SAML Server
Latest revision as of 09:36, 8 December 2018

= Installing SAML Server =

Source: [https://www.helloitsliam.com/2014/12/23/install-configure-and-test-simplesamlphp-for-authentication-testing/ helloitsliam.com], [https://support.citrix.com/article/CTX200271 support.citrix.com], [https://simplesamlphp.org/docs/stable/simplesamlphp-idp simplesamlphp.org], [https://www.citrix.com/blogs/2012/08/24/174193098/ citrix.com]

== Installation ==

*Prerequisites:
**Ubuntu Server (VM or physical box)
**Internet connectivity

*Update Ubuntu:

<pre>
sudo apt-get update
sudo apt-get upgrade
</pre>

*Install PHP, Apache2 & related libraries:

<pre>
sudo apt-get install php7.0 apache2 php7.0-mcrypt php7.0-ldap php7.0-mysql libapache2-mod-php7.0 php-xml
</pre>

*Installing SimpleSAMLphp binaries (either the pinned 1.14.12 release from GitHub or the latest tarball from simplesamlphp.org):

<pre>
cd /var
sudo wget https://github.com/simplesamlphp/simplesamlphp/releases/download/v1.14.12/simplesamlphp-1.14.12.tar.gz
</pre>

OR

<pre>
cd /var
sudo wget https://simplesamlphp.org/download?latest
sudo mv download\?latest simplesamlphp.tar.gz
</pre>

Then unpack the tarball and move the extracted directory to /var/simplesamlphp. The tarball is deleted before the rename so that the simplesamlphp-* glob matches only the extracted directory:

<pre>
sudo tar zxf simplesamlphp*.tar.gz
sudo rm -f simplesamlphp*.tar.gz
sudo mv simplesamlphp-* simplesamlphp
cd simplesamlphp/
</pre>
== Configuring SAML Server as IDP ==

Modify the below files as per given parameters depending on your environment:

<pre>
sudo nano /var/simplesamlphp/config/config.php
sudo nano /var/simplesamlphp/config/authsources.php
sudo nano /var/simplesamlphp/metadata/saml20-idp-hosted.php
</pre>

*; /var/simplesamlphp/config/config.php

<pre>
'auth.adminpassword' => 'test@123',
'secretsalt' => 'ewt9ty348ty34ty3goy3gy3g',
'technicalcontact_email' => 'test@testlab.com',
'timezone' => 'Asia/Kolkata',
'enable.saml20-idp' => true,
'enable.shib13-idp' => true,
'session.phpsession.cookiename' => null,
</pre>

The admin password gates the /simplesaml admin pages and the secret salt feeds SimpleSAMLphp's derived identifiers and cookies; both values above are lab placeholders and should be replaced with fresh random strings on any instance reachable beyond the lab.

*; /var/simplesamlphp/config/authsources.php

<pre>
'my-ldap' => array(
    'ldap:LDAP',   // authentication source type; keep this first entry from the template
    'hostname' => 'ad.testlab.com',
    'enable_tls' => FALSE,
    'timeout' => 10,
    'dnpattern' => 'uid=%username%,cn=Users,dc=testlab,dc=com',
    'search.enable' => TRUE,
    'search.base' => 'cn=Users,dc=testlab,dc=com',
    'search.attributes' => array('cn'),
    'search.username' => 'test2',
    'search.password' => 'Password@123',
    'priv.read' => TRUE,
    'priv.username' => 'test2',
    'priv.password' => 'Password@123',
),
</pre>

With 'enable_tls' => FALSE the bind credentials above go to ad.testlab.com in cleartext over plain LDAP, which is acceptable only on an isolated lab network.

*; /var/simplesamlphp/metadata/saml20-idp-hosted.php

<pre>
'privatekey' => '/etc/apache2/ssl/wildcard.testlab.com.pem',
'certificate' => '/etc/apache2/ssl/wildcard.testlab.com.cer',
'auth' => 'my-ldap',
</pre>

Uncomment the below section:

<pre>
'attributes.NameFormat' => 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri',
'authproc' => array(
    // Convert LDAP names to oids.
    100 => array('class' => 'core:AttributeMap', 'name2oid'),
),
</pre>

Disable the message signing, as the NetScaler does not understand this signature type:

<pre>
'saml20.sign.response' => FALSE,
'saml20.sign.assertion' => FALSE,
</pre>

With both flags off the IdP emits responses and assertions without any XML signature, so the SP has nothing with which to verify who issued them; this is a lab-only trade-off, and the SP's own signature validation has to be relaxed to match or the login fails.
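With signing switched off as above, the first thing to confirm on the SP side is what the IdP is really sending. The script below is an added example (not code from this wiki page, SimpleSAMLphp or NetScaler): it decodes a captured SAMLResponse form value (HTTP-POST binding, the binding the SP metadata below declares for its ACS) and reports whether the samlp:Response and the saml:Assertion carry a ds:Signature, together with the Issuer and Destination so they can be matched against the IdP entity ID and the ACS Location. The sample responses are constructed inside the block; the IdP entity ID https://idp.testlab.com/simplesaml/saml2/idp/metadata.php is an assumed lab value, and the placeholder ds:Signature is only a marker, not a real signature.

```python
"""Report which parts of a captured SAMLResponse carry an XML signature."""
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def signature_report(saml_response_b64):
    """Decode a SAMLResponse form value (HTTP-POST binding) and locate signatures.

    Returns whether the samlp:Response and the saml:Assertion each have a
    ds:Signature child, plus the Issuer and Destination for cross-checking
    against the IdP entity ID and the SP's AssertionConsumerService Location.
    """
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response element: %s" % root.tag)
    assertion = root.find("saml:Assertion", NS)
    return {
        "issuer": root.findtext("saml:Issuer", default="", namespaces=NS).strip(),
        "destination": root.get("Destination", ""),
        "response_signed": root.find("ds:Signature", NS) is not None,
        "assertion_signed": assertion is not None
        and assertion.find("ds:Signature", NS) is not None,
        "assertion_encrypted": root.find("saml:EncryptedAssertion", NS) is not None,
    }


def matches_idp_hosted(report, sign_response, sign_assertion):
    """True if the observed signatures match the saml20-idp-hosted.php flags."""
    return (report["response_signed"] == sign_response
            and report["assertion_signed"] == sign_assertion)


def sample_response(signed_assertion=False):
    """Constructed SAMLResponse (not a real capture) in the HTTP-POST form encoding.

    Destination is the ACS Location from the SP metadata on the page; the IdP
    entity ID is an assumed lab URL. With signed_assertion=True a placeholder
    ds:Signature is put inside the Assertion, where an IdP running with
    'saml20.sign.assertion' => TRUE would place the real one.
    """
    issuer = "https://idp.testlab.com/simplesaml/saml2/idp/metadata.php"  # assumed
    signature = (
        '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
        '<ds:SignedInfo/><ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue>'
        '</ds:Signature>'
    ) if signed_assertion else ""
    parts = [
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"',
        ' xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"',
        ' IssueInstant="2018-12-08T09:36:00Z"',
        ' Destination="https://samlvip.testlab.com/cgi/samlauth">',
        '<saml:Issuer>%s</saml:Issuer>' % issuer,
        '<samlp:Status><samlp:StatusCode',
        ' Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>',
        '<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2018-12-08T09:36:00Z">',
        '<saml:Issuer>%s</saml:Issuer>' % issuer,
        signature,
        '<saml:Subject><saml:NameID>test2</saml:NameID></saml:Subject>',
        '</saml:Assertion></samlp:Response>',
    ]
    return base64.b64encode("".join(parts).encode("utf-8")).decode("ascii")


if __name__ == "__main__":
    # The unsigned case is what the idp-hosted settings above produce.
    for signed in (False, True):
        print(signature_report(sample_response(signed)))
```

To use it on a real capture, paste the SAMLResponse value from the browser's POST to /cgi/samlauth into signature_report(); a report with both flags False and no EncryptedAssertion means the SP is accepting the assertion purely on transport trust.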
*; /var/simplesamlphp/metadata/saml20-sp-remote.php

Generate the metadata from the SP and paste in the end of this file:

<pre>
$metadata['testlab-AD-CA'] = array (
  'entityid' => 'testlab-AD-CA',
  'contacts' =>
  array (
  ),
  'metadata-set' => 'saml20-sp-remote',
  'AssertionConsumerService' =>
  array (
    0 =>
    array (
      'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
      'Location' => 'https://samlvip.testlab.com/cgi/samlauth',
      'index' => 255,
    ),
  ),
  'SingleLogoutService' =>
  array (
    0 =>
    array (
      'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
      'Location' => 'https://samlvip.testlab.com/cgi/tmlogout',
    ),
  ),
  'keys' =>
  array (
    0 =>
    array (
      'encryption' => true,
      'signing' => true,
      'type' => 'X509Certificate',
      'X509Certificate' => '
MIIFNjCCBB6gAwIBAgITYwAAAAsiKKYDFRKTlwAAAAAACzANBgkqhkiG9w0BAQsF
ADBGMRMwEQYKCZImiZPyLGQBGRYDY29tMRcwFQYKCZImiZPyLGQBGRYHdGVzdGxh
YjEWMBQGA1UEAxMNdGVzdGxhYi1BRC1DQTAeFw0xNjEyMTAxNTQwMTlaFw0xODEy
MTAxNTQwMTlaMEoxCzAJBgNVBAYTAklOMRIwEAYDVQQIEwlLYXJuYXRha2ExDzAN
BgNVBAoTBkNpdHJpeDEWMBQGA1UEAxQNKi50ZXN0bGFiLmNvbTCCASIwDQYJKoZI
hvcNAQEBBQADggEPADCCAQoCggEBAKoEslU503/iN1oJtzklquElyRFeiLpa+jJU
qcM3fb8eZbSkL1EmNhDTSKr1Dr/dvr3U3YQP4gi7Z+NaYIK90umw12/SEoQ7FUTj
anK6Aj66XgAgF1mqO/XJxb0Ht4dVRhuyVjpMMpoeX2QxCB16xI/mePA9Eph4haZ1
p8ZjRlYuNT4zSHaV4F1RbzQXE+PyL9r0PImB4wtJ+Rvvm164kb3YgQvgAxr2N6+b
On0wTpStcGdZfilkrgTMvk8r1YtWBGcfjWkI4a9rY+i1Y7lc6U17fvUqwiCI6RMZ
/hOiQoAO4YoYE/6i9dg6Ls3+tuNX5ZLCAWhGgE9ra9SlWH9bH1kCAwEAAaOCAhcw
ggITMB0GA1UdDgQWBBRfs0siZp1uvlP+cFc53pbsM17gXDAfBgNVHSMEGDAWgBQd
EcLsEJ1BbQM6vQqW3ta6ve1fmzCBxgYDVR0fBIG+MIG7MIG4oIG1oIGyhoGvbGRh
cDovLy9DTj10ZXN0bGFiLUFELUNBLENOPWFkLENOPUNEUCxDTj1QdWJsaWMlMjBL
ZXklMjBTZXJ2aWNlcyxDTj1TZXJ2aWNlcyxDTj1Db25maWd1cmF0aW9uLERDPXRl
c3RsYWIsREM9Y29tP2NlcnRpZmljYXRlUmV2b2NhdGlvbkxpc3Q/YmFzZT9vYmpl
Y3RDbGFzcz1jUkxEaXN0cmlidXRpb25Qb2ludDCBvwYIKwYBBQUHAQEEgbIwga8w
gawGCCsGAQUFBzAChoGfbGRhcDovLy9DTj10ZXN0bGFiLUFELUNBLENOPUFJQSxD
Tj1QdWJsaWMlMjBLZXklMjBTZXJ2aWNlcyxDTj1TZXJ2aWNlcyxDTj1Db25maWd1
cmF0aW9uLERDPXRlc3RsYWIsREM9Y29tP2NBQ2VydGlmaWNhdGU/YmFzZT9vYmpl
Y3RDbGFzcz1jZXJ0aWZpY2F0aW9uQXV0aG9yaXR5MCEGCSsGAQQBgjcUAgQUHhIA
VwBlAGIAUwBlAHIAdgBlAHIwDgYDVR0PAQH/BAQDAgWgMBMGA1UdJQQMMAoGCCsG
AQUFBwMBMA0GCSqGSIb3DQEBCwUAA4IBAQCDuZPhbn1ZOTKDsUNtAkdtfuyW0Ms7
iPelPhH7mfp62Z+Naz9HkQIMWVARw0aoA7Yr42GBfATUD0Rf39BKcyNg6LSnYcyd
Q1NJ1UwcguxHP8t/UXdYorT0L765MBNhetSZr/aaCU7Nf2w4424nr3g2MAz+lOEW
fp4N96YZwjrDdv0uQKtUOvBY7ptKLeDOy6bsdFhZTN4H2Jb8rJSz8xmBzs8xbNGq
cLczDq9eChH8T0uboG58vrhMnwY3tnIMPELjO6LqbeOv7OdPxBtCbmSXG6CugzCk
7rYoP0r0zB6tw0SobgzjzAyOkoboOrEGjo780rgy6QLl4HQAmumwbWx8
',
    ),
  ),
);
</pre>
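The certificate pasted into that 'keys' entry is what the IdP uses to validate anything the SP signs and to encrypt assertions for it, so its validity window is worth checking before chasing other causes of a failed login. The following is an added example, not code from this wiki page or from SimpleSAMLphp: a stdlib-only DER walker that reads the issuer CN, subject CN and notBefore/notAfter out of the certificate block above (copied verbatim from the page) and says whether the certificate is valid on a given date. Run against the page's own certificate it reports a notAfter of 10 December 2018, two days after this revision, which is exactly the kind of silent expiry that turns into an unexplained SAML failure.

```python
"""Read the validity window and names out of the SP certificate pasted above."""
import base64
from datetime import datetime, timezone

# X509Certificate value from the saml20-sp-remote.php entry on the page;
# the line breaks are stripped before decoding.
SP_CERT_B64 = """
MIIFNjCCBB6gAwIBAgITYwAAAAsiKKYDFRKTlwAAAAAACzANBgkqhkiG9w0BAQsF
ADBGMRMwEQYKCZImiZPyLGQBGRYDY29tMRcwFQYKCZImiZPyLGQBGRYHdGVzdGxh
YjEWMBQGA1UEAxMNdGVzdGxhYi1BRC1DQTAeFw0xNjEyMTAxNTQwMTlaFw0xODEy
MTAxNTQwMTlaMEoxCzAJBgNVBAYTAklOMRIwEAYDVQQIEwlLYXJuYXRha2ExDzAN
BgNVBAoTBkNpdHJpeDEWMBQGA1UEAxQNKi50ZXN0bGFiLmNvbTCCASIwDQYJKoZI
hvcNAQEBBQADggEPADCCAQoCggEBAKoEslU503/iN1oJtzklquElyRFeiLpa+jJU
qcM3fb8eZbSkL1EmNhDTSKr1Dr/dvr3U3YQP4gi7Z+NaYIK90umw12/SEoQ7FUTj
anK6Aj66XgAgF1mqO/XJxb0Ht4dVRhuyVjpMMpoeX2QxCB16xI/mePA9Eph4haZ1
p8ZjRlYuNT4zSHaV4F1RbzQXE+PyL9r0PImB4wtJ+Rvvm164kb3YgQvgAxr2N6+b
On0wTpStcGdZfilkrgTMvk8r1YtWBGcfjWkI4a9rY+i1Y7lc6U17fvUqwiCI6RMZ
/hOiQoAO4YoYE/6i9dg6Ls3+tuNX5ZLCAWhGgE9ra9SlWH9bH1kCAwEAAaOCAhcw
ggITMB0GA1UdDgQWBBRfs0siZp1uvlP+cFc53pbsM17gXDAfBgNVHSMEGDAWgBQd
EcLsEJ1BbQM6vQqW3ta6ve1fmzCBxgYDVR0fBIG+MIG7MIG4oIG1oIGyhoGvbGRh
cDovLy9DTj10ZXN0bGFiLUFELUNBLENOPWFkLENOPUNEUCxDTj1QdWJsaWMlMjBL
ZXklMjBTZXJ2aWNlcyxDTj1TZXJ2aWNlcyxDTj1Db25maWd1cmF0aW9uLERDPXRl
c3RsYWIsREM9Y29tP2NlcnRpZmljYXRlUmV2b2NhdGlvbkxpc3Q/YmFzZT9vYmpl
Y3RDbGFzcz1jUkxEaXN0cmlidXRpb25Qb2ludDCBvwYIKwYBBQUHAQEEgbIwga8w
gawGCCsGAQUFBzAChoGfbGRhcDovLy9DTj10ZXN0bGFiLUFELUNBLENOPUFJQSxD
Tj1QdWJsaWMlMjBLZXklMjBTZXJ2aWNlcyxDTj1TZXJ2aWNlcyxDTj1Db25maWd1
cmF0aW9uLERDPXRlc3RsYWIsREM9Y29tP2NBQ2VydGlmaWNhdGU/YmFzZT9vYmpl
Y3RDbGFzcz1jZXJ0aWZpY2F0aW9uQXV0aG9yaXR5MCEGCSsGAQQBgjcUAgQUHhIA
VwBlAGIAUwBlAHIAdgBlAHIwDgYDVR0PAQH/BAQDAgWgMBMGA1UdJQQMMAoGCCsG
AQUFBwMBMA0GCSqGSIb3DQEBCwUAA4IBAQCDuZPhbn1ZOTKDsUNtAkdtfuyW0Ms7
iPelPhH7mfp62Z+Naz9HkQIMWVARw0aoA7Yr42GBfATUD0Rf39BKcyNg6LSnYcyd
Q1NJ1UwcguxHP8t/UXdYorT0L765MBNhetSZr/aaCU7Nf2w4424nr3g2MAz+lOEW
fp4N96YZwjrDdv0uQKtUOvBY7ptKLeDOy6bsdFhZTN4H2Jb8rJSz8xmBzs8xbNGq
cLczDq9eChH8T0uboG58vrhMnwY3tnIMPELjO6LqbeOv7OdPxBtCbmSXG6CugzCk
7rYoP0r0zB6tw0SobgzjzAyOkoboOrEGjo780rgy6QLl4HQAmumwbWx8
"""

OID_COMMON_NAME = bytes.fromhex("550403")  # id-at-commonName (2.5.4.3)


def read_tlv(buf, pos):
    """Read one DER tag-length-value starting at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long form: the next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def read_children(buf, count=None):
    """Return up to count (tag, value) pairs nested directly inside a constructed value."""
    items, pos = [], 0
    while pos < len(buf) and (count is None or len(items) < count):
        tag, value, pos = read_tlv(buf, pos)
        items.append((tag, value))
    return items


def common_name(name):
    """Pull the CN attribute out of an X.501 Name (SEQUENCE OF SET OF SEQUENCE)."""
    for _, rdn in read_children(name):
        for _, atv in read_children(rdn):
            (_, oid), (_, value) = read_children(atv, 2)
            if oid == OID_COMMON_NAME:
                return value.decode("utf-8", "replace")
    return None


def asn1_time(tag, value):
    """Convert a UTCTime (0x17) or GeneralizedTime (0x18) to an aware UTC datetime."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=timezone.utc)


def parse_cert(b64):
    """Walk Certificate -> TBSCertificate and return the fields a SAML admin checks."""
    text = "".join(b64.split())
    der = base64.b64decode(text + "=" * (-len(text) % 4))  # tolerate lost '=' padding
    _, cert, _ = read_tlv(der, 0)                  # Certificate ::= SEQUENCE
    _, tbs, _ = read_tlv(cert, 0)                  # tbsCertificate
    fields = read_children(tbs, 6)
    if fields[0][0] == 0xA0:                       # optional [0] EXPLICIT version
        fields = fields[1:]
    (_, serial), _alg, (_, issuer), (_, validity), (_, subject) = fields[:5]
    (nb_tag, nb), (na_tag, na) = read_children(validity, 2)
    return {
        "serial_hex": serial.hex(),
        "issuer_cn": common_name(issuer),
        "subject_cn": common_name(subject),
        "not_before_text": nb.decode("ascii"),
        "not_after_text": na.decode("ascii"),
        "not_before": asn1_time(nb_tag, nb),
        "not_after": asn1_time(na_tag, na),
    }


def valid_on(info, iso_date):
    """True if the certificate is inside its validity window at 00:00 UTC on iso_date."""
    when = datetime.strptime(iso_date, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    return info["not_before"] <= when <= info["not_after"]


if __name__ == "__main__":
    info = parse_cert(SP_CERT_B64)
    print(info["subject_cn"], info["issuer_cn"], info["not_before_text"], info["not_after_text"])
```

The walker only follows the first six TBSCertificate fields, so it does not depend on the extensions further down being intact, and it reads the CN rather than SubjectAltName because that is the field most admins compare against the 'entityid' and the Apache certificate names.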
== Configuring Apache Server ==

Pointing Apache to SimpleSAMLphp by editing below file:

<pre>
sudo nano /etc/apache2/sites-available/000-default.conf
</pre>

*; /etc/apache2/sites-available/000-default.conf

<pre>
<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    Alias /simplesaml /var/simplesamlphp/www/
    <Directory /var/simplesamlphp/www/>
        Require all granted
    </Directory>
</VirtualHost>
</pre>

*Now check if application is accessible over HTTP (the path is the one set by the Alias directive above):

http://<ip-address-of-server>/simplesaml

Until the SSL section below is completed, the admin pages and the admin login from config.php are served over plain HTTP, so keep this check to the lab network.
== Enabling SSL Access ==

*Generate Certificates

<pre>
cd /etc/apache2/
sudo mkdir ssl
cd ssl
sudo openssl genrsa -des3 -out Certificate.key 4096
sudo openssl rsa -in Certificate.key -out Certificate.pem
sudo openssl req -new -key Certificate.key -out Certificate.csr
sudo openssl x509 -req -days 9999 -in Certificate.csr -signkey Certificate.key -out Certificate.crt
</pre>

The second openssl command writes a copy of the key without the DES3 passphrase so Apache can read it at start-up; Certificate.pem is that unencrypted key and Certificate.crt the self-signed certificate. The virtual host below refers to wildcard.testlab.com.cer and wildcard.testlab.com.pem; when using the self-signed pair generated here instead, point SSLCertificateFile and SSLCertificateKeyFile at Certificate.crt and Certificate.pem.

*Restart Apache

<pre>
sudo a2enmod ssl
sudo service apache2 restart
</pre>

*Point Apache to use these Certificates by editing below config file:

<pre>
sudo nano /etc/apache2/sites-available/000-default.conf
</pre>

*; /etc/apache2/sites-available/000-default.conf

<pre>
<VirtualHost *:443>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html
    SSLCertificateFile /etc/apache2/ssl/wildcard.testlab.com.cer
    SSLCertificateKeyFile /etc/apache2/ssl/wildcard.testlab.com.pem
    SSLEngine On
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    Alias /simplesaml /var/simplesamlphp/www/
    <Directory /var/simplesamlphp/www/>
        Require all granted
    </Directory>
</VirtualHost>
</pre>

*Restart Apache

<pre>
sudo a2ensite ssl
sudo a2enmod ssl
sudo service apache2 restart
sudo phpenmod mcrypt
sudo service apache2 restart
</pre>

*Now the page should be available over https (same path as the Alias directive):

https://<ip-address-of-server>/simplesaml