simpleSAMLphp

image0

Presentation

simpleSAMLphp is an identity/service provider written in PHP. It supports many protocols, including CAS, OpenID and SAML.

This documentation explains how to interconnect LemonLDAP::NG and simpleSAMLphp using the SAML 2.0 protocol.

Pre-requisites

simpleSAMLphp

You need to install the software. If using Debian, just run:

apt install simplesamlphp

We assume that the configuration lives in /etc/simplesamlphp and that simpleSAMLphp is reachable at http://localhost/simplesamlphp.

To be able to sign SAML messages, you need to create a certificate. First set where certificates are stored:

vi /etc/simplesamlphp/config.php
'certdir' => '/etc/simplesamlphp/certs/',

Create the directory and generate the certificate. The resulting saml.pem is the signing key: restrict its read access to the account running simpleSAMLphp.

mkdir /etc/simplesamlphp/certs/
cd /etc/simplesamlphp/certs/
openssl req -newkey rsa:2048 -new -x509 -days 3652 -nodes -out saml.crt -keyout saml.pem

Then associate this certificate with the default SP:

vi /etc/simplesamlphp/authsources.php
'default-sp' => array(
    'saml:SP',
    'privatekey' => 'saml.pem',
    'certificate' => 'saml.crt',
    // keep the other default-sp options of the packaged file unchanged
),

LemonLDAP::NG

You need to configure the SAML service. Be sure to convert the public key into a certificate, as described in the security chapter, because simpleSAMLphp cannot use a bare public key.

simpleSAMLphp as Service Provider

We assume you have configured LemonLDAP::NG as a SAML Identity Provider and want to use simpleSAMLphp as a Service Provider.

In LL::NG Manager, create a new SP and load the simpleSAMLphp metadata from its URL (by default: http://localhost/simplesamlphp/module.php/saml/sp/metadata.php/default-sp):

image1

Then declare the attributes that will be sent to simpleSAMLphp:

image2

Tip

Set Mandatory to On to force the attribute to be included in the authentication response.

You can also force all signatures:

image3

On the simpleSAMLphp side, use the metadata converter (by default: http://localhost/simplesamlphp/admin/metadata-converter.php) to convert the LL::NG metadata (by default: http://auth.example.com/saml/metadata) into simpleSAMLphp's internal PHP representation. The certificate carried in this metadata is what simpleSAMLphp will trust when validating LL::NG signatures, so check that it matches the one configured in LL::NG. Copy the saml20-idp-remote content into:

vi /etc/simplesamlphp/metadata/saml20-idp-remote.php
<?php
$metadata['http://auth.example.com/saml/metadata'] = array (
  'entityid' => 'http://auth.example.com/saml/metadata',
...
   // Add this option to force the signing of SLO requests
   'sign.logout' => true,
);
?>

Tip

Don’t forget the PHP start and end tags so that the file is valid PHP.

Everything is ready; you can now test authentication (by default: http://localhost/simplesamlphp/module.php/core/authenticate.php). You should see something like this:

image4

simpleSAMLphp as Identity Provider

We assume you have configured LemonLDAP::NG as a SAML Service Provider and want to use simpleSAMLphp as an Identity Provider.

First, enable the IDP feature in simpleSAMLphp:

vi /etc/simplesamlphp/config.php
'enable.saml20-idp' => true,

Then create the default IDP configuration:

vi /etc/simplesamlphp/metadata/saml20-idp-hosted.php
<?php
$metadata['__DYNAMIC:1__'] = array(
    /*
     * The hostname for this IdP. This makes it possible to run multiple
     * IdPs from the same configuration. '__DEFAULT__' means that this one
     * should be used by default.
     */
    'host' => '__DEFAULT__',

    /*
     * The private key and certificate to use when signing responses.
     * These are stored in the cert-directory.
     */
    'privatekey' => 'saml.pem',
    'certificate' => 'saml.crt',

    /*
     * The authentication source which should be used to authenticate the
     * user. This must match one of the entries in config/authsources.php.
     */
    'auth' => 'admin',
    // Sign SLO messages
    'sign.logout' => true,
);
?>

Attention

You need to configure your own certificates and authentication scheme.

Now in LL::NG Manager, create a new IDP and import its metadata from the URL (by default: http://localhost/simplesamlphp/saml2/idp/metadata.php):

image5

List the attributes you want to collect:

image6

Tip

You can keep Mandatory set to Off so that authentication does not fail when the IDP does not send the attribute.

Then activate all signatures:

image7

To finish, you need to declare the LL::NG SP in simpleSAMLphp. Use the metadata converter (by default: http://localhost/simplesamlphp/admin/metadata-converter.php) to convert the LL::NG metadata (by default: http://auth.example.com/saml/metadata) into simpleSAMLphp's internal PHP representation. Copy the saml20-sp-remote content into:

vi /etc/simplesamlphp/metadata/saml20-sp-remote.php
<?php
$metadata['http://auth.example.com/saml/metadata'] = array (
  'entityid' => 'http://auth.example.com/saml/metadata',
...
);
?>

Tip

Don’t forget the PHP start and end tags so that the file is valid PHP.
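What the metadata converter step produces, for both setups described on this page (simpleSAMLphp as SP, where the LL::NG IDP metadata becomes saml20-idp-remote, and simpleSAMLphp as IDP, where the LL::NG SP metadata becomes saml20-sp-remote), as an added example that is not code from LemonLDAP::NG or simpleSAMLphp: a stand-alone Python script that parses one SAML 2.0 EntityDescriptor, extracts its endpoints and X.509 certificates, refuses metadata that carries no signing certificate, and prints the PHP array with 'sign.logout' => true already set. The two XML documents are constructed samples, with a placeholder base64 string standing in for a real certificate; the key names used (entityid, metadata-set, SingleSignOnService, AssertionConsumerService, keys, ...) are the ones simpleSAMLphp reads from remote metadata, but the real converter emits more than is reproduced here.

```python
"""Offline equivalent of simpleSAMLphp's metadata converter for one entity.
Added example, not LemonLDAP::NG or simpleSAMLphp code: reads an EntityDescriptor,
picks the IDP or SP role and renders the array for saml20-idp-remote.php or
saml20-sp-remote.php. Metadata without a signing certificate is refused.
"""
import re
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Role element -> (simpleSAMLphp metadata set, endpoint elements copied as-is).
ROLES = {
    "IDPSSODescriptor": ("saml20-idp-remote", ["SingleSignOnService", "SingleLogoutService"]),
    "SPSSODescriptor": ("saml20-sp-remote", ["AssertionConsumerService", "SingleLogoutService"]),
}

# Constructed samples, not real LL::NG output; the base64 is a placeholder, not a certificate.
CERT_PLACEHOLDER = "Q09OU1RSVUNURUQ="
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://auth.example.com/saml/metadata">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
   Location="http://auth.example.com/saml/singleLogout"/>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
   Location="http://auth.example.com/saml/singleSignOn"/>
 </md:IDPSSODescriptor>
</md:EntityDescriptor>""" % CERT_PLACEHOLDER
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://auth.example.com/saml/metadata">
 <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"
  AuthnRequestsSigned="true" WantAssertionsSigned="true">
  <md:KeyDescriptor><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
   Location="http://auth.example.com/saml/singleLogout"/>
  <md:AssertionConsumerService index="0" isDefault="true"
   Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://auth.example.com/saml/acs"/>
 </md:SPSSODescriptor>
</md:EntityDescriptor>""" % CERT_PLACEHOLDER


def parse_entity(xml_text, sign_logout=True):
    """Return the simpleSAMLphp remote-metadata entry for one EntityDescriptor as a dict."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("expected an md:EntityDescriptor")
    for tag, (metadata_set, endpoint_names) in ROLES.items():
        role = root.find("md:" + tag, NS)
        if role is not None:
            break
    else:
        raise ValueError("no IDPSSODescriptor or SPSSODescriptor in metadata")
    entry = {"entityid": root.get("entityID"), "metadata-set": metadata_set}
    for name in endpoint_names:
        entry[name] = []
        for el in role.findall("md:" + name, NS):
            ep = {"Binding": el.get("Binding"), "Location": el.get("Location")}
            if el.get("index") is not None:  # AssertionConsumerService endpoints are indexed
                ep["index"] = int(el.get("index"))
            entry[name].append(ep)
    keys = []
    for kd in role.findall("md:KeyDescriptor", NS):
        use = kd.get("use")  # no 'use' attribute means the key serves both purposes
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            keys.append({"encryption": use in (None, "encryption"),
                         "signing": use in (None, "signing"),
                         "type": "X509Certificate",
                         "X509Certificate": re.sub(r"\s+", "", cert.text or "")})
    if not any(k["signing"] for k in keys):
        raise ValueError("no signing certificate: simpleSAMLphp could not verify any signature")
    entry["keys"] = keys
    entry["sign.logout"] = sign_logout  # the option this page tells you to add by hand
    return entry


def to_php(value, indent=1):
    """Render a dict/list/str/bool/int as PHP source in the array () style of this page."""
    pad = "  " * indent
    if isinstance(value, bool):
        return "true" if value else "false"
    if isinstance(value, int):
        return str(value)
    if isinstance(value, str):
        return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"
    if isinstance(value, list):
        items = ["%s%d => %s," % (pad, i, to_php(v, indent + 1)) for i, v in enumerate(value)]
    else:
        items = ["%s%s => %s," % (pad, to_php(k), to_php(v, indent + 1)) for k, v in value.items()]
    return "array (\n" + "\n".join(items) + "\n" + "  " * (indent - 1) + ")"


def render_remote_file(entry):
    """Complete file body, with the start and end tags the tips above insist on."""
    return "<?php\n$metadata[%s] = %s;\n?>\n" % (to_php(entry["entityid"]), to_php(entry))


if __name__ == "__main__":
    print(render_remote_file(parse_entity(SAMPLE_IDP_METADATA)))
```

Feed it real metadata by replacing the sample string with the XML fetched from the LL::NG metadata URL and redirect the output into the matching file under /etc/simplesamlphp/metadata/. The refusal of metadata without a signing certificate is the check worth keeping whichever way you import: the certificate written into this file is the only thing simpleSAMLphp will trust when it validates LL::NG's signed responses and logout requests.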

Everything is ready; you can now test authentication from the LL::NG portal.