documentation:latest:applications:simplesamlphp [2016/06/21 10:54]
coudot [simpleSAMLphp as Service Provider]
documentation:latest:applications:simplesamlphp [2016/07/19 12:10]
====== simpleSAMLphp ======

{{ :applications:simplesamlphp_logo.png?nolink |}}

===== Presentation =====

[[https://simplesamlphp.org/|simpleSAMLphp]] is an identity provider and service provider implementation written in PHP. It supports several protocols, including SAML 2.0, CAS and OpenID.

This documentation explains how to interconnect LemonLDAP::NG and simpleSAMLphp using the SAML 2.0 protocol.
- 
===== Pre-requisites =====

==== simpleSAMLphp ====

You need to [[https://simplesamlphp.org/docs/stable/simplesamlphp-install|install the software]]. On Debian, just run:
<code>apt-get install simplesamlphp</code>

We assume that the configuration lives in ''/etc/simplesamlphp'' and that simpleSAMLphp is reachable at http://localhost/simplesamlphp.

To sign SAML messages, simpleSAMLphp needs a private key and a matching X.509 certificate. First set where certificates are stored:
<code>vi /etc/simplesamlphp/config.php</code>
<file php>
   'certdir' => '/etc/simplesamlphp/certs/',
</file>
- 
Create the directory and generate a self-signed certificate with a 2048-bit RSA key, valid for ten years. ''-nodes'' writes the private key unencrypted, so make sure the directory is readable only by the web server user:
<code>
mkdir /etc/simplesamlphp/certs/
cd /etc/simplesamlphp/certs/
openssl req -newkey rsa:2048 -new -x509 -days 3652 -nodes -out saml.crt -keyout saml.pem
</code>

Then associate this key and certificate with the default SP:
<code>vi /etc/simplesamlphp/authsources.php</code>
<file php>
    'default-sp' => array(
        'saml:SP',
        'privatekey' => 'saml.pem',
        'certificate' => 'saml.crt',
        // other default-sp options unchanged
    ),
</file>
- 
==== LemonLDAP::NG ====

You need to configure the [[.:..:samlservice|SAML Service]]. Be sure to convert the public key into an X.509 certificate, as described in the [[.:..:samlservice#security_parameters|security chapter]]: simpleSAMLphp only accepts certificates in its metadata and cannot use a bare public key.
- 
===== simpleSAMLphp as Service Provider =====

We suppose you configured LemonLDAP::NG as [[.:..:idpsaml|SAML Identity Provider]] and want to use simpleSAMLphp as Service Provider.

In the LL::NG Manager, create a new SP and load the simpleSAMLphp metadata through its URL (by default: http://localhost/simplesamlphp/module.php/saml/sp/metadata.php/default-sp). This metadata carries the SP's signing certificate (''saml.crt''), so when the URL is plain HTTP, compare the loaded certificate with the file you generated before saving:

{{ :applications:simplesamlphp_sp_metadata.png?nolink |}}

Then set the attributes that will be sent to simpleSAMLphp:

{{ :applications:simplesamlphp_sp_attributes.png?nolink |}}

<note tip>Set ''Mandatory'' to ''On'' to force the attribute to be present in the authentication response.</note>

You can also force the signature of all SAML messages exchanged with this SP:

{{ :applications:simplesamlphp_sp_signature.png?nolink |}}

On the simpleSAMLphp side, use the metadata converter (by default: http://localhost/simplesamlphp/admin/metadata-converter.php) to convert the LL::NG metadata (by default: http://auth.example.com/saml/metadata) into simpleSAMLphp's internal PHP representation. The certificate in this output is what simpleSAMLphp will trust to validate the IdP's signatures, so check it against the certificate configured on the LL::NG side. Copy the ''saml20-idp-remote'' part of the output:
<code>vi /etc/simplesamlphp/metadata/saml20-idp-remote.php</code>
<file php>
<?php
$metadata['http://auth.example.com/saml/metadata'] = array (
  'entityid' => 'http://auth.example.com/saml/metadata',
...
   // Add this option to make simpleSAMLphp sign the logout messages it sends to this IdP
   'sign.logout' => true,
);
?>
</file>

<note tip>Don't forget the PHP start and end tags, so that the file is valid PHP.</note>
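The converter above performs this mapping in the browser. As an added example (not part of this page, of LemonLDAP::NG or of simpleSAMLphp), the Python script below does the same mapping offline with the standard library only, so you can see which metadata elements end up in which ''saml20-idp-remote'' options and check the certificate before pasting it: it requires a single ''md:EntityDescriptor'' carrying an ''IDPSSODescriptor'', copies each ''SingleSignOnService'' and ''SingleLogoutService'' endpoint, requires every ''X509Certificate'' value to be strict base64 of a DER SEQUENCE (a PEM block pasted with its header lines is rejected; the certificate itself is not parsed), and adds the ''sign.logout'' option the page asks you to add by hand. The sample metadata, its endpoint paths and the truncated certificate bytes are constructed for the example; the function names are the example's own.

```python
"""Offline stand-in for simpleSAMLphp's metadata converter, IdP side only."""
import base64
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample, shaped like the metadata LL::NG serves at
# http://auth.example.com/saml/metadata; the endpoint paths and the
# (truncated) certificate body are invented for this example.
SAMPLE_IDP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="http://auth.example.com/saml/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        MIIBszCCAV0=
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://auth.example.com/saml/singleLogout"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://auth.example.com/saml/singleSignOn"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://auth.example.com/saml/singleSignOn"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def _endpoints(descriptor, tag):
    """All <md:tag> endpoints in document order, as Binding/Location pairs."""
    return [{"Binding": e.get("Binding"), "Location": e.get("Location")}
            for e in descriptor.findall("md:" + tag, NS)]


def _keys(descriptor):
    """X509Certificate values from each KeyDescriptor, checked to be DER."""
    keys = []
    for kd in descriptor.findall("md:KeyDescriptor", NS):
        use = kd.get("use")  # no 'use' attribute means signing and encryption
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            b64 = "".join(cert.text.split())
            # validate=True raises (a ValueError subclass) on PEM header lines
            der = base64.b64decode(b64, validate=True)
            if not der or der[0] != 0x30:  # a DER Certificate is a SEQUENCE
                raise ValueError("X509Certificate is not a DER structure")
            keys.append({
                "encryption": use in (None, "encryption"),
                "signing": use in (None, "signing"),
                "type": "X509Certificate",
                "X509Certificate": b64,
            })
    return keys


def convert_idp_metadata(xml_text, sign_logout=True):
    """Map IdP metadata to the array behind $metadata['<entityid>']."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("expected a single md:EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this entity is not an IdP")
    entry = {
        "entityid": root.get("entityID"),
        "SingleSignOnService": _endpoints(idp, "SingleSignOnService"),
        "SingleLogoutService": _endpoints(idp, "SingleLogoutService"),
        "keys": _keys(idp),
    }
    if sign_logout:  # the option the page tells you to add by hand
        entry["sign.logout"] = True
    return entry


def _php(value, indent=2):
    """Render a str/bool/list/dict as a PHP array() literal."""
    if isinstance(value, bool):
        return "true" if value else "false"
    if isinstance(value, str):
        return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"
    pad = " " * indent
    if isinstance(value, dict):
        items = [pad + _php(k) + " => " + _php(v, indent + 2) + "," for k, v in value.items()]
    elif isinstance(value, list):
        items = [pad + _php(v, indent + 2) + "," for v in value]
    else:
        raise TypeError("unsupported type: %r" % type(value))
    return "array (\n" + "\n".join(items) + "\n" + " " * (indent - 2) + ")"


def render_idp_remote(entry):
    """Complete contents of metadata/saml20-idp-remote.php for one IdP."""
    return "<?php\n$metadata[%s] = %s;\n?>\n" % (_php(entry["entityid"]), _php(entry))


if __name__ == "__main__":
    print(render_idp_remote(convert_idp_metadata(SAMPLE_IDP_METADATA)))
```

Run it directly to print a complete ''saml20-idp-remote.php'' for the sample; the ''array ('' layout is close to what the converter page produces, so the two can be compared side by side before the file is installed.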
- 
All is ready, you can now test the authentication (by default: http://localhost/simplesamlphp/module.php/core/authenticate.php). You should see something like this:

{{ :applications:simplesamlphp_sp_authentication.png?nolink |}}