Post on 12-Jun-2015
simpleSAMLphp
Andreas Åkre Solberg
andreas.solberg@uninett.no
Generic presentation. Updated: November 2009
What is it?
Software with focus on SAML (both SP and IdP), but with support for multiple protocols.
Widespread
• Wide adoption, and interest is increasing…
• Mostly Europe and US. Both commercial / educational.
• 350 users on mailing-list.
• Translated into 20 languages
• IDDY-award in California 2008.
Chart: visitors of project homepage, demography
Project structure
• Project leader: 1
• Main developers: 2
• Secondary committers: ~ 5
• Contributors: ~ 15
Why people like it
• easy to install and maintain: just drop a folder to install :)
• easy to extend
• fully modularized
  • authentication sources
  • processing filters
  • themes
  • hooks
• very helpful open source community.
Version 1.5 (October 2009) with improved interoperability with Shibboleth
• automated Shibboleth-style metadata consumption
• Improved experience with combined SAML 1.1 and SAML 2.0 environments
• Improved SAML 1.1 + 2.0 integrated IdP Discovery Service
• SAML 1.1 Artifact binding
• encrypted NameIDs
Multiple protocols *)
• SAML 2.X SP
• SAML 2.X IdP
• Shib 1.3 SP
• Shib 1.3 IdP
• OpenID Provider
• OpenID Consumer
• OAuth
• WS-Fed / ADFS
• Infocard
• CAS
• Twitter auth
• Facebook auth
• YubiKey
• Radius client
• LDAP
• SQL
*) some protocols experimental support
Protocols can be bridged!
Example I: SAML 2.0 IdP <-> simpleSAMLphp bridge, acting as SAML 2.0 SP toward the IdP and as OpenID Provider toward OpenID consumers.
Example II: SAML 1.1 IdP <-> simpleSAMLphp bridge, acting as SAML 1.1 SP toward the IdP and as SAML 2.0 IdP toward a SAML 2.0 SP.
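What Example II looks like in configuration, as an added illustration (this is not code from the slides or from the project's own templates): the bridge is a hosted SAML 2.0 IdP whose authentication is delegated to a local authentication source of type saml:SP, and that SP points at the upstream IdP. Whether the SP side speaks SAML 1.1 or SAML 2.0 to the upstream IdP is decided by which remote-metadata file the upstream entity is listed in (shib13-idp-remote.php versus saml20-idp-remote.php). The entity IDs, file names and the authsource name "bridge-sp" are assumptions for this example; the key names follow the simpleSAMLphp configuration files, and a bridge built this way should have its private key file readable only by the web server user, since it now signs assertions on behalf of the upstream IdP's users.

```php
<?php
// ---- config/authsources.php (added example; names are assumptions) ----
$config = array(
    'admin' => array('core:AdminPassword'),

    // The bridge's own SP: toward the upstream IdP the bridge is a service
    // provider. Because the entity below is assumed to be listed in
    // metadata/shib13-idp-remote.php (not saml20-idp-remote.php), the
    // saml:SP authsource talks SAML 1.1 to it.
    'bridge-sp' => array(
        'saml:SP',
        'idp' => 'https://legacy-idp.example.org/shibboleth', // assumed entity ID
    ),
);

// ---- metadata/saml20-idp-hosted.php (added example) ----
$metadata['__DYNAMIC:1__'] = array(
    'host' => '__DEFAULT__',

    // Keys used to sign assertions issued by the bridge (file names assumed).
    'privatekey'  => 'server.pem',
    'certificate' => 'server.crt',

    // This is what turns the hosted SAML 2.0 IdP into a bridge: instead of a
    // local password/LDAP authsource, it authenticates users through the
    // saml:SP defined above, i.e. against the SAML 1.1 IdP.
    'auth' => 'bridge-sp',
);
```

With this in place a SAML 2.0 SP that trusts the bridge's IdP metadata never talks to the legacy SAML 1.1 IdP directly; the bridge accepts the SAML 1.1 assertion, runs its processing filters, and issues a fresh SAML 2.0 assertion under its own signing key. The trust boundary therefore moves to the bridge, which is why its signing key and the upstream IdP's certificate in shib13-idp-remote.php are the two things to protect and to monitor.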
Scalable from simple to not so simple
Simple: Apache 2 + PHP 5 + simpleSAMLphp on a single server.
Not so simple, with the memcache session handler: a load balancer in front of several Apache 2 / PHP 5 / simpleSAMLphp nodes, with sessions stored in memcache.
Diagram: memcache servers memcache1A, memcache2A, memcache3A / memcache1B, memcache2B, memcache3B / memcache1C, memcache2C, memcache3C. Sessions are load balanced across servers 1, 2, 3 and replicated for failover across groups A, B, C.
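The memcache layout in the diagram maps directly onto the session-store configuration; the fragment below is an added example of a config/config.php excerpt, not text from the slides. In simpleSAMLphp's memcache store the outer array holds server groups and the inner arrays the servers of each group: every write goes to all groups (that is the failover axis, A/B/C), and within a group the keys are distributed across the servers (that is the load-balanced axis, 1/2/3). The key names are those of the current simpleSAMLphp config template and the hostnames are taken from the diagram; the memcached port and the session lifetime are assumptions.

```php
<?php
// config/config.php excerpt (added example). Key names follow the current
// simpleSAMLphp config template; hostnames come from the diagram above.
$config = array(
    // Keep sessions in memcache rather than in PHP's file-based session
    // handler, so any node behind the load balancer can serve any session.
    'store.type' => 'memcache',

    // Outer array: groups, each written to in full (failover A / B / C).
    // Inner array: servers within a group, keys spread across them
    // (load balanced 1 / 2 / 3). Port 11211 is the memcached default.
    'memcache_store.servers' => array(
        array(
            array('hostname' => 'memcache1A', 'port' => 11211),
            array('hostname' => 'memcache2A', 'port' => 11211),
            array('hostname' => 'memcache3A', 'port' => 11211),
        ),
        array(
            array('hostname' => 'memcache1B', 'port' => 11211),
            array('hostname' => 'memcache2B', 'port' => 11211),
            array('hostname' => 'memcache3B', 'port' => 11211),
        ),
        array(
            array('hostname' => 'memcache1C', 'port' => 11211),
            array('hostname' => 'memcache2C', 'port' => 11211),
            array('hostname' => 'memcache3C', 'port' => 11211),
        ),
    ),

    // Prefix isolates this installation's keys when the memcache pool is
    // shared with other applications.
    'memcache_store.prefix' => 'simpleSAMLphp',

    // How long session data is kept in memcache (seconds); 36 hours assumed.
    'memcache_store.expires' => 36 * 60 * 60,
);
```

Losing one whole group (say every *C host) costs nothing but capacity, because the same session data is present in A and B; losing memcache2A alone only affects reads from group A for the keys that hashed onto it, and those are still served from 2B or 2C. Since the store holds live authenticated sessions, the memcache hosts should be reachable only from the simpleSAMLphp nodes, as memcached itself performs no authentication.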
Performance
Last performance test on IdP: ~ 12.000 SAML logins per minute on one server instance.
Possible because of the lightweight design from the ground up.
"Self-check" API
• Sanity-check API allows you to check if everything is "OK".
• Can be connected to monitoring systems like NAGIOS.
• Hooks for adding sanity check tests in external modules.
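The third bullet, the hook for adding checks from an external module, is the part worth showing in code, so here is an added example of such a hook (written for this page; it is not code from the slides or the project). simpleSAMLphp's sanitycheck module calls a function named <module>_hook_sanitycheck in each module's hooks/hook_sanitycheck.php and collects messages into $hookinfo['info'] and $hookinfo['errors']; anything in 'errors' turns the overall status from "OK" to a failure that a monitoring system such as NAGIOS can alert on. The module name "mymodule" and the certificate and key paths are assumptions; the two checks themselves (signing certificate not close to expiry, private key not world-readable) are the kind a defender would want on an IdP.

```php
<?php
// modules/mymodule/hooks/hook_sanitycheck.php (added example; "mymodule"
// and the file paths are assumptions). Called by the sanitycheck module.

/**
 * Sanity-check hook: appends strings to $hookinfo['info'] for healthy
 * findings and to $hookinfo['errors'] for anything that should fail
 * the overall status.
 */
function mymodule_hook_sanitycheck(&$hookinfo) {
    $certFile = '/var/simplesamlphp/cert/server.crt'; // assumed path
    $keyFile  = '/var/simplesamlphp/cert/server.pem'; // assumed path

    // Check 1: the IdP signing certificate parses and is not about to expire.
    // An expired signing certificate breaks every SP that validates signatures.
    if (!is_readable($certFile)) {
        $hookinfo['errors'][] = '[mymodule] Certificate not readable: ' . $certFile;
    } else {
        $cert = openssl_x509_parse(file_get_contents($certFile));
        if ($cert === false) {
            $hookinfo['errors'][] = '[mymodule] Could not parse certificate ' . $certFile;
        } else {
            $daysLeft = (int) (($cert['validTo_time_t'] - time()) / 86400);
            if ($daysLeft < 0) {
                $hookinfo['errors'][] = '[mymodule] Signing certificate has expired';
            } elseif ($daysLeft < 30) {
                $hookinfo['errors'][] = '[mymodule] Signing certificate expires in '
                    . $daysLeft . ' days';
            } else {
                $hookinfo['info'][] = '[mymodule] Signing certificate valid for '
                    . $daysLeft . ' more days';
            }
        }
    }

    // Check 2: the private key must not be readable by "other" users on the
    // host; the low three permission bits are the world-access bits.
    if (!file_exists($keyFile)) {
        $hookinfo['errors'][] = '[mymodule] Private key missing: ' . $keyFile;
    } elseif ((fileperms($keyFile) & 0007) !== 0) {
        $hookinfo['errors'][] = '[mymodule] Private key is world-accessible: ' . $keyFile;
    } else {
        $hookinfo['info'][] = '[mymodule] Private key permissions OK';
    }
}
```

Because the sanitycheck module aggregates every module's hook into one status, a check like this makes certificate expiry or a permission slip visible through the same monitoring path that already watches whether the IdP is up, instead of being discovered by the first SP whose signature validation fails.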
Statistics module
User consent
Fancy Robust Single Log-Out
IdP Discovery Service
• Tabbed interface
• Drop-down free
• Incremental live search
Timed-out HTTP-POST Rescue
The wiki use-case: what will happen if you save and the session is timed out?
simpleSAMLphp rescues the user's data when the session is timed out.
AFAIK no other software does.
Easy log lookup with TrackID
more... http://rnd.feide.no/simplesamlphp