Differences

This shows you the differences between two versions of the page.

documentation:latest:applications:simplesamlphp [2016/06/20 15:45]
coudot
documentation:latest:applications:simplesamlphp [2016/07/19 12:10] (current)
Line 69: Line 69:
   '​entityid'​ => '​http://​auth.example.com/​saml/​metadata',​   '​entityid'​ => '​http://​auth.example.com/​saml/​metadata',​
 ... ...
 +   // Add this option to force SLO requests signature
 +   '​sign.logout'​ => true,
 ); );
 ?> ?>
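Review bot: The inline comment on the added `'sign.logout' => true` is the only explanation of the change; the prose around the SP config should also state which single-logout messages the option covers (requests only, or the responses this SP sends as well) and that the corresponding signature settings must be enabled on the LemonLDAP::NG IdP side, since a signed logout exchange only works when both ends agree on signing and verification.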
Line 76: Line 78:
  
 All is ready, you can now test the authentication (by default: http://​localhost/​simplesamlphp/​module.php/​core/​authenticate.php). You should see something like that: All is ready, you can now test the authentication (by default: http://​localhost/​simplesamlphp/​module.php/​core/​authenticate.php). You should see something like that:
- 
  
 {{ :​applications:​simplesamlphp_sp_authentication.png?​nolink |}} {{ :​applications:​simplesamlphp_sp_authentication.png?​nolink |}}
 +
 +===== simpleSAMLphp as Identity Provider =====
 +
 +We suppose you configured LemonLDAP::​NG as [[.:​..:​authsaml|SAML Service Provider]] and want to use simpleSAMLphp as Identity Provider.
 +
 +First, you need to activate IDP feature in simpleSAMLphp:​
 +<​code>​vi /​etc/​simplesamlphp/​config.php</​code>​
 +<file php>
 +    '​enable.saml20-idp'​ => true,
 +</​file>​
 +
 +And create a default IDP configuration:​
 +<​code>​vi /​etc/​simplesamlphp/​metadata/​saml20-idp-hosted.php</​code>​
 +<file php>
 +<?php
 +$metadata['​__DYNAMIC:​1__'​] = array(
 +    /*
 +     * The hostname for this IdP. This makes it possible to run multiple
 +     * IdPs from the same configuration. '​__DEFAULT__'​ means that this one
 +     * should be used by default.
 +     */
 +    '​host'​ => '​__DEFAULT__',​
 +
 +    /*
 +     * The private key and certificate to use when signing responses.
 +     * These are stored in the cert-directory.
 +     */
 +    '​privatekey'​ => '​saml.pem',​
 +    '​certificate'​ => '​saml.crt',​
 +
 +    /*
 +     * The authentication source which should be used to authenticate the
 +     * user. This must match one of the entries in config/​authsources.php.
 +     */
 +    '​auth'​ => '​admin',​
 +    // Sign SLO messages
 +    '​sign.logout'​ => true,
 +);
 +?>
 +</​file>​
 +
 +<note important>​You need to configure your own certificates and authentication scheme</​note>​
 +
 +Now in LL::NG Manager, create a new IDP and import metadata with URL (by default: http://​localhost/​simplesamlphp/​saml2/​idp/​metadata.php):​
 +
 +{{ :​applications:​simplesamlphp_idp_metadata.png?​nolink |}}
 +
 +List attributes you want to collect:
 +
 +{{ :​applications:​simplesamlphp_idp_attributes.png?​nolink |}}
 +
 +<note tip>You can keep ''​Mandatory''​ to ''​Off''​ to not fail if attribute is not sent by IDP</​note>​
 +
 +And activate all signatures:
 +
 +{{ :​applications:​simplesamlphp_idp_signature.png?​nolink |}}
 +
 +To finish, you need to declare LL::NG SP in simpleSAMLphp. Use the metadata converter (by default: http://​localhost/​simplesamlphp/​admin/​metadata-converter.php) to convert LL::NG metadata (by default: http://​auth.example.com/​saml/​metadata) into internal PHP representation. Copy the ''​saml20-sp-remote''​ content:
 +<​code>​vi /​etc/​simplesamlphp/​metadata/​saml20-sp-remote.php</​code>​
 +<file php>
 +<?php
 +$metadata['​http://​auth.example.com/​saml/​metadata'​] = array (
 +  '​entityid'​ => '​http://​auth.example.com/​saml/​metadata',​
 +...
 +);
 +?>
 +</​file>​
 +
 +<note tip>​Don'​t forget PHP start and end tag to have a valid PHP file.</​note>​
 +
 +All is ready, you can now test the authentication from LL::NG portal.
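Review bot: The `saml20-sp-remote` entry is shown elided (`...`) and the step "activate all signatures" is done only in the LL::NG Manager, so nothing in this section tells the reader which options in the converted metadata must be kept or set for the simpleSAMLphp IdP to actually verify the signatures LL::NG now sends; without that sentence a reader can paste the converter output as-is and the signature step on the LL::NG side is not enforced by the IdP. The `<note important>` would also read better if it pointed at `'auth' => 'admin'` and `'saml.pem'`/`'saml.crt'` as the placeholder values being replaced.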