SAML Server: Difference between revisions
(25 intermediate revisions by the same user not shown) | |||
Line 1:
[[Category:Lab]]
= Installing SAML Server =
Source: [https://www.helloitsliam.com/2014/12/23/install-configure-and-test-simplesamlphp-for-authentication-testing/ helloitsliam.com],[https://support.citrix.com/article/CTX200271 support.citrix.com], [https://simplesamlphp.org/docs/stable/simplesamlphp-idp simplesamlphp.org], [https://www.citrix.com/blogs/2012/08/24/174193098/ citrix.com]
== Installation ==
*Prerequisites:
Line 19:
*Installing SimpleSAMLphp binaries:
cd /var
sudo wget https://github.com/simplesamlphp/simplesamlphp/releases/download/v1.14.12/simplesamlphp-1.14.12.tar.gz
OR
sudo
sudo
sudo tar zxf simplesamlphp-*.tar.gz
sudo mv simplesamlphp-* simplesamlphp
sudo rm -f simplesamlphp-*.tar.gz
cd simplesamlphp/
Modify the below files as per given parameters depending on your environment:
'auth.adminpassword' => 'test@123',
'secretsalt' => 'ewt9ty348ty34ty3goy3gy3g',
'technicalcontact_email' => 'test@testlab.com',
'timezone' => 'Asia/Kolkata',
'enable.saml20-idp' => true,
'enable.shib13-idp' => true,
'session.phpsession.cookiename' => null,
*; /var/simplesamlphp/config/authsources.php
'my-ldap' => array(
'hostname' => 'ad.testlab.com',
'enable_tls' => FALSE,
'timeout' => 10,
'dnpattern' => 'uid=%username%,cn=Users,dc=testlab,dc=com',
'search.enable' => TRUE,
'search.base' => 'cn=Users,dc=testlab,dc=com',
'search.attributes' => array('cn'),
'search.username' => 'test2',
'search.password' => 'Password@123',
'priv.read' => TRUE,
'priv.username' => 'test2',
'priv.password' => 'Password@123',
*; /var/simplesamlphp/metadata/saml20-idp-hosted.php
'privatekey' => '/etc/apache2/ssl/wildcard.testlab.com.pem',
'certificate' => '/etc/apache2/ssl/wildcard.testlab.com.cer',
'auth' => 'my-ldap',
Uncomment the below section:
'attributes.NameFormat' => 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri',
'authproc' => array(
// Convert LDAP names to oids.
100 => array('class' => 'core:AttributeMap', 'name2oid'),
),
Disable the message signing as the NetScaler does not understand this signature type
'saml20.sign.response' => FALSE,
'saml20.sign.assertion' => FALSE,
*; /var/simplesamlphp/metadata/saml20-sp-remote.php
Generate the metadata from the SP and paste in the end of this file:
<pre>
$metadata['testlab-AD-CA'] = array (
'entityid' => 'testlab-AD-CA',
'contacts' =>
array (
),
'metadata-set' => 'saml20-sp-remote',
'AssertionConsumerService' =>
array (
0 =>
array (
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
'Location' => 'https://samlvip.testlab.com/cgi/samlauth',
'index' => 255,
),
),
'SingleLogoutService' =>
array (
0 =>
array (
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
'Location' => 'https://samlvip.testlab.com/cgi/tmlogout',
),
),
'keys' =>
array (
0 =>
array (
'encryption' => true,
'signing' => true,
'type' => 'X509Certificate',
'X509Certificate' => '
MIIFNjCCBB6gAwIBAgITYwAAAAsiKKYDFRKTlwAAAAAACzANBgkqhkiG9w0BAQsF
ADBGMRMwEQYKCZImiZPyLGQBGRYDY29tMRcwFQYKCZImiZPyLGQBGRYHdGVzdGxh
YjEWMBQGA1UEAxMNdGVzdGxhYi1BRC1DQTAeFw0xNjEyMTAxNTQwMTlaFw0xODEy
MTAxNTQwMTlaMEoxCzAJBgNVBAYTAklOMRIwEAYDVQQIEwlLYXJuYXRha2ExDzAN
BgNVBAoTBkNpdHJpeDEWMBQGA1UEAxQNKi50ZXN0bGFiLmNvbTCCASIwDQYJKoZI
hvcNAQEBBQADggEPADCCAQoCggEBAKoEslU503/iN1oJtzklquElyRFeiLpa+jJU
qcM3fb8eZbSkL1EmNhDTSKr1Dr/dvr3U3YQP4gi7Z+NaYIK90umw12/SEoQ7FUTj
anK6Aj66XgAgF1mqO/XJxb0Ht4dVRhuyVjpMMpoeX2QxCB16xI/mePA9Eph4haZ1
p8ZjRlYuNT4zSHaV4F1RbzQXE+PyL9r0PImB4wtJ+Rvvm164kb3YgQvgAxr2N6+b
On0wTpStcGdZfilkrgTMvk8r1YtWBGcfjWkI4a9rY+i1Y7lc6U17fvUqwiCI6RMZ
/hOiQoAO4YoYE/6i9dg6Ls3+tuNX5ZLCAWhGgE9ra9SlWH9bH1kCAwEAAaOCAhcw
ggITMB0GA1UdDgQWBBRfs0siZp1uvlP+cFc53pbsM17gXDAfBgNVHSMEGDAWgBQd
EcLsEJ1BbQM6vQqW3ta6ve1fmzCBxgYDVR0fBIG+MIG7MIG4oIG1oIGyhoGvbGRh
cDovLy9DTj10ZXN0bGFiLUFELUNBLENOPWFkLENOPUNEUCxDTj1QdWJsaWMlMjBL
ZXklMjBTZXJ2aWNlcyxDTj1TZXJ2aWNlcyxDTj1Db25maWd1cmF0aW9uLERDPXRl
c3RsYWIsREM9Y29tP2NlcnRpZmljYXRlUmV2b2NhdGlvbkxpc3Q/YmFzZT9vYmpl
Y3RDbGFzcz1jUkxEaXN0cmlidXRpb25Qb2ludDCBvwYIKwYBBQUHAQEEgbIwga8w
gawGCCsGAQUFBzAChoGfbGRhcDovLy9DTj10ZXN0bGFiLUFELUNBLENOPUFJQSxD
Tj1QdWJsaWMlMjBLZXklMjBTZXJ2aWNlcyxDTj1TZXJ2aWNlcyxDTj1Db25maWd1
cmF0aW9uLERDPXRlc3RsYWIsREM9Y29tP2NBQ2VydGlmaWNhdGU/YmFzZT9vYmpl
Y3RDbGFzcz1jZXJ0aWZpY2F0aW9uQXV0aG9yaXR5MCEGCSsGAQQBgjcUAgQUHhIA
VwBlAGIAUwBlAHIAdgBlAHIwDgYDVR0PAQH/BAQDAgWgMBMGA1UdJQQMMAoGCCsG
AQUFBwMBMA0GCSqGSIb3DQEBCwUAA4IBAQCDuZPhbn1ZOTKDsUNtAkdtfuyW0Ms7
iPelPhH7mfp62Z+Naz9HkQIMWVARw0aoA7Yr42GBfATUD0Rf39BKcyNg6LSnYcyd
Q1NJ1UwcguxHP8t/UXdYorT0L765MBNhetSZr/aaCU7Nf2w4424nr3g2MAz+lOEW
fp4N96YZwjrDdv0uQKtUOvBY7ptKLeDOy6bsdFhZTN4H2Jb8rJSz8xmBzs8xbNGq
cLczDq9eChH8T0uboG58vrhMnwY3tnIMPELjO6LqbeOv7OdPxBtCbmSXG6CugzCk
7rYoP0r0zB6tw0SobgzjzAyOkoboOrEGjo780rgy6QLl4HQAmumwbWx8
',
),
),
);
</pre>
== Configuring Apache Server ==
Pointing Apache to SimpleSAMLphp by editing below file:
*; /etc/apache2/sites-available/000-default.conf
<pre>
<VirtualHost *:80>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
Alias /simplesaml /var/simplesamlphp/www/
<Directory /var/simplesamlphp/www/>
Require all granted
</Directory>
</VirtualHost>
</pre>
*Now check if application is accessible over HTTP:
http://<ip-address-of-server>/simplesamlphp
*Generate Certificates
cd /etc/apache2/
Line 48 ⟶ 189:
sudo openssl x509 -req -days 9999 -in Certificate.csr -signkey Certificate.key -out Certificate.crt
*Restart Apache
sudo a2enmod ssl
sudo service apache2 restart
*Point Apache to use these Certificates by editing below config file:
; /etc/apache2/sites-available/000-default.conf
<pre>
<VirtualHost *:443>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
SSLCertificateFile /etc/apache2/ssl/wildcard.testlab.com.cer
SSLCertificateKeyFile /etc/apache2/ssl/wildcard.testlab.com.pem
SSLEngine On
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
Alias /simplesaml /var/simplesamlphp/www/
<Directory /var/simplesamlphp/www/>
Require all granted
</Directory>
</VirtualHost>
</pre>
*Restart Apache
sudo a2ensite ssl
sudo a2enmod ssl
Line 61 ⟶ 225:
*Now the page should be available over https:
https://<ip-address-of-server>/simplesamlphp
|
Latest revision as of 09:36, 8 December 2018
Installing SAML Server
Source: helloitsliam.com,support.citrix.com, simplesamlphp.org, citrix.com
Installation
- Prerequisites:
Ubuntu Server - VM or Physical box Internet connectivity
- Update Ubuntu
sudo apt-get update sudo apt-get upgrade
- Install PHP, Apache2 & related libraries:
sudo apt-get install php7.0 apache2 php7.0-mcrypt php7.0-ldap php7.0-mysql libapache2-mod-php7.0 php-xml
- Installing SimpleSAMLphp binaries:
cd /var
sudo wget https://github.com/simplesamlphp/simplesamlphp/releases/download/v1.14.12/simplesamlphp-1.14.12.tar.gz
OR
sudo wget https://simplesamlphp.org/download?latest sudo mv download\?latest simplesamlphp.tar.gz
sudo tar zxf simplesamlphp-*.tar.gz sudo mv simplesamlphp-* simplesamlphp sudo rm -f simplesamlphp-*.tar.gz cd simplesamlphp/
Configuring SAML Server as IDP
Modify the below files as per given parameters depending on your environment:
- /var/simplesamlphp/config/config.php
'auth.adminpassword' => 'test@123', 'secretsalt' => 'ewt9ty348ty34ty3goy3gy3g', 'technicalcontact_email' => 'test@testlab.com', 'timezone' => 'Asia/Kolkata', 'enable.saml20-idp' => true, 'enable.shib13-idp' => true, 'session.phpsession.cookiename' => null,
- /var/simplesamlphp/config/authsources.php
'my-ldap' => array( 'hostname' => 'ad.testlab.com', 'enable_tls' => FALSE, 'timeout' => 10, 'dnpattern' => 'uid=%username%,cn=Users,dc=testlab,dc=com', 'search.enable' => TRUE, 'search.base' => 'cn=Users,dc=testlab,dc=com', 'search.attributes' => array('cn'), 'search.username' => 'test2', 'search.password' => 'Password@123', 'priv.read' => TRUE, 'priv.username' => 'test2', 'priv.password' => 'Password@123',
- /var/simplesamlphp/metadata/saml20-idp-hosted.php
'privatekey' => '/etc/apache2/ssl/wildcard.testlab.com.pem', 'certificate' => '/etc/apache2/ssl/wildcard.testlab.com.cer', 'auth' => 'my-ldap',
Uncomment the below section:
'attributes.NameFormat' => 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri', 'authproc' => array( // Convert LDAP names to oids. 100 => array('class' => 'core:AttributeMap', 'name2oid'), ),
Disable the message signing as the NetScaler does not understand this signature type
'saml20.sign.response' => FALSE, 'saml20.sign.assertion' => FALSE,
- /var/simplesamlphp/metadata/saml20-sp-remote.php
Generate the metadata from the SP and paste in the end of this file:
$metadata['testlab-AD-CA'] = array ( 'entityid' => 'testlab-AD-CA', 'contacts' => array ( ), 'metadata-set' => 'saml20-sp-remote', 'AssertionConsumerService' => array ( 0 => array ( 'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST', 'Location' => 'https://samlvip.testlab.com/cgi/samlauth', 'index' => 255, ), ), 'SingleLogoutService' => array ( 0 => array ( 'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST', 'Location' => 'https://samlvip.testlab.com/cgi/tmlogout', ), ), 'keys' => array ( 0 => array ( 'encryption' => true, 'signing' => true, 'type' => 'X509Certificate', 'X509Certificate' => ' MIIFNjCCBB6gAwIBAgITYwAAAAsiKKYDFRKTlwAAAAAACzANBgkqhkiG9w0BAQsF ADBGMRMwEQYKCZImiZPyLGQBGRYDY29tMRcwFQYKCZImiZPyLGQBGRYHdGVzdGxh YjEWMBQGA1UEAxMNdGVzdGxhYi1BRC1DQTAeFw0xNjEyMTAxNTQwMTlaFw0xODEy MTAxNTQwMTlaMEoxCzAJBgNVBAYTAklOMRIwEAYDVQQIEwlLYXJuYXRha2ExDzAN BgNVBAoTBkNpdHJpeDEWMBQGA1UEAxQNKi50ZXN0bGFiLmNvbTCCASIwDQYJKoZI hvcNAQEBBQADggEPADCCAQoCggEBAKoEslU503/iN1oJtzklquElyRFeiLpa+jJU qcM3fb8eZbSkL1EmNhDTSKr1Dr/dvr3U3YQP4gi7Z+NaYIK90umw12/SEoQ7FUTj anK6Aj66XgAgF1mqO/XJxb0Ht4dVRhuyVjpMMpoeX2QxCB16xI/mePA9Eph4haZ1 p8ZjRlYuNT4zSHaV4F1RbzQXE+PyL9r0PImB4wtJ+Rvvm164kb3YgQvgAxr2N6+b On0wTpStcGdZfilkrgTMvk8r1YtWBGcfjWkI4a9rY+i1Y7lc6U17fvUqwiCI6RMZ /hOiQoAO4YoYE/6i9dg6Ls3+tuNX5ZLCAWhGgE9ra9SlWH9bH1kCAwEAAaOCAhcw ggITMB0GA1UdDgQWBBRfs0siZp1uvlP+cFc53pbsM17gXDAfBgNVHSMEGDAWgBQd EcLsEJ1BbQM6vQqW3ta6ve1fmzCBxgYDVR0fBIG+MIG7MIG4oIG1oIGyhoGvbGRh cDovLy9DTj10ZXN0bGFiLUFELUNBLENOPWFkLENOPUNEUCxDTj1QdWJsaWMlMjBL ZXklMjBTZXJ2aWNlcyxDTj1TZXJ2aWNlcyxDTj1Db25maWd1cmF0aW9uLERDPXRl c3RsYWIsREM9Y29tP2NlcnRpZmljYXRlUmV2b2NhdGlvbkxpc3Q/YmFzZT9vYmpl Y3RDbGFzcz1jUkxEaXN0cmlidXRpb25Qb2ludDCBvwYIKwYBBQUHAQEEgbIwga8w gawGCCsGAQUFBzAChoGfbGRhcDovLy9DTj10ZXN0bGFiLUFELUNBLENOPUFJQSxD Tj1QdWJsaWMlMjBLZXklMjBTZXJ2aWNlcyxDTj1TZXJ2aWNlcyxDTj1Db25maWd1 cmF0aW9uLERDPXRlc3RsYWIsREM9Y29tP2NBQ2VydGlmaWNhdGU/YmFzZT9vYmpl Y3RDbGFzcz1jZXJ0aWZpY2F0aW9uQXV0aG9yaXR5MCEGCSsGAQQBgjcUAgQUHhIA VwBlAGIAUwBlAHIAdgBlAHIwDgYDVR0PAQH/BAQDAgWgMBMGA1UdJQQMMAoGCCsG AQUFBwMBMA0GCSqGSIb3DQEBCwUAA4IBAQCDuZPhbn1ZOTKDsUNtAkdtfuyW0Ms7 iPelPhH7mfp62Z+Naz9HkQIMWVARw0aoA7Yr42GBfATUD0Rf39BKcyNg6LSnYcyd Q1NJ1UwcguxHP8t/UXdYorT0L765MBNhetSZr/aaCU7Nf2w4424nr3g2MAz+lOEW fp4N96YZwjrDdv0uQKtUOvBY7ptKLeDOy6bsdFhZTN4H2Jb8rJSz8xmBzs8xbNGq cLczDq9eChH8T0uboG58vrhMnwY3tnIMPELjO6LqbeOv7OdPxBtCbmSXG6CugzCk 7rYoP0r0zB6tw0SobgzjzAyOkoboOrEGjo780rgy6QLl4HQAmumwbWx8 ', ), ), );
Configuring Apache Server
Pointing Apache to SimpleSAMLphp by editing below file:
- /etc/apache2/sites-available/000-default.conf
<VirtualHost *:80> ServerAdmin webmaster@localhost DocumentRoot /var/www/html ErrorLog ${APACHE_LOG_DIR}/error.log CustomLog ${APACHE_LOG_DIR}/access.log combined Alias /simplesaml /var/simplesamlphp/www/ <Directory /var/simplesamlphp/www/> Require all granted </Directory> </VirtualHost>
- Now check if application is accessible over HTTP:
http://<ip-address-of-server>/simplesamlphp
Enabling SSL Access
- Generate Certificates
cd /etc/apache2/ sudo mkdir ssl
sudo openssl genrsa -des3 -out Certificate.key 4096 sudo openssl rsa -in Certificate.key -out Certificate.pem sudo openssl req -new -key Certificate.key -out Certificate.csr sudo openssl x509 -req -days 9999 -in Certificate.csr -signkey Certificate.key -out Certificate.crt
- Restart Apache
sudo a2enmod ssl sudo service apache2 restart
- Point Apache to use these Certificates by editing below config file:
- /etc/apache2/sites-available/000-default.conf
<VirtualHost *:443> ServerAdmin webmaster@localhost DocumentRoot /var/www/html SSLCertificateFile /etc/apache2/ssl/wildcard.testlab.com.cer SSLCertificateKeyFile /etc/apache2/ssl/wildcard.testlab.com.pem SSLEngine On ErrorLog ${APACHE_LOG_DIR}/error.log CustomLog ${APACHE_LOG_DIR}/access.log combined Alias /simplesaml /var/simplesamlphp/www/ <Directory /var/simplesamlphp/www/> Require all granted </Directory> </VirtualHost>
- Restart Apache
sudo a2ensite ssl sudo a2enmod ssl sudo service apache2 restart
sudo phpenmod mcrypt sudo service apache2 restart
- Now the page should be available over https:
https://<ip-address-of-server>/simplesamlphp
- References
{{#widget:DISQUS
|id=networkm
|uniqid=SAML Server
|url=https://aman.awiki.org/wiki/SAML_Server
}}