Project

General

Profile

Actions

SimpleSAMLphp Installation (Debian Etch)


This is an installation guide to configure SimpleSAMLphp with the EDIT federation.

For any details, please look at the original simpleSAMLphp Installation page

Basic Installation

SimpleSAMLphp requires the following prerequisites:

  • PHP Version 5.2or higher

  • Webserver running PHP

Debian Etch includes a suitable PHP version (>=5.2). So, just install php and the apache webserver.

apt-get install php5 apache2

Download the current version from http://code.google.com/p/simplesamlphp/

Unzip it (default location V1.4: /var/simplesamlphp

wget http://simplesamlphp.googlecode.com/files/simplesamlphp_1_4.zip
unzip simplesamlphp_1_4.zip -d /var
ln -s /var/simplesamlphp_1.4 /var/simplesamlphp
or
mv /var/simplesamlphp_1.4 /var/simplesamlphp

Change to the simplesamlphp directory and copy the configuration and metadata template files to the config directory:

cp -r config-templates/*.php config/
cp -r metadata-templates/*.php metadata/

Don't forget to set access rights, such as the web server has access to the directory:

chown -R root:www-data /var/simplesamlphp

So, that's all for the basic installation.

Configuration

Apache Configuration

You must make SimpleSAMLphp accessible via the web server. With Apache2, you may use an Alias to your Virtual Server configuration (/etc/apache2/sites-available)

Alias /simplesaml /var/simplesamlphp/www

Basic SimpleSAMLphp configuration

The main configuration file is located at /var/simplesamlphp/config/config.php.

Here check at least the following options and adopt them to your installation, if necessary

'baseurlpath'                   => 'simplesaml/',
'secretsalt'                    => 'randombytesinsertedhere',
'technicalcontact_name'         => 'Administrator',
'technicalcontact_email'        => 'admin@edit.org',

The baseurlpath must be equal to the path given as alias in the Apache configuration.

The secretsalt should be unique and can be generated with the following command:

tr -c -d '0123456789abcdefghijklmnopqrstuvwxyz' </dev/urandom | dd bs=32 count=1 2>/dev/null;echo

Finally, check your installation and browse the URL of your installation (e.g. https://sp.e-taxonomy.eu/simplesaml/)

You should see the SimpleSAMLphp installation page.

Configure SimpleSAMLphp as SAML 2.0 Service Provider

First, edit /var/simplesamlphp/config/config.php and check if the option enable.saml20-sp is set to true

'enable.saml20-sp'  => true,

Next, we need to set up the metadata of our SP instance and the authenticating IdP instance.

Configure Service Provider metadata

Please edit /var/simplesamlphp/metadata/saml20-sp-hosted.php.

    'https://sp.e-taxonomy.eu/simplesaml' => array(

        'host'  => 'sp.e-taxonomy.eu',
        'privatekey' => 'sp.e-taxonomy.eu-key.pem',
        'certificate' => 'sp.e-taxonomy.eu-cert.pem',
        'privatekey_pass' => "secret"
    )

https://sp.e-taxonomy.eu/simplesaml::

This declares the entityId of this serviceprovider. With Shibboleth, it is common practice to use the base-URL of the service provider. But, it may be also any other URI. This is an federation wide identifier, which serves here as an index into the metadata array.

host::

This is the host name of the service provider.

privatekey::

This is the private key file name of the service provider and is needed e.g. to sign assertion requests to the IdP.

privatekey_pass::

This is the passphrase of the private key

certificate::

This is the certificate file name of the service provider (relating to the private key).

Note::

By default, SimpleSAMLphp expects any key and certificate files within the /var/simplesamlphp/cert directory. You must copy these files to this directory, or create symbolic links there pointing to the location of these files, e.g.

ln -s /etc/ssl/private/sp.e-taxonomy.eu-key.pem /var/simplesamlphp/cert/

Also, ensure the access rights of these files, so that your webserver can access them!

Configure Identity Provider metadata

Please edit /var/simplesamlphp/metadata/saml20-idp-remote.php. The following is the correct metadata for the EDIT Identity Provider:

$metadata['https://idp.e-taxonomy.eu:443/opensso'] = array(
    'name'                 => 'EDIT OpenSSO IdP',
    'description'          => 'Here you can login with your account on EDIT IdP.',

    'SingleSignOnService'  => 'https://idp.e-taxonomy.eu:443/opensso/SSORedirect/metaAlias/idp',
    'SingleLogoutService'  => 'https://idp.e-taxonomy.eu:443/opensso/IDPSloRedirect/metaAlias/idp',
    'certFingerprint'      => '2E:EF:0A:57:22:B5:E0:45:2D:AF:C3:83:24:84:A2:CA:53:B3:13:4B'
);

https://idp.e-taxonomy.eu:443/opensso::

This declares the entityId of the EDIT Identity Provider. Please use this value to use the EDIT IdP for authentication.

name::

This is just an internal name for the IdP instance

_description'::

Internal description of the IdP instance.

_!SingleSignOnService'::

The denotes the URL to access the IdP's single sign-on service. This is fixed by the IdP.

!SingleLogoutService::

The denotes the URL to access the IdP's single logout service. This is fixed by the IdP.

certFingerprint::

This is the SHA1 fingerprint of the IdP's certificate. It can be obtained using the following openssl command:

 openssl x509 -fingerprint -sha1 -in /etc/ssl/certs/idp.e-taxonomy.eu-cert.pem | grep SHA1

Finally, you may want to set the EDIT IdP as the default IdP for your service provider. If so, edit /var/simplesamlphp/config/config.php and set the entityID of the EDIT IdP.

'default-saml20-idp' => 'https://idp.e-taxonomy.eu:443/opensso',

If you have configured several IdPs and you would like your users to select the IdP to be used for authentication, set the entityID as follows:

'default-saml20-idp' => null,

That's all for instance.

Please check your installation by browsing the /simplesaml URL of your service provider (e.g. https://sp.e-taxonomy.eu/simplesaml, and select the link to check the login with your IdP. If everything is ok, you should be redirected to your IdP, enter your credentials for login, and finally view a page listing all your attributes received from the IdP

Drupal Integration

Please follow the General description

Don't forget to install memcached:

apt-get install memcached php5-memcache

and to change the simplesamlphp default session handler from phpsession to memcache in /var/simplesamlphp/config/config.php:

    'session.handler'       => 'memcache',

Attribute mapping

ToDo

Updated by Andreas Müller almost 2 years ago · 5 revisions