I am currently working on a project that requires the implementation of a Single Sign-On (SSO) system between an Identity Provider (IDP) and a Service Provider (SP). The IDP is hosted on a server accessible via the Internet, while the SP is also hosted on a different server with a distinct URL.
I am facing challenges in configuring the communication between the IDP and the SP, considering their locations on separate servers. I have consulted the SSO documentation, but I still find it complex to understand how to configure metadata and endpoints to establish secure and successful communication between the two parties.
I am reaching out to the community for assistance with the following:
How to configure the metadata of the IDP and the SP so that they can properly recognize and authenticate each other?
What are the endpoints to configure on both sides to enable a secure connection?
Are there any specific considerations to keep in mind when configuring communication between an IDP and an SP on separate servers?
If you have experience working on a similar configuration or if you possess expertise in setting up Single Sign-On between separate servers, I would greatly appreciate any advice, guidance, or configuration examples you can provide.
Additionally, to better illustrate my situation, here are the details and some code examples I am currently using:
Hello everyone,
I am currently working on a project that requires the implementation of a Single Sign-On (SSO) system between an Identity Provider (IDP) and a Service Provider (SP). The IDP is hosted on a server accessible via the Internet, while the SP is also hosted on a different server with a distinct URL.
I am facing challenges in configuring the communication between the IDP and the SP, considering their locations on separate servers. I have consulted the SSO documentation, but I still find it complex to understand how to configure metadata and endpoints to establish secure and successful communication between the two parties.
I am reaching out to the community for assistance with the following:
How to configure the metadata of the IDP and the SP so that they can properly recognize and authenticate each other? What are the endpoints to configure on both sides to enable a secure connection? Are there any specific considerations to keep in mind when configuring communication between an IDP and an SP on separate servers? If you have experience working on a similar configuration or if you possess expertise in setting up Single Sign-On between separate servers, I would greatly appreciate any advice, guidance, or configuration examples you can provide.
Additionally, to better illustrate my situation, here are the details and some code examples I am currently using:
hslavich_onelogin_saml: sp: entityId: 'https://test.elium.com/login/saml2/metadata' assertionConsumerService: url: 'https://test.elium.com/login/saml2/acs' binding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST' singleLogoutService: url: 'https://test.elium.com/login/saml2/sls' binding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect' NameIDFormat: 'urn:oasis:names:tc:SAML:1.1:nameid-format:identifiant' idp: entityId: 'https://127.0.0.1:8000/saml/metadata' singleSignOnService: url: 'https://127.0.0.1:8000/saml/login' binding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect' singleLogoutService: url: 'https://127.0.0.1:8000/saml/logout' binding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect' x509cert: '%kernel.project_dir%/config/saml2/idp-public-cert.pem' x509certMulti: signing: ['%kernel.project_dir%/config/saml2/idp-private-key.pem']
https://127.0.0.1:8000 or https://test-site.com
security.yaml
security: enable_authenticator_manager: true password_hashers: Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface: 'auto'
Thank you very much for your time and valuable assistance.
Best regards,