
SSO - how to automatically log into an external website from an intranet (SAML 2.0)?

A client has used our PHP web-application for years, but now wants a Single Sign On solution (SSO).

They have a company intranet that they log in to, and they want to use this same login as an automatic authentication for our web-application (which is on an external domain).

They talk about SAML 2.0, which I had never heard of until now.

I searched the internet, but have a hard time understanding all the different concepts (identity provider, etc.). All websites about the subject seem to require some basic knowledge that I don't have. I don't understand how and where the authentication data has to be stored... (in post-data from a cookie, it seems, but how do you get the authentication XML anywhere the first time you start doing this?!)

Could anybody point me in some directions for this specific situation?


Here's a very high level overview video on SAML that will give you the big picture: http://youtu.be/gUmMcecHN9s

If you want a more technical introduction to it, I would suggest the official Executive Summary: http://www.oasis-open.org/committees/download.php/13525/sstc-saml-exec-overview-2.0-cd-01-2col.pdf

The basics of it are that typically a digitally signed XML blob of data is passed from an IdP (Identity Provider) to an SP (Service Provider) to tell it the user has authenticated and they should be trusted. There is an out-of-band initial setup required between IdP and SP to trust each other and agree upon what information will be shared (user IDs, attributes, etc.).

To get SAML 2.0 working, there are many options - including commercial ones (like from Ping Identity - http://www.pingidentity.com/) that are great and save you much effort and provide commercial support. There are also other options like building your own or using open source libraries - provided you have more time on your hands and it's a one-off problem.

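To make the "signed XML blob from IdP to SP" concrete, here is an added example (not from the question, the answer, or any SAML library) of the content checks an SP must perform on a SAML 2.0 Assertion once its XML signature has been verified by a library. The assertion, the issuer URL `https://idp.intranet.example/saml` and the SP entity ID `https://app.vendor.example/sp` are all constructed for illustration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"

# Constructed sample assertion; not the output of any real IdP.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.intranet.example/saml</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://app.vendor.example/sp</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def saml_time(stamp):
    """Parse the UTC xs:dateTime form ('...Z') that SAML timestamps use."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, trusted_issuer, sp_entity_id, now, skew=timedelta(seconds=60)):
    """Return the subject NameID if this SP may accept the assertion, else raise ValueError.
    Assumes the XML signature was already verified (e.g. by an xmlsec-based SAML library);
    these are the checks that still have to run on the signed content afterwards."""
    root = ET.fromstring(xml_text)  # production code: parse with defusedxml to block entity attacks
    if root.tag != SAML + "Assertion":
        raise ValueError("not a SAML 2.0 Assertion")
    issuer = root.findtext(SAML + "Issuer", default="").strip()
    if issuer != trusted_issuer:  # only the IdP agreed on during out-of-band setup may vouch for users
        raise ValueError(f"untrusted issuer: {issuer!r}")
    cond = root.find(SAML + "Conditions")
    if cond is None:
        raise ValueError("missing Conditions")
    if "NotBefore" in cond.attrib and now + skew < saml_time(cond.get("NotBefore")):
        raise ValueError("assertion not yet valid")
    if "NotOnOrAfter" in cond.attrib and now - skew >= saml_time(cond.get("NotOnOrAfter")):
        raise ValueError("assertion expired")  # replayed or stale assertions are rejected here
    audiences = [a.text.strip() for a in cond.iter(SAML + "Audience") if a.text]
    if sp_entity_id not in audiences:  # an assertion issued for another SP must not log anyone in here
        raise ValueError("assertion not addressed to this SP")
    name_id = root.findtext(SAML + "Subject/" + SAML + "NameID")
    if not name_id:
        raise ValueError("missing Subject/NameID")
    return name_id.strip()


def accepts(xml_text, trusted_issuer, sp_entity_id, now):
    """Boolean wrapper around validate_assertion for callers that only need a yes/no."""
    try:
        validate_assertion(xml_text, trusted_issuer, sp_entity_id, now)
        return True
    except ValueError:
        return False
```

The returned NameID is what the SP maps to its own user record to start the local session; a real deployment also checks the Response's InResponseTo and Destination and keeps a short-lived cache of assertion IDs to reject replays.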