SimpleSAMLphp Installation (Debian Etch)
This is an installation guide to configure SimpleSAMLphp with the EDIT federation.
For details, please see the original SimpleSAMLphp installation page.
SimpleSAMLphp requires the following prerequisites:
PHP version 5.2 or higher
Webserver running PHP
Debian Etch includes a suitable PHP version (>=5.2). So, just install php and the apache webserver.
apt-get install php5 apache2
Download the current version from http://code.google.com/p/simplesamlphp/
Unzip it (default location V1.4: /var/simplesamlphp):
wget http://simplesamlphp.googlecode.com/files/simplesamlphp_1_4.zip
unzip simplesamlphp_1_4.zip -d /var
ln -s /var/simplesamlphp_1.4 /var/simplesamlphp
or
mv /var/simplesamlphp_1.4 /var/simplesamlphp
Change to the simplesamlphp directory and copy the configuration and metadata template files to the config directory:
cp -r config-templates/*.php config/
cp -r metadata-templates/*.php metadata/
Don't forget to set the access rights so that the web server has access to the directory:
chown -R root:www-data /var/simplesamlphp
So, that's all for the basic installation.
You must make SimpleSAMLphp accessible via the web server. With Apache2, you may add an Alias to your virtual host configuration (/etc/apache2/sites-available):
Alias /simplesaml /var/simplesamlphp/www
Basic SimpleSAMLphp configuration
The main configuration file is located at /var/simplesamlphp/config/config.php.
Check at least the following options there and adapt them to your installation, if necessary:
'baseurlpath' => 'simplesaml/',
'secretsalt' => 'randombytesinsertedhere',
'technicalcontact_name' => 'Administrator',
'technicalcontact_email' => 'email@example.com',
The baseurlpath must be equal to the path given as alias in the Apache configuration.
The secretsalt should be unique and can be generated with the following command:
tr -c -d '0123456789abcdefghijklmnopqrstuvwxyz' </dev/urandom | dd bs=32 count=1 2>/dev/null;echo
Finally, check your installation by browsing the URL of your installation (e.g. https://sp.e-taxonomy.eu/simplesaml/).
You should see the SimpleSAMLphp installation page.
Configure SimpleSAMLphp as SAML 2.0 Service Provider
First, edit /var/simplesamlphp/config/config.php and check that the option enable.saml20-sp is set to true:
'enable.saml20-sp' => true,
Next, we need to set up the metadata of our SP instance and the authenticating IdP instance.
Configure Service Provider metadata
Please edit /var/simplesamlphp/metadata/saml20-sp-hosted.php.
'https://sp.e-taxonomy.eu/simplesaml' => array(
    'host' => 'sp.e-taxonomy.eu',
    'privatekey' => 'sp.e-taxonomy.eu-key.pem',
    'certificate' => 'sp.e-taxonomy.eu-cert.pem',
    'privatekey_pass' => "secret"
)
'https://sp.e-taxonomy.eu/simplesaml': This declares the entityId of this service provider. With Shibboleth, it is common practice to use the base URL of the service provider, but it may also be any other URI. This is a federation-wide identifier, which serves here as an index into the metadata array.
host: This is the host name of the service provider.
privatekey: This is the private key file name of the service provider and is needed e.g. to sign assertion requests to the IdP.
privatekey_pass: This is the passphrase of the private key.
certificate: This is the certificate file name of the service provider (relating to the private key).
By default, SimpleSAMLphp expects any key and certificate files within the /var/simplesamlphp/cert directory. You must copy these files to this directory, or create symbolic links there pointing to the location of these files, e.g.
ln -s /etc/ssl/private/sp.e-taxonomy.eu-key.pem /var/simplesamlphp/cert/
Also, check the access rights of these files so that your web server can read them!
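The two settings above that are easiest to leave weak are the secretsalt in config.php and the access rights of the private key. The shell functions below are an added example (not part of the original guide or of SimpleSAMLphp) that check both; the function names are made up here and the directory layout is assumed to be the one used in this guide.

```shell
#!/bin/sh
# Added example: audit the secretsalt and the SP private key of an installation
# laid out as in this guide. Function names are illustrative.

# Print the value of a single-quoted 'key' => 'value' entry in a PHP config file.
php_value() {  # $1 = file, $2 = key
    sed -n "s/^[[:space:]]*'$2'[[:space:]]*=>[[:space:]]*'\([^']*\)'.*/\1/p" "$1" | head -n 1
}

# Return 0 if the salt is set, is not the guide's placeholder and has >= 32 chars.
salt_ok() {  # $1 = config.php
    salt=$(php_value "$1" secretsalt)
    [ "$salt" != "randombytesinsertedhere" ] && [ "${#salt}" -ge 32 ]
}

# Return 0 if the key file (symlinks followed, as with the ln -s above) can be
# read by the user running the check and is not readable by "others".
key_perms_ok() {  # $1 = key file
    [ -r "$1" ] || return 1
    mode=$(ls -lL "$1" | cut -c1-10)
    case "$mode" in
        ???????r??) return 1 ;;   # 8th character is the others-read bit
        *) return 0 ;;
    esac
}

# Run both checks; print one line per finding and return 1 if there is any.
audit_sp() {  # $1 = SimpleSAMLphp directory, e.g. /var/simplesamlphp
    rc=0
    salt_ok "$1/config/config.php" || { echo "WEAK: secretsalt"; rc=1; }
    key=$(php_value "$1/metadata/saml20-sp-hosted.php" privatekey)
    key_perms_ok "$1/cert/$key" || { echo "WEAK: cert/$key permissions"; rc=1; }
    return $rc
}

# Usage: audit_sp /var/simplesamlphp
```

Run it as the web server user (www-data in this guide) to confirm at the same time that the server can actually read the key.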
Configure Identity Provider metadata
Please edit /var/simplesamlphp/metadata/saml20-idp-remote.php. The following is the correct metadata for the EDIT Identity Provider:
$metadata['https://idp.e-taxonomy.eu:443/opensso'] = array(
    'name' => 'EDIT OpenSSO IdP',
    'description' => 'Here you can login with your account on EDIT IdP.',
    'SingleSignOnService' => 'https://idp.e-taxonomy.eu:443/opensso/SSORedirect/metaAlias/idp',
    'SingleLogoutService' => 'https://idp.e-taxonomy.eu:443/opensso/IDPSloRedirect/metaAlias/idp',
    'certFingerprint' => '2E:EF:0A:57:22:B5:E0:45:2D:AF:C3:83:24:84:A2:CA:53:B3:13:4B'
);
'https://idp.e-taxonomy.eu:443/opensso': This declares the entityId of the EDIT Identity Provider. Please use this value to use the EDIT IdP for authentication.
name: This is just an internal name for the IdP instance.
description: Internal description of the IdP instance.
SingleSignOnService: This denotes the URL to access the IdP's single sign-on service. This is fixed by the IdP.
SingleLogoutService: This denotes the URL to access the IdP's single logout service. This is fixed by the IdP.
certFingerprint: This is the SHA1 fingerprint of the IdP's certificate. It can be obtained using the following openssl command:
openssl x509 -fingerprint -sha1 -in /etc/ssl/certs/idp.e-taxonomy.eu-cert.pem | grep SHA1
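One way to automate the comparison between the configured certFingerprint and the certificate on disk, for example after the IdP renews its certificate. This is an added example, not part of the original guide; the function names are chosen here and the openssl command-line tool is assumed to be installed.

```shell
#!/bin/sh
# Added example: check that the certFingerprint in saml20-idp-remote.php
# belongs to the IdP certificate file. Function names are illustrative.

# Normalise a fingerprint: drop colons and whitespace, lower-case the hex digits.
normalize_fp() {  # $1 = fingerprint
    printf '%s' "$1" | tr -d ': \n' | tr 'A-F' 'a-f'
}

# Print the first certFingerprint value found in a metadata file.
configured_fp() {  # $1 = metadata file
    sed -n "s/.*'certFingerprint'[[:space:]]*=>[[:space:]]*'\([^']*\)'.*/\1/p" "$1" | head -n 1
}

# Print the SHA1 fingerprint of a PEM certificate (text after the "=").
cert_fp() {  # $1 = certificate file
    openssl x509 -noout -fingerprint -sha1 -in "$1" | cut -d= -f2
}

# Return 0 only if the first value is exactly 40 hex digits and equals the second.
fp_equal() {  # $1, $2 = fingerprints, with or without colons, any case
    a=$(normalize_fp "$1")
    b=$(normalize_fp "$2")
    case "$a" in
        *[!0-9a-f]*|"") return 1 ;;   # empty or not hexadecimal
    esac
    [ "${#a}" -eq 40 ] && [ "$a" = "$b" ]
}

# Return 0 if the configured fingerprint matches the certificate file.
# A missing entry or an unreadable certificate yields an empty value and fails.
check_idp_cert() {  # $1 = metadata file, $2 = certificate file
    fp_equal "$(configured_fp "$1")" "$(cert_fp "$2")"
}

# Usage:
# check_idp_cert /var/simplesamlphp/metadata/saml20-idp-remote.php \
#     /etc/ssl/certs/idp.e-taxonomy.eu-cert.pem || echo "fingerprint mismatch"
```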
Finally, you may want to set the EDIT IdP as the default IdP for your service provider. If so, edit /var/simplesamlphp/config/config.php and set the entityID of the EDIT IdP.
'default-saml20-idp' => 'https://idp.e-taxonomy.eu:443/opensso',
If you have configured several IdPs and you would like your users to select the IdP to be used for authentication, set the entityID as follows:
'default-saml20-idp' => null,
That's all for now.
Please check your installation by browsing the /simplesaml URL of your service provider (e.g. https://sp.e-taxonomy.eu/simplesaml), and select the link to check the login with your IdP. If everything is OK, you should be redirected to your IdP, enter your credentials for login, and finally view a page listing all the attributes received from the IdP.
Please follow the General description
Don't forget to install memcached:
apt-get install memcached php5-memcache
and to change the simplesamlphp default session handler from phpsession to memcache in /var/simplesamlphp/config/config.php:
'session.handler' => 'memcache',