documentation:2.1:applications:simplesamlphp [2016/07/19 12:10] (current)
====== simpleSAMLphp ======

{{ :applications:simplesamlphp_logo.png?nolink |}}

===== Presentation =====

[[https://simplesamlphp.org/|simpleSAMLphp]] is an identity and service provider implementation written in PHP. It supports several protocols, including CAS, OpenID and SAML.

This documentation explains how to interconnect LemonLDAP::NG and simpleSAMLphp using the SAML 2.0 protocol, in both directions: simpleSAMLphp as Service Provider (LL::NG as Identity Provider) and simpleSAMLphp as Identity Provider (LL::NG as Service Provider).

===== Pre-requisites =====

==== simpleSAMLphp ====

You need to [[https://simplesamlphp.org/docs/stable/simplesamlphp-install|install the software]]. On Debian, just do:
<code>apt-get install simplesamlphp</code>

This documentation assumes that the configuration lives in ''/etc/simplesamlphp'' and that simpleSAMLphp is reachable at http://localhost/simplesamlphp. In production, serve simpleSAMLphp over HTTPS and use its real hostname wherever ''localhost'' appears below.

To be able to sign SAML messages, simpleSAMLphp needs a private key and a matching X.509 certificate. First set where certificates are stored:
<code>vi /etc/simplesamlphp/config.php</code>
<file php>
   'certdir' => '/etc/simplesamlphp/certs/',
</file>

Create the directory and generate a 2048-bit RSA key with a self-signed certificate valid for ten years:
<code>
mkdir /etc/simplesamlphp/certs/
cd /etc/simplesamlphp/certs/
openssl req -newkey rsa:2048 -new -x509 -days 3652 -nodes -out saml.crt -keyout saml.pem
</code>

<note important>''-nodes'' writes the private key unencrypted. Make ''saml.pem'' readable only by the web server user (for example ''chmod 600 saml.pem'' and ''chown www-data saml.pem'' on Debian): anyone who can read it can sign messages, and when simpleSAMLphp is the IdP also assertions, in simpleSAMLphp's name.</note>

Then associate this key pair with the default SP:
<code>vi /etc/simplesamlphp/authsources.php</code>
<file php>
    'default-sp' => array(
        'saml:SP',
        'privatekey' => 'saml.pem',
        'certificate' => 'saml.crt',
        // other default-sp options are unchanged
    ),
</file>

==== LemonLDAP::NG ====

You need to configure the [[.:..:samlservice|SAML Service]]. Be sure to convert the LL::NG public key into a certificate, as described in the [[.:..:samlservice#security_parameters|security chapter]], because simpleSAMLphp cannot use a bare public key: its remote metadata expects an X.509 certificate.
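The two key-material steps above (the simpleSAMLphp key pair in the previous section, and the certificate LL::NG needs here) can be scripted and checked. The following is an added example, not part of the LemonLDAP::NG documentation or of either project: it generates the simpleSAMLphp key pair non-interactively and locks down the private key, issues a self-signed certificate from an existing LL::NG private key, and verifies that a certificate and a private key actually belong together by comparing their RSA modulus. The directory layout, file names and subject names are assumptions for illustration.

```shell
# Added example: key-pair generation and checks for the simpleSAMLphp / LL::NG
# SAML setup. Not from the LL::NG documentation; paths and subjects are assumed.

# Generate a 2048-bit RSA key and self-signed certificate in $1, as the page
# does, but with -subj so it runs unattended. -nodes leaves the key unencrypted,
# so the file mode is restricted to the owner right after creation.
gen_saml_keypair() {
    dir="$1"
    mkdir -p "$dir"
    openssl req -newkey rsa:2048 -new -x509 -days 3652 -nodes \
        -subj "/CN=simplesamlphp.example.com" \
        -out "$dir/saml.crt" -keyout "$dir/saml.pem" 2>/dev/null || return 1
    chmod 600 "$dir/saml.pem"
    chmod 644 "$dir/saml.crt"
}

# LL::NG holds a private/public key pair; simpleSAMLphp needs an X.509
# certificate, so wrap the existing private key in a self-signed certificate.
# $1: private key file, $2: output certificate file.
cert_from_private_key() {
    openssl req -new -x509 -days 3652 -key "$1" \
        -subj "/CN=auth.example.com" -out "$2" 2>/dev/null
}

# Check that a certificate and a private key belong together by comparing the
# RSA modulus of each. $1: certificate (PEM), $2: private key (PEM).
# Returns 0 on match, 1 otherwise (including unreadable or non-RSA input).
keypair_matches() {
    cmod=$(openssl x509 -in "$1" -noout -modulus 2>/dev/null) || return 1
    kmod=$(openssl rsa -in "$2" -noout -modulus 2>/dev/null) || return 1
    [ -n "$cmod" ] && [ "$cmod" = "$kmod" ]
}

# Return 0 only if the private key file $1 is readable by its owner alone
# (mode exactly 600).
key_is_private() {
    [ -n "$(find "$1" -perm 600 -print 2>/dev/null)" ]
}

# Usage (assumed paths):
#   gen_saml_keypair /etc/simplesamlphp/certs
#   keypair_matches /etc/simplesamlphp/certs/saml.crt /etc/simplesamlphp/certs/saml.pem && echo "saml.crt matches saml.pem"
#   cert_from_private_key /var/lib/lemonldap-ng/conf/saml.key /tmp/llng.crt
```

Run ''keypair_matches'' again after any certificate renewal: a stale ''saml.crt'' next to a regenerated ''saml.pem'' is a common reason for signature validation failures on the other side.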

===== simpleSAMLphp as Service Provider =====

We suppose you configured LemonLDAP::NG as [[.:..:idpsaml|SAML Identity Provider]] and want to use simpleSAMLphp as Service Provider.

In LL::NG Manager, create a new SP and load the simpleSAMLphp metadata through its URL (by default: http://localhost/simplesamlphp/module.php/saml/sp/metadata.php/default-sp). The URL is fetched by the LL::NG Manager, so it must be reachable from there; if simpleSAMLphp runs on another host, use its real hostname instead of ''localhost'':

{{ :applications:simplesamlphp_sp_metadata.png?nolink |}}

Then set the attributes that will be sent to simpleSAMLphp:

{{ :applications:simplesamlphp_sp_attributes.png?nolink |}}

<note tip>Set ''Mandatory'' to ''On'' to force attributes in the authentication response: if a mandatory attribute is missing for the user, LL::NG fails the request instead of sending an incomplete response.</note>

You can also require every SAML message to be signed (recommended, so that unsigned or tampered messages are rejected instead of processed):

{{ :applications:simplesamlphp_sp_signature.png?nolink |}}

On the simpleSAMLphp side, use the metadata converter (by default: http://localhost/simplesamlphp/admin/metadata-converter.php) to convert the LL::NG metadata (by default: http://auth.example.com/saml/metadata) into simpleSAMLphp's internal PHP representation. Copy the ''saml20-idp-remote'' part of the output into the remote IdP metadata file:
<code>vi /etc/simplesamlphp/metadata/saml20-idp-remote.php</code>
<file php>
<?php
$metadata['http://auth.example.com/saml/metadata'] = array (
  'entityid' => 'http://auth.example.com/saml/metadata',
...
   // Add this option to force SLO requests signature
   'sign.logout' => true,
);
?>
</file>

<note tip>Don't forget the PHP start and end tags, so that the file is valid PHP.</note>

<note important>The converted metadata contains the LL::NG signing certificate, which becomes the trust anchor for every assertion this SP accepts. Fetch the metadata over HTTPS, or compare the embedded certificate with the one you configured on the LL::NG side, before pasting it in.</note>

All is ready, you can now test the authentication (by default: http://localhost/simplesamlphp/module.php/core/authenticate.php). You should see something like this:

{{ :applications:simplesamlphp_sp_authentication.png?nolink |}}

===== simpleSAMLphp as Identity Provider =====

We suppose you configured LemonLDAP::NG as [[.:..:authsaml|SAML Service Provider]] and want to use simpleSAMLphp as Identity Provider.

First, you need to enable the IdP feature in simpleSAMLphp:
<code>vi /etc/simplesamlphp/config.php</code>
<file php>
    'enable.saml20-idp' => true,
</file>

And create a default IdP configuration:
<code>vi /etc/simplesamlphp/metadata/saml20-idp-hosted.php</code>
<file php>
<?php
$metadata['__DYNAMIC:1__'] = array(
    /*
     * The hostname for this IdP. This makes it possible to run multiple
     * IdPs from the same configuration. '__DEFAULT__' means that this one
     * should be used by default.
     */
    'host' => '__DEFAULT__',

    /*
     * The private key and certificate to use when signing responses.
     * These are stored in the cert-directory.
     */
    'privatekey' => 'saml.pem',
    'certificate' => 'saml.crt',

    /*
     * The authentication source which should be used to authenticate the
     * user. This must match one of the entries in config/authsources.php.
     */
    'auth' => 'admin',
    // Sign SLO messages
    'sign.logout' => true,
);
?>
</file>

<note important>You need to configure your own certificates and authentication scheme. The ''admin'' authentication source above only authenticates with the simpleSAMLphp admin password and is meant for testing; point ''auth'' to a real authentication source (LDAP, SQL, ...) before exposing this IdP to users.</note>

Now in LL::NG Manager, create a new IdP and import its metadata with the URL (by default: http://localhost/simplesamlphp/saml2/idp/metadata.php):

{{ :applications:simplesamlphp_idp_metadata.png?nolink |}}

List the attributes you want to collect:

{{ :applications:simplesamlphp_idp_attributes.png?nolink |}}

<note tip>You can keep ''Mandatory'' set to ''Off'' so that authentication does not fail when an attribute is not sent by the IdP.</note>

And require all signatures:

{{ :applications:simplesamlphp_idp_signature.png?nolink |}}

To finish, you need to declare the LL::NG SP in simpleSAMLphp. Use the metadata converter (by default: http://localhost/simplesamlphp/admin/metadata-converter.php) to convert the LL::NG metadata (by default: http://auth.example.com/saml/metadata) into simpleSAMLphp's internal PHP representation. Copy the ''saml20-sp-remote'' part of the output into the remote SP metadata file:
<code>vi /etc/simplesamlphp/metadata/saml20-sp-remote.php</code>
<file php>
<?php
$metadata['http://auth.example.com/saml/metadata'] = array (
  'entityid' => 'http://auth.example.com/saml/metadata',
...
);
?>
</file>

<note tip>Don't forget the PHP start and end tags, so that the file is valid PHP.</note>
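In both converter steps (the ''saml20-idp-remote'' entry in the Service Provider section and the ''saml20-sp-remote'' entry above), the pasted metadata carries the other party's signing certificate and becomes a trust anchor. The following is an added example, not part of the LemonLDAP::NG documentation or of simpleSAMLphp: it extracts the certificate embedded in a SAML 2.0 metadata document and compares its SHA-256 fingerprint with an expected value, so that a wrong or tampered metadata file is caught before it is converted and pasted in. The metadata document, entity ID and file paths in it are constructed for the demonstration.

```shell
# Added example: pin the signing certificate found in SAML metadata before
# trusting it. Not from the LL::NG documentation; sample data is constructed.

# Pull one <ds:X509Certificate> (or <X509Certificate>) body out of metadata
# file $1 and write it as a PEM certificate to $2. All whitespace inside the
# element is dropped. If the document carries several certificates, the last
# one is taken; extend the check to each of them for real deployments.
metadata_extract_cert() {
    b64=$(tr -d '\n\r\t ' < "$1" \
        | sed -n 's/.*<\(ds:\)\{0,1\}X509Certificate>\([^<]*\)<.*/\2/p')
    [ -n "$b64" ] || return 1
    {
        echo "-----BEGIN CERTIFICATE-----"
        echo "$b64" | fold -w 64
        echo "-----END CERTIFICATE-----"
    } > "$2"
}

# SHA-256 fingerprint of PEM certificate $1, printed as AB:CD:...; empty if
# the file is not a parseable certificate.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | sed 's/^.*=//'
}

# Return 0 only if the certificate embedded in metadata $1 has fingerprint $2
# (the value you obtained out of band, e.g. from the other party's admin).
metadata_cert_pinned() {
    tmpcert=$(mktemp)
    metadata_extract_cert "$1" "$tmpcert" || { rm -f "$tmpcert"; return 1; }
    fp=$(cert_fingerprint "$tmpcert")
    rm -f "$tmpcert"
    [ -n "$fp" ] && [ "$fp" = "$2" ]
}

# Build a constructed, minimal SAML 2.0 EntityDescriptor that embeds PEM
# certificate $1 as signing key for entity ID $2, written to $3. This stands in
# for a document fetched from http://auth.example.com/saml/metadata (assumed).
make_sample_metadata() {
    b64=$(sed '/-----/d' "$1" | tr -d '\n')
    cat > "$3" <<EOF
<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="$2">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
$b64
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
EOF
}

# Usage (assumed paths): fetch the metadata, then pin before converting.
#   curl -sS -o /tmp/llng-metadata.xml https://auth.example.com/saml/metadata
#   metadata_cert_pinned /tmp/llng-metadata.xml "$(cert_fingerprint /path/to/expected.crt)" \
#       && echo "metadata certificate matches, safe to convert"
```

The same check applies in the other direction: run it on the simpleSAMLphp metadata (''saml/sp/metadata.php/default-sp'' or ''saml2/idp/metadata.php'') against ''saml.crt'' from the certs directory before importing it into the LL::NG Manager.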

Because LL::NG is configured to sign every message, you can also add ''validate.authnrequest'' => true and ''sign.logout'' => true to this entry, so that simpleSAMLphp rejects unsigned authentication requests claiming to come from LL::NG and signs its own logout messages to it.

All is ready, you can now test the authentication from the LL::NG portal.