...

Metadata for each Identity Provider needs to be added to the saml20-idp-remote.php file.

IdP setup will vary depending on which IdP is being used. However, they generally all provide a link to the metadata in XML format that is needed to establish the connection between the IdP and the SP.

The XML from the IdP needs to be converted into PHP format and appended to the above file using the metarefresh tool:

...

cat SF-SSO.php SF-SSO-2.php SF-SSO-3.php > /var/simplesamlphp/metadata/saml20-idp-remote.php

...


This creates entries in the metadata array for each IdP.  The keys in this array are used in the next step

$metadata['https://drcloudehr-idd-qa-dev-ed.develop.my.salesforce.com'] = array (
    'entityid' => 'https://drcloudehr-idd-qa-dev-ed.develop.my.salesforce.com',
    'entityDescriptor' => 'PG1kOkVu....

Changes to /var/simplesamlphp/config/authsources.php

...

'sp1' => [
    'saml:SP',
    'entityID' => 'https://drcloudehr-idd-qa-dev-ed.develop.my.salesforce.com',
    'idp' => 'https://drcloudehr-idd-qa-dev-ed.develop.my.salesforce.com',
],
'sp2' => [
    'saml:SP',
    'entityID' => 'https://drcloudehr-idd-staging-dev-ed.develop.my.salesforce.com/',
],

...

/okta.com/',
    'idp' => 'https://okta.com/',
],

The entityID and idp values are keys into the metadata array defined in the saml20-idp-remote.php file that was updated in the previous step.

The entityID and the idp entries are set to the same value to eliminate the step of choosing an IdP when logging in.

Changes to /var/simplesamlphp/metadata/dc-idp-mapping.php

The authentication sources defined in the previous step are mapped to V1 site_id/database configurations.

/var/simplesamlphp/metadata/dc-idp-mapping.php stores an associative array mapping authentication sources to V1 site_id tags. It specifies which database should be used to compare the SAML user with the V1 user (matched through the email address column in the users table).

$DC_IDP_MAPPINGS = [
    // idp-tag                 DrCloud SiteID                idp-entity-id
    'qa'      => ['dc_site_id' => 'qa', 'idp_entity' => 'sp1'], // connects to the qa site using the Salesforce IdP
    'qa-okta' => ['dc_site_id' => 'qa', 'idp_entity' => 'sp2'], // connects to the qa site using the Okta IdP
];

Each mapping consists of an idp-tag that associates a SiteID (dc_site_id) with one of the sources (idp_entity) defined in authsources.php.

The idp-tag is specified when accessing the SSO URL described earlier:
https://<v1-server>/<ehrFiles>/interface/login/saml.php?idp=<IdentityProviderTag>

The idp-tag does not need to match the V1 site id. However, when possible, it is encouraged to do so. If multiple IdPs need to connect to the same V1 site, then only one of the idp-tags can match the V1 site id.
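The idp query parameter on saml.php is client-supplied, so the idp-tag must only ever be used as an allowlist key into $DC_IDP_MAPPINGS. The following is an added example (not code from the original page or from the DrCloudEHR/SimpleSAMLphp code base) showing how saml.php could resolve the tag to an authsource name and a V1 site id; the function name resolveIdpTag() and the demo tags are assumptions, and the mapping array is copied from the snippet above.

```php
<?php
// Added example: resolve the ?idp=<IdentityProviderTag> value against
// $DC_IDP_MAPPINGS. The array is copied from dc-idp-mapping.php above;
// resolveIdpTag() and the sample tags below are assumptions for illustration.
$DC_IDP_MAPPINGS = [
    'qa'      => ['dc_site_id' => 'qa', 'idp_entity' => 'sp1'], // Salesforce IdP
    'qa-okta' => ['dc_site_id' => 'qa', 'idp_entity' => 'sp2'], // Okta IdP
];

/**
 * Map an idp-tag to ['authsource' => ..., 'site_id' => ...].
 * The tag comes straight from the query string, so it is never used as an
 * authsource or site id itself: only an exact key in the mapping is accepted,
 * and an unknown tag fails closed instead of defaulting to another site.
 */
function resolveIdpTag(string $tag, array $mappings): array
{
    // Tags are plain identifiers; reject anything else before the lookup.
    if (!preg_match('/^[a-z0-9][a-z0-9_-]{0,63}$/', $tag)) {
        throw new InvalidArgumentException('Malformed idp tag');
    }
    if (!array_key_exists($tag, $mappings)) {
        throw new RuntimeException('Unknown idp tag');
    }
    $m = $mappings[$tag];
    return ['authsource' => $m['idp_entity'], 'site_id' => $m['dc_site_id']];
}

// In saml.php the tag would be $_GET['idp'] ?? ''; the resolved 'authsource'
// is what gets passed to SimpleSAMLphp (new \SimpleSAML\Auth\Simple($name)),
// and 'site_id' selects the V1 database whose users table is matched on email.
// Constructed inputs: two valid tags, one unknown tag, one malformed tag.
foreach (['qa', 'qa-okta', 'staging', '../sp1'] as $tag) {
    try {
        $t = resolveIdpTag($tag, $DC_IDP_MAPPINGS);
        printf("%-8s -> authsource=%s site_id=%s\n", $tag, $t['authsource'], $t['site_id']);
    } catch (Exception $e) {
        printf("%-8s -> rejected (%s)\n", $tag, $e->getMessage());
    }
}
```

Run with `php resolve-idp-tag.php`: the two configured tags resolve to sp1/qa and sp2/qa, while the unknown and malformed tags are rejected before any authsource is touched.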