Overview

The goal of this walkthrough is to install SimpleSAMLphp twice and get SAML authentication working between two systems.

On one side we could have an application using SimpleSAMLphp as an SP; on the other, an LDAP directory, Active Directory, CAS, etc. plugged into a second SimpleSAMLphp instance configured as an IdP.

Installation of SimpleSAMLphp (1)

Download SimpleSAMLphp.

Untar the package into a folder of your application, for example /var/www/myapp/library/simplesaml

Edit your app’s Virtual Host so that /simplesaml is accessible. Only the www directory of the package is aliased; config, cert and metadata must stay outside the web root:


    # Apache 2.2 syntax. On Apache 2.4 replace the Order/Allow pair with: Require all granted
    Alias /simplesaml /var/www/myapp/library/simplesaml/www
    <Directory "/var/www/myapp/library/simplesaml/www">
        Order deny,allow
        Allow from all
    </Directory>

Restart Apache if necessary

Setting Up your SP

Edit SimpleSAMLphp’s config file, config/config.php:
Set ‘debug’ to ‘TRUE’ (development only: it makes SimpleSAMLphp log the SAML messages it exchanges, assertions included).
Set an admin password in ‘auth.adminpassword’.
Set ‘secretsalt’ to a long random string that is unique to this installation; it must not stay at the shipped default.
Define ‘technicalcontact_name’ and ‘technicalcontact_email’.

Installation of SimpleSAMLphp (2)

Untar the package again, this time into another folder, for example /var/www/simplesaml

Choose a URL for your IdP, for example http://auth.saml.net, and add the hostname to your hosts file

Create a virtual host for your IdP. It will look something like this (note that DocumentRoot points at the www directory, not at the whole install: with DocumentRoot /var/www/simplesaml the private key in cert/ and the files in config/ and metadata/ would be served to anyone who asked for them):


<VirtualHost *:80>
    ServerAdmin <your_email>
    ServerName  auth.saml.net
    AddDefaultCharset UTF-8
    # Serve only www/; config/, cert/ and metadata/ stay outside the web root
    DocumentRoot /var/www/simplesaml/www
    Alias /simplesaml /var/www/simplesaml/www
    <Directory /var/www/simplesaml/www>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        # Apache 2.2 syntax; on 2.4 replace the next two lines with: Require all granted
        Order deny,allow
        Allow from all
    </Directory>
</VirtualHost>

Setting Up your IdP

Again, begin by editing the SimpleSAMLphp config file and repeat the steps listed above. This time you must also set ‘enable.saml20-idp’ to ‘true’.
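The checks behind those config.php settings, as an added example that is not from the original post: a small script that reads a SimpleSAMLphp 1.x config/config.php (the SP’s or the IdP’s; the keys are the same, only ‘enable.saml20-idp’ differs) and flags the values that are acceptable on a dev box but not anywhere else. The shipped defaults it compares against (‘defaultsecretsalt’, admin password ‘123’, ‘Administrator’ / ‘na@example.org’) are the ones in the SimpleSAMLphp config template; the length threshold and the constructed sample config at the bottom are my own assumptions.

```php
<?php
// Added example, not from the original post: pre-deployment check of the
// config/config.php keys this walkthrough edits, on both the SP and the IdP
// copy, so that "dev only" values do not survive into a real deployment.
// Key names are SimpleSAMLphp 1.x keys; thresholds and sample are my own.

function checkSimpleSamlConfig(array $config)
{
    $findings = array();

    // 'debug' makes SimpleSAMLphp log the SAML messages it sends and receives,
    // assertions included. 1.14+ turned the key into an array with a 'saml' flag.
    $debug = isset($config['debug']) ? $config['debug'] : false;
    $samlDebug = is_array($debug) ? !empty($debug['saml']) : (bool) $debug;
    if ($samlDebug) {
        $findings[] = "'debug' is on: SAML messages (assertions included) are written to the log";
    }

    // The salt feeds every secure hash SimpleSAMLphp derives (persistent
    // NameIDs among them). The shipped template value is 'defaultsecretsalt'.
    $salt = isset($config['secretsalt']) ? $config['secretsalt'] : '';
    if ($salt === '' || $salt === 'defaultsecretsalt' || strlen($salt) < 32) {
        $findings[] = "'secretsalt' is missing, the shipped default, or shorter than 32 characters";
    }

    // The admin password guards the metadata and test pages. The shipped
    // template value is '123'. A cleartext value works, but a hash produced
    // by bin/pwgen.php (e.g. '{SSHA256}...') is what belongs in a config file.
    $pw = isset($config['auth.adminpassword']) ? $config['auth.adminpassword'] : '';
    if ($pw === '' || $pw === '123') {
        $findings[] = "'auth.adminpassword' is empty or the shipped default";
    } elseif ($pw[0] !== '{') {
        $findings[] = "'auth.adminpassword' is stored in cleartext; use a hash from bin/pwgen.php";
    }

    // Assertions, the admin login and the session cookie all travel over this URL.
    $base = isset($config['baseurlpath']) ? $config['baseurlpath'] : '';
    if (strpos($base, 'http://') === 0) {
        $findings[] = "'baseurlpath' is plain http; use https and set 'session.cookie.secure' => true";
    }

    foreach (array('technicalcontact_name', 'technicalcontact_email') as $key) {
        if (empty($config[$key]) || $config[$key] === 'Administrator' || $config[$key] === 'na@example.org') {
            $findings[] = "'$key' is unset or still the shipped placeholder";
        }
    }

    return $findings;
}

// Usage: php check_config.php /var/www/simplesaml/config/config.php
// Without an argument, the constructed dev sample below is checked instead.
if (!empty($argv[1])) {
    require $argv[1];          // config.php defines $config
} else {
    $config = array(           // constructed: a dev config as this post describes it,
        'debug'                  => TRUE,     // with the salt left at the default
        'auth.adminpassword'     => 'pwd',
        'secretsalt'             => 'defaultsecretsalt',
        'technicalcontact_name'  => 'Administrator',
        'technicalcontact_email' => 'na@example.org',
        'baseurlpath'            => 'http://auth.saml.net/simplesaml/',
        'enable.saml20-idp'      => true,
    );
}

$findings = checkSimpleSamlConfig($config);
if (!$findings) {
    echo "no findings\n";
}
foreach ($findings as $f) {
    echo "- $f\n";
}
```

Run it against the sample and it reports all five classes of finding; run it against your own config.php before the instance is reachable by anyone but you. It deliberately does not print the values it inspects, so its output can go into a ticket without leaking the salt or the password.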

Since all this is just for development and test purposes, I set my IdP up with exampleauth: the login and password are matched against a plain list of accounts defined in authsources.php, which means the passwords sit in cleartext in a config file (fine for a dev box, not for anything else). First, enable the exampleauth module with touch /var/www/simplesaml/modules/exampleauth/enable. Second, edit your authsources.php file (in the config directory) and create your users based on the following example:


<?php
// config/authsources.php on the IdP
$config = array(

    // Cleartext test accounts for the exampleauth module: development only.
    // Keys are 'username:password'; each value is the set of attributes the
    // IdP releases for that user. Attribute values are arrays (multi-valued).
    'example-userpass' => array(
        'exampleauth:UserPass',
        'user1:pwd' => array(
            'uid' => array('user1'),
            'mail' => array('user1@test.com'),
            'first_name' => array('User'),
            'last_name' => array('One'),
        ),
        'user2:pwd' => array(
            'uid' => array('user2'),
            'mail' => array('user2@test.com'),
            'first_name' => array('User'),
            'last_name' => array('Two'),
        ),
    ),

);

Next, make sure that the content of metadata/saml20-idp-hosted.php is


$metadata['__DYNAMIC:1__'] = array(
    /*
     * The hostname of the server (VHOST) that will use this SAML entity.
     *
     * Can be '__DEFAULT__', to use this entry by default.
     */
    'host' => '__DEFAULT__',

    /* X.509 key and certificate. Relative to the cert directory. */
    'privatekey' => 'server.pem',
    'certificate' => 'server.crt',

    /*
     * Authentication source to use. Must be one that is configured in
     * 'config/authsources.php'.
     */
    'auth' => 'example-userpass',

    /* Uncomment the following to use the uri NameFormat on attributes. */
    /*
    'attributes.NameFormat' => 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri',
    'authproc' => array(
        // Convert LDAP names to oids.
        100 => array('class' => 'core:AttributeMap', 'name2oid'),
    ),
    */
);
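The key pair this metadata refers to has to exist in the cert directory of the IdP install, and it has to be one you generated: the IdP’s signing key is what every SP trusts, so a key copied from a package, a tutorial or another installation lets whoever else holds it forge assertions for any user. The following is an added example, not part of the original post and not SimpleSAMLphp code, that produces cert/server.pem and cert/server.crt with PHP’s openssl extension; it does the same job as the openssl command in the SimpleSAMLphp docs quoted in the comments. The directory path and the CN come from this post’s example layout and are assumptions to adjust.

```php
<?php
// Added example, not from the original post: create the IdP signing key and
// self-signed certificate that saml20-idp-hosted.php points at
// ('privatekey' => 'server.pem', 'certificate' => 'server.crt').
// Shell equivalent from the SimpleSAMLphp docs:
//   openssl req -newkey rsa:3072 -new -x509 -days 3652 -nodes -out server.crt -keyout server.pem
// The cert directory and the CN below are assumptions taken from this post.

function generateIdpKeyPair($certDir, $commonName, $bits = 3072, $days = 3652)
{
    $key = openssl_pkey_new(array(
        'private_key_type' => OPENSSL_KEYTYPE_RSA,
        'private_key_bits' => $bits,
    ));
    if ($key === false) {
        throw new RuntimeException('key generation failed: ' . openssl_error_string());
    }

    $dn  = array('commonName' => $commonName);
    $csr = openssl_csr_new($dn, $key, array('digest_alg' => 'sha256'));
    // A null CA certificate makes openssl_csr_sign() self-sign the request.
    $cert = ($csr === false) ? false
          : openssl_csr_sign($csr, null, $key, $days, array('digest_alg' => 'sha256'));
    if ($cert === false) {
        throw new RuntimeException('certificate generation failed: ' . openssl_error_string());
    }

    $keyFile  = rtrim($certDir, '/') . '/server.pem';
    $certFile = rtrim($certDir, '/') . '/server.crt';

    // No passphrase: SimpleSAMLphp must read the key unattended, so the
    // protection is the file mode plus keeping cert/ outside the web root.
    if (!openssl_pkey_export_to_file($key, $keyFile)
        || !openssl_x509_export_to_file($cert, $certFile)) {
        throw new RuntimeException('could not write key material to ' . $certDir);
    }
    chmod($keyFile, 0600);

    return array('privatekey' => $keyFile, 'certificate' => $certFile);
}

$files  = generateIdpKeyPair('/var/www/simplesaml/cert', 'auth.saml.net');
// Read the certificate back so a typo in the path shows up now, not at the first login.
$parsed = openssl_x509_parse(file_get_contents($files['certificate']));
printf("wrote %s and %s: CN=%s, valid until %s\n",
    $files['privatekey'], $files['certificate'],
    $parsed['subject']['CN'], date('Y-m-d', $parsed['validTo_time_t']));
```

Run it once per IdP as the user Apache runs PHP as (or chown the files afterwards). The SPs learn the public certificate through the metadata you copy in the next section, so regenerating the key pair later means redistributing that metadata.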

Connecting the dots

Now, let’s connect the SP and the IdP together. Browse to your IdP, for example http://auth.saml.net/simplesaml. Log in using the admin password defined in your configuration and click on the Federation tab. You should see a “SAML 2.0 IdP Metadata” line; click on [show metadata] below it and copy the metadata URL, which should look something like http://auth.saml.net/simplesaml/saml2/idp/metadata.php

Back on the SP, edit the file config/authsources.php and add the declaration of your IdP based on this code sample:


'default-sp' => array(
    'saml:SP',
    // Entity ID of this SP. NULL lets SimpleSAMLphp derive it from the SP's own
    // metadata URL; it must not be the IdP's URL (an entity ID names one party).
    'entityID' => NULL,
    // Entity ID of the IdP to use, i.e. the metadata URL copied above. It must
    // match the key of the entry pasted into metadata/saml20-idp-remote.php.
    'idp' => 'http://auth.saml.net/simplesaml/saml2/idp/metadata.php',
    // No 'ssoPortalUrl' entry: the SSO endpoint comes from the IdP's remote metadata.
),

Back in your browser, copy the content of the “SimpleSAMLphp flat file format” box and paste it into the file metadata/saml20-idp-remote.php of your SP.

Back in the browser, go to your application’s SimpleSAMLphp setup, for example http://myapp.localhost.net/simplesaml. Log in using the password defined in the configuration file. Browse to the Federation tab and click on the [show metadata] link for your default-sp.

Copy the content of the “SimpleSAMLphp flat file format” box and paste it into the IdP’s metadata/saml20-sp-remote.php file.

Test

That should be all for the setup. Now you can test it by browsing to your SP-side SimpleSAMLphp, for example

http://myapp.localhost.net/simplesaml

Log in using the admin password defined in the configuration file and click on the Authentication tab. Click on the link “Test configured authentication sources” and then on default-sp in the list of authsources. This performs a test SAML authentication: you are redirected to the IdP, log in with one of the exampleauth accounts (user1 / pwd), and land back on the SP with the released attributes displayed.

Congratulations!

If it failed, check the logs of both SimpleSAMLphp instances and try to get help on the SimpleSAMLphp mailing list.

Time to code

Now that everything works between the SP and the IdP, it is time to integrate the SAML authentication into your application. You can do so by adding code similar to this to your authentication process:


require_once('/var/www/myapp/library/simplesaml/lib/_autoload.php');
// Only needed if config/ is not at its default place inside the install; it must
// point at the directory that holds config.php (there is no 'saml' subfolder).
SimpleSAML_Configuration::setConfigDir('/var/www/myapp/library/simplesaml/config');
// The argument is the name of the authsource declared in config/authsources.php.
$authService = new SimpleSAML_Auth_Simple('default-sp');
$authService->requireAuth();
$attributes = $authService->getAttributes(); // e.g. $attributes['uid'][0]
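What the application does once requireAuth() has returned, as an added example that is not from the original post: a protected page that pins the return URL, fails closed when the IdP does not release the identifier the app keys its accounts on, hands the identity over to the app’s own session, and offers a logout link that goes through SimpleSAMLphp so the IdP session ends too. The install path, the hostname, the ‘default-sp’ authsource and the uid/mail attribute names follow this walkthrough; protected.php and the session layout are assumptions.

```php
<?php
// Added example, not from the original post: a page of the application that
// is only reachable through the SAML login set up above. Install path,
// hostname and the 'default-sp' authsource come from the walkthrough; the
// script name, attribute handling and session layout are assumptions.
require_once('/var/www/myapp/library/simplesaml/lib/_autoload.php');

$as = new SimpleSAML_Auth_Simple('default-sp');

// Sends the browser to the IdP if there is no SAML session yet and brings it
// back here afterwards. ReturnTo is fixed in code rather than read from the
// request, so the SP cannot be turned into an open redirector.
$as->requireAuth(array(
    'ReturnTo' => 'http://myapp.localhost.net/protected.php',
));

// Every attribute value is an array, even for single-valued attributes.
$attrs = $as->getAttributes();

// The application keys its accounts on 'uid' (what the exampleauth IdP
// releases). Fail closed if the IdP did not send it rather than falling back
// to something weaker such as the e-mail address.
if (empty($attrs['uid'][0])) {
    http_response_code(403);
    exit('The IdP did not release a uid attribute for this user.');
}
$uid  = $attrs['uid'][0];
$mail = isset($attrs['mail'][0]) ? $attrs['mail'][0] : '';

// Hand over to the application's own session, copying only what the app
// needs. If the app uses PHP sessions, give SimpleSAMLphp its own session
// store ('store.type' => 'sql' or 'memcache' in config.php) so the two do
// not fight over the same PHP session.
if (session_status() !== PHP_SESSION_ACTIVE) {
    session_start();
}
$_SESSION['user'] = array('uid' => $uid, 'mail' => $mail);

// Log out through SimpleSAMLphp so the IdP session is terminated as well
// (single logout), not just the local PHP session.
$logoutUrl = $as->getLogoutURL('http://myapp.localhost.net/');

header('Content-Type: text/html; charset=utf-8');
printf('<p>Logged in as %s (%s). <a href="%s">Log out</a></p>',
    htmlspecialchars($uid, ENT_QUOTES, 'UTF-8'),
    htmlspecialchars($mail, ENT_QUOTES, 'UTF-8'),
    htmlspecialchars($logoutUrl, ENT_QUOTES, 'UTF-8'));
```

The attributes are trusted because SimpleSAMLphp has already verified the assertion’s signature against the certificate in saml20-idp-remote.php; the application should still decide for itself which of them it relies on, and use them for authorisation only where the IdP is actually the authority for that information.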

That’s it !


19 Comments to "Installing SimpleSAMLphp and use it as SP and IdP (for development env. only)"

  1. Comment by sulliwane on January 10, 2013 at 2:29 pm

    Thank you, great tutorial!

    By the way, did you ever try to manage auth of MediaWiki with SAML (and simpleSAMLphp)?

    I checked 3 different MW plugins, but never succeeded so far…

    • Comment by shalfon on December 10, 2013 at 9:45 pm

      Sorry, I didn’t test with MediaWiki.

  2. Comment by Sindhura on May 6, 2013 at 1:45 pm

    Hi,

    This tutorial is really helpful for me to start with SAML.
    Can you please provide me with the same sort of tutorial, if you have one, for the installation and configuration of simplesaml (SP, IdP, integration) for a Windows 7 IIS 7.5 server.

    Thanks in advance!

    • Comment by shalfon on December 10, 2013 at 9:46 pm

      Actually I’ve worked on this on a Windows environment as well, though it was to set up ADFS as an IdP. I have no tutorial at this time for the SP part. I’ll try and write up the IdP setup part sometime though.

  3. Comment by SoundHunter on October 29, 2013 at 12:04 pm

    Thanks a lot mate!
    I had huge trouble configuring SimpleSAML as SP and IdP.
    Now it works perfectly. Good tutorial, had to check a few things more than once, but I guess that’s normal for someone starting with SimpleSAML 😉

    Greets SoundHunter

  4. Comment by opensas on November 2, 2013 at 2:21 am

    Excellent tutorial, I will sure give it a try. I know it’s simple, but it would be great if you could include the command to create the x.509 cert and key (I found this guide: http://www.microhowto.info/howto/create_a_self_signed_ssl_certificate.html)

    I would like to ask what would you modify for a production setup (besides using exampleauth, of course…)

    • Comment by shalfon on December 10, 2013 at 9:47 pm

      Thanks for sharing this information here.
      For production you just need to not use the default certificates which come by default in simplesaml, but since you generated your own, you should be ready to go.

  5. Comment by Andres on December 3, 2013 at 5:34 pm

    I’m getting this error trying to do your tutorial, man.

    Parse error: syntax error, unexpected T_FUNCTION in C:\AppServ\www\ProveedorServicioSSO\lib\simplesaml\modules\core\lib\Auth\Process\GenerateGroups.php on line 139

    Can you tell me what going on? Thanks BTW

  6. Comment by Gongda on December 10, 2013 at 7:09 pm

    Great tutorial. Thanks for all the efforts.

    Could you be more specific about how to test? Such as test admin and default-sp. As for default-sp, what username and what password should I enter if I follow your example exactly?

    Thanks,

    Gong

    • Comment by shalfon on December 10, 2013 at 11:47 pm

      Sorry I do not understand the question. The user login and pass for the example auth are declared in authsources.php

  7. Comment by Gongda on December 11, 2013 at 3:39 pm

    The admin password is set. But what are the username and password to log in with the default-sp option?

    Thanks.

    • Comment by shalfon on December 11, 2013 at 4:23 pm

      OK, I see, the password is declared in the configuration file of simplesaml. Hope this helps

  8. Comment by Sourabh D on December 31, 2013 at 2:35 pm

    I have two machines connected by LAN. Using IPs I have followed all your above steps and authenticated properly. Now how do I check that logging into one computer automatically logs me into the other, and I want to know how SSOService.php gets called from the SP to the IdP.

    One more question: in the whole simplesaml lib, what would it affect if I redirect http://SSOService.php to https://SSOService.php?

  9. Comment by ARVIND on June 26, 2014 at 12:02 pm

    What is the process of SSO in PHP?

  10. Comment by Martyn Bissett on September 27, 2014 at 11:06 am

    Hi, thanks for putting a great tutorial together. In the final snippet to integrate SAML auth into my app, what should I put for $selectedIdp? ‘default-sp’? Also, I get an error:

    Fatal error: Uncaught exception ‘Exception’ with message ‘Missing configuration file: simplesaml/config/saml/config.php’ in /var/www/sso_sp/simplesamlphp/lib/SimpleSAML/Configuration.php:103
    Stack trace:
    #0 /var/www/sso_sp/simplesamlphp/lib/SimpleSAML/Configuration.php(167): SimpleSAML_Configuration::loadFromFile(‘simplesaml/conf…’, true)
    #1 /var/www/sso_sp/simplesamlphp/lib/SimpleSAML/Configuration.php(229): SimpleSAML_Configuration::getConfig()
    #2 /var/www/sso_sp/simplesamlphp/lib/SimpleSAML/Session.php(226): SimpleSAML_Configuration::getInstance()
    #3 /var/www/sso_sp/simplesamlphp/lib/SimpleSAML/Auth/Simple.php(72): SimpleSAML_Session::getSessionFromRequest()
    #4 /var/www/sso_sp/auth.php(9): SimpleSAML_Auth_Simple->requireAuth()
    #5 {main}
    thrown in /var/www/sso_sp/simplesamlphp/lib/SimpleSAML/Configuration.php on line 103

    Missing config file? Why?

  11. Comment by www.mediaboer.nl on January 25, 2015 at 12:57 pm

    Everything is very open with a precise description of the issues.
    It was truly informative. Your website is very useful.

    Thank you for sharing!

  12. Comment by Telefonos De Tarotistas on May 1, 2015 at 5:41 pm

    Wow, that’s what I was looking for, what information! Existing here at this webpage, thanks admin of this website.

  13. Comment by Dhaval Bhavsar on May 22, 2015 at 5:10 am

    Hi,

    I like this tutorial, and if you could also provide an IdP-initiated login process like the example above, it would be very helpful to me.

    Thanks

  14. Comment by Mark on March 17, 2016 at 2:07 pm

    Good afternoon Samantha,

    Many thanks for this informative tutorial. It doesn’t work for SimpleSAMLphp 1.14.1 but of all the SimpleSAMLphp tutorials on the web right now, that is the simplest and nearest to working ‘out-of-the-box’.

    As far as I can see the only changes needed to make this work for v1.14.1 are to remove the line ‘ssoPortalUrl’=> ‘http://auth.saml.net/simplesaml/saml2/idp/SSOService.php’, from the SP file config/authsources.php, and to set the VirtualHost Directory entries to ‘Require all granted’ for both IdP and SP.

    Apart from that everything works as expected.

    Thank you.

    Mark


  • About Me

    Samantha Halfon
    Software Engineer
    blueKiwi software
    Paris, France