When the session is attached you can do actions as login/logout or get the user's info.
$broker = new Jasny\SSO\Broker($serverUrl, $brokerId, $brokerSecret);
$broker->attach();
//$user = $boker->getUserInfo();
$user = $broker->getUserInfo();
echo json_encode($user);

The lib is MIT licensed, but the LICENSE is missing.

https://opensource.org/licenses/MIT

If you are logged in and your IP changes, you cannot re-login because of this error:

The broker session id isn't attached to a user session

Until you clear your cookies, you have no chance to get around this error.

The client requests the index page at the broker. The broker will request user information from the server. Since the visitor is already logged in, the server returns this information. The index page is shown to the visitor.

Each client request to the index page ,the broker has to request user information from the server ,though the visitor is already logged in.

Is it reasonable?

I mean it takes 1second to complete curl request to get information from the server. Cost too much than traditional session login .

Hope your answer

I have SSO server running with AWS autoscaling group with 1 instance at the moment, now if I have to make it scalable (more than 1 instance) what is the good way to do it? I see we are using linking of the session by $sid from the cache. Seems, I need to modify createCacheAdapter and to store same information outside server? What is a good solution for it?

To many users have issues with setting up Jasny SSO. To solve this, we should add a debug mode.

In debug mode we might add HTTP headers or even additional dialogs which help the user find out why things aren't working.

Hey Arnold,

thank you for this great SSO Implementation. Its very easy, secure and extendable.

I used it for this case:

I habe a wordpress site, and if it is logged in, other external sites must be also logged in.

So in that case I did the following on server side (wordpress)

$broker = new Jasny\SSO\Broker('http://www.xxxx.de/sso/server/', 'xxxx', 'xxxx');
$ssoServer = new MySSOServer();
$ssoServer->startUserSession();

if (is_user_logged_in()) {
    $ssoServer->setSessionData('sso_user', 'xxxx');
} else {
    $ssoServer->setSessionData('sso_user', null);
}

This snipped is called after wordpress logout/login as callback.

It that a good aproach and correct?, because it works. I did not want to create a new login on wordpress and want to use the existing login.

Best Regards
Sven

When I click logout I got "Expected application/json response, got text/html"

So I try to capture data from (Broker->Server) and I got this(HTTP Error 411).

I try to fix this Error by edit(sso/src/Broker.php) line 254
I change
public function logout() { $this->request('POST', 'logout'); }
to
public function logout() { $this->request('GET', 'logout'); }

And, it works fine for me.

I want to know that my hotfix will affect my website security or not? Since, I don't know what I'm doing.

Sorry for my poor English.

Hello,

I try to implement a Master-Slave solution, made from two websites which need a common sign-in method. In theory, the Users sign in into Master, where they have access to a Private Area after login, with diverse pages.

Also, there are available some Files for download and a (AJAX) WebChat (which use of course, the Website's Auth System to find the users & Co.).

My intention is to move those (private) Files and the WebChat engine on a secondary website, while they can be available only under Authentication. But, what I want is that Secondary Website to transparently authenticate and un-authenticate the Users, following the Master website.
In theory, when the User is authenticated in Master, it should be automatically authenticated in Slave, with the same credentials as Username, Real Name, etc. An that User have access to his Private Files and WebChat, like those are hosted in the Master, where he is logged in.

You are kind to offer some suggestions about how can this design can be implemented using your SSO?

Hello,

When I try the examples on my virtual machine I have no problem and that's works fine but when I put it into a web server, I have this error every time Expected application/json response, got text/html

Do you know why I have this error ?

Thank's a lot,

PetitBX

How to synchronous logout ?

The client address from the checksum should be removed, be this can change. Especially when you use an app on a mobile device the IP address change frequently.

I tested locally and works well. but when I try try from different subdomains I have problems

Broker didn't send a session key

Hi,
After few hours I gave up and decide to ask for help...
When I try to login "The broker session id isn't attached to a user session" is returned every time.
When I first land on login page SSO token is generated under cookies, but after pressing "Log in" button, cookie disappears and error is returned. I tried both methods for broker (AJAX, non-AJAX), same error every time.
Could the problem be that both Broker and server are running on same machine with same IP and only different port (Broker 55556, Server 55557)?

Can you please point me in right direction where to possibly look for errors?

Thank You!

The demo websites are currently down. I should set them up under other domains.

I have implement your code to one form Login on server. But, I have stuck.

Broker > attach to server
Broker > Server::GetUserInfo (Curl) > False > Server::Login Form (Redirect) > Broker (Redirect)
Broker > Server::GetUserInfo (Curl) > No Session (This fail)

Can I use your code for that rule?
I know the session is not shared. But, how can I get it? Any Idea?

All "require_once DIR . '/../../vendor/autoload.php';" should be replaced by "require_once DIR . '/../../../../../vendor/autoload.php';"

Hi,

im using your lib to integrate it into an old Joomla site.

It fails with "Broker didn't send a session key", any Idea what causes this or how to fix it?

Hello,

First of all, thank you for this amazing package.
As said in the title, I might be using it in prod environment. Is it stable/mature enough?

Regards,

Hi,jasny
Your code works well in my project.
My question is that ,it creats a lot of session files in session save path and could not be deleted automaticly,how to fix it ?

Hi!

If the server of SSO restart, all sessions are deleted.

All brokers receive this error :

Unknown client IP address for the attached session

But all brokers have a valid cookie, then they do not attach to server.
All current users must remove manually cookies to successfully reconnect in broker.

The same problem occurs on SSO file cache when expired or deleted

I have one idea I have been working on, hoping you’ll take time to take a look at PR I’d send.

Thanks

Your README.md reads

Install this library through composer

composer request jasny/sso

Is that means composer require jasny/sso ?

When session handler is set to memcache then call to session_save_path() will return url like 'tcp://localhost:11211' instead of file path, so everything become broken with attaching.

The examples should work pretty much as the old demo (on the current master branch) does.

It should create a concrete SSOServer class that extends Jasny\SSO\Server.

I have difficulty installing jasny/sso, below are the error I'm getting when I tried to "composer require jasny/sso":-

Using version ^0.3.0 for jasny/sso
./composer.json has been updated
Loading composer repositories with package information
Updating dependencies (including require-dev)
Your requirements could not be resolved to an installable set of packages.

  Problem 1
    - The requested package jasny/sso No version set (parsed as 1.0.0) is satisf
iable by jasny/sso[No version set (parsed as 1.0.0)] but these conflict with you
r requirements or minimum-stability.


Installation failed, reverting ./composer.json to its original content.

i logged in on s1 then i went to s2 still the login form is show.

i created a demo, no changes has been made in the source code except for the server url.and the broker for each domain. server url is http://85.214.200.88/sso/.

s1: http://arnelqlabarda.com/testing/sso/
s2: http://85.214.200.88/sso/login/

i checked the server tmp dir.. this is what i have.

-rw-r--r-- 1 www-data www-data   26 Feb  8 09:52 SSO-BINCK-f1f8f90da0380e4cc44a781b67136664-b1e1f0927c2dc7fc9fd1586a2fb47d3d
-rw-r--r-- 1 www-data www-data   26 Feb  8 09:52 SSO-LYNX-a54cd54a56a688309cb301ff9739d978-5f14e5d9a1e3f8e57d1f890921349c64
-rw-r--r-- 1 www-data www-data   26 Feb  8 09:52 SSO-UZZA-28f7a678f27c5bd01d030d2d6374986b-0744949136594cfe0aab565d9b620591

Is this true and still the case? This is where I see issues.

I've problem with getting error "Expected application/json response, got text/html ". On my localhost it works well but not from web server. I'm running Pl*sk and base with FatFreeFramwork, tried to switching php version but nothing happens, even to put "curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);" into broker.php as @petitbx said. But for php 7.0 i got this error "Broker didn't send a session key".
Thx

php 7.1

php 7.0.15

Hi,
I tried to implement "Single Sign-On" within our applications. It works fine in localhost but when we tried to deploy this on web then it work with in single broker. It mean when we jump on second broker the session lost and login box start displaying instead of displaying index.php of second broker.

localhost/sso-live/broker1
localhost/sso-live/broker2

foo.com/sso-live/broker1
foo.com/sso-live/broker2

Please help me out to resolve this.

I found now session is strored in $_SESSION

maybe set session store place configurable is better, such as use redis,memcache

Sending the SSO session token as query parameter can be unsafe. These typically appear in access and errors logs. This means ppl who have access to these logs (developers, devops, etc) can abuse these tokens.

Instead we should send an Authentication Bearer header with the session token. See RFC 6750.

For BC the SSO server should accept both.

I would really like to use this!
But I need a few words on how to install and test it all.
the demo's are offline, so I really don't know where to start now

Hi!

I downloaded your SSO,and when i'm tryied out one of your example (server),the PHP gives me a require error. I serached for autoload.php,but i'm didn't find it.

require_once __DIR__ . '/../../vendor/autoload.php';

Can you help me with this problem?

Thank you in advice!

Hello.
After a bit of reading on OAuth and SSO I was aiming to use this library rather than implementing OAuth2 for a SSO, which seems to be a bit of a trend rather than a real need.
In my case I only have trusted parties, so I don't need any level of Authorisation. What I need is Single Authentication and shared session, just what this library does.

The documentation says that the server class can be utilised in MVC as controller or library.
Does anyone ever integrated this with Symfony. As proof of concept I could use this library in my project between various technologies (Drupal, shopify etc) as service providers and a Symfony (full stack framework) as Id provider I utilised the @jasny examples as SPs and reproduced a IdP in the default symfony controller as follows below.

The AppBundle\SSO\SSOServer extends Server exactly like Jasny does and it's a copy of the MySSOServer you find in the examples folder. My intention was get a proof of concept working, so for the moment is convenient working with that.

The only real difference is the return in the Symfony indexAction. In general a symfony controller must return a response so I used a return new JsonResponse to actually pass stuff back to the broker.

I could have everything working (token generation, session key, redirection). But when I tried to log-in on the brokers I would get a "Failed Login" error (coming from the Broker itself - line 16 of the login.php example if ($_SERVER['REQUEST_METHOD'] == 'POST') $errmsg = "Login failed";)

Now the question: did somebody ever used this library with Symfony or have any suggestion on how to do it properly.

class DefaultController extends Controller
{
    /**
     * @Route("/", name="homepage")
     */
    public function indexAction(Request $request)
    {

//Symfony Dependency Injection here:
        $container = new ContainerBuilder();

        $container->register('server', 'AppBundle\SSO\SSOServer');
        $ssoServer = $container->get('server');

        $command = isset($_REQUEST['command']) ? $_REQUEST['command'] : null;

        if (!$command || !method_exists($ssoServer, $command)) {
           return new JsonResponse(array('error' => 'Unknown $command'));
        }
        return new JsonResponse(array($ssoServer->$command()));
    }
}

The examples are login with different login page
I need all brokers login with the same login page on sso server.

Could you help me.
Thanks.

Hello,
Can you please tell me what is the procedure to deploy this in an aws configuration?
I have tried to run the command php -S SERVER_IP:9000 -t sso/server and then when i try to open my site then its just loading and loading... is there any step that is left while deployment??

There is no much data available for its deployment although ive tested the whole mechanism in my local machine but its not working in live as it does in local. I have double checked all the confguration at deployment.
Iam a bit confused that do i need to run the above stated command or should a virtual host pointed to above directory and host must do the stuff?

Is there a simple way to implement a "remember me" functionality like known from other sites like Paypal, Facebook, etc.? ("This is a private computer. Keep me logged in until i nuke my browser")

This isn't required to make SSO work. It gives major problems, especially when clients are on mobile devices. The problems outweigh the added security.

The login method should call $this->authenticate(), which is an abstract method. To create a server, the developer must create a class that extends the Jasny\SSO\Server class and implements this method.

The authenticate method must return a Jasny\ValidationResult object.

getRequestUrl not set the $params['sso_session'] = $this->getSessionId();

$sid = $this->getBrokerSessionID(); no session

I try to make login from a broker to the server, but always the server return userinfo method like null, this problem prints on broker: Expected application/json response, got text/html

I try delete all cookies and all sessions but the problem is not fixed

I want to implement this with a broker application that only supports CAS v3.0 or SAML v2.0.

Do you think your package would be able to help with this?

This is great but I am confused how actually I can use or install it in laravel.

Can you provide example application for this.

If every broker has a unique brokerId and secret?

As already mentioned at #13, there is no session GC. In my case, using the File-adapter, had a cache-folder containing millions of files (sadly I didn't do a count before cleanup). find . -mtime +5 -exec rm {} \; did at least run for 20 minutes - now I'm at 134806 files. So maybe at least 2,5 million files before.

https://github.com/desarrolla2/Cache/blob/master/src/Adapter/AbstractAdapter.php#L59

Not a single concrete adapter implements a clearCache logic.

Please don't close this issue, just because it is a "missing feature" in an external library.
Consider implementing a cleanup within the SSO-Server class or replace desaroll2/cache with another PHP-cache library.

Hi,

First of the congrats and thanks for this wonderful library

Please do favour and help me implementing it with laravel.

I think only big problem i could get is with merging the vendor folder because what you used is already used in Laravel.

Kindly Help. Thanks!

Remove the option to use symlinks to link sessions. Instead use the desarrolla2/cache library to store the session id for the broker (replacing SSO\Session line 157 to 169.

Add a protected function createCacheAdapter(), which is called in the constructor. By default the function will create a file cache adapter, using /tmp/sso-sessions as directory. This function can be overloaded when extending the SSO\Server class.

Use jasny/php-code-quality and implement unit tests (with phpunit or codeception)

can i balance the authentification to active directory ?