateful for any input.
> 
> Michael Dondrup
> Postdoctoral researcher
> The Sea Lice Research Centre
> Department of Informatics
> University of Bergen
> Thormøhlensgate 55, N-5008 Bergen, 
> Norway
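The "little test program to print the environment" that the reply suggests, as an added example that is not part of the original thread or of ZXID: a Perl CGI script to drop into the mod_auth_saml protected directory. It assumes the core CGI.pm module, and that attribute names appear verbatim after the SAML_ prefix; the REMOTE_USER and SAML_ conventions themselves are the ones the reply describes.

```perl
#!/usr/bin/perl
# Added example (not from the original thread): shows what a Perl app
# behind mod_auth_saml actually receives from Apache.
use strict;
use warnings;
use CGI;

my $q = CGI->new;

# mod_auth_saml sets REMOTE_USER only after a successful SAML SSO, so a
# missing or empty value means the request did not pass through SSO
# (e.g. the script was placed outside the protected <Location>).
# Fail closed instead of guessing a user.
my $user = $ENV{REMOTE_USER};
unless (defined $user && length $user) {
    print $q->header(-status => '403 Forbidden', -type => 'text/plain');
    print "Not authenticated: REMOTE_USER is not set.\n";
    exit 0;
}

# Attributes released by the IdP arrive as SAML_-prefixed environment
# variables; collect them into a hash keyed by the bare attribute name
# (assumption: the name follows the prefix unchanged).
my %attrs;
for my $name (grep { /^SAML_/ } keys %ENV) {
    my $attr = $name;
    $attr =~ s/^SAML_//;
    $attrs{$attr} = $ENV{$name};
}

# Plain text output, so attribute values need no HTML escaping here.
print $q->header(-type => 'text/plain; charset=utf-8');
print "REMOTE_USER (SAML pseudonym): $user\n\n";
print "Attributes from the IdP:\n";
if (%attrs) {
    printf "  %-30s %s\n", $_, $attrs{$_} for sort keys %attrs;
} else {
    print "  (none; check the IdP attribute release and the ZXID configuration)\n";
}
```

Once the output looks right, the same two lookups (REMOTE_USER for the identity, SAML_* for attributes) are what a GBrowse2 or Drupal authentication module would read instead of running its own SAML exchange.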