February 12, 2018 at 4:43 pm #20864 jgoers (Participant)
My organization is implementing Magento as our new eCommerce solution, and we need it to act as a SAML2 service provider with OpenAM being the IdP. Magento is written in PHP using the Zend framework, and unfortunately it does not contain native SAML support. Our Magento implementation partner is recommending to install this Magento SAML2 plugin: https://marketplace.magento.com/sixtomartin-onelogin-module-saml2-extend.html However there is concern about the supportability of that plugin and I have been asked to research alternatives. So, I am asking for anyone who has implemented Magento as a SAML SP to comment on their solution, and/or to comment on the following options I see:
1. Use the above plugin – this seems the cleanest to me by far
2. Use SimpleSAMLphp – https://simplesamlphp.org/ – this seems like it would give us more control over the implementation and support of it – but it would be more integration work
3. Use the OpenAM Fedlet – this does not seem like a good option as the fedlet needs to run in a servlet container
4. Use OpenIG to implement the SAML SP interface and sit in front of Magento – looking at the IG docs this looks like it could work pretty well. It would extract the attribute statements from the SAML response assertion from OpenAM and pass them to Magento as a form post or maybe JWT.
thanks and regards,
Jeffrey W. Goers
AAMC

February 13, 2018 at 8:41 am #20868 Peter Major (Moderator)
* deploy web agent and protect the PHP application using that (this wouldn’t be SAML2 based though)
* install Shibboleth SP on the web server

February 13, 2018 at 12:14 pm #20876 Andy Cory (Participant)
If it were me, I’d go for Peter’s option 1, the web agent protecting the PHP app (unless you must use SAML for some reason). Pretty much as clean as using the Magento SAML2 plugin, but without any supportability concerns.
-Andy

February 13, 2018 at 3:24 pm #20879 jgoers (Participant)
Well I forgot to state that Magento will be implemented as a cloud service in AWS, and our OpenAM IdP is on prem, so I was just assuming we would use federation and SAML. But using a web agent, or installing Shibboleth may be options too. My understanding is that we will have direct access to the AWS Magento infrastructure and can alter it if we need to. I imagine we could also use IG instead of the web agent and just configure it as a regular SSO filter and not bother with SAML.
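For readers weighing option 2 from the first post (SimpleSAMLphp as the SP in front of a PHP application), the following is an added example written for this thread; it is not code from the thread, from Magento, or from the SimpleSAMLphp project. It shows the SP-side "login bridge" a PHP app would need: require a SAML session, check that the assertion came from the expected OpenAM IdP, validate the released attributes, and bind them to a freshly regenerated application session. The authsource name `magento-sp`, the SimpleSAMLphp install path, the OpenAM entityID and the attribute names `mail`, `givenName` and `sn` are all assumptions.

```php
<?php
// Added example (not from the thread): a minimal SimpleSAMLphp-based SP
// login bridge for a PHP application such as Magento. Assumptions:
//   - SimpleSAMLphp is installed at /var/simplesamlphp with an SP authsource
//     named 'magento-sp' in config/authsources.php (hypothetical name)
//   - the OpenAM IdP entityID is the placeholder constant below
//   - OpenAM releases the attributes 'mail', 'givenName' and 'sn'
require_once '/var/simplesamlphp/lib/_autoload.php';

const EXPECTED_IDP_ENTITY_ID = 'https://openam.example.internal/openam'; // placeholder
const REQUIRED_ATTRIBUTES    = ['mail', 'givenName', 'sn'];

/**
 * Validate the attribute set released by the IdP and reduce it to the
 * single-valued fields the application actually needs.
 * Returns null when a required attribute is missing or malformed.
 */
function extractIdentity(array $attributes): ?array
{
    $identity = [];
    foreach (REQUIRED_ATTRIBUTES as $name) {
        // SimpleSAMLphp returns every attribute as a list of string values
        if (empty($attributes[$name]) || !is_string($attributes[$name][0])) {
            return null;
        }
        $identity[$name] = $attributes[$name][0];
    }
    // The e-mail address becomes the customer key, so validate its shape
    if (filter_var($identity['mail'], FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    return $identity;
}

$as = new \SimpleSAML\Auth\Simple('magento-sp');
$as->requireAuth(); // redirects to OpenAM if no SP session exists yet

// Only accept assertions from the configured IdP, even if the SP metadata
// directory happens to contain other trusted entities.
if ($as->getAuthData('saml:sp:IdP') !== EXPECTED_IDP_ENTITY_ID) {
    http_response_code(403);
    exit('Assertion from unexpected identity provider');
}

$identity = extractIdentity($as->getAttributes());
if ($identity === null) {
    http_response_code(403);
    exit('Required SAML attributes missing or malformed');
}

// Bind the federated identity to a fresh application session
session_start();
session_regenerate_id(true); // new session id across the login boundary (avoids fixation)
$_SESSION['customer'] = $identity;

// Hand off to the application (for Magento, the customer account page for example)
header('Location: /customer/account/');
exit;
```

The IdP check matters because a SimpleSAMLphp SP trusts every IdP whose metadata is loaded; pinning the entityID keeps a stray metadata file from widening who can log users in. Whether the attributes are consumed here or passed on as a form post or JWT (option 4 with IG in front), the same validation of required attributes should happen before a customer record is created or matched.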