Custom SAML Login Handler


jj1987

Posted

Good Morning,

I'm developing a custom login handler using OneLogin's PHP SAML library. The way that SAML works is the user clicks a button to log in -> redirected to the login page -> login page realizes user needs to log in, builds a SAML request and redirects to the Identity Provider (IDP) -> user logs in -> user is redirected back to an "assertion consumer" page which consumes either HTTP POST or GET XML containing the login information.

I have the button handler set up and the login redirect is working thanks to the documentation Invision provides.

My question is how do I create a custom Assertion Consumer URL (Example: https://mysite.com/AssertionConsumer) that can decrypt the SAML assertion? It almost seems as if I need a separate PHP page that loads the Invision session information, but I wasn't sure. My current assumption is that I'll need to create a plugin (or maybe application since it's not extending any existing app functionality?), but I wanted to ask before I went down that path.

Posted

What I've done in the past is use the PHP SimpleSAMLphp library to handle reading/decrypting the SAML response. A plugin is then used to invoke the library during session initialization.

SAML isn't exactly the simplest route for SSO/unified login, but this approach works fine for our clients using it.
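
A standalone assertion consumer page of the kind asked about above, as an added example that is not from either poster or from Invision. It assumes OneLogin php-saml 3.x or later installed via Composer; the IdP URLs, certificate paths and the `saml_request_id` session key are placeholders, and the login side is assumed to have stored `$auth->getLastRequestID()` under that key before redirecting.

```php
<?php
// Added example: assertion consumer endpoint using OneLogin php-saml (namespaced 3.x+ API).
// Assumptions: IdP URLs, file paths and the 'saml_request_id' session key are placeholders.
require __DIR__ . '/vendor/autoload.php';
use OneLogin\Saml2\Auth;
session_start();
$settings = [
    'strict' => true, // enforce Destination, audience, validity window and signature checks
    'sp' => [
        'entityId' => 'https://mysite.com/saml/metadata',
        'assertionConsumerService' => ['url' => 'https://mysite.com/AssertionConsumer'],
        'x509cert' => file_get_contents('/path/to/sp.crt'),
        'privateKey' => file_get_contents('/path/to/sp.key'), // decrypts the assertion
    ],
    'idp' => [
        'entityId' => 'https://idp.example.com/metadata',
        'singleSignOnService' => ['url' => 'https://idp.example.com/sso'],
        'x509cert' => file_get_contents('/path/to/idp.crt'), // verifies the IdP signature
    ],
    'security' => ['wantAssertionsSigned' => true, 'wantAssertionsEncrypted' => true],
];
// Accept only a response that answers the AuthnRequest this browser session started;
// the ID is single-use, so clear it before processing.
$requestId = $_SESSION['saml_request_id'] ?? null;
unset($_SESSION['saml_request_id']);
if ($requestId === null) { http_response_code(400); exit('No pending SAML request'); }
try {
    $auth = new Auth($settings);
    $auth->processResponse($requestId); // reads $_POST['SAMLResponse'], decrypts, validates
} catch (\Exception $e) {               // missing POST field, bad settings, undecryptable XML
    error_log('SAML ACS error: ' . $e->getMessage());
    http_response_code(400); exit('Invalid SAML response');
}
if ($auth->getErrors() || !$auth->isAuthenticated()) {
    error_log('SAML ACS rejected: ' . implode(',', $auth->getErrors()) . ' ' . $auth->getLastErrorReason());
    http_response_code(403);
    exit('SAML authentication failed');
}
session_regenerate_id(true); // new session ID at the login boundary (session fixation)
$_SESSION['saml_name_id'] = $auth->getNameId();
$_SESSION['saml_attributes'] = $auth->getAttributes();
// Mapping the NameID to a forum member is application-specific and not shown here.
header('Location: /');
exit;
```

Because the IdP posts to this URL cross-site, the session cookie holding the request ID must be sent on that POST (`SameSite=None; Secure`), otherwise the lookup fails and the handler rejects the login.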

Archived

This topic is now archived and is closed to further replies.
