Implementing a Symfony2 single-sign-on

I have a basic understanding of the security concept in Symfony2. Now I'm trying to implement a single-sign-on feature for a multi-domain website.

The SSO concept itself is rather straightforward:

  • Domain A is the cookie domain; people can log in on this domain
  • When logging in on domain B, the user is redirected to domain A, where a one-time password is requested. The user needs a session on domain A to get this password.
  • After obtaining the OTP, the user is returned to domain B, which will match the OTP to the session on domain A.
  • If matched, a session will be created for domain B. The session will be validated against the session on domain A for each subsequent request from this point on.

Implementing the firewall/authentication for domain A can be done as you normally would. In my understanding, I need to:

  • Set up a firewall for domain B
  • Create a listener for this firewall that somehow redirects the user to domain A (more specifically: a URI that requests an OTP)
  • Create an authentication provider that handles an OTP and creates a session for domain B
  • Create another listener that checks the session validity against the session on domain A

However, I could really use some tips on how to do this in a bundle. If anyone can help me out here, that'd be great.

Also, I'm not yet sure how to implement the OTP, or how to compare the two sessions and make sure they both are valid. That will come later; I need to get this workflow working first.

Peter Kruithof asked Apr 12 '12 13:04
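The exchange described in the question's four bullets, modelled in plain Python as an added example (not code from the poster or from Symfony, and independent of the firewall/listener wiring asked about). The `DomainA`/`DomainB` classes, the 60-second TTL and the in-memory dicts are assumptions standing in for real session storage and a server-to-server call from B to A; the points worth keeping are that an OTP is bound to a live session on A, is single-use and short-lived, and that B re-checks its session against A on every request.

```python
import secrets

OTP_TTL = 60  # seconds an issued OTP stays redeemable (constructed value)


class DomainA:
    """Cookie domain: owns the master sessions, issues and redeems OTPs."""
    def __init__(self):
        self.sessions = {}  # session id -> user
        self.otps = {}  # otp -> (session id, issued_at); removed on first use
    def login(self, user):
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = user
        return sid
    def logout(self, sid):
        self.sessions.pop(sid, None)
    def issue_otp(self, sid, now):
        # Only a browser that already holds a live session on A gets an OTP.
        if sid not in self.sessions:
            return None
        otp = secrets.token_urlsafe(32)
        self.otps[otp] = (sid, now)
        return otp
    def redeem_otp(self, otp, now):
        # pop() makes the OTP single-use, so a replayed OTP finds nothing.
        sid, issued = self.otps.pop(otp, (None, 0))
        if sid not in self.sessions or now - issued > OTP_TTL:
            return None
        return sid, self.sessions[sid]


class DomainB:
    """Secondary domain: each local session stays tied to a session on A."""
    def __init__(self, domain_a):
        self.a = domain_a  # stands in for a server-to-server channel to A
        self.sessions = {}  # local session id -> (A session id, user)
    def login_with_otp(self, otp, now):
        # B never trusts the OTP value itself; A decides whether it is good.
        redeemed = self.a.redeem_otp(otp, now)
        if redeemed is None:
            return None
        local_sid = secrets.token_urlsafe(32)
        self.sessions[local_sid] = redeemed
        return local_sid
    def authorize_request(self, local_sid):
        # Per-request check: B's session is valid only while its A session lives.
        a_sid, user = self.sessions.get(local_sid, (None, None))
        if a_sid not in self.a.sessions:
            self.sessions.pop(local_sid, None)  # A logged out, so B drops it too
            return None
        return user
```

In a real deployment the OTP would travel in the redirect back to B and the `redeem_otp` call would be an authenticated back-channel request from B's server to A's, never a check done in the browser.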


1 Answer

In order to get multidomain SSO you can implement a SAML solution. Take a look at the simplesamlphp software and at this extension for symfony1: https://github.com/chtitux/sfSAMLPlugin

To resolve the OTP issue you can use, for example, LinOTP2, which is compatible with simplesamlphp: https://github.com/lsexperts/simplesamlphp-linotp

smartin answered Oct 02 '22 02:10