Question

We have built a standalone SaaS product and we are attracting enterprise clients who want their users to log straight in. We are not looking for authorization, just simpler authentication, where the user gets an account without having to enter their name or email address.

We want to give our enterprise customers the ability to connect to our login system. Once we implement OAuth2, do we need to supply the end customers with an authentication server or is this something they sort themselves?

I have been looking at services. Would https://github.com/fkooman/php-oauth be good?

Solution

It sounds like your clients want to use their own Identity Provider to issue SAML assertions that your SaaS product can use to authenticate them. Hence you would be looking at an Identity Provider initiated logon architecture.

You would need to set up your SaaS product as a Service Provider, exchange metadata and certificates to enable signing, then you can accept SAML assertions and grant the users access. You can use a number of libraries to implement this.

We recently used the open source library OIOSAML to build both an Identity Provider and a Service Provider, both of which proved straightforward and reliable. They have .NET and Java versions. Even if you decide to use a different product, both include sample applications and documentation that are very valuable to see SAML in action.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow