SAML 2.0 Authentication Using PHP

Question

We have a website create in PHP and MySQL where users can register and login. Recently my client gave me some 3rd party service/website which also required users to login to access their services. Now, my client wants that if users is already logged-in to our site and when we redirect user to other/3rd party site it should not ask for the password or login again. When I talked to 3rd party site to provide solution for this, they ask me to implement/use SAML 2.0 SSO option to achieve this feature. Though, I heard about auth0 and SAML but I have no idea from where should I start from.

1. Do I have to add something on our website? Like auth0 service?
2. Do I have to ask something from them to implement this? What changes do I need to make ?
3. What will be the steps involve in this, When we redirect user to 3rd party site it will be auto logged-in or something?

Answer 1

It seems that your customer want you to be a "Identity Provider", so that when the users are loggued to your website, they will autolog to the other 3rs party customer's website.

Technical Solution : MiniOrange

I recently did this, connecting my PHP/MySQL app to external customer's intranets with "MiniOrange" SAML Solution.

• more informations here : https://www.miniorange.com/ and https://idp.miniorange.com/
• support : I had many free hours of Skype Support, they are very good, they helped me until it worked !
• installating/pricing : I paid for having an onsite licence (they installed this on my server at zero cost), but you can use the Cloud version (start from 10$/month), and they have Wordpress and other CMS plugins...

---

Answers to your questions :

• 1) Do I have to add something on our website? Like auth0 service? :

yes, your website must be a identity provider...

• 2) Do I have to ask something from them to implement this? What changes do I need to make ?

Yes, they have to install and configure a "Service Provider" connector, that will automatically connect to the Identity Provider (your website) with JSON Web Tokens (JWT) for example, check if the user is already connected to your website (if yes, your website return a token, and then the user autologs to the 3rd party website, if not, he's redirected to the SAML login form for instance)...all this process will be invisible for the user.

• 3) What will be the steps involve in this, When we redirect user to 3rd party site it will be auto logged-in or something?

The process will be like this :

• the user goes to the 3rd party site

• the "service provider" connector installed in this 3rd party site checks if the user is connected to this 3rd party site. If yes, nothing to do, the user is already connected.

• If not connected, then the user is redirected to your website's login form. The user types his login/password, then is redirected to the 3rd party website.

• the 3rd party website (in which the user isn't yet loggued) ask to his "service provider" module to call the "Identity Provider" (ie your website) with JWT Json Web Tokens for example (the communication between the IDP identity provider and the SP Service Provider is invisible for the user in the browser, but if you install "SAML DevTools extension" Chrome extension, you'll see the tokens exchanged between the Identity Provider and the Service Provider)

• As you are connected to your website (being the "identity provider"), then the Identity Provider returns a SAML Response token, that allows the user to automatically connect to the 3rd party website...And that's done, the user is auto-loggued !

Answer 2

Some confusion here.

Auth0 is an Identity as a Service product, not part of SAML. You've tagged OAuth but that has nothing to do with SAML either. It's a completely different protocol.

What you need is a SAML client-side stack. As you are using PHP, use simpleSAMLphp.

As you are the client, you need to implement the SP mode.

If you were intending to use Auth0, use this sample.

Then use Auth0 to do the SAML connection to the SAML IDP.

So the path is:

PHP application --> Auth0 --> SAML protocol --> SAML IDP

Just to be clear, use either simpleSAMLphp or Auth0.