simpleSAMLphp

Presentation

simpleSAMLphp is an identity/service provider written in PHP. It supports many protocols, including CAS, OpenID and SAML.

This documentation explains how to interconnect LemonLDAP::NG and simpleSAMLphp using the SAML 2.0 protocol.

Pre-requisites

simpleSAMLphp

You need to install the software. If using Debian, just do:

apt-get install simplesamlphp

We suppose that configuration is done in /etc/simplesamlphp and that simpleSAMLphp is accessible at http://localhost/simplesamlphp.

To be able to sign SAML messages, you need to create a certificate. First set where certificates are stored:

vi /etc/simplesamlphp/config.php
   'certdir' => '/etc/simplesamlphp/certs/',

Create the directory and generate the certificate:

mkdir /etc/simplesamlphp/certs/
cd /etc/simplesamlphp/certs/
openssl req -newkey rsa:2048 -new -x509 -days 3652 -nodes -out saml.crt -keyout saml.pem

Then associate this certificate with the default SP:

vi /etc/simplesamlphp/authsources.php
    'default-sp' => array(
        'saml:SP',
        'privatekey' => 'saml.pem',
        'certificate' => 'saml.crt',
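As an added example (not a snippet from the LemonLDAP::NG documentation or from simpleSAMLphp), here is a complete default-sp entry for /etc/simplesamlphp/authsources.php that pins the SP to the LL::NG IdP and signs and validates every SAML message, which is the simpleSAMLphp counterpart of forcing all signatures in the LL::NG Manager. The key and certificate file names and the idp value are assumptions taken from this page; the option names are simpleSAMLphp's own.

```php
<?php
// Added example: a default-sp authentication source that signs what it sends
// and requires signatures on what it receives. File names and the entity ID
// are the values assumed elsewhere on this page.
$config = array(

    // Default admin source kept from the stock authsources.php; the IdP
    // section of this page uses it as 'auth' => 'admin'.
    'admin' => array(
        'core:AdminPassword',
    ),

    'default-sp' => array(
        'saml:SP',

        // Key pair generated with openssl above, resolved relative to 'certdir'.
        'privatekey'  => 'saml.pem',
        'certificate' => 'saml.crt',

        // Only accept assertions from this IdP (its entity ID must match the
        // key used in saml20-idp-remote.php). Left unset, the user may pick
        // any IdP listed in that file.
        'idp' => 'http://auth.example.com/saml/metadata',

        // Sign outgoing messages: AuthnRequest and logout request/response.
        'sign.authnrequest' => true,
        'sign.logout'       => true,
        'redirect.sign'     => true,

        // Require a valid signature on incoming logout messages; an unsigned
        // LogoutRequest could otherwise terminate sessions on request.
        'validate.logout'   => true,
        'redirect.validate' => true,
    ),
);
```

With the defaults (all of these options are FALSE in simpleSAMLphp), only the authentication response itself is signed by the IdP; the explicit options are what make the "force all signatures" setting on the LL::NG side actually enforced on both ends.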

LemonLDAP::NG

You need to configure the SAML service. Be sure to convert the public key into a certificate, as described in the security chapter, because simpleSAMLphp cannot use a bare public key.

simpleSAMLphp as Service Provider

We suppose you configured LemonLDAP::NG as SAML Identity Provider and want to use simpleSAMLphp as Service Provider.

In LL::NG Manager, create a new SP and load the simpleSAMLphp metadata through its URL (by default: http://localhost/simplesamlphp/module.php/saml/sp/metadata.php/default-sp):

Then set some attributes that will be sent to simpleSAMLphp:

Set Mandatory to On to require these attributes in the authentication response.

You can also force all signatures:

On the simpleSAMLphp side, use the metadata converter (by default: http://localhost/simplesamlphp/admin/metadata-converter.php) to convert the LL::NG metadata (by default: http://auth.example.com/saml/metadata) into its internal PHP representation. Copy the saml20-idp-remote content:

vi /etc/simplesamlphp/metadata/saml20-idp-remote.php
<?php
$metadata['http://auth.example.com/saml/metadata'] = array (
  'entityid' => 'http://auth.example.com/saml/metadata',
...
   // Add this option to force SLO requests signature
   'sign.logout' => true,
);
?>
Don't forget the PHP start and end tags, so that the file is valid PHP.

All is ready; you can now test the authentication (by default: http://localhost/simplesamlphp/module.php/core/authenticate.php). You should see something like this:

simpleSAMLphp as Identity Provider

We suppose you configured LemonLDAP::NG as SAML Service Provider and want to use simpleSAMLphp as Identity Provider.

First, you need to activate the IdP feature in simpleSAMLphp:

vi /etc/simplesamlphp/config.php
    'enable.saml20-idp' => true,

Then create a default IdP configuration:

vi /etc/simplesamlphp/metadata/saml20-idp-hosted.php
<?php
$metadata['__DYNAMIC:1__'] = array(
    /*
     * The hostname for this IdP. This makes it possible to run multiple
     * IdPs from the same configuration. '__DEFAULT__' means that this one
     * should be used by default.
     */
    'host' => '__DEFAULT__',
 
    /*
     * The private key and certificate to use when signing responses.
     * These are stored in the cert-directory.
     */
    'privatekey' => 'saml.pem',
    'certificate' => 'saml.crt',
 
    /*
     * The authentication source which should be used to authenticate the
     * user. This must match one of the entries in config/authsources.php.
     */
    'auth' => 'admin',
    // Sign SLO messages
    'sign.logout' => true,
);
?>
You need to configure your own certificates and authentication scheme.

Now in LL::NG Manager, create a new IdP and import its metadata from the URL (by default: http://localhost/simplesamlphp/saml2/idp/metadata.php):

List attributes you want to collect:

You can keep Mandatory set to Off so that authentication does not fail if an attribute is not sent by the IdP.

And activate all signatures:

To finish, you need to declare the LL::NG SP in simpleSAMLphp. Use the metadata converter (by default: http://localhost/simplesamlphp/admin/metadata-converter.php) to convert the LL::NG metadata (by default: http://auth.example.com/saml/metadata) into its internal PHP representation. Copy the saml20-sp-remote content:

vi /etc/simplesamlphp/metadata/saml20-sp-remote.php
<?php
$metadata['http://auth.example.com/saml/metadata'] = array (
  'entityid' => 'http://auth.example.com/saml/metadata',
...
);
?>
Don't forget the PHP start and end tags, so that the file is valid PHP.
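Both metadata conversions on this page (saml20-idp-remote above and saml20-sp-remote here) are done by hand with the web converter. As an added example, which is neither LL::NG nor simpleSAMLphp code, the script below does the same job offline for either role: it reads LL::NG metadata, extracts the entity ID, endpoints and signing certificate into the saml20-*-remote array, sets the signature options this page enables, and rejects metadata that advertises only a bare public key (the case the security chapter tells you to fix by exporting a certificate). The sample metadata, its endpoint paths and the certificate value are constructed placeholders.

```php
<?php
// Added example: offline stand-in for the simpleSAMLphp metadata converter
// with a check for the bare-public-key case. Sample data is constructed.
const NS_MD = 'urn:oasis:names:tc:SAML:2.0:metadata';
const NS_DS = 'http://www.w3.org/2000/09/xmldsig#';

// Collect Binding/Location(/index) triples of one endpoint type.
function endpoints(DOMXPath $xp, DOMElement $role, string $name): array
{
    $list = array();
    foreach ($xp->query($name, $role) as $node) {
        $entry = array(
            'Binding'  => $node->getAttribute('Binding'),
            'Location' => $node->getAttribute('Location'),
        );
        if ($node->hasAttribute('index')) {
            $entry['index'] = (int) $node->getAttribute('index');
        }
        $list[] = $entry;
    }
    return $list;
}

function convertMetadata(string $xml): array
{
    $doc = new DOMDocument();
    // LIBXML_NONET: never fetch external resources while parsing metadata.
    if ($doc->loadXML($xml, LIBXML_NONET) === false) {
        throw new RuntimeException('metadata is not well-formed XML');
    }
    $xp = new DOMXPath($doc);
    $xp->registerNamespace('md', NS_MD);
    $xp->registerNamespace('ds', NS_DS);

    $entity = $xp->query('/md:EntityDescriptor')->item(0);
    if (!$entity instanceof DOMElement) {
        throw new RuntimeException('no md:EntityDescriptor at document root');
    }
    $entityId = $entity->getAttribute('entityID');

    $role = $xp->query('md:IDPSSODescriptor | md:SPSSODescriptor', $entity)->item(0);
    if (!$role instanceof DOMElement) {
        throw new RuntimeException("$entityId has neither an IdP nor an SP role");
    }
    $isIdp = ($role->localName === 'IDPSSODescriptor');

    // simpleSAMLphp verifies signatures against a certificate (certData or a
    // file in certdir); a bare ds:KeyValue cannot be used, hence the caveat
    // in the LemonLDAP::NG pre-requisites.
    $certs = $xp->query(
        'md:KeyDescriptor[not(@use) or @use="signing"]/ds:KeyInfo/ds:X509Data/ds:X509Certificate',
        $role
    );
    if ($certs->length === 0) {
        $bare = $xp->query('md:KeyDescriptor/ds:KeyInfo/ds:KeyValue', $role)->length;
        throw new RuntimeException($entityId . ($bare > 0
            ? ' publishes only a bare public key: convert it to a certificate in LL::NG'
            : ' publishes no signing key'));
    }
    $certData = preg_replace('/\s+/', '', $certs->item(0)->textContent);

    $out = array('entityid' => $entityId, 'certData' => $certData);
    if ($isIdp) {
        $out['SingleSignOnService'] = endpoints($xp, $role, 'md:SingleSignOnService');
    } else {
        $out['AssertionConsumerService'] = endpoints($xp, $role, 'md:AssertionConsumerService');
    }
    $out['SingleLogoutService'] = endpoints($xp, $role, 'md:SingleLogoutService');
    // Sign and validate every message, as this page does with 'sign.logout'.
    $out['redirect.sign']     = true;
    $out['redirect.validate'] = true;
    $out['sign.logout']       = true;
    $out['validate.logout']   = true;
    return $out;
}

// Render the array as a saml20-*-remote.php file (with PHP start tag).
function toRemoteFile(array $entry): string
{
    return "<?php\n\$metadata[" . var_export($entry['entityid'], true) . '] = '
        . var_export($entry, true) . ";\n";
}

// Constructed IdP metadata in the shape LL::NG serves; placeholder certificate.
$idpMetadata = <<<'XML'
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="http://auth.example.com/saml/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIB-PLACEHOLDER-CERTIFICATE-BASE64==</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://auth.example.com/saml/singleLogout"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://auth.example.com/saml/singleSignOn"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
XML;

// Same entity advertising only a raw RSA key instead of a certificate: rejected.
$bareKeyMetadata = preg_replace('#<ds:X509Data>.*?</ds:X509Data>#s',
    '<ds:KeyValue><ds:RSAKeyValue><ds:Modulus>AQAB</ds:Modulus>'
    . '<ds:Exponent>AQAB</ds:Exponent></ds:RSAKeyValue></ds:KeyValue>', $idpMetadata);

echo toRemoteFile(convertMetadata($idpMetadata));
try {
    convertMetadata($bareKeyMetadata);
} catch (RuntimeException $e) {
    echo 'rejected: ' . $e->getMessage() . "\n";
}
```

Run it with the PHP CLI and redirect the output to the matching saml20-idp-remote.php or saml20-sp-remote.php; the array shape (entityid, certData, Binding/Location endpoint lists) is the one the web converter produces, so the result can be pasted into the same files as above.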

All is ready, you can now test the authentication from LL::NG portal.