Installing SimpleSAMLphp and using it as SP and IdP (for development env. only)


Overview

The goal of this walkthrough is to install SimpleSAMLphp twice in order to work on a SAML authentication between two systems.

For example, we could have an application on one side using SimpleSAMLphp as SP, and an LDAP, AD, CAS, etc. backend plugged into a second SimpleSAMLphp configured as an IdP.

Installation of Simple SAML (1)

Download SimpleSAMLphp.

Untar the package in a folder of your application, for example /var/www/myapp/library/simplesaml

Edit your app’s Virtual Host so that /simplesaml is accessible (adjust the path to wherever you untarred the package):

    Alias /simplesaml /Users/samo/Workspace/simplesamlphp/www
    <Directory "/Users/samo/Workspace/simplesamlphp/www">
        Order deny,allow
        Allow from all
    </Directory>

Restart Apache if necessary.

Setting Up your SP

Edit SimpleSAML’s config file in config/config.php. Set ‘debug’ to ‘TRUE’. Set an admin password, ‘auth.adminpassword’, to the password of your choice. Set the ‘secretsalt’. Define ‘technicalcontact_name’ and ‘technicalcontact_email’.

Installation of Simple SAML (2)

Untar the package again, this time in another folder, for example /var/www/simplesaml.

Choose a URL for your IdP, for example http://auth.saml.net, and add this hostname to your hosts file.

Create a virtual host for your IdP; it will look something like this:

    <VirtualHost *:80>
        ServerAdmin <your_email>
        ServerName  auth.saml.net
        AddDefaultCharset UTF-8
        DocumentRoot /var/www/simplesaml
        Alias /simplesaml /var/www/simplesaml/www
        <Directory /var/www/simplesaml/www>
            Options Indexes FollowSymLinks MultiViews
            AllowOverride None
            Order deny,allow
            Allow from all
        </Directory>
    </VirtualHost>

Setting Up your IdP

Again, begin by editing the SimpleSAML config file and repeat the steps listed above. This time, you must also set ‘enable.saml20-idp’ to ‘true’.

Since all this is just for development and test purposes, I set up my IdP with an exampleauth source. The login / password will be matched against a plain list of accounts defined in the authsources.php file. First, you need to enable the exampleauth module by running touch /var/www/simplesaml/modules/exampleauth/enable. Second, edit your authsources.php file (in the config directory) and create your users based on the following example:

    // Goes inside the $config array of config/authsources.php.
    // Each account key has the form 'username:password'.
    'example-userpass' => array(
        'exampleauth:UserPass',
        'user1:pwd' => array(
            'uid' => array('user1'),
            'mail' => 'user1@test.com',
            'first_name' => 'User',
            'last_name' => 'One'
        ),
        'user2:pwd' => array(
            'uid' => array('user2'),
            'mail' => 'user2@test.com',
            'first_name' => 'User',
            'last_name' => 'Two'
        )
    ),

Next, make sure that the content of metadata/saml20-idp-hosted.php is:

    $metadata['__DYNAMIC:1__'] = array(
        /*
         * The hostname of the server (VHOST) that will use this SAML entity.
         *
         * Can be '__DEFAULT__', to use this entry by default.
         */
        'host' => '__DEFAULT__',

        /* X.509 key and certificate. Relative to the cert directory. */
        'privatekey' => 'server.pem',
        'certificate' => 'server.crt',

        /*
         * Authentication source to use. Must be one that is configured in
         * 'config/authsources.php'.
         */
        'auth' => 'example-userpass',

        /* Uncomment the following to use the uri NameFormat on attributes. */
        /*
        'attributes.NameFormat' => 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri',
        'authproc' => array(
            // Convert LDAP names to oids.
            100 => array('class' => 'core:AttributeMap', 'name2oid'),
        ),
        */
    );
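The hosted-IdP metadata above refers to 'server.pem' and 'server.crt' in the IdP's cert directory, but the post does not show where they come from. The following is an added shell example (not part of the original post) that generates that self-signed signing pair, checks that key and certificate belong together, and prints the certificate's SHA-256 fingerprint, which you can compare against the certData that later gets pasted into the SP's metadata/saml20-idp-remote.php. It assumes the IdP directory /var/www/simplesaml and the hostname auth.saml.net used in this walkthrough.

```shell
#!/bin/sh
# Added example: create and verify the IdP signing key/certificate that
# saml20-idp-hosted.php references as 'server.pem' / 'server.crt'.

# make_idp_cert DIR [CN]  -> writes DIR/server.pem (private key) and DIR/server.crt
make_idp_cert() {
    dir=$1
    cn=${2:-auth.saml.net}
    mkdir -p "$dir" || return 1
    # -nodes: unencrypted key, because SimpleSAMLphp reads it without a passphrase
    # (set 'privatekey_pass' in saml20-idp-hosted.php if you protect it with one).
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=$cn" \
        -keyout "$dir/server.pem" -out "$dir/server.crt" 2>/dev/null || return 1
    # Only the web server user needs the private key; the certificate is public.
    chmod 600 "$dir/server.pem" || return 1
    chmod 644 "$dir/server.crt" || return 1
}

# cert_matches_key DIR  -> 0 when server.crt was issued for the key in server.pem
cert_matches_key() {
    dir=$1
    c=$(openssl x509 -in "$dir/server.crt" -noout -modulus) || return 1
    k=$(openssl rsa  -in "$dir/server.pem" -noout -modulus) || return 1
    [ "$c" = "$k" ]
}

# cert_fingerprint DIR  -> SHA-256 fingerprint of server.crt (AA:BB:...)
# Compare it with the fingerprint of the certData copied into the SP's
# metadata/saml20-idp-remote.php to be sure the SP trusts the right IdP key.
cert_fingerprint() {
    openssl x509 -in "$1/server.crt" -noout -fingerprint -sha256 | cut -d= -f2
}

# Stand-alone use: sh thisscript.sh run
if [ "${1:-}" = "run" ]; then
    certdir=/var/www/simplesaml/cert
    make_idp_cert "$certdir" auth.saml.net \
        && cert_matches_key "$certdir" \
        && echo "IdP signing certificate SHA-256: $(cert_fingerprint "$certdir")"
fi
```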

Connecting the dots

Now, let’s connect SP and IdP together. Browse to your IdP, for example: http://auth.saml.net/simplesaml. Log in using the admin password defined in your configuration and click on the Federation tab. You should see a SAML 2.0 IdP Metadata line; click on [show metadata] below it and copy the metadata URL, which should look something like http://auth.saml.net/simplesaml/saml2/idp/metadata.php

Back on the SP, edit the file config/authsources.php and add the declaration of your IdP based on this code sample:

    'default-sp' => array(
        'saml:SP',
        'entityID'     => 'http://auth.saml.net',
        'idp'          => 'http://auth.saml.net/simplesaml/saml2/idp/metadata.php',
        'ssoPortalUrl' => 'http://auth.saml.net/simplesaml/saml2/idp/SSOService.php',
    ),

Back in your browser, copy the content of the “SimpleSAMLphp flat file format” box and paste it into the file metadata/saml20-idp-remote.php of your SP.

Back in the browser, go to your application’s SimpleSAML setup, for example http://myapp.localhost.net/simplesaml. Log in using the password defined in the configuration file. Browse to the Federation tab and click on the [show metadata] link for your default-sp.

Copy the content of the “SimpleSAMLphp flat file format” box and paste it into the IdP’s metadata/saml20-sp-remote.php file.

Test

That should be all for the setup. Now you can test it by browsing to the SP side’s SimpleSAML, for example:

http://myapp.localhost.net/simplesaml

Log in using the admin password defined in the configuration file and click on the Authentication tab. Click on the link “Test configured authentication sources” and then on your IdP declaration in the list of authsources. This will perform a test SAML authentication.

Congratulations!

If it fails, check the logs of both SimpleSAMLphp installations and try to get help on the SimpleSAMLphp mailing list.

Time to code

Now that everything works between the SP and the IdP, it is time to integrate the SAML auth into your application. You can do so by adding code similar to this to your authentication process:

    require_once('/lib/simplesamlphp/lib/_autoload.php'); // adjust both paths to your install
    SimpleSAML_Configuration::setConfigDir('/lib/simplesaml/config/saml');
    $selectedIdp = 'default-sp'; // the SP authsource declared in config/authsources.php
    $authService = new SimpleSAML_Auth_Simple($selectedIdp);
    $authService->requireAuth(); // redirects to the IdP when there is no session yet
    $attributes = $authService->getAttributes(); // uid, mail, first_name, last_name, ...

About albertoarceti
IT systems and ERP administrator in the pharmaceutical industry.
