SAML Server
(Redirected from SAML)
Installing SAML Server
Source: helloitsliam.com,support.citrix.com, simplesamlphp.org, citrix.com
Installation
- Prerequisites:
Ubuntu Server - VM or Physical box Internet connectivity
- Update Ubuntu
sudo apt-get update sudo apt-get upgrade
- Install PHP, Apache2 & related libraries:
sudo apt-get install php7.0 apache2 php7.0-mcrypt php7.0-ldap php7.0-mysql libapache2-mod-php7.0 php-xml
- Installing SimpleSAMLphp binaries:
cd /var
sudo wget https://github.com/simplesamlphp/simplesamlphp/releases/download/v1.14.12/simplesamlphp-1.14.12.tar.gz
OR
sudo wget https://simplesamlphp.org/download?latest sudo mv download\?latest simplesamlphp.tar.gz
sudo tar zxf simplesamlphp-*.tar.gz sudo mv simplesamlphp-* simplesamlphp sudo rm -f simplesamlphp-*.tar.gz cd simplesamlphp/
Configuring SAML Server as IDP
Modify the below files as per given parameters depending on your environment:
- /var/simplesamlphp/config/config.php
'auth.adminpassword' => 'test@123', 'secretsalt' => 'ewt9ty348ty34ty3goy3gy3g', 'technicalcontact_email' => 'test@testlab.com', 'timezone' => 'Asia/Kolkata', 'enable.saml20-idp' => true, 'enable.shib13-idp' => true, 'session.phpsession.cookiename' => null,
- /var/simplesamlphp/config/authsources.php
'my-ldap' => array( 'hostname' => 'ad.testlab.com', 'enable_tls' => FALSE, 'timeout' => 10, 'dnpattern' => 'uid=%username%,cn=Users,dc=testlab,dc=com', 'search.enable' => TRUE, 'search.base' => 'cn=Users,dc=testlab,dc=com', 'search.attributes' => array('cn'), 'search.username' => 'test2', 'search.password' => 'Password@123', 'priv.read' => TRUE, 'priv.username' => 'test2', 'priv.password' => 'Password@123',
- /var/simplesamlphp/metadata/saml20-idp-hosted.php
'privatekey' => '/etc/apache2/ssl/wildcard.testlab.com.pem', 'certificate' => '/etc/apache2/ssl/wildcard.testlab.com.cer', 'auth' => 'my-ldap',
Uncomment the below section:
'attributes.NameFormat' => 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri', 'authproc' => array( // Convert LDAP names to oids. 100 => array('class' => 'core:AttributeMap', 'name2oid'), ),
Disable the message signing as the NetScaler does not understand this signature type
'saml20.sign.response' => FALSE, 'saml20.sign.assertion' => FALSE,
- /var/simplesamlphp/metadata/saml20-sp-remote.php
Generate the metadata from the SP and paste in the end of this file:
$metadata['testlab-AD-CA'] = array ( 'entityid' => 'testlab-AD-CA', 'contacts' => array ( ), 'metadata-set' => 'saml20-sp-remote', 'AssertionConsumerService' => array ( 0 => array ( 'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST', 'Location' => 'https://samlvip.testlab.com/cgi/samlauth', 'index' => 255, ), ), 'SingleLogoutService' => array ( 0 => array ( 'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST', 'Location' => 'https://samlvip.testlab.com/cgi/tmlogout', ), ), 'keys' => array ( 0 => array ( 'encryption' => true, 'signing' => true, 'type' => 'X509Certificate', 'X509Certificate' => ' MIIFNjCCBB6gAwIBAgITYwAAAAsiKKYDFRKTlwAAAAAACzANBgkqhkiG9w0BAQsF ADBGMRMwEQYKCZImiZPyLGQBGRYDY29tMRcwFQYKCZImiZPyLGQBGRYHdGVzdGxh YjEWMBQGA1UEAxMNdGVzdGxhYi1BRC1DQTAeFw0xNjEyMTAxNTQwMTlaFw0xODEy MTAxNTQwMTlaMEoxCzAJBgNVBAYTAklOMRIwEAYDVQQIEwlLYXJuYXRha2ExDzAN BgNVBAoTBkNpdHJpeDEWMBQGA1UEAxQNKi50ZXN0bGFiLmNvbTCCASIwDQYJKoZI hvcNAQEBBQADggEPADCCAQoCggEBAKoEslU503/iN1oJtzklquElyRFeiLpa+jJU qcM3fb8eZbSkL1EmNhDTSKr1Dr/dvr3U3YQP4gi7Z+NaYIK90umw12/SEoQ7FUTj anK6Aj66XgAgF1mqO/XJxb0Ht4dVRhuyVjpMMpoeX2QxCB16xI/mePA9Eph4haZ1 p8ZjRlYuNT4zSHaV4F1RbzQXE+PyL9r0PImB4wtJ+Rvvm164kb3YgQvgAxr2N6+b On0wTpStcGdZfilkrgTMvk8r1YtWBGcfjWkI4a9rY+i1Y7lc6U17fvUqwiCI6RMZ /hOiQoAO4YoYE/6i9dg6Ls3+tuNX5ZLCAWhGgE9ra9SlWH9bH1kCAwEAAaOCAhcw ggITMB0GA1UdDgQWBBRfs0siZp1uvlP+cFc53pbsM17gXDAfBgNVHSMEGDAWgBQd EcLsEJ1BbQM6vQqW3ta6ve1fmzCBxgYDVR0fBIG+MIG7MIG4oIG1oIGyhoGvbGRh cDovLy9DTj10ZXN0bGFiLUFELUNBLENOPWFkLENOPUNEUCxDTj1QdWJsaWMlMjBL ZXklMjBTZXJ2aWNlcyxDTj1TZXJ2aWNlcyxDTj1Db25maWd1cmF0aW9uLERDPXRl c3RsYWIsREM9Y29tP2NlcnRpZmljYXRlUmV2b2NhdGlvbkxpc3Q/YmFzZT9vYmpl Y3RDbGFzcz1jUkxEaXN0cmlidXRpb25Qb2ludDCBvwYIKwYBBQUHAQEEgbIwga8w gawGCCsGAQUFBzAChoGfbGRhcDovLy9DTj10ZXN0bGFiLUFELUNBLENOPUFJQSxD Tj1QdWJsaWMlMjBLZXklMjBTZXJ2aWNlcyxDTj1TZXJ2aWNlcyxDTj1Db25maWd1 cmF0aW9uLERDPXRlc3RsYWIsREM9Y29tP2NBQ2VydGlmaWNhdGU/YmFzZT9vYmpl Y3RDbGFzcz1jZXJ0aWZpY2F0aW9uQXV0aG9yaXR5MCEGCSsGAQQBgjcUAgQUHhIA VwBlAGIAUwBlAHIAdgBlAHIwDgYDVR0PAQH/BAQDAgWgMBMGA1UdJQQMMAoGCCsG AQUFBwMBMA0GCSqGSIb3DQEBCwUAA4IBAQCDuZPhbn1ZOTKDsUNtAkdtfuyW0Ms7 iPelPhH7mfp62Z+Naz9HkQIMWVARw0aoA7Yr42GBfATUD0Rf39BKcyNg6LSnYcyd Q1NJ1UwcguxHP8t/UXdYorT0L765MBNhetSZr/aaCU7Nf2w4424nr3g2MAz+lOEW fp4N96YZwjrDdv0uQKtUOvBY7ptKLeDOy6bsdFhZTN4H2Jb8rJSz8xmBzs8xbNGq cLczDq9eChH8T0uboG58vrhMnwY3tnIMPELjO6LqbeOv7OdPxBtCbmSXG6CugzCk 7rYoP0r0zB6tw0SobgzjzAyOkoboOrEGjo780rgy6QLl4HQAmumwbWx8 ', ), ), );
Configuring Apache Server
Pointing Apache to SimpleSAMLphp by editing below file:
- /etc/apache2/sites-available/000-default.conf
<VirtualHost *:80> ServerAdmin webmaster@localhost DocumentRoot /var/www/html ErrorLog ${APACHE_LOG_DIR}/error.log CustomLog ${APACHE_LOG_DIR}/access.log combined Alias /simplesaml /var/simplesamlphp/www/ <Directory /var/simplesamlphp/www/> Require all granted </Directory> </VirtualHost>
- Now check if application is accessible over HTTP:
http://<ip-address-of-server>/simplesamlphp
Enabling SSL Access
- Generate Certificates
cd /etc/apache2/ sudo mkdir ssl
sudo openssl genrsa -des3 -out Certificate.key 4096 sudo openssl rsa -in Certificate.key -out Certificate.pem sudo openssl req -new -key Certificate.key -out Certificate.csr sudo openssl x509 -req -days 9999 -in Certificate.csr -signkey Certificate.key -out Certificate.crt
- Restart Apache
sudo a2enmod ssl sudo service apache2 restart
- Point Apache to use these Certificates by editing below config file:
- /etc/apache2/sites-available/000-default.conf
<VirtualHost *:443> ServerAdmin webmaster@localhost DocumentRoot /var/www/html SSLCertificateFile /etc/apache2/ssl/wildcard.testlab.com.cer SSLCertificateKeyFile /etc/apache2/ssl/wildcard.testlab.com.pem SSLEngine On ErrorLog ${APACHE_LOG_DIR}/error.log CustomLog ${APACHE_LOG_DIR}/access.log combined Alias /simplesaml /var/simplesamlphp/www/ <Directory /var/simplesamlphp/www/> Require all granted </Directory> </VirtualHost>
- Restart Apache
sudo a2ensite ssl sudo a2enmod ssl sudo service apache2 restart
sudo phpenmod mcrypt sudo service apache2 restart
- Now the page should be available over https:
https://<ip-address-of-server>/simplesamlphp
- References
{{#widget:DISQUS
|id=networkm
|uniqid=SAML Server
|url=https://aman.awiki.org/wiki/SAML_Server
}}