-
Notifications
You must be signed in to change notification settings - Fork 0
Install simpleSAMLphp
Installing simpleSAMLphp can be very straightforward, but it is can also be easy to experience some problems. If you have complete control over the server you will be using to host your application, you can use the documentation provided by simpleSAMLphp. In either case, it is a good reference and you should keep an eye on it, to know more about it. Go to installing simpleSAMLphp and configuration, to see their documentation. If you have simpleSAMLphp already installed, please go to configuring simpleSAMLphp
At this point you should have WordPress up and running on your server. https://www.mws.org/ can point directly to it, or you could host it in a subfolder called blog. If you have not done this, please refer back to the Installing WordPress step.
Start by fetching the latest version of simpleSAMLphp on their downloads page. They recommend downloading featured packages only, and so do we. Extract the archive into, and move the folder into the wordpress folder, so your structure will look like this (assuming wordpress is inside a folder called blog).
server_root/blog/
server_root/blog/simplesamlphp/
This will cause WordPress to think that simplesamlphp is actually a part of WordPress and tries to draw its elements on any page you load. We want to discourage so we need some rule to make sure that wordpress ignores that folder. To solve that problem we will use a rewrite rule, that servers like apache and LiteSpeed understand.
We use the .htaccess files interpreted by servers like apache to set up this environment. The .htaccess file placed in the root folder of the wordpress installation (blog in our example), should look like this.
RewriteRule ^simplesaml/(.*) /blog/simplesamlphp/www/$1 [L]
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /blog/
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /blog/index.php [L]
</IfModule>
# END WordPress
This is the default .htaccess file provided with WordPress, with one extra rule to make sure that each request that has simplesaml and it's subsequent subfolders are redirected into the simplesamlphp/www folder.
TODO: Add documentation for this part. simpleSAMLphp does not, and even should not be accessible in any folders, except the www folder. That's why we need other .htaccess files that block every request made into simplesamlphp, except the www folder.
You should be able to access your simpleSAMLphp installation right now and look around. If you experience some errors, please let us know and we will add it to the FEL, or Frequent Error List. If you have a solution to your problem (found by way of Google, or your sheer brilliance), please include that as well.
The single most effective way of getting simpleSAMLphp to work is by configuring it. It also, by definition the most frequent source of failure. As a SAML service provider, we are mainly interested in 3 files.
server_root/blog/simplesamlphp/config/authsources.php
server_root/blog/simplesamlphp/config/config.php
server_root/blog/simplesamlphp/metadata/saml20-idp-remote.php
This is the main configuration file for simpleSAMLphp. It is big and covers many areas. The most notable ones will be described below. The number inside a bracket indicates a rough line number estimate, for ease of searching through your copy of config.php
[ 25] 'baseurlpath' => 'blog/simplesaml/', // The path to simplesaml on the url
[ 25] 'certdir' => 'cert/', // Folder housing your encryption securities
[ 70] 'auth.adminpassword' => 'password', // The password used for authenticating admin user
[ 85] 'secretsalt' => '4hze31kst0k360mr4ikgnyavi5pgyw0m', // Salt used for hash generation
[ 90] 'technicalcontact_name' => 'Your name', // Contact's name
[ 90] 'technicalcontact_email' => '[email protected]', // Contact's email
[120] 'logging.level' => SimpleSAML_Logger::DEBUG, // Very important to get the most information, when stuff goes wrong
[120] 'logging.handler' => 'file', // Make sure we save it to a file
You can modify your values in config.php or copy these one and put them at the end, just before the closing parentheses of the config array.
Authsources define the different possible ways to authenticate a user. We will be overwriting the default-sp, default service provider entry although you can create your own and call it what you want. Here is the definition like we will be using it.
'default-sp' => array(
'saml:SP',
// The entity ID of this SP.
'entityID' => "https://wfs.org/blog/simplesaml/module.php/saml/sp/metadata.php/default-sp",
// The entity ID of the IdP this should SP should contact.
'idp' => 'https://testbridge.wayf.dk',
// The URL to the discovery service.
// Can be NULL/unset, in which case a builtin discovery service will be used.
'discoURL' => NULL,
'privatekey' => 'server.pem',
'certificate' => 'server.crt',
),
Here we have not a lot set for this service provider, first we define default-sp as a saml service provider with saml:SP. The entityID set's an ID for default-sp and we use the public URI location of the metadata that this installation describes. Next we set the id of the identity provider, the service that will authenticate for us. It's metadata, the information about this provider is defined in the last file, and this is a key to reference that identity provder. We have no discovery service running, and we are using the default certificates. If you would like to generate new ones, please see self signed certificates page for more.
In the authsources.php file we defined the identity provider to be testbridge.wayf.dk. To gain it's metadata, we go to wayf.dk and under their institution section, we find a link to metadata examples. Now we are going to start with the Test metadata so we visit that link and copy all of the XML metadata. This is not the correct format for simplesaml to use, so we visit https://mws.org/blog/simplesaml/admin/metadata-converter.php. This page converts the XML metadata to a php metadata array, so we paste the XML and copy the output. You can see an example of the php metadata for the testbridge, here.
The only thing we will do wih this data is we will add it at the bottom of the saml20-idp-remote.php file, and add one line into the definition. This line is hard to explain and is received via experience of people before me.
'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
Add this line inside the definition for the testbridge metadata.
Unfortunately, this is not the step where you can verify that you have done something correct. We first have to create an entry in JANUS, wayf's management tool of services, so that they know about us a service and can issue a valid response that tells us if a user is logged in.