
Configuring Authentication using SimpleSAMLphp

Irina Zaks edited this page Mar 7, 2023 · 15 revisions

Based on an article from the Stanford Open Source Lab

Overview

The following files are used in configuration:

  • authsources.php - shows the location of your certificates and the default IdP
  • saml20-idp-remote.php - contains metadata for your IdP provider
  • settings.php - defines the path to the simplesaml library ( $settings['simplesamlphp_dir'] = $_SERVER['HOME'] . '/code/private/simplesamlphp'; ) and the redirect to the primary custom domain
  • config.php - various configuration parameters

Setting SimpleSAMLphp library

Download SimpleSAMLphp from https://simplesamlphp.org/download. Unzip it into a directory and tell the server where the library is located. Here is an example provided by Pantheon of instructions for adding the library in the directory /private/simplesamlphp/www and setting a symlink.

Server SSL certificate and https connection

Make sure the web server has a valid SSL certificate and is set up for https.

Setting your SSL certificate: cd into the SimpleSAMLphp cert directory (on your local computer) and create a self-signed certificate:

   openssl req -newkey rsa:2048 -new -x509 -days 3652 -nodes -out saml.crt -keyout saml.pem

cd into the SimpleSAMLphp/config directory and edit authsources.php. In the "default-sp" section, change

   'idp' => null,

to:

   'idp' => 'https://idp.someurl.edu/',

and add the following:

   'privatekey' => 'saml.pem',
   'certificate' => 'saml.crt',
   'authproc' => array(
     20 => 'saml:NameIDAttribute',
   ),

more coming soon

Setting remote IDP sources

cd into the SimpleSAMLphp metadata directory and edit saml20-idp-remote.php, adding the following to the bottom of the file (the array key is the entity ID of your IdP, the same value used for 'idp' in authsources.php):

 $metadata['https://idp.someurl.edu/'] = array(
   'name' => array(
     'en' => 'Your University AuthService',
   ),
   'description'         => 'Your University AuthService',
   'SingleSignOnService' => 'https://login.someurl.edu/idp/SSO',
   'certFingerprint'     => 'add value here',
 );

Depending on the SimpleSAMLphp version, the config may use certData instead of certFingerprint.
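As an added helper that is not part of this page or the module, the following Python script produces both values from the IdP's PEM certificate: it strips the PEM armour to get certData, derives the legacy certFingerprint (SHA-1 of the DER bytes) from it, checks a fingerprint the IdP operator sent you against the certificate you actually hold, and renders the saml20-idp-remote.php entry. The entity ID, SSO URL and name are the placeholders from this page; the certificate is a constructed stand-in, not a real X.509 certificate.

```python
import base64
import hashlib
import re

# Constructed stand-in so the script runs offline: base64 of a placeholder string, not real DER.
FAKE_DER = b"constructed placeholder, not a real X.509 certificate"
SAMPLE_IDP_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + "\n".join(re.findall(".{1,64}", base64.b64encode(FAKE_DER).decode()))
    + "\n-----END CERTIFICATE-----\n"
)

def pem_to_certdata(pem: str) -> str:
    """Strip the PEM armour and all whitespace: the value 'certData' expects."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found in input")
    return re.sub(r"\s+", "", m.group(1))

def certdata_to_fingerprint(certdata: str) -> str:
    """SHA-1 over the DER bytes as lower-case hex: the legacy 'certFingerprint' value."""
    der = base64.b64decode(certdata, validate=True)
    return hashlib.sha1(der).hexdigest()

def fingerprint_matches(certdata: str, given: str) -> bool:
    """Compare a fingerprint you were sent (any case, with or without colons) to the cert you hold."""
    normalised = re.sub(r"[^0-9a-f]", "", given.lower())
    return normalised == certdata_to_fingerprint(certdata)

def php_quote(value: str) -> str:
    """Quote a value as a single-quoted PHP string literal (escapes backslash and quote)."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"

def idp_remote_entry(entity_id: str, sso_url: str, name: str, certdata: str) -> str:
    """Render a saml20-idp-remote.php entry that uses certData instead of certFingerprint."""
    return (
        f"$metadata[{php_quote(entity_id)}] = array(\n"
        f"    'name'                => array('en' => {php_quote(name)}),\n"
        f"    'description'         => {php_quote(name)},\n"
        f"    'SingleSignOnService' => {php_quote(sso_url)},\n"
        f"    'certData'            => {php_quote(certdata)},\n"
        ");\n"
    )

if __name__ == "__main__":
    data = pem_to_certdata(SAMPLE_IDP_PEM)
    print("certFingerprint:", certdata_to_fingerprint(data))
    print(idp_remote_entry("https://idp.someurl.edu/",
                           "https://login.someurl.edu/idp/SSO", "Your University AuthService", data))
```

Feed it the real IdP certificate (for example the one published in the IdP's metadata) in place of SAMPLE_IDP_PEM, and paste the rendered entry into saml20-idp-remote.php.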

Set your config.php

Stay in the config directory and edit config.php.

  • Make sure the following config options are set:

    'baseurlpath' => 'https://<YOUR WEB SERVER HOSTNAME>.someurl.edu/simplesaml/',
    'certdir' => '/<YOUR SIMPLESAMLPHP LOCATION>/simplesamlphp/cert/',
    'metadatadir' => '/<YOUR SIMPLESAMLPHP LOCATION>/simplesamlphp/metadata/',
    'attributenamemapdir' => '/<YOUR SIMPLESAMLPHP LOCATION>/simplesamlphp/attributemap/',
    'loggingdir' => '/<YOUR SIMPLESAMLPHP LOCATION>/simplesamlphp/log/',
    'datadir' => '/<YOUR SIMPLESAMLPHP LOCATION>/simplesamlphp/data/',

  • Change auth.adminpassword to something better than "123"

  • Change secretsalt to something other than the default by following the instructions in config.php

  • Change technicalcontact_name and technicalcontact_email to your name and email address - this is the address where email will be sent from the “email administrator” box available on the error page.

  • Change timezone to 'America/Los_Angeles'

  • Change "enable.saml20-idp" to true. Replace the "authproc.sp" section with the following:

    'authproc.sp' => array(
        10 => array(
            'class' => 'core:AttributeMap', 'removeurnprefix',
            'oid2name',
        ),
        20 => array(
            'class' => 'authorize:Authorize',
            // use a regular expression to define which workgroup members can log in
            // this example lets in anyone from stemname:web-group1 or stemname:web-group2
            'eduPersonEntitlement' => array(
                '/stemname:(web-group2|web-group1)/',
            ),
        ),
        // Adopts language from attribute to use in UI
        90 => 'core:LanguageAdaptor',
    ),

It is recommended that you do not use "store.type" => "phpsession".

If PHP on your server includes memcache, change "store.type" => "memcache" and (other memcache configuration TBD).

Otherwise, change "store.type" => "sql", and set store.sql.dsn, store.sql.username, and store.sql.password to access your Drupal database.

Test the SimpleSAMLphp library and get metadata

  • Go to your website at https://<YOUR WEB SERVER HOSTNAME>.someurl.edu/simplesaml/ and click the Configuration tab.
  • Go to the configuration tab and run the "sanity check" to see if you are still sane.
  • Go to the Federation tab and click "SAML 2.0 SP Metadata" for "default-sp"
  • Copy the metadata to your clipboard
  • Submit metadata to your SP (service provider)

Last step - Configure your module

  • Enable the module
  • Configure options at /admin/config/people/simplesamlphp_auth
  • Enter the location of the simplesamlphp directory. If you are working on Pantheon, this will be defined in the settings.php file.
  • Check other options as required for your site
  • Place blocks with "simpleSAMLphp authentication" in the region of a layout to provide a login link to users