
This page describes how to set up an Identity Provider (IdP) using SimpleSAMLphp.

Prerequisites

 

  • Some web server capable of executing PHP scripts.
  • PHP version >= 5.4.0.
  • Support for the following PHP extensions:
    • Always required: date, dom, hash, libxml, openssl, pcre, SPL, zlib, json, mbstring
    • When automatically checking for latest versions, and used by some modules: cURL
    • When authenticating against an LDAP server: ldap
    • When authenticating against a RADIUS server: radius
    • When using the native PHP session handler: session
    • When saving session information to a memcache server: memcache
    • When using databases:
      • Always: PDO
      • Database driver: (mysql, pgsql, ...)
  • Support for the following PHP packages:
    • When saving session information to a Redis server: predis

What actual packages are required for the various extensions varies between different platforms and distributions.

 

Installation Steps

1. Install the Prerequisites Extensions

CentOS 6 users can follow this tutorial to install PHP 7: https://www.tecmint.com/install-php-7-in-centos-6/

The web server shall use a production-grade SSL certificate (e.g. Let's Encrypt), and shall be installed and configured before SimpleSAMLphp is installed.

Even though this tutorial uses CentOS as the base, you can also use another Linux distribution such as Debian/Ubuntu. You just need to adjust steps 1, 3 and 4 to follow the standard practice of your distribution.



2. Download and Extract the SimpleSAMLphp installer



3. Create an HTTPD Configuration File



Alias /sso /var/www/simplesamlphp/www

<Directory /var/www/simplesamlphp/www>
  <IfModule !mod_authz_core.c>
    # For Apache 2.2:
    Order allow,deny
    Allow from all
  </IfModule>
  <IfModule mod_authz_core.c>
    # For Apache 2.4:
    Require all granted
  </IfModule>
</Directory>


4. Restart the HTTPD Service



5. Edit SimpleSAMLphp Configuration File

You can use the following command to generate a random string for the secretsalt:

 

# openssl rand -base64 32


 

  • Find auth.adminpassword, and set the admin password.
  • Find baseurlpath, and set it to 'sso/'.
  • Find secretsalt, and set the key for the salt.
  • Find admin.protectindexpage, and set it to true.
  • Find technicalcontact_name and technicalcontact_email, and set them to appropriate values. Use a service email address rather than a personal email.
  • Find timezone, and set it to a preferred time zone from this list of timezones for PHP. For example: 'Etc/UTC'
  • Find enable.saml20-idp, and set it to true.
  • Find metadata.sources, and add the following lines:

 

 

  • Find the following lines, and uncomment them:

 

 

Enable the Consent module:

 

6. Check the Initial Installation and Config

 

Using your web browser, open the SimpleSAMLphp installation at the following URL: https://<your hostname>/sso. You will be asked to log in as administrator. Please do so; after a successful authentication you will see the following screen:

Click the Configuration tab to check the config and installation:

 

7. Connect with Directory Services

Edit the authsources.php file

 

Add the following entry:

OpenLDAP
MicrosoftAD
Replace ds.university.edu.my with your LDAP/Microsoft AD hostname or IP address.

Replace the search.base, dnpattern, search.username and search.password parameters according to your directory services setup.
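As an added example (not the page's own configuration block), this is an authsources.php entry for the OpenLDAP case using the parameters named above. The hostname ds.university.edu.my is the page's placeholder; the base DN, the bind account, the attribute list and the source name "Directory-Services" (the name tested in step 8) are assumptions to replace with your own values.

```php
<?php
// authsources.php -- added example, not the wiki page's own config block.
// Add the 'Directory-Services' entry inside the existing $config array.
$config = [

    'Directory-Services' => [
        'ldap:LDAP',

        // ldaps:// (or enable_tls => true with a plain ldap:// URL) keeps
        // the users' passwords and the search-account credentials from
        // crossing the network in cleartext.
        'hostname' => 'ldaps://ds.university.edu.my',
        'enable_tls' => false,
        'timeout' => 10,
        'referrals' => false,

        // Attributes released to SimpleSAMLphp after a successful bind.
        // null would return every readable attribute, including ones the
        // IdP never needs; list only what your SPs consume (assumed set).
        'attributes' => ['uid', 'cn', 'sn', 'givenName', 'mail', 'eduPersonAffiliation'],

        // Bind as the user: %username% is substituted with the login name.
        // Assumed DIT layout; adjust to your directory.
        'dnpattern' => 'uid=%username%,ou=people,dc=university,dc=edu,dc=my',

        // Look up the user's DN first (needed when the DN cannot be derived
        // from the username, as with Microsoft AD). The search account
        // should be a read-only service account, never an admin account.
        'search.enable' => true,
        'search.base' => 'ou=people,dc=university,dc=edu,dc=my',
        'search.attributes' => ['uid', 'mail'],   // use ['sAMAccountName'] for AD
        'search.username' => 'cn=ssp-reader,ou=services,dc=university,dc=edu,dc=my',
        'search.password' => 'CHANGE-ME',          // placeholder, not a real secret
    ],
];
```

Because search.password is stored in cleartext, keep authsources.php readable only by the web server user and out of any public repository.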

 

8. Perform Authentication Test

Back in the web browser, click the "Authentication" tab and select "Test configured authentication sources". Select "Directory-Services" as the user database that you want to test:

 

 

Perform the authentication test by entering a user's username and password. On success, you will see the user's attributes that the directory service returns to SimpleSAMLphp.

 

 

9. Ingest SIFULAN and eduGAIN Metadata

 

Enable and configure the metarefresh and cron modules:

 

Create a folder to "cache" the Federation metadata files:

 

Download SIFULAN's metadata signing certificate:

 

Create the metarefresh module's config file:

config-metarefresh.php
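As an added example (not the page's own file), this config-metarefresh.php fetches the SIFULAN aggregate on the cron module's hourly tag and verifies its signature with the signing certificate downloaded above. The metadata URL, the certificate file name and the cache directory are placeholders to replace with the values SIFULAN provides.

```php
<?php
// config-metarefresh.php -- added example, not the wiki page's own file.
// Placeholders: metadata URL, certificate file name, cache directory.
$config = [
    'sets' => [
        'sifulan' => [
            // Run by the cron module's "hourly" tag (the crontab entry
            // installed later in step 9).
            'cron' => ['hourly'],

            'sources' => [
                [
                    'src' => 'https://REPLACE-WITH-SIFULAN-METADATA-URL/metadata.xml',

                    // The aggregate's XML signature is verified against the
                    // federation signing certificate (file name assumed;
                    // resolved relative to the SimpleSAMLphp cert/ directory).
                    // Without this check, a tampered or hijacked download
                    // would register arbitrary SPs at the IdP.
                    'certificates' => ['sifulan-signer.crt'],

                    // An IdP only needs the SP entries from the aggregate.
                    'types' => ['saml20-sp-remote'],
                ],
            ],

            // Discard cached entities once fetching has failed for four
            // days, so stale federation data does not live on indefinitely.
            'expireAfter' => 60 * 60 * 24 * 4,

            // The "cache" folder created above (path assumed). It must be
            // writable by the web server user and listed as a flatfile
            // source under metadata.sources in config.php (step 5).
            'outputDir' => 'metadata/metarefresh-sifulan/',
            'outputFormat' => 'flatfile',
        ],
    ],
];
```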

 

Edit the metadata "cron" configuration file:

 

Replace the default secret key with another key string. You can use the following command to generate a random string as the secret key:

 

Back in the web browser, click the "Configuration" tab and select "Cron module information page". Copy one of the three suggested crontab entries to allow periodic metadata downloads from the SIFULAN Federation. Run the crontab editor and paste the chosen entry:

Example cron entry

 

To start fetching the metadata from SIFULAN, go to the web browser, click the "Federation" tab and click the "Metarefresh: fetch metadata" link at the bottom of the page. Once done, simply press the browser's "back" button to see the result.

 

It may take some time for the middleware (SimpleSAMLphp) to download and process the metadata from the federations.

 

10. Configure IdP Metadata

 

Generate a long-term self-signed certificate:

 

Edit saml20-idp-hosted.php:

OpenLDAP
MicrosoftAD
Replace "university.edu.my" and "University Edu My" with the actual values.

Replace the height and the width of the logo with the actual values.

 

11. Metadata Registration

To get your IdP metadata, in your SimpleSAMLphp installation page, click the "Federation" tab and click "Show Metadata" in the "SAML 2.0 IdP Metadata" section.

SimpleSAMLphp provides three options in regards to your IdP metadata:

  1. Dynamic/Direct link to the metadata
  2. Metadata in XML format
  3. Metadata in SimpleSAMLphp format.

Typically, option 2 is chosen as it provides better compatibility with other SAML middleware. Select and copy the metadata; you will paste it later into the Federation Manager portal.

Please click here for the tutorial on how you can register your metadata with SIFULAN Federation.

 

12. Customizing the Theme

You can use the SimpleSAMLphp Theme Generator to customize the theme. You can find the tutorial from here.

 

 
