Logging in to SimpleSAMLphp using Identity Server¶
This section explains how to configure the WSO2 Identity Server with SimpleSAMLphp as a service provider. Initially, it is necessary to setup SimpleSAMLphp as a service provider. The steps below are tested with Ubuntu.
Scenario¶
- A user tries to access a protected resource
- SimpleSAMLphp checks the authorization for the resource
- If the user is not authenticated, sends a SAML2 authentication request to the Identity server via the user agent
- Identity server authenticates the user and sends the authentication response back via the user agent
- SimpleSAMLphp validate the authenticate response and authorize the access to the protected resource
- User receives the protected resource
To setup SimpleSAMLphp as a service provider¶
-
Install Apache.
# apt-get install apache2
-
Install PHP and related extensions.
# apt-get install php5 # apt-get install php5-cli # apt-get install php5-common # apt-get install php5-curl # apt-get install php-pear # apt-get install php5-mcrypt
Info
For Ubuntu users, please install the following extension as well:
# apt-get install php5-json
-
Install SimpleSAMLphp using the following commands.
# sudo mkdir /var/simplesamlphp/ # cd /var/simplesamlphp/ # wget https://github.com/simplesamlphp/simplesamlphp/releases/download/simplesamlphp-1.11.0/simplesamlphp-1.11.0.tar.gz # tar xvf simplesamlphp-1.11.0.tar.gz # mv simplesamlphp-1.11.0 simplesamlphp # cd simplesamlphp # cp -r metadata-templates/*.php metadata/ # cp -r config-templates/*.php config
-
Configure SimpleSAMLphp web in Apache.
# cd /var/www/html # ln -s /var/simplesamlphp/simplesamlphp/www simplesaml
-
Start Apache.
# apachectl start
-
Access the SimpleSAMLphp web app from the following location: http://localhost/simplesaml.
-
Set the SimpleSAMLphp administrator login configuration as follows:
# cd /var/simplesamlphp/simplesamlphp # vi config/config.php
- Now look for ' auth.adminpassword ' and change its value from the default and save the file.
- Click on ' Login as administrator ' from the web page
http://localhost/simplesaml
to test the configured value.
-
Add a Service Provider to SimpleSAMLphp.
# cd /var/simplesamlphp/simplesamlphp # vi config/authsources.php
-
Add the following section to the file and save.
'wso2-sp' => array( 'saml:SP', // The entity ID of this SP. // Can be NULL/unset, in which case an entity ID is generated based on the metadata URL. 'entityID' => 'simplesaml', // The entity ID of the IdP this should SP should contact. // Can be NULL/unset, in which case the user will be shown a list of available IdPs. 'idp' => 'https://localhost:9443/samlsso', // The URL to the discovery service. // Can be NULL/unset, in which case a builtin discovery service will be used. 'discoURL' => NULL, ),
Here we assume WSO2 IS is running in localhost on 9443.
-
-
Add the Identity Provider metadata.
# cd /var/simplesamlphp/simplesamlphp # vi metadata/saml20-idp-remote.php
-
Add the following section to the file and save.
$metadata['https://localhost:9443/samlsso'] = array( 'name' => array( 'en' => 'WSO2 IS', 'no' => 'WSO2 IS', ), 'description' => 'Login with WSO2 IS SAML2 IdP.', 'SingleSignOnService' => 'https://localhost:9443/samlsso', 'SingleLogoutService' => 'https://localhost:9443/samlsso', 'certFingerprint' => '6bf8e136eb36d4a56ea05c7ae4b9a45b63bf975d' );
-
Note that metadata ['
https://localhost:9443/samlsso
'] should match the value of 'idp' in step 8. -
Note that "6bf8e136eb36d4a56ea05c7ae4b9a45b63bf975d" is the thumbprint of the default certificate ships with WSO2 IS. SAML2 Response is signed with this certificate.
-
-
Install WSO2 Identity Server. The WSO2 Identity Server is available for download here.
-
Start WSO2 Identity Server and add a Service Provider under SAML SSO.
-
Issuer:simplesaml
-
Assertion Consumer URL: http://localhost/simplesaml/module.php/saml/sp/saml2-acs.php/wso2-sp
-
Enable Single Logout: True
-
SLO Response URL: http://localhost/simplesamlphp/www/module.php/saml/sp/saml2-logout.php/wso2-sp
Keep the defaults for the rest.
-
-
In the Main menu of the management console , click Resident under Identity Providers.
-
On the page that appears, open the SAML2 Web SSO Configuration section under Inbound Authentication Configuration.
-
The ID value of the identity provider should be the SAML endpoint of the Identity Server:
https://{yourhost}:{port}/samlsso
Test SimpleSAMLphp¶
- Go to http://localhost/simplesaml and then to " Authentication " and click on " Test configured authentication sources "
- Pick " wso2-sp ". You are redirected to WSO2 IS SAML2 IdP for login.
For more information on SimpleSAMLphp, click https://simplesamlphp.org/docs/stable/
Top