<a href="https://simplesamlphp.org/" class="urlextern" title="https://simplesamlphp.org/" rel="nofollow">simpleSAMLphp</a> is an identity/service provider written in PHP. It supports many protocols, such as <abbr title="Central Authentication Service">CAS</abbr>, OpenID and <abbr title="Security Assertion Markup Language">SAML</abbr>.
</p>
<p>
This documentation explains how to interconnect LemonLDAP::NG and simpleSAMLphp using the <abbr title="Security Assertion Markup Language">SAML</abbr> 2.0 protocol.
You need to <a href="https://simplesamlphp.org/docs/stable/simplesamlphp-install" class="urlextern" title="https://simplesamlphp.org/docs/stable/simplesamlphp-install" rel="nofollow">install the software</a>. If using Debian, just do:
We suppose that the configuration is done in <code>/etc/simplesamlphp</code> and that simpleSAMLphp is accessible at <a href="http://localhost/simplesamlphp" class="urlextern" title="http://localhost/simplesamlphp" rel="nofollow">http://localhost/simplesamlphp</a>.
</p>
<p>
To be able to sign <abbr title="Security Assertion Markup Language">SAML</abbr> messages, you need to create a certificate. First set where certificates are stored:
You need to configure the <a href="../samlservice.html" class="wikilink1" title="documentation:2.0:samlservice">SAML Service</a>. Be sure to convert the public key into a certificate, as described in the <a href="../samlservice.html#security_parameters" class="wikilink1" title="documentation:2.0:samlservice">security chapter</a>, since simpleSAMLphp cannot use a bare public key.
<h2 class="sectionedit6" id="simplesamlphp_as_service_provider">simpleSAMLphp as Service Provider</h2>
<div class="level2">
<p>
We suppose you configured LemonLDAP::NG as <a href="../idpsaml.html" class="wikilink1" title="documentation:2.0:idpsaml">SAML Identity Provider</a> and want to use simpleSAMLphp as Service Provider.
</p>
<p>
In the <abbr title="LemonLDAP::NG">LL::NG</abbr> Manager, create a new SP and load the simpleSAMLphp metadata through its <abbr title="Uniform Resource Locator">URL</abbr> (by default: <a href="http://localhost/simplesamlphp/module.php/saml/sp/metadata.php/default-sp" class="urlextern" title="http://localhost/simplesamlphp/module.php/saml/sp/metadata.php/default-sp" rel="nofollow">http://localhost/simplesamlphp/module.php/saml/sp/metadata.php/default-sp</a>):
On the simpleSAMLphp side, use the metadata converter (by default: <a href="http://localhost/simplesamlphp/admin/metadata-converter.php" class="urlextern" title="http://localhost/simplesamlphp/admin/metadata-converter.php" rel="nofollow">http://localhost/simplesamlphp/admin/metadata-converter.php</a>) to convert the <abbr title="LemonLDAP::NG">LL::NG</abbr> metadata (by default: <a href="http://auth.example.com/saml/metadata" class="urlextern" title="http://auth.example.com/saml/metadata" rel="nofollow">http://auth.example.com/saml/metadata</a>) into its internal PHP representation. Copy the <code>saml20-idp-remote</code> content:
<div class="notetip">Don't forget the PHP start and end tags, so that the result is a valid PHP file.
</div>
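<p>
As an added example (not code from this page or from either project), the conversion the metadata converter performs, done by hand for IdP metadata: it parses a constructed SAML 2.0 IdP metadata sample, refuses to continue when no signing certificate is present (the SP's only means of verifying assertion signatures), and writes a <code>saml20-idp-remote</code> entry as a complete PHP file with start and end tags. The <code>entityid</code>, <code>SingleSignOnService</code>, <code>SingleLogoutService</code> and <code>certData</code> keys follow simpleSAMLphp's remote-IdP metadata format; the sample metadata and its certificate value are constructed placeholders.
</p>

```python
import re
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample IdP metadata, shaped like what http://auth.example.com/saml/metadata
# serves; the certificate value is a placeholder, not a real key.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://auth.example.com/saml/metadata">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
   MIIC placeholder
   base64 cert==
  </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
   Location="http://auth.example.com/saml/singleLogout"/>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
   Location="http://auth.example.com/saml/singleSignOn"/>
 </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def parse_idp_metadata(xml_text):
    """Pull the fields a saml20-idp-remote entry needs out of SAML 2.0 IdP metadata."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    # The signing cert is the SP's trust anchor for assertion signatures: never emit an entry without it.
    cert_path = "md:KeyDescriptor%s/ds:KeyInfo/ds:X509Data/ds:X509Certificate"
    cert = idp.find(cert_path % "[@use='signing']", NS)
    if cert is None:  # a KeyDescriptor with no 'use' attribute serves both signing and encryption
        cert = idp.find(cert_path % "", NS)
    if cert is None:
        raise ValueError("no X509Certificate: simpleSAMLphp needs a certificate, not a bare key")

    def redirect_location(tag):  # first endpoint using the HTTP-Redirect binding
        return next((e.get("Location") for e in idp.findall(tag, NS)
                     if e.get("Binding") == REDIRECT), None)
    return {"entityid": root.get("entityID"),
            "SingleSignOnService": redirect_location("md:SingleSignOnService"),
            "SingleLogoutService": redirect_location("md:SingleLogoutService"),
            "certData": re.sub(r"\s+", "", cert.text or "")}


def to_php(entry):
    """Render the entry as a complete PHP file, start and end tags included."""
    def q(s):  # PHP single-quoted string literal
        return "'" + s.replace("\\", "\\\\").replace("'", "\\'") + "'"
    body = ",\n".join("    %s => %s" % (q(k), q(v)) for k, v in entry.items() if v is not None)
    return "<?php\n$metadata[%s] = [\n%s,\n];\n?>\n" % (q(entry["entityid"]), body)
```

Running <code>to_php(parse_idp_metadata(SAMPLE_IDP_METADATA))</code> yields the file body to paste into <code>saml20-idp-remote.php</code>; a metadata document without a certificate raises instead of producing an entry that cannot verify signatures.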
<p>
All is ready; you can now test the authentication (by default: <a href="http://localhost/simplesamlphp/module.php/core/authenticate.php" class="urlextern" title="http://localhost/simplesamlphp/module.php/core/authenticate.php" rel="nofollow">http://localhost/simplesamlphp/module.php/core/authenticate.php</a>). You should see something like this:
<h2 class="sectionedit7" id="simplesamlphp_as_identity_provider">simpleSAMLphp as Identity Provider</h2>
<div class="level2">
<p>
We suppose you configured LemonLDAP::NG as <a href="../authsaml.html" class="wikilink1" title="documentation:2.0:authsaml">SAML Service Provider</a> and want to use simpleSAMLphp as Identity Provider.
</p>
<p>
First, you need to activate the IdP feature in simpleSAMLphp:
<div class="noteimportant">You need to configure your own certificates and authentication scheme.
</div>
<p>
Now in the <abbr title="LemonLDAP::NG">LL::NG</abbr> Manager, create a new IdP and import its metadata from the <abbr title="Uniform Resource Locator">URL</abbr> (by default: <a href="http://localhost/simplesamlphp/saml2/idp/metadata.php" class="urlextern" title="http://localhost/simplesamlphp/saml2/idp/metadata.php" rel="nofollow">http://localhost/simplesamlphp/saml2/idp/metadata.php</a>):
To finish, you need to declare the <abbr title="LemonLDAP::NG">LL::NG</abbr> SP in simpleSAMLphp. Use the metadata converter (by default: <a href="http://localhost/simplesamlphp/admin/metadata-converter.php" class="urlextern" title="http://localhost/simplesamlphp/admin/metadata-converter.php" rel="nofollow">http://localhost/simplesamlphp/admin/metadata-converter.php</a>) to convert the <abbr title="LemonLDAP::NG">LL::NG</abbr> metadata (by default: <a href="http://auth.example.com/saml/metadata" class="urlextern" title="http://auth.example.com/saml/metadata" rel="nofollow">http://auth.example.com/saml/metadata</a>) into its internal PHP representation. Copy the <code>saml20-sp-remote</code> content: