Proxied Authentication Request Interface

The implementation of the Proxied Authentication Request interface assumes that your web application/service is able to verify local account credentials sent by the IdP over HTTPS.

Particularly, your web application/service must be able to do the following:

Possible scenario

For instance, the SP stores the IDs and credentials of its accounts in a database. Additionally, the SP has a handler that receives HTTPS packets from the IdP. Credentials are then verified via the interface according to the following scheme:

  1. The IdP sends an HTTPS POST request packet to the handler. The packet body contains the local account credentials.
  2. The handler receives the packet, extracts the credentials and verifies them against the database.

 

Control is then passed back to the SP, which listens on its interfaces for packets from the IdP.

 

Interface endpoint

The handler mentioned in the previous paragraph must handle HTTPS POST packets sent to the URL SP_API_BASE_URL/users. This may require reconfiguring the HTTP server that manages your web application/service.

Note: It is recommended to accept only packets that have a valid IdP certificate.
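
The scenario and the certificate note above can be sketched as a single handler. This is an added example, not the SDK's proxied_auth.php or any code from the project. The JSON body with "login" and "password" fields, the "accounts" table, the returned status codes and the SP_DB_DSN environment variable are all assumptions made for illustration.

```php
<?php
// Added illustration, not the SDK's proxied_auth.php. Assumptions: JSON body with
// "login"/"password" fields, an "accounts" table, and the HTTP status codes returned.
declare(strict_types=1);

function verify_credentials(PDO $db, string $rawBody, ?string $clientVerify): int
{
    // Accept only callers whose client certificate the web server validated
    // (Apache mod_ssl sets SSL_CLIENT_VERIFY when SSLOptions +StdEnvVars is on).
    if ($clientVerify !== 'SUCCESS') {
        return 403;
    }
    $data = json_decode($rawBody, true);
    if (!is_array($data) || !is_string($data['login'] ?? null)
        || !is_string($data['password'] ?? null)) {
        return 400;
    }
    // Parameterized query: the login value never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT password_hash FROM accounts WHERE login = ?');
    $stmt->execute([$data['login']]);
    $hash = $stmt->fetchColumn();
    // Unknown login: still run one hash check so both rejections cost about the same.
    static $dummy = null;
    $dummy ??= password_hash('placeholder', PASSWORD_DEFAULT);
    $ok = password_verify($data['password'], is_string($hash) ? $hash : $dummy);
    return ($ok && is_string($hash)) ? 200 : 401;
}

if (PHP_SAPI === 'cli') {
    // Constructed sample data so the handler logic can be exercised offline.
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE accounts (login TEXT PRIMARY KEY, password_hash TEXT)');
    $db->prepare('INSERT INTO accounts VALUES (?, ?)')
       ->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);
    $good = '{"login":"alice","password":"correct horse"}';
    var_dump(verify_credentials($db, $good, 'SUCCESS'));  // valid credentials
    var_dump(verify_credentials($db, $good, 'NONE'));     // no client certificate
    var_dump(verify_credentials($db, '{"login":"bob","password":"x"}', 'SUCCESS'));
} else {
    // Web entry point: the HTTP server must route POST SP_API_BASE_URL/users here.
    $db = new PDO((string) getenv('SP_DB_DSN')); // hypothetical environment variable
    http_response_code($_SERVER['REQUEST_METHOD'] === 'POST'
        ? verify_credentials($db, (string) file_get_contents('php://input'),
                             $_SERVER['SSL_CLIENT_VERIFY'] ?? null)
        : 405);
}
```

SSL_CLIENT_VERIFY only reports that the certificate chains to a CA the server trusts for client authentication, so that trust list should contain only the issuer of the IdP certificate.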

Source code

The source code that illustrates the interface implementation is stored in <APS-Identity-SDK-directory>/src/examples/auth/proxied_auth.php.

For the step-by-step commented source code of proxied_auth.php, refer to the Sample section.