SimpleSAMLphp for Easy Identities


As part of an ongoing series, we’re helping to explain ways to configure SimpleSAMLphp as a centralized identity provider (IDP) for your organization.

Making authentication easy for everyday users is hard. It’s hard because of how many moving parts are involved. It’s hard because of the sheer number of services being consumed and identity providers being offered. It’s hard because of the number of discrete accounts maintained by individual users over time.

Our goal at Tozny is to make security -- and authentication -- easy. Both for you and for your users.

To that end, this series has detailed what’s involved in building and configuring your own centralized authentication service built atop the open source SimpleSAMLphp project.

Part one walked through basic configuration and setup with the example username/password authentication system that ships with the platform.

Part two integrated Tozny’s Secure Authentication system to move beyond passwords and empower more efficient user login.

Parts three and four detailed the steps required to leverage the new SimpleSAMLphp server as an identity provider for Microsoft’s Office 365 and Google’s G-Suite respectively.

Containerization

We made setting up SimpleSAMLphp even easier!

We’ve taken the time to pull all of this setup and configuration into a set of reusable, open source Docker containers. The basic container is merely a “files container” -- it contains all the source files and configuration for SimpleSAMLphp itself, but is otherwise a static component that never runs.

A live server would consist of:

A server or load balancer, like Nginx, that handles SSL termination and forwards requests for your hosted identity server. Aside from managing certificates, this server could also forward traffic for unrelated subdomains or subdirectories and allow you to colocate multiple services on the same platform.

A PHP application container that runs PHP itself either as a standalone server or via FPM. The Nginx server would forward traffic on a default port to the PHP container, which then generates a response based on the scripts it has loaded.

The SimpleSAMLphp files container that holds the server configuration itself. This container never runs, but exposes a static volume that is mounted into both the Nginx container (for document discovery) and the PHP container (for execution). Site-specific configuration is handled through an external file that is parsed at load time and converted into the documents SimpleSAMLphp expects to see.

To make things easier, our open source project includes two example Docker Compose configurations: one for a vanilla SimpleSAMLphp server; one for a server that has Tozny’s external authentication plugin pre-installed. Feel free to adapt from either for your purposes.
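As an added illustration of the three-container layout described above, here is a Docker Compose file wiring a static files container, a PHP-FPM container and an Nginx front end together. This is not the Tozny project's own Compose file: image names, paths, ports, the site config file and the referenced `idp.conf` are all assumptions.

```yaml
# Added example, not the project's own compose file. Image names, paths and
# ports are assumptions; adapt them to your build.
version: "3.8"

services:
  # The "files container": holds the SimpleSAMLphp source tree and never runs.
  # It exists only to seed the shared volume (a named volume is populated from
  # the image's directory the first time it is created, while it is empty).
  simplesamlphp-files:
    image: example/simplesamlphp-files:latest   # assumed image name
    command: ["true"]                           # exits immediately
    volumes:
      - ssp:/var/simplesamlphp

  # PHP-FPM executes the scripts. It never terminates TLS or talks to clients
  # directly; only Nginx reaches it on the FastCGI port.
  php:
    image: php:8.2-fpm
    volumes:
      - ssp:/var/simplesamlphp:ro
      # Site-specific configuration kept outside the image (assumed path).
      - ./site/config.php:/var/simplesamlphp/config/config.php:ro
    expose:
      - "9000"

  # Nginx terminates TLS and forwards PHP requests to the FPM container.
  # The assumed idp.conf sets the document root to the www/ directory only,
  # so config/, metadata/ and cert/ inside the tree are never served.
  nginx:
    image: nginx:1.25
    ports:
      - "443:443"
    volumes:
      - ssp:/var/simplesamlphp:ro
      - ./nginx/idp.conf:/etc/nginx/conf.d/default.conf:ro
      - ./certs:/etc/nginx/certs:ro             # TLS key and certificate
    depends_on:
      - php

volumes:
  ssp:
```

Because the named volume is only seeded while empty, a rebuilt files image does not update an existing volume; remove and recreate the volume when you ship a new SimpleSAMLphp build.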

Moving Forward

SimpleSAMLphp can be configured as either an identity provider -- which was the use case we documented this month -- or as a service provider that relies on an external IDP. It can also be configured to integrate with multiple identity providers or set to filter the metadata returned from IDPs to the service providers that depend upon them.

The flexibility of the server allows the developer to configure endless combinations of identity providers, service providers, and manipulations of the federated metadata shared between them. It’s a powerful option that can fit almost any use case.

At the same time though, the power and flexibility of SimpleSAMLphp masks the true beauty of the system -- your end users have fewer credentials to remember and manage!