SimpleSAMLphp is an alternative SP implementation that can be used in place of Shibboleth SP - and can be particularly suitable on hosted servers without root access or the ability to install full software packages. This page documents the basic install of SimpleSAMLphp Service Provider and the configuration steps necessary to integrate the SP into Tuakiri.
Full SimpleSAMLphp documentation is available at http://simplesamlphp.org/
- A web server (Apache installed) with PHP (5.2.0+)
- To meet the PHP version requirement, the OS has to be CentOS/RHEL 6 (CentOS 5 has only PHP 5.1.x)
- The following PHP modules:
  - XML DOM (php-xml)
  - MCrypt (php-mcrypt)
  - Basic PDO database support (php-pdo) for storing sessions (at least SQLite3).
  - Optionally, also MySQL support (php-mysql)
- Configure SELinux: if your system has SELinux enabled, allow Apache to send email (otherwise, invocation of sendmail (postfix) from PHP breaks):
- Download SimpleSAMLphp from http://code.google.com/p/simplesamlphp/ (1.11.0 as of August 2013)
- Install into /var as instructed in the SimpleSAMLphp manual.
- In the web server space, SimpleSAMLphp will be accessible as
- Install into
- Alias this directory as
- Do some basic changes to
  - Set auth.adminpassword to a new password.
  - Set secretsalt to a new random string (can also generate with " ")
  - Set technical contact name and email address.
  - Optionally, set timezone to 'Pacific/Auckland' - or leave as NULL to rely on the OS setting.
- Configure a SQL session store to store sessions in a local database (even if just a sqlite3 file) instead of PHP sessions.
  - Edit config.php and set the following:
  - And give Apache write access to the "data" directory (this also means setting the SELinux context if SELinux is enabled on your system):
We will be using sp.example.org to refer to the hostname of your Service Provider - please substitute that with the actual hostname of your SP.
- Create a certificate (self-signed for 20 years)
- ... and enter all information requested ("." to skip) - the crucial part is your hostname.
- Make the private key readable only to the user SimpleSAMLphp runs as (
- Edit /opt/simplesamlphp/config/authsources.php and add references to the certificate to the default-sp definition:
Loading the federation metadata
- Enable and configure the
- Create a directory to cache the downloaded federation metadata (writable by Apache - this also means setting the SELinux context if SELinux is enabled on your system):
- Replace 'kalmar' with the federation name (
- Set the download URL - either for Tuakiri Production:
- Or Tuakiri-TEST:
- Set output directory and format (use
- Set expiry date to 7 days to match Tuakiri
- Set the 'validateFingerprint' to the fingerprint value of the metadata issuing certificate
- To calculate the fingerprint yourself:
- Download the metadata signing certificate (for Tuakiri-PROD and Tuakiri-TEST, they are linked from the instructions on registering an SP into Tuakiri)
- and get the fingerprint value with:
- Edit config/config.php and add an extra entry into 'metadata.sources':
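The config/config.php changes described above (administrator password, secret salt, technical contact, timezone, SQL session store in an SQLite file, and the extra 'metadata.sources' entry for the metarefresh output directory), as an added example that is not part of the original page. It assumes SimpleSAMLphp 1.11 installed in /opt/simplesamlphp; all values are placeholders to be replaced with your own.

```php
<?php
/*
 * Added example (not from the original page): config/config.php entries for a
 * SimpleSAMLphp 1.11 SP installed in /opt/simplesamlphp. Only the keys being
 * changed are shown; merge them into the $config array already in the file.
 * All values are placeholders.
 */
$config = array(
    // Administrator password for the SimpleSAMLphp web UI; never leave the
    // shipped default in place.
    'auth.adminpassword' => 'CHANGE-ME-admin-password',

    // Salt used in hashing; must be a long random string unique to this SP
    // (for example the output of: openssl rand -base64 32).
    'secretsalt' => 'CHANGE-ME-random-secret-salt',

    'technicalcontact_name'  => 'SP Administrator',
    'technicalcontact_email' => 'sp-admin@sp.example.org',

    // A PHP timezone name, or NULL to rely on the OS setting.
    'timezone' => 'Pacific/Auckland',

    // Keep sessions in a local SQL database instead of PHP sessions; an SQLite
    // file under the Apache-writable "data" directory is enough.
    'store.type'         => 'sql',
    'store.sql.dsn'      => 'sqlite:/opt/simplesamlphp/data/sessions.sqlite',
    'store.sql.username' => null,
    'store.sql.password' => null,
    'store.sql.prefix'   => 'SimpleSAMLphp',

    // Metadata sources: the local flatfile metadata plus the directory that
    // metarefresh writes the downloaded Tuakiri federation metadata into
    // (the directory name must match 'outputDir' in config-metarefresh.php).
    'metadata.sources' => array(
        array('type' => 'flatfile'),
        array('type' => 'flatfile', 'directory' => 'metadata/metarefresh-tuakiri/'),
    ),
);
```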
- Now go with your browser to your SimpleSAMLphp page: https://sp.example.org/simplesaml/
- and go to the Configuration page (log in with the Administrator password).
- and from there to "Cron module information page"
- Paste the cron job entry (invoking curl to localhost) into root's crontab - at least,
- (run "crontab -e" and paste the line into the editor)
- You can force the job to run immediately by opening the URL in your browser directly.
- Also, edit config/module_cron.php and, to avoid getting a confirmation email each time the cron job runs, set
  - 'debug_message' => FALSE, (to suppress the confirmation debug message)
  - 'sendemail' => FALSE, (to suppress all email messages from the cron module)
- However, either setting has the same effect in practice, as any error messages from metarefresh do not propagate to the cron module and are only visible in Apache error logs (
Configure the SP to use the Tuakiri Discovery Service
- or Tuakiri-TEST:
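The default-sp definition in /opt/simplesamlphp/config/authsources.php with the certificate references from the certificate section and the discovery-service setting from this section, as an added example that is not part of the original page. The discovery-service URL is a placeholder: use the Tuakiri Production or Tuakiri-TEST Discovery Service URL from the federation documentation.

```php
<?php
/*
 * Added example (not from the original page): config/authsources.php for a
 * SimpleSAMLphp 1.11 SP on sp.example.org. The discovery-service URL is a
 * placeholder to be replaced with the Tuakiri (or Tuakiri-TEST) one.
 */
$config = array(
    // Authentication source for the SimpleSAMLphp web UI, using
    // 'auth.adminpassword' from config.php.
    'admin' => array(
        'core:AdminPassword',
    ),

    'default-sp' => array(
        'saml:SP',

        // NULL derives the entity ID from the metadata URL, i.e.
        // https://sp.example.org/simplesaml/module.php/saml/sp/metadata.php/default-sp
        'entityID' => null,

        // No fixed IdP: the user chooses one through the federation
        // discovery service instead.
        'idp' => null,
        'discoURL' => 'https://DISCOVERY-SERVICE-URL-PLACEHOLDER/DS',

        // The self-signed key pair created with openssl; file names are
        // relative to the cert/ directory. saml.pem must be readable only by
        // the user SimpleSAMLphp (Apache) runs as.
        'privatekey'  => 'saml.pem',
        'certificate' => 'saml.crt',
    ),
);
```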
Configure Additional Tuakiri Attributes
From the list of attributes used within Tuakiri and the list of attributes supported by SimpleSAMLphp in the default configuration, the following need to be explicitly added:
- Create attributemap/tuakiri-attrs.php with the following contents (adding to what already exists in attributemap/oid2name.php):
- Edit config/config-metarefresh.php and add a reference to this file in the template for IdPs downloaded via metarefresh:
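The metarefresh configuration assembled from the "Loading the federation metadata" steps above (federation name replacing 'kalmar', download URL, output directory and format, 7-day expiry, 'validateFingerprint') together with the reference to attributemap/tuakiri-attrs.php in the IdP template, as an added example that is not part of the original page. The metadata URL and fingerprint are placeholders: take them from the Tuakiri SP registration instructions for Production or Tuakiri-TEST.

```php
<?php
/*
 * Added example (not from the original page): config/config-metarefresh.php
 * for a SimpleSAMLphp 1.11 SP in Tuakiri. The 'src' URL and the fingerprint
 * are placeholders.
 */
$config = array(
    'sets' => array(
        // Set name: 'tuakiri' replaces the 'kalmar' example shipped with the module.
        'tuakiri' => array(
            // Run by the cron module's "hourly" tag (the crontab entry pasted
            // from the Cron module information page).
            'cron' => array('hourly'),
            'sources' => array(
                array(
                    'src' => 'https://METADATA-URL-PLACEHOLDER/tuakiri-metadata.xml',
                    // Downloaded metadata is only accepted if its signature
                    // verifies against the metadata signing certificate with
                    // this fingerprint; an unsigned or re-signed file is rejected.
                    'validateFingerprint' => 'FINGERPRINT-PLACEHOLDER',
                    // Applied to every IdP entry written from this source.
                    'template' => array(
                        'tags' => array('tuakiri'),
                        'authproc' => array(
                            // Map OID attribute names to friendly names using the
                            // shipped oid2name map plus the Tuakiri additions in
                            // attributemap/tuakiri-attrs.php.
                            51 => array('class' => 'core:AttributeMap', 'oid2name', 'tuakiri-attrs'),
                        ),
                    ),
                ),
            ),
            // Cached metadata expires after 7 days, matching Tuakiri.
            'expireAfter' => 60 * 60 * 24 * 7,
            // Must be writable by Apache and listed under 'metadata.sources'
            // in config.php.
            'outputDir' => 'metadata/metarefresh-tuakiri/',
            'outputFormat' => 'flatfile',
        ),
    ),
);
```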
- To also configure friendly attribute names, add the following after the first line of
(eduPersonAssurance already has an entry there and does not need to be duplicated)
Clean up SP configuration
Remove (comment out) pre-configured IdPs and SPs:
- metadata/saml20-idp-remote.php - remove pre-configured
- metadata/saml20-sp-remote.php - remove pre-configured saml2sp.example.org and google.com
- metadata/shib13-sp-remote.php - remove pre-configured
Register into Federation Registry
In its initial setup, the Tuakiri Federation Registry only has pre-configured support for the Shibboleth SP implementation, not for SimpleSAMLphp. Without pre-configured support, all endpoint URLs have to be entered manually. There is an ongoing project to add SimpleSAMLphp support to the Federation Registry; until then, please use the Advanced Registration form as described in this section.
As a reference point, the metadata for your SP can be accessed at https://sp.example.org/simplesaml/module.php/saml/sp/metadata.php/default-sp?output=xhtml
For reference, please also see the attached image mapping SimpleSAMLphp metadata to Federation Registry form (credits: Bevan Rudge, University of Auckland).
Access the Federation Registry at the correct URL for the respective federation:
- Tuakiri (Production): https://registry.tuakiri.ac.nz/federationregistry/
- Tuakiri-TEST: https://registry.test.tuakiri.ac.nz/federationregistry/
- Start registering a new SP
- Enter your personal details
- Select your organization (Create an Organization first if not already listed)
- Enter the details about your SP (name, description, service URL)
- If SimpleSAMLphp is not listed as a supported implementation, select Advanced Registration and enter the following information (drawing from your SP metadata and using the mapping as in the image above), replacing sp.example.org with the hostname of your SP:
  - Entity Descriptor ID: https://sp.example.org/simplesaml/module.php/saml/sp/metadata.php/default-sp
  - Assertion Consuming Service (Post): https://sp.example.org/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp (Index: 0)
  - Assertion Consuming Service (Artifact): https://sp.example.org/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp (Index: 2)
  - Single Logout Redirect Endpoint: https://sp.example.org/simplesaml/module.php/saml/sp/saml2-logout.php/default-sp
  - Single Logout SOAP Endpoint: https://sp.example.org/simplesaml/module.php/saml/sp/saml2-logout.php/default-sp
  - Discovery Response: https://sp.example.org/simplesaml/module.php/saml/sp/discoresp.php
  - Leave other fields blank
- Certificate: paste in the contents of cert/saml.crt
- Attributes: select the attributes needed by your SP (and give a reason for requesting each of the attributes)
- Review the SP registration form and submit it for approval.
Test authentication by going to https://sp.example.org/simplesaml/module.php/core/authenticate.php?as=default-sp
- Initial documentation written by Bevan Rudge: https://wiki.auckland.ac.nz/display/nesiproj/Integrating+Tuakiri+with+SimpleSAMLphp
- SimpleSAMLphp installation manual: http://simplesamlphp.org/docs/1.11/simplesamlphp-install
- SimpleSAMLphp SP configuration manual: http://simplesamlphp.org/docs/1.11/simplesamlphp-sp
- SimpleSAMLphp documentation on integrating into a federation: http://simplesamlphp.org/docs/1.11/simplesamlphp-ukaccess
- SimpleSAMLphp metadata refresh documentation: http://simplesamlphp.org/docs/stable/simplesamlphp-automated_metadata