Installing SimpleSAMLphp and using it as SP and IdP (for development env. only)
January 4, 2013 | 19 Comments
Overview
The goal of this walkthrough is to install SimpleSAMLphp twice in order to work on a SAML authentication between two systems.
We could have, on one side, an application using SimpleSAMLphp as SP and, on the other, an LDAP, AD, CAS, etc. plugged into a SimpleSAMLphp configured as an IdP. Everything below is for a development environment: the IdP is served over plain HTTP and authenticates against a list of test accounts, and neither belongs in production.
Installation of Simple SAML (1)
Download SimpleSAMLphp.
Untar the package in a folder of your application, for example /var/www/myapp/library/simplesaml
Edit your app's Virtual Host so that /simplesaml is served from the package's www/ directory, and only from there: config/ holds the admin password and the secret salt and cert/ holds the private key, so neither may be reachable through the web server.
Alias /simplesaml /var/www/myapp/library/simplesaml/www
<Directory "/var/www/myapp/library/simplesaml/www">
    # Apache 2.2 syntax; on Apache 2.4 replace these two lines with "Require all granted"
    Order deny,allow
    Allow from all
</Directory>
Restart Apache if necessary
Setting Up your SP
Edit SimpleSAMLphp's config file, config/config.php:
Set 'debug' to TRUE. With debug on, SimpleSAMLphp writes complete SAML messages, assertions included, to its log, which is what you want while developing and not anywhere else.
Set 'auth.adminpassword' to a password of your choice. The shipped value '123' protects the admin pages of every fresh installation, so it must be changed.
Set 'secretsalt' to a long random string (32 characters or more). SimpleSAMLphp refuses to run with the shipped 'defaultsecretsalt' value.
Define 'technicalcontact_name' and 'technicalcontact_email'.
Installation of Simple SAML (2)
Untar the SimpleSAMLphp package again, this time in another folder, for example /var/www/simplesaml
Choose a URL for your IdP, for example http://auth.saml.net, and add the host name to your hosts file
Create a virtual host for your IdP, it will look something like
<VirtualHost *:80>
    ServerAdmin <your_email>
    ServerName auth.saml.net
    AddDefaultCharset UTF-8
    # Serve only the www/ directory: config/ (admin password, secretsalt) and
    # cert/ (private key) must never be reachable through the web server.
    DocumentRoot /var/www/simplesaml/www
    Alias /simplesaml /var/www/simplesaml/www
    <Directory /var/www/simplesaml/www>
        # No "Indexes": directory listings are not needed here.
        Options FollowSymLinks MultiViews
        AllowOverride None
        # Apache 2.2 syntax; on Apache 2.4 replace these two lines with "Require all granted"
        Order deny,allow
        Allow from all
    </Directory>
</VirtualHost>
Setting Up your IdP
Again, begin by editing the SimpleSAMLphp config file of this second installation and repeat the steps listed above. This time, you must also set 'enable.saml20-idp' to true.
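Two of the settings just listed, 'auth.adminpassword' and 'secretsalt', ship with placeholder values that are easy to leave in place when the same edits are made twice. The script below is an added example, not code from the original post or from SimpleSAMLphp: gen_secretsalt produces a value for 'secretsalt', and lint_config reports settings still at the values shipped in config-templates/config.php and points out when 'debug' is on. The function names and the config snippets it is run on are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the original post or of SimpleSAMLphp itself:
# a checklist for the config/config.php edits described above.
# The config snippets this is tested against are constructed for the example.

# gen_secretsalt: 32 random bytes, base64-encoded, usable as 'secretsalt'.
gen_secretsalt() {
    openssl rand -base64 32
}

# php_value KEY FILE: the scalar value of  'KEY' => value,  in a SimpleSAMLphp
# config file, with surrounding single quotes removed (first match wins).
# Good enough for the flat key/value lines of config.php; not a PHP parser.
php_value() {
    sed -n "s/^[[:space:]]*'$1'[[:space:]]*=>[[:space:]]*'\{0,1\}\([^',]*\)'\{0,1\}[[:space:]]*,.*/\1/p" "$2" | head -n 1
}

# lint_config FILE: print one line per finding; return 1 if a shipped default
# (admin password or salt) is still in place, 0 otherwise.
lint_config() {
    cfg="$1"; problems=0
    pw=$(php_value auth.adminpassword "$cfg")
    if [ -z "$pw" ] || [ "$pw" = "123" ]; then
        echo "auth.adminpassword: still the shipped default ('123'); it unlocks the admin pages"
        problems=$((problems + 1))
    fi
    salt=$(php_value secretsalt "$cfg")
    if [ -z "$salt" ] || [ "$salt" = "defaultsecretsalt" ] || [ "${#salt}" -lt 32 ]; then
        echo "secretsalt: missing, the shipped default, or shorter than 32 characters; use gen_secretsalt output"
        problems=$((problems + 1))
    fi
    # Informational only: debug is wanted in this development setup, but it logs
    # full SAML messages, assertions included.
    case "$(php_value debug "$cfg" | tr 'A-Z' 'a-z')" in
        true|1) echo "debug: enabled; complete SAML messages go to the log, development only" ;;
    esac
    [ "$problems" -eq 0 ]
}

# Usage: sh config-lint.sh /var/www/simplesaml/config/config.php
if [ $# -eq 1 ]; then
    lint_config "$1" && echo "$1: no shipped defaults left"
fi
```

Run it against both installations' config.php after the edits; the SP and the IdP each need their own salt and admin password.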
Since all this is just for development and test purposes, I set up my IdP with exampleauth: the login and password are matched against a plain list of accounts defined in authsources.php, with the passwords stored in clear text in the configuration, so never use it outside a test environment. First, enable the exampleauth module by doing touch /var/www/simplesaml/modules/exampleauth/enable. Second, edit your authsources.php file (in the config directory) and create your users based on the following example:
…
'example-userpass' => array(
    'exampleauth:UserPass',
    // Each key is 'username:password'; the password is stored in clear text,
    // which is why exampleauth is for development and test only.
    'user1:pwd' => array(
        'uid' => array('user1'),
        'mail' => 'user1@test.com',
        'first_name' => 'User',
        'last_name' => 'One',
    ),
    'user2:pwd' => array(
        'uid' => array('user2'),
        'mail' => 'user2@test.com',
        'first_name' => 'User',
        'last_name' => 'Two',
    ),
),
…
Next, make sure that the content of metadata/saml20-idp-hosted.php is as follows. 'privatekey' and 'certificate' are file names relative to the cert/ directory; generate your own key pair there rather than using any sample certificate, since the IdP signs its assertions with this key and every SP holding the matching certificate in its metadata will trust them:
$metadata['__DYNAMIC:1__'] = array(
    /*
     * The hostname of the server (VHOST) that will use this SAML entity.
     *
     * Can be '__DEFAULT__', to use this entry by default.
     */
    'host' => '__DEFAULT__',

    /* X.509 key and certificate. Relative to the cert directory. */
    'privatekey' => 'server.pem',
    'certificate' => 'server.crt',

    /*
     * Authentication source to use. Must be one that is configured in
     * 'config/authsources.php'.
     */
    'auth' => 'example-userpass',

    /* Uncomment the following to use the uri NameFormat on attributes. */
    /*
    'attributes.NameFormat' => 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri',
    'authproc' => array(
        // Convert LDAP names to oids.
        100 => array('class' => 'core:AttributeMap', 'name2oid'),
    ),
    */
);
Connecting the dots
Now, let's connect the SP and the IdP together.
Browse to your IdP, for example auth.saml.net/simplesaml.
Log in using the admin password defined in your configuration.
Click on the Federation tab.
You should see a SAML 2.0 IdP Metadata line; click on [show metadata] below it and copy the metadata URL, which should look something like http://auth.saml.net/simplesaml/saml2/idp/metadata.php. For a '__DYNAMIC:1__' entry this URL is also the IdP's entity ID.
Back on the SP, edit config/authsources.php and add the declaration of your IdP based on this code sample:
…
'default-sp' => array(
    'saml:SP',
    // Entity ID of this SP. Leave it NULL and SimpleSAMLphp derives one from the
    // SP's own metadata URL; it must not be the IdP's URL.
    'entityID' => null,
    // Entity ID of the only IdP this SP will accept assertions from. It must be
    // the key of the entry pasted into metadata/saml20-idp-remote.php.
    'idp' => 'http://auth.saml.net/simplesaml/saml2/idp/metadata.php',
    // Not needed: the IdP's SSO endpoint comes from its metadata, and the comments
    // below report that this line breaks SimpleSAMLphp 1.14.1.
    // 'ssoPortalUrl' => 'http://auth.saml.net/simplesaml/saml2/idp/SSOService.php',
),
…
Back in your browser, copy the content of the “SimpleSAMLphp flat file format” box and paste it into the file metadata/saml20-idp-remote.php of your SP. This block carries the IdP's certificate, which is what the SP will use to verify the signatures on the IdP's assertions, so check that it is the one you generated in the IdP's cert/ directory.
Back in the browser, go to your application's SimpleSAMLphp setup, for example http://myapp.localhost.net/simplesaml. Log in using the admin password defined in the configuration file. Browse to the Federation tab and click on the [show metadata] link for default-sp.
Copy the content of the “SimpleSAMLphp flat file format” box and paste it into the IdP's metadata/saml20-sp-remote.php file.
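The metadata pasted into saml20-idp-remote.php carries the IdP's certificate, and that is what the SP verifies assertion signatures against, so it is worth confirming that it is the certificate in the IdP's cert/ directory and not something left over from a sample. The script below is an added example, not code from the original post or from SimpleSAMLphp: gen_idp_keypair creates the server.pem / server.crt pair that saml20-idp-hosted.php refers to (the command the comments below ask about), and verify_idp_cert compares the 'certData' (or, in older metadata, the 'certFingerprint') of a flat-file metadata entry with a certificate on disk. Function names, paths, the CN auth.saml.net and the sample metadata entry written by sample_idp_remote are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the original post or of SimpleSAMLphp itself.
# 1. gen_idp_keypair: the key pair saml20-idp-hosted.php refers to as
#    cert/server.pem and cert/server.crt.
# 2. verify_idp_cert: after pasting the IdP's flat-file metadata into the SP's
#    metadata/saml20-idp-remote.php, confirm that the certificate the SP will
#    verify signatures with is the one on the IdP's disk.

# gen_idp_keypair DIR [NAME]: self-signed certificate DIR/NAME.crt and
# unencrypted private key DIR/NAME.pem, valid for ten years.
gen_idp_keypair() {
    dir="$1"; name="${2:-server}"
    mkdir -p "$dir"
    # -nodes leaves the key unencrypted so SimpleSAMLphp can load it unattended;
    # compensate by keeping cert/ outside the web root and the key at mode 0600.
    openssl req -new -x509 -newkey rsa:2048 -nodes -days 3652 \
        -subj "/CN=auth.saml.net" \
        -keyout "$dir/$name.pem" -out "$dir/$name.crt" 2>/dev/null || return 1
    chmod 600 "$dir/$name.pem"
}

# cert_fingerprint ALGO FILE: fingerprint as lower-case hex without colons,
# the form in which SimpleSAMLphp compares 'certFingerprint' values.
cert_fingerprint() {
    openssl x509 -in "$2" -noout -fingerprint "-$1" \
        | sed -e 's/^.*=//' -e 's/://g' | tr 'A-F' 'a-f'
}

# cert_to_certdata FILE: the base64 body of a PEM certificate on one line,
# which is how the flat-file metadata format stores 'certData'.
cert_to_certdata() {
    sed -e '/^-----/d' "$1" | tr -d '\r\n'
}

# certdata_to_pem: the reverse, reading the one-line base64 from stdin.
certdata_to_pem() {
    echo '-----BEGIN CERTIFICATE-----'
    fold -w 64
    echo '-----END CERTIFICATE-----'
}

# flat_value KEY FILE: the value of  'KEY' => '...'  in a flat-file entry.
flat_value() {
    sed -n "s/.*'$1' *=> *'\([^']*\)'.*/\1/p" "$2" | head -n 1
}

# sample_idp_remote CRT: a constructed saml20-idp-remote.php entry of the kind
# the Federation tab prints, carrying CRT as certData (example input only).
sample_idp_remote() {
    cat <<EOF
<?php
\$metadata['http://auth.saml.net/simplesaml/saml2/idp/metadata.php'] = array(
    'SingleSignOnService' => 'http://auth.saml.net/simplesaml/saml2/idp/SSOService.php',
    'certData' => '$(cert_to_certdata "$1")',
);
EOF
}

# verify_idp_cert CRT METADATA: exit 0 only if the certificate the SP trusts
# (certData, or certFingerprint in older metadata) is CRT.
verify_idp_cert() {
    crt="$1"; meta="$2"
    certdata=$(flat_value certData "$meta")
    if [ -n "$certdata" ]; then
        pem=$(mktemp)
        printf '%s\n' "$certdata" | certdata_to_pem > "$pem"
        got=$(cert_fingerprint sha256 "$pem" 2>/dev/null)
        rm -f "$pem"
        [ -n "$got" ] && [ "$got" = "$(cert_fingerprint sha256 "$crt")" ]
        return $?
    fi
    fp=$(flat_value certFingerprint "$meta" | tr -d ':' | tr 'A-F' 'a-f')
    [ -n "$fp" ] && [ "$fp" = "$(cert_fingerprint sha1 "$crt")" ]
}

# Usage: sh idp-cert-check.sh /var/www/simplesaml/cert \
#            /path/to/sp/metadata/saml20-idp-remote.php
if [ $# -eq 2 ]; then
    [ -f "$1/server.crt" ] || gen_idp_keypair "$1" server
    if verify_idp_cert "$1/server.crt" "$2"; then
        echo "OK: the SP metadata trusts $1/server.crt"
    else
        echo "MISMATCH: the SP metadata does not carry $1/server.crt" >&2
        exit 1
    fi
fi
```

Run it on the IdP with its cert/ directory and a copy of the SP's saml20-idp-remote.php. A mismatch means the SP trusts a different signing key than the one the IdP uses, and the test login in the next section will fail when the SP validates the assertion signature.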
Test
That should be all for the setup. Now you can test it by browsing to the SimpleSAMLphp installation on the SP side, for example
http://myapp.localhost.net/simplesaml
Log in using the admin password defined in the configuration file and click on the Authentication tab. Click on the link “Test configured authentication sources” and pick default-sp in the list of authsources. This performs a test SAML authentication: you are redirected to the IdP, log in with one of the accounts declared in its authsources.php (user1 / pwd in the example above), and are sent back to the SP, which lists the attributes it received.
Congratulations !
If it failed, check the logs of both SimpleSAMLphp installations and try to get help on the SimpleSAMLphp mailing list.
Time to code
Now that everything works between the SP and the IdP, it is time to integrate the SAML authentication into your application. You can do so by adding code similar to this to your authentication process. The paths are those of the SP installation from this tutorial; setConfigDir must point at the directory that actually contains config.php, and the “Missing configuration file” error quoted in the comments below is what you get otherwise:
require_once('/var/www/myapp/library/simplesaml/lib/_autoload.php');
// Only needed when config.php is not in the installation's own config/ directory.
SimpleSAML_Configuration::setConfigDir('/var/www/myapp/library/simplesaml/config');
$selectedIdp = 'default-sp';  // the authsource name from config/authsources.php, not the IdP's entity ID
$authService = new SimpleSAML_Auth_Simple($selectedIdp);
$authService->requireAuth();  // redirects to the IdP unless the user is already authenticated
$attributes = $authService->getAttributes();  // attributes released by the IdP; values are arrays, e.g. $attributes['mail'][0]
That’s it !
Tagged with: idp, saml, simplesamlphp, sp, sso, web
Thank you, great tutorial!
By the way, did you ever try to manage auth of MediaWiki with SAML (and SimpleSAMLphp)?
I checked 3 different MW plugins, but never succeeded so far…
Sorry, I didn’t test with MediaWiki.
Hi,
This tutorial is really helpful for me to start with SAML.
Can you please provide me with the same sort of tutorial, if you have one, for the installation and configuration of SimpleSAMLphp (SP, IdP, integration) on a Windows 7 / IIS 7.5 server.
Thanks in advance!
Actually I've worked on this in a Windows environment as well, though it was to set up ADFS as an IdP. I have no tutorial at this time for the SP part. I'll try and write up the IdP setup part sometime though.
Thanks a lot mate!
I had huge trouble configuring SimpleSAML as SP and IdP.
Now it works perfectly. Good tutorial, had to check a few things more than once, but I guess that’s normal for someone starting with SimpleSAML 😉
Greets SoundHunter
Excellent tutorial, I will surely give it a try. I know it's simple, but it would be great if you could include the command to create the X.509 cert and key (I found this guide: http://www.microhowto.info/howto/create_a_self_signed_ssl_certificate.html)
I would like to ask what would you modify for a production setup (besides using exampleauth, of course…)
Thanks for sharing this information here.
For production you just need to not use the default certificates which come by default in simplesaml, but since you generated your own, you should be ready to go.
I'm getting this error trying to do your tutorial, man.
Parse error: syntax error, unexpected T_FUNCTION in C:\AppServ\www\ProveedorServicioSSO\lib\simplesaml\modules\core\lib\Auth\Process\GenerateGroups.php on line 139
Can you tell me what's going on? Thanks, BTW.
Great tutorial. Thanks for all the efforts.
Could you be more specific about how to test? Such as test admin and default-sp. As for default-sp, what username and what password should I enter if I follow your example exactly?
Thanks,
Gong
Sorry I do not understand the question. The user login and pass for the example auth are declared in authsources.php
The Admin password is set. But what is the username and password for log in with default-sp option?
Thanks.
OK, I see, the password is declared in the configuration file of simplesaml. Hope this helps
I have two machines connected by LAN. Using IPs, I have followed all your above steps and authenticated properly. Now how do I check that logging into one computer automatically logs me into the other, and I want to know how SSOService.php gets called from the SP to the IdP.
One more question: in the whole simplesaml lib, what would it affect if I redirect http://SSOService.php to https://SSOService.php?
What is the process of SSO in PHP?
Hi, thanks for putting a great tutorial together. In the final snippet to integrate SAML auth into my app, what should I put for $selectedIdp? ‘default-sp’? Also, I get an error:
Fatal error: Uncaught exception ‘Exception’ with message ‘Missing configuration file: simplesaml/config/saml/config.php’ in /var/www/sso_sp/simplesamlphp/lib/SimpleSAML/Configuration.php:103
Stack trace:
#0 /var/www/sso_sp/simplesamlphp/lib/SimpleSAML/Configuration.php(167): SimpleSAML_Configuration::loadFromFile(‘simplesaml/conf…’, true)
#1 /var/www/sso_sp/simplesamlphp/lib/SimpleSAML/Configuration.php(229): SimpleSAML_Configuration::getConfig()
#2 /var/www/sso_sp/simplesamlphp/lib/SimpleSAML/Session.php(226): SimpleSAML_Configuration::getInstance()
#3 /var/www/sso_sp/simplesamlphp/lib/SimpleSAML/Auth/Simple.php(72): SimpleSAML_Session::getSessionFromRequest()
#4 /var/www/sso_sp/auth.php(9): SimpleSAML_Auth_Simple->requireAuth()
#5 {main}
thrown in /var/www/sso_sp/simplesamlphp/lib/SimpleSAML/Configuration.php on line 103
Missing config file? Why?
Everything is very open with a precise description of the issues.
It was truly informative. Your website is very useful.
Thank you for sharing!
Wow, that's what I was seeking for, what information! Existing here at this webpage, thanks admin of this website.
Hi,
I like this tutorial, and if you can also provide the IdP-initiated login process, like the above example, it would be very helpful to me.
Thanks
Good afternoon Samantha,
Many thanks for this informative tutorial. It doesn't work for SimpleSAMLphp 1.14.1, but of all the SimpleSAMLphp tutorials on the web right now, it is the simplest and nearest to working 'out-of-the-box'.
As far as I can see, the only changes needed to make this work for v1.14.1 are to remove the line 'ssoPortalUrl' => 'http://auth.saml.net/simplesaml/saml2/idp/SSOService.php', from the SP file config/authsources.php, and to set the VirtualHost Directory entries to 'Require all granted' for both IdP and SP.
Apart from that everything works as expected.
Thank you.
Mark