

simpleSAMLphp

Presentation

simpleSAMLphp is an identity provider and service provider implementation written in PHP. It supports many protocols, such as CAS, OpenID and SAML.

This documentation explains how to interconnect LemonLDAP::NG and simpleSAMLphp using the SAML 2.0 protocol.

Pre-requisites

simpleSAMLphp

You need to install the software. If using Debian, just do:

apt-get install simplesamlphp

We suppose that configuration is done in /etc/simplesamlphp and that simpleSAMLphp is accessible at http://localhost/simplesamlphp.

To be able to sign SAML messages, you need to create a certificate. First set the directory where certificates are stored:

vi /etc/simplesamlphp/config.php
   'certdir' => '/etc/simplesamlphp/certs/',

Create the directory and generate the certificate:

mkdir /etc/simplesamlphp/certs/
cd /etc/simplesamlphp/certs/
openssl req -newkey rsa:2048 -new -x509 -days 3652 -nodes -out saml.crt -keyout saml.pem

Then associate this certificate with the default SP:

vi /etc/simplesamlphp/authsources.php
    'default-sp' => array(
        'saml:SP',
        // file names are resolved relative to 'certdir'
        'privatekey' => 'saml.pem',
        'certificate' => 'saml.crt',
        ...
    ),
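The certificate step above can be scripted and checked. The following is an added example (not code from the original page or from the simpleSAMLphp project): it runs the same openssl command non-interactively, keeps the private key readable by its owner only (the page's command leaves it unencrypted because of -nodes), and verifies that the key and certificate actually belong together before they are referenced from authsources.php. It assumes openssl is installed; the target directory and the subject are caller arguments, and the subject /CN=sp.example.com is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not part of the original page or of simpleSAMLphp.
# Assumptions: openssl is on PATH; DIR is passed by the caller
# (the page uses /etc/simplesamlphp/certs/); the default subject is a placeholder.

# make_saml_cert DIR [SUBJECT]
# Creates DIR/saml.pem (private key) and DIR/saml.crt (self-signed certificate)
# with the same parameters as the page's openssl command, but without prompts.
make_saml_cert() {
    dir="$1"
    subject="${2:-/CN=sp.example.com}"   # constructed placeholder subject
    mkdir -p "$dir" || return 1
    # umask 077 so the unencrypted key is never world-readable, not even briefly
    ( umask 077 && openssl req -newkey rsa:2048 -new -x509 -days 3652 -nodes \
        -subj "$subject" -out "$dir/saml.crt" -keyout "$dir/saml.pem" 2>/dev/null ) || return 1
    chmod 600 "$dir/saml.pem"   # private key: owner only
    chmod 644 "$dir/saml.crt"   # certificate is public, it goes into metadata anyway
    return 0
}

# check_saml_cert DIR
# Returns 0 only if the certificate and private key in DIR share the same RSA
# modulus (i.e. are a pair) and the certificate has not expired; prints the
# subject and expiry date so the operator can record when to rotate it.
check_saml_cert() {
    dir="$1"
    cert_mod=$(openssl x509 -noout -modulus -in "$dir/saml.crt" 2>/dev/null | openssl sha256)
    key_mod=$(openssl rsa -noout -modulus -in "$dir/saml.pem" 2>/dev/null | openssl sha256)
    if [ -z "$cert_mod" ] || [ "$cert_mod" != "$key_mod" ]; then
        echo "key/cert mismatch in $dir" >&2
        return 1
    fi
    if ! openssl x509 -noout -checkend 0 -in "$dir/saml.crt" >/dev/null 2>&1; then
        echo "certificate in $dir has expired" >&2
        return 1
    fi
    openssl x509 -noout -subject -enddate -in "$dir/saml.crt"
}

# Usage (as root, matching the page's layout):
#   make_saml_cert /etc/simplesamlphp/certs "/CN=sp.example.com" && check_saml_cert /etc/simplesamlphp/certs
```

Run check_saml_cert again whenever saml.pem or saml.crt is replaced: a mismatched pair is the usual cause of signature validation failures on the IdP side, and a certificate that has silently expired breaks logins without any change on the LL::NG side.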

LemonLDAP::NG

You need to configure the SAML service. Be sure to convert the public key into a certificate, as described in the security chapter, because simpleSAMLphp cannot use a bare public key.

simpleSAMLphp as Service Provider

We suppose you configured LemonLDAP::NG as SAML Identity Provider and want to use simpleSAMLphp as Service Provider.

In LL::NG Manager, create a new SP and load the simpleSAMLphp metadata through its URL (by default: http://localhost/simplesamlphp/module.php/saml/sp/metadata.php/default-sp):

Then set some attributes that will be sent to simpleSAMLphp:

Set Mandatory to On to force the attribute to be included in the authentication response.

You can also force all signatures:

On the simpleSAMLphp side, use the metadata converter (by default: http://localhost/simplesamlphp/admin/metadata-converter.php) to convert the LL::NG metadata (by default: http://auth.example.com/saml/metadata) into its internal PHP representation. Copy the saml20-idp-remote content:

vi /etc/simplesamlphp/metadata/saml20-idp-remote.php
<?php
$metadata['http://auth.example.com/saml/metadata'] = array (
  'entityid' => 'http://auth.example.com/saml/metadata',
...
   // Add this option to force SLO requests signature
   'sign.logout' => true,
);
?>
Don't forget the PHP start and end tags so that the file is valid PHP.

All is ready; you can now test the authentication (by default: http://localhost/simplesamlphp/module.php/core/authenticate.php). You should see something like this: