SimpleSAMLphp Installation (Debian Etch)
This is an installation guide for configuring SimpleSAMLphp for use with the EDIT federation. For full details, see the original SimpleSAMLphp installation page.
Basic Installation
SimpleSAMLphp requires the following prerequisites:
- PHP version 5.2 or higher
- Webserver running PHP
Debian Etch includes a suitable PHP version (>=5.2), so just install PHP and the Apache web server:
apt-get install php5 apache2
Download the current version from http://code.google.com/p/simplesamlphp/ and unzip it (default location for v1.4: /var/simplesamlphp):
wget http://simplesamlphp.googlecode.com/files/simplesamlphp_1_4.zip
unzip simplesamlphp_1_4.zip -d /var
ln -s /var/simplesamlphp_1.4 /var/simplesamlphp
or
mv /var/simplesamlphp_1.4 /var/simplesamlphp
Change to the simplesamlphp directory and copy the configuration and metadata template files to the config directory:
cp -r config-templates/*.php config/
cp -r metadata-templates/*.php metadata/
Don't forget to set the access rights so that the web server has access to the directory:
chown -R root:www-data /var/simplesamlphp
So, that's all for the basic installation.
Configuration
Apache Configuration
You must make SimpleSAMLphp accessible via the web server. With Apache2, you can add an Alias to your virtual host configuration (/etc/apache2/sites-available):
Alias /simplesaml /var/simplesamlphp/www
Basic SimpleSAMLphp configuration
The main configuration file is located at /var/simplesamlphp/config/config.php. Check at least the following options and adapt them to your installation where necessary:
'baseurlpath' => 'simplesaml/',
'secretsalt' => 'randombytesinsertedhere',
'technicalcontact_name' => 'Administrator',
'technicalcontact_email' => 'admin@edit.org',
The baseurlpath must be equal to the path given as alias in the Apache configuration.
The secretsalt should be unique and can be generated with the following command:
tr -c -d '0123456789abcdefghijklmnopqrstuvwxyz' </dev/urandom | dd bs=32 count=1 2>/dev/null;echo
Finally, check your installation by browsing to its URL (e.g. https://sp.e-taxonomy.eu/simplesaml/). You should see the SimpleSAMLphp installation page.
Configure SimpleSAMLphp as SAML 2.0 Service Provider
First, edit /var/simplesamlphp/config/config.php and check that the option enable.saml20-sp is set to true:
'enable.saml20-sp' => true,
Next, we need to set up the metadata of our SP instance and the authenticating IdP instance.
Configure Service Provider metadata
Edit /var/simplesamlphp/metadata/saml20-sp-hosted.php:
'https://sp.e-taxonomy.eu/simplesaml' => array(
    'host' => 'sp.e-taxonomy.eu',
    'privatekey' => 'sp.e-taxonomy.eu-key.pem',
    'certificate' => 'sp.e-taxonomy.eu-cert.pem',
    'privatekey_pass' => 'secret'
)
The array key declares the entityId of this service provider. With Shibboleth, it is common practice to use the base URL of the service provider, but it may be any other URI. This is a federation-wide identifier, which serves here as the index into the metadata array.
- host
- privatekey
- privatekey_pass
- certificate
Note: by default, SimpleSAMLphp expects all key and certificate files to be in the /var/simplesamlphp/cert directory. You must copy these files to this directory, or create symbolic links there pointing to the location of these files, e.g.
ln -s /etc/ssl/private/sp.e-taxonomy.eu-key.pem /var/simplesamlphp/cert/
Also check the access rights of these files so that the web server can read them.
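Two of the steps above are easy to get wrong silently: leaving secretsalt at the placeholder value shown in the config excerpt, and copying the private key into the cert directory with permissions that let every local user read it. The following audit script is an added example written for this guide, not code from the original page or from the SimpleSAMLphp project. It assumes the 1.4-era layout the guide uses (config/config.php with a 'secretsalt' => '...' entry and a cert/ directory); the function names, the placeholder-salt list and the build_demo_install helper, which writes a constructed throwaway install tree, are all this example's own.

```python
"""Audit a SimpleSAMLphp SP install directory for the problems the guide warns about.

Added example; not code from the original guide or from the SimpleSAMLphp project.
Assumes the 1.4-era layout the guide uses: <root>/config/config.php containing
'secretsalt' => '...', and <root>/cert/ holding the SP private key and certificate.
"""
import os
import re
import stat
import tempfile

# Placeholder salts: the value shown in the guide's config excerpt and the template default.
TEMPLATE_SALTS = {"randombytesinsertedhere", "defaultsecretsalt"}
MIN_SALT_LEN = 32  # the guide's tr|dd command emits exactly 32 characters


def read_config_option(config_php, key):
    """Return the string value of  'key' => '...'  from config.php text, or None."""
    pattern = r"['\"]" + re.escape(key) + r"['\"]\s*=>\s*['\"]([^'\"]*)['\"]"
    match = re.search(pattern, config_php)
    return match.group(1) if match else None


def check_secretsalt(config_php):
    """Flag a missing, placeholder, or short secretsalt."""
    salt = read_config_option(config_php, "secretsalt")
    if salt is None:
        return ["secretsalt: not set"]
    if salt in TEMPLATE_SALTS:
        return ["secretsalt: still the template placeholder, generate a random one"]
    if len(salt) < MIN_SALT_LEN:
        return [f"secretsalt: only {len(salt)} characters, expected at least {MIN_SALT_LEN}"]
    return []


def check_cert_dir(cert_dir, key_file, cert_file):
    """Flag missing or unreadable key/cert files and a world-readable private key."""
    problems = []
    for name, is_private in ((key_file, True), (cert_file, False)):
        path = os.path.join(cert_dir, name)
        if not os.path.exists(path):  # follows symlinks, so a dangling ln -s is caught too
            problems.append(f"{name}: missing from {cert_dir}")
            continue
        if not os.access(path, os.R_OK):
            problems.append(f"{name}: not readable by this user")
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if is_private and mode & stat.S_IROTH:
            problems.append(f"{name}: private key is world-readable (mode {mode:o})")
    return problems


def audit_sp_install(root, key_file, cert_file):
    """Run all checks against an install root; returns a list of problem strings (empty = ok)."""
    problems = []
    config_path = os.path.join(root, "config", "config.php")
    try:
        with open(config_path, encoding="utf-8") as fh:
            problems += check_secretsalt(fh.read())
    except FileNotFoundError:
        problems.append("config/config.php missing: copy config-templates/*.php to config/")
    problems += check_cert_dir(os.path.join(root, "cert"), key_file, cert_file)
    return problems


def build_demo_install(salt, key_mode):
    """Create a throwaway install tree (constructed test data, not a real install) and return its root."""
    root = tempfile.mkdtemp(prefix="simplesaml-demo-")
    os.makedirs(os.path.join(root, "config"))
    os.makedirs(os.path.join(root, "cert"))
    with open(os.path.join(root, "config", "config.php"), "w", encoding="utf-8") as fh:
        fh.write("<?php\n$config = array(\n    'baseurlpath' => 'simplesaml/',\n"
                 f"    'secretsalt' => '{salt}',\n);\n")
    key_path = os.path.join(root, "cert", "sp.example.org-key.pem")
    with open(key_path, "w", encoding="utf-8") as fh:
        fh.write("-- constructed placeholder, not a real key --\n")
    os.chmod(key_path, key_mode)
    with open(os.path.join(root, "cert", "sp.example.org-cert.pem"), "w", encoding="utf-8") as fh:
        fh.write("-- constructed placeholder, not a real certificate --\n")
    return root


if __name__ == "__main__":
    demo_root = build_demo_install("randombytesinsertedhere", 0o644)
    for problem in audit_sp_install(demo_root, "sp.example.org-key.pem", "sp.example.org-cert.pem"):
        print("PROBLEM:", problem)
```

Run it against a real install as audit_sp_install('/var/simplesamlphp', 'sp.e-taxonomy.eu-key.pem', 'sp.e-taxonomy.eu-cert.pem'); an empty list means the salt has been replaced and the key is present, readable, and not world-readable. The chown -R root:www-data step from the basic installation covers ownership, but this check catches a key that was copied with the wrong mode bits afterwards.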
Configure Identity Provider metadata
Please edit /var/simplesamlphp/metadata/saml20-idp-remote.php. The following is the correct metadata for the EDIT Identity Provider:
$metadata['https://idp.e-taxonomy.eu:443/opensso'] = array(
    'name' => 'EDIT OpenSSO IdP',
    'description' => 'Here you can login with your account on EDIT IdP.',
    'SingleSignOnService' => 'https://idp.e-taxonomy.eu:443/opensso/SSORedirect/metaAlias/idp',
    'SingleLogoutService' => 'https://idp.e-taxonomy.eu:443/opensso/IDPSloRedirect/metaAlias/idp',
    'certFingerprint' => '2E:EF:0A:57:22:B5:E0:45:2D:AF:C3:83:24:84:A2:CA:53:B3:13:4B'
);
The array key declares the entityId of the EDIT Identity Provider. Use this value to select the EDIT IdP for authentication.
- name
- description
- SingleSignOnService
- SingleLogoutService
- certFingerprint
openssl x509 -fingerprint -sha1 -in /etc/ssl/certs/idp.e-taxonomy.eu-cert.pem | grep SHA1
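The certFingerprint value is what the SP uses to decide which certificate it trusts for the IdP's signatures: it is the SHA-1 digest over the DER-encoded certificate, the same value the openssl command above prints. The script below, an added example rather than code from the guide or from SimpleSAMLphp, recomputes that digest with the Python standard library so a configured fingerprint can be compared against the certificate file actually obtained from the IdP before the metadata goes live. The DEMO_DER bytes are a constructed stand-in (they are not a real certificate; only the decoded bytes are hashed), and the function names are this example's own.

```python
"""Check a configured certFingerprint against an IdP certificate (PEM).

Added example, not from the guide or from SimpleSAMLphp. certFingerprint is the
SHA-1 over the DER-encoded certificate, which is what
`openssl x509 -fingerprint -sha1` prints; this reproduces it with the stdlib only.
"""
import base64
import hashlib
import re


def pem_to_der(pem):
    """Extract the first CERTIFICATE block from PEM text and base64-decode it."""
    match = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not match:
        raise ValueError("no CERTIFICATE block found in PEM input")
    return base64.b64decode("".join(match.group(1).split()))


def sha1_fingerprint(der):
    """Colon-separated upper-case hex, the form openssl prints and the guide's metadata uses."""
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_fingerprint(fp):
    """Accept 'AB:CD', 'ab:cd' or 'abcd...' and return the canonical colon form."""
    hex_only = re.sub(r"[^0-9a-fA-F]", "", fp).upper()
    if len(hex_only) != 40:
        raise ValueError(f"SHA-1 fingerprint must be 40 hex digits, got {len(hex_only)}")
    return ":".join(hex_only[i:i + 2] for i in range(0, 40, 2))


def fingerprint_matches(configured, pem):
    """True if the configured certFingerprint equals the SHA-1 of the certificate in pem."""
    return normalize_fingerprint(configured) == sha1_fingerprint(pem_to_der(pem))


def check_idp_metadata(metadata, certs_by_entity):
    """For each entity in a saml20-idp-remote style dict, report match/mismatch/None (nothing to compare)."""
    results = {}
    for entity_id, entry in metadata.items():
        configured = entry.get("certFingerprint")
        pem = certs_by_entity.get(entity_id)
        results[entity_id] = None if configured is None or pem is None else fingerprint_matches(configured, pem)
    return results


# Constructed stand-in for an IdP certificate: NOT real DER, but the fingerprint
# computation only hashes the decoded bytes, so the check is exercised end to end.
DEMO_DER = b"constructed stand-in for a DER-encoded certificate"
DEMO_PEM = ("-----BEGIN CERTIFICATE-----\n"
            + base64.encodebytes(DEMO_DER).decode("ascii")
            + "-----END CERTIFICATE-----\n")
DEMO_FINGERPRINT = sha1_fingerprint(DEMO_DER)

if __name__ == "__main__":
    metadata = {"https://idp.example.org/opensso": {"certFingerprint": DEMO_FINGERPRINT}}
    print(check_idp_metadata(metadata, {"https://idp.example.org/opensso": DEMO_PEM}))
```

In practice, read the PEM the IdP operator supplied (e.g. /etc/ssl/certs/idp.e-taxonomy.eu-cert.pem from the openssl command above) and pass it as the certificate for the EDIT entityId; a False result means the fingerprint in saml20-idp-remote.php belongs to a different certificate than the one on disk and assertions signed by the IdP will be rejected.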
Finally, you may want to set the EDIT IdP as the default IdP for your service provider. If so, edit /var/simplesamlphp/config/config.php and set the entityID of the EDIT IdP:
'default-saml20-idp' => 'https://idp.e-taxonomy.eu:443/opensso',
If you have configured several IdPs and would like your users to select the IdP to be used for authentication, set the entityID as follows:
'default-saml20-idp' => null,
That's all for now. Check your installation by browsing the /simplesaml URL of your service provider (e.g. https://sp.e-taxonomy.eu/simplesaml) and select the link to test login with your IdP. If everything is OK, you are redirected to your IdP, enter your credentials there, and finally see a page listing all the attributes received from the IdP.
Drupal Integration
Please follow the General description.
Don't forget to install memcached:
apt-get install memcached php5-memcache
and to change the simplesamlphp default session handler from phpsession to memcache in /var/simplesamlphp/config/config.php:
'session.handler' => 'memcache',
