SSO integration with simpleSAMLphp and openSSO

The integration of simpleSAMLphp and openSSO in an application like sugarCRM is clearly explained in the article Single Sign-On for SugarCRM Through a SAML-Based Integration of OpenSSO and simpleSAMLphp.

When integrating SSO into a public web site with a login box like the one in the upper right corner of Le Figaro.fr, how can we test whether the user is already logged in to the SSO, in order to display his name in place of the login and sign-on links?

If the user is not already authenticated on the local domain, the usual way to check the SSO login is to redirect to the SSO domain with a RelayState pointing back to the target page. In this case, however, two problems occur. First, the usual 302 redirect towards the SSO domain is not really SEO friendly. Secondly, if the user is not logged on the SSO, the redirection will bring him to the login page, which is not really what we want.

My solution to this issue is the following.

Next to the login box, add a 1×1 iframe with the following PHP page as its source.

<?php
/* Silent SSO check, loaded inside the 1×1 iframe next to the login box. */
require_once('/opt/simpleSAML/simplesamlphp_1_4/www/_include.php');
require_once('SimpleSAML/Utilities.php');
require_once('SimpleSAML/Session.php');
require_once('SimpleSAML/XHTML/Template.php');

/* Load simpleSAMLphp, configuration and metadata */
$config  = SimpleSAML_Configuration::getInstance();
$session = SimpleSAML_Session::getInstance();

/* If no valid local SAML 2.0 session exists, start the SP-initiated SSO flow.
   RelayState is the page the iframe returns to once the IdP has answered. */
if (!isset($session) || !$session->isValid('saml2')) {
  SimpleSAML_Utilities::redirect('/' . $config->getBaseURL() . 'saml2/sp/initSSO.php',
    array('RelayState' => 'http://www.aragorn2.cool/testsso/authenticated.html'));
}

/* A valid local session already exists: go straight to the authenticated page. */
SimpleSAML_Utilities::redirect('/testsso/authenticated.html');

This assumes that openSSO and simpleSAML have been correctly configured.

When the user is not already connected to the SSO, this small PHP snippet returns the HTML of the SSO login page into the iframe. Since the iframe is 1×1 in size, it will not be visible.

If the user is already connected, the authenticated.html page is returned and a session cookie is created for the local domain. In order to display the user information, we then redirect the parent page either to a specific home page or back to the original page, where we test for the existence of the cookie.

The code for the authenticated.html page is given below.

<html>
  <body>
    <script type="text/javascript">
      parent.location.href = 'home.html';
    </script>
  </body>
</html>

This is more or less what Google does on Blogger.
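As an added example (not code from the original post), here is the load-time logic the parent page needs to complete the flow above: it decides from the local cookie and a "probe already attempted" flag whether to show the user, load the 1×1 probe iframe, or leave the login links in place, and the flag prevents a redirect loop when the cookie never appears. The cookie name LOCALSSO, the sessionStorage key, the element id loginbox and the path /testsso/check.php are assumptions.

```javascript
// Added example for the iframe-based silent SSO check; names below are assumed.
const SESSION_COOKIE = 'LOCALSSO';     // assumed name of the local session cookie
const PROBE_FLAG = 'sso_probe_done';   // assumed sessionStorage key: probe already attempted

// Parse a document.cookie string ("a=1; b=2") into a name -> value object.
function parseCookies(cookieString) {
  const out = {};
  for (const part of cookieString.split(';')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Decide what the parent page should do on load:
//  'show-user'  - local SSO cookie present, render the user's name
//  'probe'      - no cookie and no probe attempted yet, load the 1x1 iframe
//  'show-login' - a probe already ran without producing a cookie, so the user
//                 is not logged on the SSO: keep the login/sign-on links
function decideAction(cookieString, probeDone) {
  const cookies = parseCookies(cookieString);
  if (cookies[SESSION_COOKIE]) return 'show-user';
  return probeDone ? 'show-login' : 'probe';
}

// Wire it to the DOM when running in a browser (skipped under Node).
if (typeof document !== 'undefined') {
  const probeDone = sessionStorage.getItem(PROBE_FLAG) === '1';
  const action = decideAction(document.cookie, probeDone);
  const box = document.getElementById('loginbox');
  if (action === 'probe') {
    // Record the attempt before the iframe may redirect the parent page, so a
    // page that lands back here with no cookie does not probe again.
    sessionStorage.setItem(PROBE_FLAG, '1');
    const probe = document.createElement('iframe');
    probe.src = '/testsso/check.php';   // the PHP snippet above; path assumed
    probe.width = probe.height = '1';
    box.appendChild(probe);
  } else if (action === 'show-user') {
    box.textContent = 'Logged in';      // replace with the user's name once attributes are read
  }
}
```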

In a next post, I will explain how to retrieve profile attributes from the SAML assertion.

OpenSource UML tools – BOUML

Up to now, when I had to carry out a UML analysis, I was using ArgoUML as a free tool. However, I was always frustrated by some strange behaviour. Sometimes, for example, it was really difficult to add a synchronous connection in a sequence diagram, and with the last version (0.24) I couldn't assign a class to an item instance of a sequence diagram.

Recently, I discovered BOUML. BOUML is quite easy to use and it has a lot of interesting features: HTML documentation generation and Java, C++, IDL and PHP code generation.

I have not yet had the time to test the reverse engineering capabilities, but it sounds really promising.

Moreover, BOUML is built to allow multiple users to work on the same model, something that is not easy with ArgoUML and is often reserved for the non-free editions of other tools.

I really think BOUML is a great tool and deserves the time to investigate and test it.