SciFi, 2015-02-20 11:28:25
PHP

How to integrate authorization through the ESIA on the site?

For authorization through the ESIA (the public services portal), the SAML protocol is used. The SimpleSAML library has become the standard way of solving this in PHP.
When integrating, I am trying to follow these instructions, but a lot is left out of them. For example: what do I do with the metadata file? Where do I put it? Do I need to specify a path to it somewhere in the configs?
At the moment I am doing this:
1. In simplesaml/metadata/saml20-idp-remote.php I write the connection data:

<?php
$metadata['https://esia-portal1.test.gosuslugi.ru/idp/shibboleth'] = array(
    'name' => array(
        'ru' => 'Авторизация ЕСИА'
    ),
    'privatekey' => 'private.key',   // path to the private key file
    'certificate' => 'open.crt',     // path to the public key certificate
    'SingleSignOnService' => 'https://esia-portal1.test.gosuslugi.ru',
);

2. In the file simplesaml/config/authsources.php, in the entityID, I specify the site address and the certificates, as described in the link above.
3. Made an alias to the simplesaml folder and set php_admin_value mbstring.func_overload 0.
Now, when I try to log in through the standard SimpleSAML interface, I am redirected to the ESIA authorization page. I enter my credentials and get authorized, but there is no redirect back to the site and no user data is sent back.
What did I miss?


5 answers
jerry_ru (@jerry_ru), 2015-03-23

Let's use the ESIA terminology:
1. The metadata file is sent to the ESIA itself when you register your IS (information system). Have you done this and registered your IS?
2. You do not need certificates as such; you only need a private key, whose public certificate you sent to the ESIA in the metadata file.
3. Unfortunately, I cannot suggest how to implement this in PHP.
If in the end you don't succeed, there are ready-made solutions that include both consulting and program modules (including for PHP): esia.pro

IvanVP (@IvanVP), 2017-11-01

There is a solution for Ruby on Rails + Devise
https://rubygems.org/gems/omniauth-esia
https://github.com/elsant/omniauth-esia

exman82 (@exman82), 2015-11-02

SciFi, did you manage to get SimpleSAML working?

Kirill (@KirillAG), 2016-01-29

Yes, the outcome is interesting to me too. As far as I know, ESIA has also been connected using libraries such as SimpleSAML and OIOSAML.
As for ready-made solutions, in addition to the one above, there is also a solution from the ESIA development team: identityblitz.ru/products/esia-bridge
True, it is based not on SAML but on OAuth 2.0/OpenID Connect, but for a number of organizations that is even better.

tatar3005 (@tatar3005), 2017-02-13

Could anyone please share how you did it?
