Tags: php, single-sign-on, simplesamlphp

SimpleSAMLphp Multiple SPs Configuration


I am new to SSO and SimpleSAMLphp and have a question.

If we want to have multiple SPs, each on one of the environments: Integration, Staging and preproduction, can we first deploy the simplesamlphp on the integration server with the authsources.php having the configuration of all environments (we will have an array of SPs) and then generate the XML metadata for all SPs on only the Integration?

Or do we have to deploy on each environment separately and get the xml metadata on each of them? I am thinking SimpleSAMLphp uses the ssl certificate to generate the xmls so it should be done separately on each server. But I am not so sure.

Thanks


Solution

  • You can do this, BUT you will probably need to manually edit the URLs in the generated metadata to point to the correct environments - SimpleSAMLphp uses the domain from the request for the metadata to construct the URLs in the metadata, so if you generate the metadata in Staging, the URLs will point to your staging environment.

    For example, if you generate the metadata for your production environment in staging, you would have to change the URLs in elements like:

    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://staging.test.com/simplesaml/module.php/saml/sp/saml2-acs.php/your-sp-name" index="0"/>
    

    to

    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://test.com/simplesaml/module.php/saml/sp/saml2-acs.php/your-sp-name" index="0"/>
    

    The certificates are specified in the SP configuration, so if you have different certificates for each environment, you would need to have ALL of the certificates present in the environment you generate the metadata from.

    <?php
    // config/authsources.php: one 'saml:SP' entry per environment, each with its own
    // entityID, IdP and key pair. All referenced key/cert files must exist in the
    // cert directory of the server that generates the metadata.
    $config = [
        'my-test-sp' => [
            'saml:SP',
            'entityID'     => 'my-sp-test',
            'idp'          => 'http://test/idp',
            'privatekey'   => 'test.pem',
            'certificate'  => 'test.crt',
        ],
        'my-staging-sp' => [
            'saml:SP',
            'entityID'     => 'my-sp-staging',
            'idp'          => 'http://staging/idp',
            'privatekey'   => 'staging.pem',
            'certificate'  => 'staging.crt',
        ],
        'my-prod-sp' => [
            'saml:SP',
            'entityID'     => 'my-sp-prod',
            'idp'          => 'http://prod/idp',
            'privatekey'   => 'prod.pem',
            'certificate'  => 'prod.crt',
        ],
    ];
    

    It's definitely easier to generate the metadata from each environment, but if you need to provide the metadata to an IDP before the environment goes live, it's not difficult to manually edit the metadata from a non-prod server; there's not much to the XML.
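The manual edit described in the answer above is easy to get subtly wrong (a missed SingleLogoutService endpoint, or the staging certificate shipped to the IdP under the production entityID). The following added example, which is not part of the original answer or of SimpleSAMLphp, shows one way to do that post-processing with a check: it rewrites every `Location` attribute from the host the metadata was generated on to the target environment's host, refuses any endpoint that is not HTTPS or that points at an unexpected host, and verifies that the `X509Certificate` embedded in the metadata is the one expected for the target environment. The sample metadata, host names and certificate placeholder are constructed for the example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)  # keep md:/ds: prefixes on output

# Constructed sample: roughly what SimpleSAMLphp emits when the 'my-prod-sp'
# metadata is requested from the staging host. The certificate is a placeholder.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="my-sp-prod">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        MIICprodCERTPLACEHOLDER
        base64bodycontinues
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://staging.test.com/simplesaml/module.php/saml/sp/saml2-logout.php/my-prod-sp"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://staging.test.com/simplesaml/module.php/saml/sp/saml2-acs.php/my-prod-sp" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

PROD_CERT = "MIICprodCERTPLACEHOLDERbase64bodycontinues"  # constructed expected value


def _normalize_cert(text):
    """Base64 in metadata is often wrapped; compare without any whitespace."""
    return "".join(text.split())


def retarget_metadata(xml_text, source_host, target_host, expected_cert=None):
    """Rewrite endpoint hosts and check the embedded certificate.

    Returns (rewritten_xml, list_of_new_endpoint_urls). Raises ValueError when
    an endpoint is not HTTPS, points at a host other than source_host, or the
    certificate does not match expected_cert (when given).
    """
    root = ET.fromstring(xml_text)
    md_prefix = "{%s}" % NS["md"]
    rewritten = []

    # Every md:* element with a Location is an endpoint (ACS, SLO, ...).
    for el in root.iter():
        if not (el.tag.startswith(md_prefix) and "Location" in el.attrib):
            continue
        parts = urlsplit(el.attrib["Location"])
        if parts.scheme != "https":
            raise ValueError("refusing non-HTTPS SAML endpoint: %s" % el.attrib["Location"])
        if parts.netloc != source_host:
            raise ValueError("unexpected endpoint host %r in %s" % (parts.netloc, el.tag))
        new_url = urlunsplit(parts._replace(netloc=target_host))
        el.set("Location", new_url)
        rewritten.append(new_url)

    if expected_cert is not None:
        want = _normalize_cert(expected_cert)
        for cert in root.iter("{%s}X509Certificate" % NS["ds"]):
            if _normalize_cert(cert.text or "") != want:
                raise ValueError("metadata carries a certificate that is not the %s one"
                                 % target_host)

    return ET.tostring(root, encoding="unicode"), rewritten


if __name__ == "__main__":
    out, urls = retarget_metadata(SAMPLE_METADATA, "staging.test.com", "test.com", PROD_CERT)
    print("\n".join(urls))
    print(out)
```

Run it against the metadata SimpleSAMLphp produced on the non-production host, with `source_host` set to that host and `expected_cert` set to the base64 body of the certificate configured for the target SP in `authsources.php`; only the output that passes both checks should be handed to the IdP.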