My website is used by multiple companies. These companies want to implement SSO. So they log into their company portal and click a link to my website. They go to my website's home page without logging in. My website is in php. The different companies can have their website in any language. We want this to be as general as possible so all companies can use it. It also needs to be secure for obvious reasons and also because we are a health company with phi.
I've read through a lot on simpleSAMLphp, but I'm just not sure if I'm right about how to implement this.
Do I just set up my website as an SP with simpleSAML and say to other companies "this is what I use make yourself an Idp and send me the correct data" ? Is there another way to go about this ?
Yes - pretty much.
You send the companies your SP metadata and they import it and then they send you their IDP metadata and you import it.
The trick is the "primary key" i.e. how does the user in another system match a user in yours. NameID is usually used for this and it can have a number of formats.
Again, this is all in the metadata.
Another very useful part of being the Service Provider (SP) in a SAML integration, is to have a IdP Discovery Service. Since each one of your partners will exchange metadata with your organization, each is essentially a point-to-point SAML connection. The IdP Discovery Service uses something in the request to identify the partner and invoke a SAML SP-Initiated SSO transaction. One of the common strategies is to use URL naming such as yourpartner.company.com. Then the IdP Discovery Service detects the subdomain "yourpartner" in the URL and then invokes the proper SP transaction. There are other strategies, but I find this one works best for most organizations.
Well, if you wanna provide a good service, guess you would have to support multiple SSO protocols, and let the clients choose. Beside SAML there are OAuth OpenID Connect and JWT I would mention as relatively simple and well adopted. I find JWT especially simple and easy to use.
Regarding SAML PHP implementation, I have tried with simpleSAML but it turned out to be too complicated to integrate it into an existing app. I prefer the lightSAML library, which is actually v2 of aerialship/lightsaml, especially because my app was in Symfony and lightsaml had a security bundle.