I want to verify the Minimum Required Setup based on my requirements.

The requirements are:

  1. I need to support multiple sites representing a main site and subsites. For example, www.example.com, hr.example.com, it.example.com.
  2. Organization runs on Active Directory for all authentication, therefore all sites should as well.
  3. SSO should be implemented such that if I log into www.example.com, then navigate to hr.example.com, I will not need to reauthenticate.
  4. Given cross-site SSO, I may have different roles for each site. For example, in one I may be a publisher, but in another, I may just be a contributor. Upon navigating to each site, I should have the roles I have been allocated for the given site.

Based on the above, I believe I need:

  1. A SimpleSAMLphp Identity Provider (IP) server. This should be configured to talk to Active Directory.
  2. For each site, a SimpleSAMLphp Service Provider (SP) instance running on the same server as Drupal, so that simplesamlphp_auth can access its directory. (NOTE: I have a different server for each site.)
  3. Each site's SimpleSAMLphp SP configuration must point to #1 as its IP.

The questions:

  1. Can the above setup be simplified in any way? For example, can each site's SimpleSAMLphp setup talk directly to LDAP without the need for an IP instance, while still giving me cross-site SSO?
  2. Which SimpleSAMLphp instances require memcached? Only the SP instances? Only the IP instance? All instances?
  3. I believe that the SP instances need to be public (accessible via the internet). Does the IP need to be accessible publicly? Is it sufficient for the SP instances, which are behind a firewall, to talk to the IP also behind the firewall?
  4. Which instances need certificates? Does only the IP need a certificate so the SP instances can talk to the IP securely? Do the SP instances also need certificates?
  5. In a production environment, can the certificates from step #4 be self-signed? Or do some need to be public certificates? In other words, which certificates will be accessed by a user's browser, and therefore should be "valid" certificates?

Thanks in advance for this information!
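The IdP-plus-SPs layout sketched in the post, written out as SimpleSAMLphp configuration. This is an added example, not code from the original post or from the simplesamlphp_auth project. It assumes SimpleSAMLphp 1.x key names; the hostnames (sso.example.com, dc1.example.com, hr.example.com), the service-account DN, the key/certificate file names and the SAML_LDAP_BIND_PW environment variable are placeholders.

```php
<?php
// Added example (not from the original post or the simplesamlphp_auth module):
// the three SimpleSAMLphp fragments implied by the layout above, SimpleSAMLphp 1.x
// key names. Hostnames, DNs, file names and the service account are assumptions.

// ---- IdP server (sso.example.com): config/authsources.php ----
// One LDAP authentication source bound to Active Directory. AD users log in
// with sAMAccountName, so a service-account bind plus search is used instead
// of a fixed dnpattern.
$config = [
    'admin' => ['core:AdminPassword'],

    'ad-ldap' => [
        'ldap:LDAP',
        'hostname'          => 'ldaps://dc1.example.com',  // LDAPS, never plain 389
        'enable_tls'        => false,                       // already TLS via ldaps://
        'timeout'           => 10,
        'referrals'         => false,                       // AD referrals break binds
        'attributes'        => ['sAMAccountName', 'mail', 'displayName', 'memberOf'],
        'search.enable'     => true,
        'search.base'       => 'DC=example,DC=com',
        'search.attributes' => ['sAMAccountName'],
        'search.username'   => 'CN=svc-saml,OU=Service Accounts,DC=example,DC=com',
        'search.password'   => getenv('SAML_LDAP_BIND_PW'), // secret kept out of the file
    ],
];

// ---- IdP server: metadata/saml20-idp-hosted.php ----
// The hosted IdP signs assertions with idp.pem/idp.crt and authenticates
// against the 'ad-ldap' source above. Only the attributes the sites need are
// released; memberOf carries the AD groups each Drupal site maps to its own roles.
$metadata['__DYNAMIC:1__'] = [
    'host'        => '__DEFAULT__',
    'privatekey'  => 'idp.pem',
    'certificate' => 'idp.crt',
    'auth'        => 'ad-ldap',
    'authproc'    => [
        50 => [
            'class' => 'core:AttributeLimit',
            'sAMAccountName', 'mail', 'displayName', 'memberOf',
        ],
    ],
];

// ---- One SP (hr.example.com): config/authsources.php ----
// Each Drupal server runs its own SP with its own entityID and key pair, and
// all of them name the same IdP entityID so a session at the IdP covers every site.
$config = [
    'default-sp' => [
        'saml:SP',
        'entityID'    => 'https://hr.example.com/simplesaml/module.php/saml/sp/metadata.php/default-sp',
        'idp'         => 'https://sso.example.com/simplesaml/saml2/idp/metadata.php',
        'privatekey'  => 'hr-sp.pem',  // signs AuthnRequests, decrypts assertions
        'certificate' => 'hr-sp.crt',
    ],
];
```

The `idp` value in the SP block must match an entry in that SP's metadata/saml20-idp-remote.php containing the IdP's signing certificate, and the IdP needs each SP's metadata (with its certificate) in metadata/saml20-sp-remote.php; those exchanged certificates only authenticate SAML messages between the two SimpleSAMLphp instances and are separate from the HTTPS certificates the browser validates on each site's hostname. The per-site publisher/contributor distinction from requirement #4 is then done on each Drupal site by mapping values of the released memberOf attribute to that site's roles, so the same AD account can hold different roles on www, hr and it.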

Comments

arnaldop created an issue.