SAML Server

= Installing SAML Server =

Source: helloitsliam.com, support.citrix.com, simplesamlphp.org, citrix.com

Installation

 * Prerequisites: Ubuntu Server (VM or physical box) with Internet connectivity
 * Update Ubuntu:

 sudo apt-get update
 sudo apt-get upgrade

 * Install PHP, Apache2 and related libraries:

 sudo apt-get install php7.0 apache2 php7.0-mcrypt php7.0-ldap php7.0-mysql libapache2-mod-php7.0 php-xml

 * Install the SimpleSAMLphp binaries:

 cd /var
 sudo wget https://github.com/simplesamlphp/simplesamlphp/releases/download/v1.14.12/simplesamlphp-1.14.12.tar.gz

OR

 sudo wget https://simplesamlphp.org/download?latest

 sudo tar zxf simplesamlphp-1.14.12.tar.gz
 sudo mv simplesamlphp-1.14.12 simplesamlphp
 sudo rm -f simplesamlphp-1.14.12.tar.gz
 cd simplesamlphp/

Configuring SAML Server as IDP
Modify the files below with the parameters given, adjusting the values to your environment:


 * /var/simplesamlphp/config/config.php

 'auth.adminpassword' => 'test@123',             // password for the SimpleSAMLphp admin pages; lab value
 'secretsalt' => 'ewt9ty348ty34ty3goy3gy3g',      // must be a long random string unique to this installation
 'technicalcontact_email' => 'test@testlab.com',
 'timezone' => 'Asia/Kolkata',
 'enable.saml20-idp' => true,
 'enable.shib13-idp' => true,
 'session.phpsession.cookiename' => null,


 * /var/simplesamlphp/config/authsources.php

 'my-ldap' => array(
     'ldap:LDAP',                       // authentication source type the keys below belong to
     'hostname' => 'ad.testlab.com',
     'enable_tls' => FALSE,             // FALSE: LDAP binds, including user passwords, cross the wire in clear text
     'timeout' => 10,
     'dnpattern' => 'uid=%username%,cn=Users,dc=testlab,dc=com',
     'search.enable' => TRUE,
     'search.base' => 'cn=Users,dc=testlab,dc=com',
     'search.attributes' => array('cn'),
     'search.username' => 'test2',
     'search.password' => 'Password@123',
     'priv.read' => TRUE,
     'priv.username' => 'test2',
     'priv.password' => 'Password@123',
 ),

With enable_tls set to FALSE the search/priv bind credentials and every authenticating user's password are sent to the domain controller unencrypted; outside a lab, enable TLS (or use LDAPS) on this connection.


 * /var/simplesamlphp/metadata/saml20-idp-hosted.php

 'privatekey' => '/etc/apache2/ssl/wildcard.testlab.com.pem',
 'certificate' => '/etc/apache2/ssl/wildcard.testlab.com.cer',
 'auth' => 'my-ldap',      // must match the authsource name defined in authsources.php

Uncomment the section below:

 'attributes.NameFormat' => 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri',
 'authproc' => array(
     // Convert LDAP names to OIDs.
     100 => array('class' => 'core:AttributeMap', 'name2oid'),
 ),

Disable message signing, as the NetScaler does not understand this signature type:

 'saml20.sign.response' => FALSE,
 'saml20.sign.assertion' => FALSE,

Note that with both options FALSE the IdP issues unsigned responses and assertions, so the SP cannot verify who issued them; the HTTPS connections to the IdP and to the SP's assertion consumer URL are then the only protection against tampering.


 * /var/simplesamlphp/metadata/saml20-sp-remote.php

Generate the metadata from the SP and paste it at the end of this file:

 $metadata['testlab-AD-CA'] = array(
     'entityid' => 'testlab-AD-CA',
     'contacts' => array(),
     'metadata-set' => 'saml20-sp-remote',
     'AssertionConsumerService' => array(
         0 => array(
             'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
             'Location' => 'https://samlvip.testlab.com/cgi/samlauth',
             'index' => 255,
         ),
     ),
     'SingleLogoutService' => array(
         0 => array(
             'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
             'Location' => 'https://samlvip.testlab.com/cgi/tmlogout',
         ),
     ),
     'keys' => array(
         0 => array(
             'encryption' => true,
             'signing' => true,
             'type' => 'X509Certificate',
             // base64 body of the SP's own certificate, copied from the SP metadata (blob omitted here)
             'X509Certificate' => '<SP-CERTIFICATE-BASE64>',
         ),
     ),
 );
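As an added example (not code from the original page or from the SimpleSAMLphp project), the following Python converts the SAML 2.0 metadata XML exported by the SP into the saml20-sp-remote.php entry shown above, and refuses any non-HTTPS endpoint because the assertions sent to it are unsigned. The sample metadata is constructed from this page's NetScaler endpoints with a dummy certificate; the function names are my own.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Constructed sample SP metadata: the NetScaler endpoints from this page plus a dummy certificate.
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="testlab-AD-CA">
 <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate> MIIC DUMMY
   CERT </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://samlvip.testlab.com/cgi/tmlogout"/>
  <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://samlvip.testlab.com/cgi/samlauth" index="255"/>
 </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def _endpoint(e):
    # One AssertionConsumerService / SingleLogoutService element -> SimpleSAMLphp endpoint array
    ep = {k: e.get(k) for k in ("Binding", "Location")}
    if e.get("index") is not None:
        ep["index"] = int(e.get("index"))
    if not ep["Location"].startswith("https://"):  # unsigned assertions rely on TLS to the SP alone
        raise ValueError("SP endpoint is not HTTPS: %s" % ep["Location"])
    return ep

def parse_sp_metadata(xml_text):
    # Build the dict SimpleSAMLphp expects for one saml20-sp-remote entry
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("metadata has no SPSSODescriptor")
    keys = []
    for kd in sp.findall("md:KeyDescriptor", NS):
        cert, use = kd.find(".//ds:X509Certificate", NS), kd.get("use")  # no 'use' means both purposes
        if cert is not None:
            keys.append({"encryption": use != "signing", "signing": use != "encryption",
                         "type": "X509Certificate", "X509Certificate": "".join(cert.text.split())})
    return {"entityid": root.get("entityID"), "contacts": [], "metadata-set": "saml20-sp-remote",
            "AssertionConsumerService": [_endpoint(e) for e in sp.findall("md:AssertionConsumerService", NS)],
            "SingleLogoutService": [_endpoint(e) for e in sp.findall("md:SingleLogoutService", NS)],
            "keys": keys}

def to_php(value, depth=0):
    # Render a Python value as PHP array() source in the style of the metadata files
    if isinstance(value, (bool, int)):
        return str(value).lower()  # true / false / number
    if isinstance(value, str):
        return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"
    items = enumerate(value) if isinstance(value, list) else value.items()
    body = ["  " * (depth + 1) + to_php(k) + " => " + to_php(v, depth + 1) + "," for k, v in items]
    return "array(" + ("\n" + "\n".join(body) + "\n" + "  " * depth if body else "") + ")"

def render_sp_remote_entry(xml_text):
    entry = parse_sp_metadata(xml_text)
    return "$metadata[" + to_php(entry["entityid"]) + "] = " + to_php(entry) + ";"
```

Run `print(render_sp_remote_entry(open("sp-metadata.xml").read()))` against the file exported from the SP and append the output to saml20-sp-remote.php.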

Configuring Apache Server
Point Apache at SimpleSAMLphp by editing the file below (the VirtualHost and Directory containers are shown in full; the Require directive must sit inside the Directory block):

 * /etc/apache2/sites-available/000-default.conf

 <VirtualHost *:80>
     ServerAdmin webmaster@localhost
     DocumentRoot /var/www/html

     ErrorLog ${APACHE_LOG_DIR}/error.log
     CustomLog ${APACHE_LOG_DIR}/access.log combined

     Alias /simplesaml /var/simplesamlphp/www/
     <Directory /var/simplesamlphp/www/>
         Require all granted
     </Directory>
 </VirtualHost>

 * Now check that the application is accessible over HTTP (the path must match the Alias configured above):

 http://<server>/simplesamlphp

Enabling SSL Access

 * Generate certificates:

 cd /etc/apache2/
 sudo mkdir ssl
 sudo openssl genrsa -des3 -out Certificate.key 4096
 sudo openssl rsa -in Certificate.key -out Certificate.pem
 sudo openssl req -new -key Certificate.key -out Certificate.csr
 sudo openssl x509 -req -days 9999 -in Certificate.csr -signkey Certificate.key -out Certificate.crt

 * Restart Apache:

 sudo a2enmod ssl
 sudo service apache2 restart


 * Point Apache at these certificates by editing the config file below. The openssl commands above write Certificate.pem (the passphrase-less key) and Certificate.crt into /etc/apache2, while the vhost below and saml20-idp-hosted.php reference /etc/apache2/ssl/wildcard.testlab.com.pem and .cer; use one matching key/certificate pair in all three places.
 * /etc/apache2/sites-available/000-default.conf

 <VirtualHost *:443>
     ServerAdmin webmaster@localhost
     DocumentRoot /var/www/html

     SSLCertificateFile     /etc/apache2/ssl/wildcard.testlab.com.cer
     SSLCertificateKeyFile  /etc/apache2/ssl/wildcard.testlab.com.pem
     SSLEngine On

     ErrorLog ${APACHE_LOG_DIR}/error.log
     CustomLog ${APACHE_LOG_DIR}/access.log combined

     Alias /simplesaml /var/simplesamlphp/www/
     <Directory /var/simplesamlphp/www/>
         Require all granted
     </Directory>
 </VirtualHost>

 * Restart Apache:

 sudo a2ensite ssl
 sudo a2enmod ssl
 sudo service apache2 restart

 sudo phpenmod mcrypt
 sudo service apache2 restart

 * Now the page should be available over HTTPS:

 https://<server>/simplesamlphp

