SimpleSAMLphp as SP

From Federacion (SSO)

Simplesamlphp

  • Install the prerequisites:
# apt-get install php5 php5-mcrypt php5-mhash php5-mysql openssl
  • Install SimpleSAMLphp:

Download information page: https://simplesamlphp.org/download

  • Download, extract, and create the symbolic link (the link must point at the extracted directory, not at the tarball):
# cd /var/www/html
# wget https://simplesamlphp.org/res/downloads/simplesamlphp-1.XX.X.tar.gz
# tar zxvf simplesamlphp-1.XX.X.tar.gz
# ln -s simplesamlphp-1.XX.X simplesamlphp
  • SimpleSAMLphp requires an SSL certificate in the cert directory.

We can create a self-signed one and copy it to that directory:

# mkdir /etc/ssl/certs/sp/
# cd /etc/ssl/certs/sp/
# openssl genrsa -out server.pem 2048
# openssl req -new -key server.pem -out server.csr
# openssl x509 -req -days 365 -in server.csr -signkey server.pem -out server.crt
# cp * /var/www/html/simplesamlphp/cert/
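The script below is an added example, not part of this page: it runs the same openssl steps non-interactively, keeps the private key readable only by its owner (the page's openssl commands leave it at the default umask), and checks that the certificate and the key actually belong together before they are copied into the cert directory. The output directory and the subject CN are assumed values passed as arguments; sp.example.org is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original page): the certificate step above,
# run non-interactively, plus a key/certificate consistency check.
# Assumed values: output directory ($1) and subject CN ($2, placeholder
# default sp.example.org).

# Create server.pem (private key, mode 0600), server.csr and a self-signed
# server.crt valid for 365 days in directory $1, for the CN given as $2.
make_sp_cert() {
    dir="$1"
    cn="$2"
    mkdir -p "$dir" || return 1
    # The private key must never be group/world readable: use umask 077 in a
    # subshell so the file is created restricted without changing our own umask.
    (umask 077 && openssl genrsa -out "$dir/server.pem" 2048 2>/dev/null) || return 1
    openssl req -new -key "$dir/server.pem" -subj "/CN=$cn" \
        -out "$dir/server.csr" 2>/dev/null || return 1
    openssl x509 -req -days 365 -in "$dir/server.csr" \
        -signkey "$dir/server.pem" -out "$dir/server.crt" 2>/dev/null || return 1
    chmod 644 "$dir/server.crt"
}

# Return 0 when the public key inside server.crt is the one derived from
# server.pem, 1 otherwise. A mismatched pair is a classic cause of SAML
# signature failures after certificates are rotated or copied around.
keypair_matches() {
    dir="$1"
    key_pub=$(openssl pkey -in "$dir/server.pem" -pubout 2>/dev/null) || return 1
    crt_pub=$(openssl x509 -in "$dir/server.crt" -pubkey -noout 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ]
}

# Usage: sh make-sp-cert.sh <output-dir> [cn]
# With no arguments the script only defines the two functions.
if [ $# -ge 1 ]; then
    make_sp_cert "$1" "${2:-sp.example.org}" && keypair_matches "$1" \
        && echo "key and certificate in $1 match; copy them to the SimpleSAMLphp cert directory"
fi
```

Only server.crt is safe to hand out (it is what ends up in the SP metadata); server.pem stays at mode 0600 and should be owned by the web server user after the chown step below.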
  • Edit the configuration file /var/www/html/simplesamlphp/config/config.php
 'auth.adminpassword' => 'secret',     # Set a new password for the admin web interface
 'enable.saml20-idp' => true,          # Enable ssp as IdP
 'secretsalt' => 'secret',             # Set a salt; the config file documents how to generate one
 'technicalcontact_name' => 'Admin name',          # Set admin data
 'technicalcontact_email' => 'xxxx@riu.edu.ar',
 'session.cookie.domain' => '.sp.riu.edu.ar',        # Set the global domain, to share the cookie with the rest of the components

Recommended values for production:

 'admin.protectindexpage'        => true,    # To protect the index page of simpleSAMLphp
 'debug'                 =>      FALSE,
 'showerrors'            =>      FALSE,      # To hide error-trace

Adjust the owner of the directories:

# chown -R apache:apache cert log data metadata
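The following script is an added example and not part of this page. It generates proper values for 'secretsalt' and 'auth.adminpassword' (the tr-on-/dev/urandom recipe that SimpleSAMLphp's own config.php comment documents for the salt, with head -c so the result is always 32 characters) and checks a config.php for the placeholder values shown above being left in place, and for debug/showerrors still enabled. The path of config.php is assumed to be passed as the first argument; the 16-character minimum for the two secrets is this example's own policy, not a SimpleSAMLphp requirement.

```shell
#!/bin/sh
# Added example (not from the original page): generate real secrets for
# config.php and check a config.php for the placeholder values used above.
# Assumption: the config file path is $1.

# Generate a 32-character lowercase alphanumeric secret from /dev/urandom
# (same character set as the recipe documented in config.php for secretsalt).
gen_secret() {
    tr -c -d '0123456789abcdefghijklmnopqrstuvwxyz' </dev/urandom | head -c 32
}

# Print the value of a single-quoted scalar option, e.g. cfg_value FILE secretsalt
cfg_value() {
    sed -n "s/^[[:space:]]*'$2'[[:space:]]*=>[[:space:]]*'\([^']*\)'.*/\1/p" "$1" | head -n 1
}

# Print the value of a boolean option (TRUE/true/FALSE/false), lowercased.
cfg_bool() {
    sed -n "s/^[[:space:]]*'$2'[[:space:]]*=>[[:space:]]*\([A-Za-z]*\).*/\1/p" "$1" \
        | head -n 1 | tr '[:upper:]' '[:lower:]'
}

# Exit status 0 when config.php is production-ready with respect to the
# options set above, 1 otherwise; every finding is printed on its own line.
check_config() {
    file="$1"
    rc=0
    # Both secrets must exist, must not be the placeholder, and (assumed
    # policy of this example) must be at least 16 characters long.
    for opt in auth.adminpassword secretsalt; do
        v=$(cfg_value "$file" "$opt")
        if [ -z "$v" ] || [ "$v" = "secret" ] || [ "${#v}" -lt 16 ]; then
            echo "$opt: missing, still 'secret', or shorter than 16 characters"
            rc=1
        fi
    done
    # debug and showerrors leak stack traces and internals to end users.
    for opt in debug showerrors; do
        if [ "$(cfg_bool "$file" "$opt")" = "true" ]; then
            echo "$opt: must be FALSE in production"
            rc=1
        fi
    done
    if [ "$(cfg_bool "$file" admin.protectindexpage)" != "true" ]; then
        echo "admin.protectindexpage: should be true so the index page requires the admin login"
        rc=1
    fi
    return $rc
}

# Usage: sh check-ssp-config.sh /var/www/html/simplesamlphp/config/config.php
if [ $# -ge 1 ]; then
    check_config "$1" && echo "$1: no placeholder values found"
    echo "example secretsalt: $(gen_secret)"
fi
```

Changing 'secretsalt' after users have logged in invalidates existing sessions and, for the IdP side, persistent NameIDs derived from it, so generate it once at install time and keep it stable afterwards.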
  • Edit the file where the identity providers are declared, /var/www/html/simplesamlphp/config/authsources.php:
 <?php
 $config = array(
 
        // This is an authentication source which handles admin authentication.
        'admin' => array(
                // The default is to use core:AdminPassword, but it can be replaced with
                // any authentication source.
 
                'core:AdminPassword',
        ),
 
        // An authentication source which can authenticate against both SAML 2.0
        // and Shibboleth 1.3 IdPs.
        'default-sp' => array(
                'saml:SP',
 
                // The entity ID of this SP.
                // Can be NULL/unset, in which case an entity ID is generated based on the metadata URL.
                'entityID' => NULL,
 
                // The entity ID of the IdP this SP should contact.
                // Can be NULL/unset, in which case the user will be shown a list of available IdPs.
 
 //              'idp' => NULL,
                'idp' => 'https://id.riu.edu.ar/saml2/idp/metadata.php', # Set the entityID of the IdP you are going to use
 
                // The URL to the discovery service.
                // Can be NULL/unset, in which case a builtin discovery service will be used.
                'discoURL' => NULL,
 
        ),
 );
  • Log in as administrator to the IdP site (in our case https://id.riu.edu.ar) to obtain the "SAML 2.0 IdP Metadata" in PHP format.

Paste its contents into the file /var/www/html/simplesamlphp/metadata/saml20-idp-remote.php

  • Add the following alias to the virtual host definition of the web server:
Alias /simplesaml /var/www/html/simplesamlphp/www