simpleSAMLphp is an identity/service provider written in PHP. It supports many protocols, such as CAS, OpenID and SAML.
This documentation explains how to interconnect LemonLDAP::NG and simpleSAMLphp using the SAML 2.0 protocol.
You need to install the software. If you use Debian, just run:
apt-get install simplesamlphp
We suppose that the configuration is stored in /etc/simplesamlphp and that simpleSAMLphp is reachable at http://localhost/simplesamlphp.
To be able to sign SAML messages, you need to create a certificate. First, set where certificates are stored:
vi /etc/simplesamlphp/config.php
'certdir' => '/etc/simplesamlphp/certs/',
Create the directory and generate the certificate:
mkdir /etc/simplesamlphp/certs/
cd /etc/simplesamlphp/certs/
openssl req -newkey rsa:2048 -new -x509 -days 3652 -nodes -out saml.crt -keyout saml.pem
Then associate this certificate with the default SP:
vi /etc/simplesamlphp/authsources.php
'default-sp' => array(
    'saml:SP',
    'privatekey' => 'saml.pem',
    'certificate' => 'saml.crt',
),
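The certificate step above is where most signature failures originate: if saml.pem and saml.crt do not belong together, simpleSAMLphp signs with one key and publishes another in its metadata, and LL::NG rejects every signed message. The script below is an added example, not part of the LemonLDAP::NG documentation or of simpleSAMLphp: it runs the same openssl command non-interactively, confirms the key and certificate match, and prints the SHA-256 fingerprint you can compare against the value the peer sees in the metadata converter. The CERTDIR variable and the /CN=simplesamlphp-sp subject are assumptions.

```shell
#!/bin/sh
# Added example (not from the LemonLDAP::NG documentation): generate the
# simpleSAMLphp signing key pair and check that key and certificate match
# before referencing them from authsources.php.
# CERTDIR is an assumption; the page uses /etc/simplesamlphp/certs/.
set -eu

CERTDIR="${CERTDIR:-/etc/simplesamlphp/certs}"

# Generate a self-signed certificate and its private key with the same
# parameters as the page, but non-interactively (a subject is supplied so
# openssl does not prompt). The private key is made readable by owner only.
generate_saml_cert() {
    dir="$1"
    mkdir -p "$dir"
    openssl req -newkey rsa:2048 -new -x509 -days 3652 -nodes \
        -subj "/CN=simplesamlphp-sp" \
        -out "$dir/saml.crt" -keyout "$dir/saml.pem" 2>/dev/null
    chmod 600 "$dir/saml.pem"
}

# Return 0 when the certificate's public key equals the public half of the
# private key, 1 otherwise. Both are exported as PEM "PUBLIC KEY" blocks and
# compared textually.
cert_matches_key() {
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    [ "$crt_pub" = "$key_pub" ]
}

# SHA-256 fingerprint of the certificate, for out-of-band comparison with what
# the other party imports through its metadata converter.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Usage: sh this-script.sh run   (writes into $CERTDIR)
if [ "${1:-}" = "run" ]; then
    generate_saml_cert "$CERTDIR"
    cert_matches_key "$CERTDIR/saml.crt" "$CERTDIR/saml.pem" \
        && echo "key and certificate match"
    echo "fingerprint: $(cert_fingerprint "$CERTDIR/saml.crt")"
fi
```

Run it once with the `run` argument after setting `certdir` in config.php; a non-zero exit from `cert_matches_key` means the pair must be regenerated before going further.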
You need to configure the SAML service in LL::NG. Be sure to convert the public key into a certificate, as described in the security chapter, because simpleSAMLphp cannot use a bare public key.
We suppose you have configured LemonLDAP::NG as a SAML Identity Provider and want to use simpleSAMLphp as a Service Provider.
In the LL::NG Manager, create a new SP and load the simpleSAMLphp metadata through its URL (by default: http://localhost/simplesamlphp/module.php/saml/sp/metadata.php/default-sp):
Then set the attributes that will be sent to simpleSAMLphp. Set Mandatory to On to force each attribute to be included in the authentication response.
You can also force all signatures:
On the simpleSAMLphp side, use the metadata converter (by default: http://localhost/simplesamlphp/admin/metadata-converter.php) to convert the LL::NG metadata (by default: http://auth.example.com/saml/metadata) into its internal PHP representation. Copy the saml20-idp-remote content:
vi /etc/simplesamlphp/metadata/saml20-idp-remote.php
<?php
$metadata['http://auth.example.com/saml/metadata'] = array (
    'entityid' => 'http://auth.example.com/saml/metadata',
    ...
    // Add this option to force SLO requests signature
    'sign.logout' => true,
);
?>
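The converter turns whatever certificate the remote metadata carries into a trusted signing key, so it is worth checking that certificate before pasting the PHP array into saml20-idp-remote.php (and, in the reverse setup, into saml20-sp-remote.php). The script below is an added example, not part of the LemonLDAP::NG documentation or of simpleSAMLphp: it extracts the X509Certificate element from a metadata document, rebuilds it as PEM, checks the remaining validity period and prints the fingerprint. Because it must run offline, the metadata it parses is constructed locally around a throwaway certificate for the entity http://auth.example.com/saml/metadata; in practice the XML is what the metadata URL returns.

```shell
#!/bin/sh
# Added example, not part of the LemonLDAP::NG documentation: inspect the
# signing certificate carried by a SAML metadata document before trusting the
# array produced by simpleSAMLphp's metadata converter.
set -eu

# Print, as PEM, the X509Certificate found in a SAML metadata file. Whitespace
# and line breaks inside the base64 body are tolerated, and the namespace
# prefix (ds: or none) is ignored. The closing tag is excluded from the match
# because it contains a slash.
metadata_signing_cert() {
    b64=$(tr -d '\n\r\t ' < "$1" \
        | sed -n 's/.*<[^<>/]*X509Certificate>\([^<]*\)<.*/\1/p')
    [ -n "$b64" ] || { echo "no X509Certificate element in $1" >&2; return 1; }
    printf '%s\n' '-----BEGIN CERTIFICATE-----'
    printf '%s\n' "$b64" | fold -w 64
    printf '%s\n' '-----END CERTIFICATE-----'
}

# Return 0 if the certificate remains valid for at least $2 more seconds,
# 1 if it expires sooner or has already expired.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# SHA-256 fingerprint of a PEM certificate, to compare with the value the
# remote administrator communicates out of band.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Constructed stand-in for the document served at
# http://auth.example.com/saml/metadata, built around a fresh self-signed
# certificate so the example runs without network access.
make_sample_metadata() {
    dir="$1"
    openssl req -newkey rsa:2048 -new -x509 -days 3652 -nodes \
        -subj "/CN=auth.example.com" \
        -out "$dir/idp.crt" -keyout "$dir/idp.pem" 2>/dev/null
    body=$(sed '/^-----/d' "$dir/idp.crt" | tr -d '\n')
    cat > "$dir/metadata.xml" <<EOF
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="http://auth.example.com/saml/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        $body
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
EOF
}

# Usage: sh this-script.sh run
if [ "${1:-}" = "run" ]; then
    work=$(mktemp -d)
    make_sample_metadata "$work"
    metadata_signing_cert "$work/metadata.xml" > "$work/remote.crt"
    cert_valid_for "$work/remote.crt" $((30 * 24 * 3600)) \
        && echo "certificate valid for at least 30 days"
    echo "fingerprint: $(cert_fingerprint "$work/remote.crt")"
fi
```

Against real metadata, call `metadata_signing_cert` on the downloaded XML instead of the constructed file; a failing `cert_valid_for` is the signal to ask the remote administrator for rotated metadata rather than to lengthen the check window.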
All is ready; you can now test the authentication (by default: http://localhost/simplesamlphp/module.php/core/authenticate.php). You should see something like this:
We suppose you have configured LemonLDAP::NG as a SAML Service Provider and want to use simpleSAMLphp as an Identity Provider.
First, you need to activate the IdP feature in simpleSAMLphp:
vi /etc/simplesamlphp/config.php
'enable.saml20-idp' => true,
And create a default IdP configuration:
vi /etc/simplesamlphp/metadata/saml20-idp-hosted.php
<?php
$metadata['__DYNAMIC:1__'] = array(
    /*
     * The hostname for this IdP. This makes it possible to run multiple
     * IdPs from the same configuration. '__DEFAULT__' means that this one
     * should be used by default.
     */
    'host' => '__DEFAULT__',
    /*
     * The private key and certificate to use when signing responses.
     * These are stored in the cert-directory.
     */
    'privatekey' => 'saml.pem',
    'certificate' => 'saml.crt',
    /*
     * The authentication source which should be used to authenticate the
     * user. This must match one of the entries in config/authsources.php.
     */
    'auth' => 'admin',
    // Sign SLO messages
    'sign.logout' => true,
);
?>
Now, in the LL::NG Manager, create a new IdP and import its metadata from the URL (by default: http://localhost/simplesamlphp/saml2/idp/metadata.php):
List the attributes you want to collect. Set Mandatory to Off so that authentication does not fail if an attribute is not sent by the IdP.
And activate all signatures:
To finish, you need to declare the LL::NG SP in simpleSAMLphp. Use the metadata converter (by default: http://localhost/simplesamlphp/admin/metadata-converter.php) to convert the LL::NG metadata (by default: http://auth.example.com/saml/metadata) into its internal PHP representation. Copy the saml20-sp-remote content:
vi /etc/simplesamlphp/metadata/saml20-sp-remote.php
<?php
$metadata['http://auth.example.com/saml/metadata'] = array (
    'entityid' => 'http://auth.example.com/saml/metadata',
    ...
);
?>
All is ready; you can now test the authentication from the LL::NG portal.