- Requirements
- Notes
- Configure the environment
- Configure APT Mirror
- Install Instructions
- Configuration Instructions
- Appendix A - How to manage sessions with Memcached
- Appendix B - How to collect useful statistics
- Appendix C - How to upgrade all modules
- Utility
- Authors
- CPU: 2 Core (64 bit)
- RAM: 2 GB
- HDD: 20 GB
- OS: Ubuntu 22.04 (jammy)
- ca-certificates
- ntp
- vim
- apache2 (>= 2.4)
- php (>= 7.4 for SSP v2.0.x, >=8.0.0 for SSP v2.1.x)
- php extensions (date,dom,hash,intl,json,libxml,mbstring,openssl,pcre,SPL,zlib,ldap extensions)
- zip
- unzip
- composer
- memcached (optional)
- openssl
- cron
- curl
- git
- rsyslog
- logrotate
- SSL Credentials: HTTPS Certificate & Key
- Logo:
- size: 80x60 px (or other that respect the aspect-ratio)
- format: PNG
- style: with a transparent background
- Favicon:
- size: 16x16 px (or other that respect the aspect-ratio)
- format: PNG
- style: with a transparent background
This HOWTO uses example.org
and idp.example.org
to provide this guide with example values.
Please remember to replace all occurencences of the example.org
value with the IdP domain name
and idp.example.org
value with the Full Qualified Name of the Identity Provider.
-
Become ROOT:
sudo su -
-
Be sure that your firewall is not blocking the traffic on port 443 and 80 for the IdP server.
-
Set the IdP hostname:
(ATTENTION: Replace
idp.example.org
with your IdP Full Qualified Domain Name and<HOSTNAME>
with the IdP hostname)-
vim /etc/hosts
<YOUR SERVER IP ADDRESS> idp.example.org <HOSTNAME>
-
hostnamectl set-hostname <HOSTNAME>
-
Debian Mirror List: https://www.debian.org/mirror/list
Ubuntu Mirror List: https://launchpad.net/ubuntu/+archivemirrors
-
Become ROOT:
sudo su -
-
(only for italian institutions) Change the default mirror to the GARR ones:
-
Debian 12 - Deb822 file format:
bash -c 'cat > /etc/apt/sources.list.d/garr.sources <<EOF Types: deb deb-src URIs: https://debian.mirror.garr.it/debian/ Suites: bookworm bookworm-updates bookworm-backports Components: main Types: deb deb-src URIs: https://debian.mirror.garr.it/debian-security/ Suites: bookworm-security Components: main EOF'
-
Ubuntu:
bash -c 'cat > /etc/apt/sources.list.d/garr.list <<EOF deb https://ubuntu.mirror.garr.it/ubuntu/ jammy main deb-src https://ubuntu.mirror.garr.it/ubuntu/ jammy main EOF'
-
-
Update packages:
apt update && apt-get upgrade -y --no-install-recommends
-
Become ROOT:
sudo su -
-
Install useful packages:
apt install vim wget ca-certificates openssl ntp fail2ban rsyslog logrotate --no-install-recommends
-
Become ROOT:
sudo su -
-
Prepare the environment:
apt install git zip unzip apache2 php php-mbstring php-date php-intl php-xml php-curl libpcre3 libpcre3-dev zlib1g zlib1g-dev curl cron --no-install-recommends
-
Download Composer setup:
wget "https://getcomposer.org/installer" -O /usr/local/src/composer-setup.php
-
Install Composer:
-
php /usr/local/src/composer-setup.php --install-dir=/usr/local/bin --filename=composer
NOTE: To update Composer use:
composer self-update
-
-
Create the required directories:
mkdir -p /var/simplesamlphp/cert /var/simplesamlphp/config /var/simplesamlphp/metadata /var/simplesamlphp/data
-
Install SimpleSAMLphp:
cd /var/simplesamlphp
composer require simplesamlphp/simplesamlphp --update-no-dev
- To the question "Do you trust "simplesamlphp/composer-module-installer" to execute code and wish to enable it now? (writes "allow-plugins" to composer.json) [y,n,d,?]" answer
y
-
Load
config
andmetadata
configuration files into/var/simplesamlphp
:cp -r /var/simplesamlphp/vendor/simplesamlphp/simplesamlphp/config-templates/config.php /var/simplesamlphp/config/config.php
cp -r /var/simplesamlphp/vendor/simplesamlphp/simplesamlphp/metadata-templates/saml20-idp-hosted.php /var/simplesamlphp/metadata/saml20-idp-hosted.php
-
Become ROOT:
sudo su -
-
Create the DocumentRoot:
mkdir /var/www/html/$(hostname -f) chown -R www-data: /var/www/html/$(hostname -f) echo '<h1>It Works!</h1>' > /var/www/html/$(hostname -f)/index.html
-
Create the Virtualhost file (please pay attention: you need to edit this file and customize it, check the internal initial comment):
wget https://registry.idem.garr.it/idem-conf/simplesamlphp/IDP2/apache2/idp.example.org.conf -O /etc/apache2/sites-available/$(hostname -f).conf
-
Put SSL credentials in the right place:
- HTTPS Server Certificate (Public Key) inside
/etc/ssl/certs/$(hostname -f).crt
- HTTPS Server Key (Private Key) inside
/etc/ssl/private/$(hostname -f).key
- Add CA Cert into
/etc/ssl/certs
:-
If GARR TCS or GEANT TCS is used:
wget -O /etc/ssl/certs/GEANT_OV_RSA_CA_4.pem https://crt.sh/?d=2475254782 wget -O /etc/ssl/certs/SectigoRSAOrganizationValidationSecureServerCA.crt https://crt.sh/?d=924467857 cat /etc/ssl/certs/SectigoRSAOrganizationValidationSecureServerCA.crt >> /etc/ssl/certs/GEANT_OV_RSA_CA_4.pem rm /etc/ssl/certs/SectigoRSAOrganizationValidationSecureServerCA.crt
-
If ACME (Let's Encrypt) is used:
ln -s /etc/letsencrypt/live/<SERVER_FQDN>/chain.pem /etc/ssl/certs/ACME-CA.pem
-
- HTTPS Server Certificate (Public Key) inside
-
Configure the right privileges for the SSL Certificate and Key used by HTTPS:
chmod 400 /etc/ssl/private/$(hostname -f).key chmod 644 /etc/ssl/certs/$(hostname -f).crt
(
$(hostname -f)
will provide your IdP Full Qualified Domain Name) -
Enable the following Apache2 modules and VirtualHost:
a2enmod ssl
- To support SSL protocola2enmod headers
- To control of HTTP request and response headers.a2enmod alias
- To manipulation and control of URLs as requests arrive at the server.a2enmod include
- To process files before they are sent to the client.a2enmod negotiation
- Essential Apache modulea2ensite $(hostname -f).conf
- Enable SSP IdP VirtualHosta2dissite 000-default.conf default-ssl
- Disable HTTP & HTTPS default VirtualHostsystemctl restart apache2.service
-
Check that IdP works:
- https://idp.example.org/simplesaml
-
Verify the strength of your IdP's machine on:
-
OPTIONAL STEPS: If you want to host your IdP's Information/Privacy pages on the IdP itself, follow the steps:
-
Create all needed files:
-
vim /var/www/html/$(hostname -f)/info_page.html
<html> <head><title>Information Page</title></head> <body> <h1>Put here IdP Information page content</h1> </body> </html>
-
vim /var/www/html/$(hostname -f)/privacy_page.html
<html> <head><title>Privacy Page</title></head> <body> <h1>Put here IdP Privacy page content</h1> </body> </html>
-
touch /var/www/html/$(hostname -f)/logo.png
(80x60 px or bigger with the same aspect-ratio) -
touch /var/www/html/$(hostname -f)/favicon.png
(16x16 px or bigger with the same aspect-ratio)
-
-
Replace them with the correct content.
-
-
Become ROOT:
sudo su -
-
Generate secrets:
-
<USER_ADMIN_PASSWORD>' (
auth.adminpassword`):php /var/simplesamlphp/vendor/simplesamlphp/simplesamlphp/bin/pwgen.php
-
<SECRET_SALT>
(secretsalt
):tr -c -d '0123456789abcdefghijklmnopqrstuvwxyz' </dev/urandom | dd bs=32 count=1 2>/dev/null ; echo
-
-
Change SimpleSAMLphp configuration:
-
vim /var/simplesamlphp/config/config.php
'baseurlpath' => 'simplesaml/', // ...other configuration settings... 'loggingdir' => null, 'datadir' => '/var/simplesamlphp/data/', 'tempdir' => '/tmp/simplesaml', // ...other configuration settings... 'certdir' => '/var/simplesamlphp/cert/', // ...other configuration settings... 'technicalcontact_name' => 'Technical Contact', 'technicalcontact_email' => '[email protected]', // ...other configuration settings... 'secretsalt' => '<SECRET_SALT>', // ...other configuration settings... 'auth.adminpassword' => '<USER_ADMIN_PASSWORD>', // ...other configuration settings... 'logging.level' => 'SimpleSAML\Logger::NOTICE', 'logging.handler' => 'syslog', // ...other configuration settings... 'enable.saml20-idp' => true, // ...other configuration settings... 'theme.header' = '<ORGANIZATION_NAME>', // ...other configuration settings... /* * Comment out line "50 => 'core:AttributeLimit'," into "authproc.idp" section * because we will use core:AttributeLimit into the "authproc" section on "metadata/saml20-idp-hosted.php" */ // ...other configuration settings... 'metadatadir' => '/var/simplesamlphp/metadata', // ...other configuration settings... 'store.type' => 'phpsession',
-
vim /etc/rsyslog.d/22-ssp-log.conf
# SimpleSAMLphp logging local5.* /var/log/simplesamlphp.log # Notice level is reserved for statistics only... local5.=notice /var/log/simplesamlphp.stat
-
systemctl restart rsyslog.service
-
-
Enable Log rotation for Statistics logs:
-
sudo vim /etc/logrotate.d/simplesamlphp
/var/log/simplesamlphp.stat { monthly missingok rotate 12 compress dateext dateformat .%Y-%m postrotate systemctl reload rsyslog endscript }
-
sudo systemctl restart logrotate.service
-
-
Create the
authsources.php
file:-
vim /var/simplesamlphp/config/authsources.php
<?php $config = [ // This is a authentication source which handles admin authentication. 'admin' => [ 'core:AdminPassword', ], ];
-
-
Install Consent module:
composer require simplesamlphp/simplesamlphp-module-consent --update-no-dev
-
Enable Consent module:
-
vim /var/simplesamlphp/config/config.php
// ...other configuration settings... 'module.enable' => [ 'exampleauth' => false, 'core' => true, 'admin' => true, 'saml' => true, 'consent' => true, ], // ...other configuration settings...
-
-
Check if the module is enabled on the Administration page :
https://idp.example.org/simplesaml/admin
-
Configure a SMTP server to send mail only (Example):
-
apt install mailutils postfix --no-install-recommends
(Internet Site => Insert your IdP FQDN) -
vim /etc/postfix/main.cf
// ...other configuration settings... inet_interfaces = localhost // ...other configuration settings...
-
systemctl restart postfix.service
-
-
Become ROOT:
sudo su -
-
Generate
md-sign-enc-cert.crt
andmd-sign-enc-cert.key
:-
vim /var/simplesamlphp/cert/ssp-md-credentials.cnf
:(Replace
idp.example.org
with your IDP Full Qualified Domain Name)[req] default_bits=4096 default_md=sha256 encrypt_key=no distinguished_name=dn # PrintableStrings only string_mask=MASK:0002 prompt=no x509_extensions=ext # customize the "default_keyfile,", "CN" and "subjectAltName" lines below default_keyfile=md-sign-enc-cert.key [dn] CN=idp.example.org [ext] subjectAltName=DNS:idp.example.org, \ URI:https://idp.example.org/simplesaml/module.php/saml/idp/metadata subjectKeyIdentifier=hash
-
cd /var/simplesamlphp/cert
-
openssl req -new -x509 -config ssp-md-credentials.cnf -out md-sign-enc-cert.crt -days 3650
-
chown -R www-data: /var/simplesamlphp/cert
-
chmod 400 /var/simplesamlphp/cert/md-sign-enc-cert.key
-
-
Become ROOT:
sudo su -
-
Configure the IdP metadata:
-
vim /var/simplesamlphp/metadata/saml20-idp-hosted.php
$metadata['https://idp.example.org/simplesaml/module.php/saml/idp/metadata'] = [ 'host' => '__DEFAULT__', 'privatekey' => 'md-sign-enc-cert.key', 'certificate' => 'md-sign-enc-cert.crt', 'scope' => ['<IDP-SCOPE-1>','<IDP-SCOPE-2>'], //Usually the scopes are the domain names belonging the institution 'UIInfo' => [ 'DisplayName' => [ 'en' => '<INSERT-HERE-THE-ENGLISH-IDP-DISPLAY-NAME>', 'it' => '<INSERT-HERE-THE-ITALIAN-IDP-DISPLAY-NAME>', ], 'Description' => [ 'en' => '<INSERT-HERE-THE-ENGLISH-IDP-DESCRIPTION>', 'it' => '<INSERT-HERE-THE-ITALIAN-IDP-DESCRIPTION>', ], 'InformationURL' => [ 'en' => '<INSERT-HERE-THE-ENGLISH-INFORMATION-PAGE-URL>', 'it' => '<INSERT-HERE-THE-ITALIAN-INFORMATION-PAGE-URL>', ], 'PrivacyStatementURL' => [ 'en' => '<INSERT-HERE-THE-ENGLISH-PRIVACY-POLICY-PAGE-URL>', 'it' => '<INSERT-HERE-THE-ITALIAN-PRIVACY-POLICY-PAGE-URL>', ], 'Logo' => [ [ 'url' => '<INSERT-HERE-THE-80X60-LOGO-URL>', 'height' => 60, 'width' => 80, ], [ 'url' => '<INSERT-HERE-THE-16X16-LOGO-URL>', 'height' => 16, 'width' => 16, ], ], ], 'OrganizationName' => [ 'en' => '<INSERT-HERE-THE-ENGLISH-ORGANIZATION-NAME>', 'it' => '<INSERT-HERE-THE-ITALIAN-ORGANIZATION-NAME>', ], 'OrganizationDisplayName' => [ 'en' => '<INSERT-HERE-THE-ENGLISH-ORGANIZATION-DISPLAY-NAME>', 'it' => '<INSERT-HERE-THE-ITALIAN-ORGANIZATION-DISPLAY-NAME>', ], 'OrganizationURL' => [ 'en' => '<INSERT-HERE-THE-ENGLISH-ORGANIZATION-PAGE-URL>', 'it' => '<INSERT-HERE-THE-ENGLISH-ORGANIZATION-PAGE-URL>', ], /* eduPersonTargetedID with oid NameFormat is a raw XML value, ma potrebbe essere 'base64' */ 'attributeencodings' => ['urn:oid:1.3.6.1.4.1.5923.1.1.1.10' => 'raw'], /* The <LogoutResponse> message MUST be signed if the HTTP POST or Redirect binding is used */ 'sign.logout' => true, /* Enable SingleLogoutService HTTP-POST binding */ 'SingleLogoutServiceBinding' => [ 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect', 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST', ], 'NameIDFormat' => [ 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient', 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent' ], 'authproc' => [ // Generate the transient NameID. 1 => [ 'class' => 'saml:TransientNameID', ], // Generate the persistent NameID 2 => [ 'class' => 'saml:PersistentNameID', 'identifyingAttribute' => 'uid', //the source attribute needed by the NameID generation 'NameQualifier' => true, 'SPNameQualifier' => true, ], // Add schacHomeOrganization for domain of entity 10 => [ 'class' => 'core:AttributeAdd', 'schacHomeOrganization' => '<INSERT-HERE-YOUR-DOMAIN-NAME>', 'schacHomeOrganizationType' => 'urn:schac:homeOrganizationType:eu:higherEducationalInstitution', ], // Add eduPersonPrincipalName 11 => [ 'class' => 'core:ScopeAttribute', 'scopeAttribute' => 'schacHomeOrganization', 'sourceAttribute' => 'uid', 'targetAttribute' => 'eduPersonPrincipalName', ], // Add eduPersonScopedAffiliation 12 => [ 'class' => 'core:ScopeAttribute', 'scopeAttribute' => 'eduPersonPrincipalName', 'sourceAttribute' => 'eduPersonAffiliation', 'targetAttribute' => 'eduPersonScopedAffiliation', ], // Add subject-id // The value of the "identifyingAttribute" MUST CONTAINS ONLY ALPHA or DIGIT characters and "=" or "-" symbols 13 => [ 'class' => 'saml:SubjectID', 'identifyingAttribute' => 'uid', 'scopeAttribute' => 'schacHomeOrganization', ], // Add pairwise-id // The value of the "identifyingAttribute" MUST CONTAINS ONLY ALPHA or DIGIT characters and "=" or "-" symbols 14 => [ 'class' => 'saml:PairwiseID', 'identifyingAttribute' => 'uid', 'scopeAttribute' => 'schacHomeOrganization', ], // Enable this authproc filter to automatically generated eduPersonTargetedID/persistent nameID 20 => [ 'class' => 'saml:PersistentNameID2TargetedID', 'attribute' => 'eduPersonTargetedID', 'nameId' => true, ], // The Attribute Limit will be use to release all possibile values supported by IdP to SPs // Remember to Comment out the line "50 => 'core:AttributeLimit'," into "authproc.idp" section in the "config/config.php" file // or no attribute will be released. 50 => [ 'class' => 'core:AttributeLimit', 'uid','givenName','sn','cn','mail','displayName','mobile', 'title','preferredLanguage','telephoneNumber', 'schacMotherTongue','schacPersonalTitle','schacHomeOrganization', 'schacHomeOrganizationType','schacUserPresenceID','schacPersonalPosition', 'schacPersonalUniqueCode','schacPersonalUniqueID', 'eduPersonPrincipalName','eduPersonEntitlement', 'urn:oasis:names:tc:SAML:attribute:subject-id', 'urn:oasis:names:tc:SAML:attribute:pairwise-id', 'eduPersonTargetedID','eduPersonOrcid','eduPersonOrgDN','eduPersonOrgUnitDN', 'eduPersonScopedAffiliation' => [ 'regex' => true, '/^student@.*/', '/^staff@.*/', '/^member@.*/', '/^alum@.*/', '/^affiliate@.*/', '/^library-walk-in@.*/', '/^faculty@.*/', // NO IDEM '/^employee@.*/', // NO IDEM ], 'eduPersonAffiliation' => [ 'student', 'staff', 'member', 'alum', 'affiliate', 'library-walk-in', 'faculty', // NO IDEM 'employee', // NO IDEM ], ], // IDEM Attribute Filter: // IDEM SPs + Entity Category SPs + Custom SPs 60 =>[ 'class' => 'core:PHP', 'code' => ' $config_dir = apache_getenv("SIMPLESAMLPHP_CONFIG_DIR"); include($config_dir."/idem-attribute-filter.php"); ' ], // Consent module is enabled with persistence. // In order to generate the privacy preserving hashes in the consent module, // is needed to pick one attribute that is always available and that is unique to all users. // An example of such an attribute is uid or eduPersonPrincipalName. // // This setup uses Cookies as storage backend. 90 => [ 'class' => 'consent:Consent', 'identifyingAttribute' => 'uid', 'focus' => 'yes', 'checked' => true, 'store' => 'consent:Cookie', 'attributes.exclude' => ['uid'] ], 91 => [ 'class' => 'core:PHP', 'code' => 'unset($attributes["uid"]);' ], // If language is set in Consent module it will be added as 'preferredLanguage' attribute 99 => 'core:LanguageAdaptor', // Convert LDAP names to oids needed to send attributes to the SP 100 => ['class' => 'core:AttributeMap', 'name2oid'], ], 'auth' => 'example-userpass'; // ... other things ... ];
-
-
NOTE: Remember to Comment out the line "50 => 'core:AttributeLimit'," into "authproc.idp" section because we will use
core:AttributeLimit
into the "authproc" section onmetadata/saml20-idp-hosted.php
to limit the attributes released. If you keep the line no attributes will be released.
⚠️ These rules have been tested on a Test Federation: Be careful to use without having understood them before!
The following rules are set with the
idem-attribute-filter.php
file used by thesaml20-idp-hosted.php
file.IDEM + Entity Category + Custom SPs Attribute Release Policies:
- Release "
eduPersonTargetedID
" ONLY IF the preferred "<md:NameIDFormat>
" of the SP IS NOT the "persistent
" ones.- Release the "
eduPersonScopedAffiliation
" to all IDEM SPs- Release all required (
isRequired="true"
) attributes to all IDEM SPs- Release all required (
isRequired="true"
) attributes to all CoCo SP (if the EC is supported)- Release all R&S subset attributes:
givenName
,sn
,displayName
,eduPersonScopedAffiliation
,eduPersonPrincipalName
,eduPersonTargetedID
- Release attributes to those SPs that do not requrest attributes by their metadata, or that has needed to receive a specific value for one or more attributes
-
Download IDEM ARP into SimpleSAMLphp
config
directory:sudo wget https://registry.idem.garr.it/idem-conf/simplesamlphp/IDP2/config/idem-attribute-filter.php -O /var/simplesamlphp/config/idem-attribute-filter.php
-
Change the
require
line intoidem-attribute-filter.php
by setting the correct path of thename2oid.php
file if differs on your instance.
-
Become ROOT:
sudo su -
-
Enable LDAP PHP module:
apt install php-ldap --no-install-recommends
systemctl restart apache2.service
-
Install the SimpleSAMLphp LDAP module:
cd /var/simplesamlphp
composer require simplesamlphp/simplesamlphp-module-ldap --update-no-dev
-
Check that you can reach the Directory from your IDP server:
-
For OpenLDAP:
-
StartTLS or Plain LDAP:
ldapsearch -x -H <LDAP-URI> -D 'cn=idpuser,ou=system,dc=example,dc=org' -w '<IDPUSER-PASSWORD>' -b 'ou=people,dc=example,dc=org' '(&(objectClass=inetOrgPerson)(uid=<USERNAME-USED-IN-THE-LOGIN-FORM>))'
-
SSL:
ldapsearch -x -H <LDAP-URI> -D 'cn=idpuser,ou=system,dc=example,dc=org' -w '<IDPUSER-PASSWORD>' -b 'ou=people,dc=example,dc=org' '(&(objectClass=inetOrgPerson)(uid=<USERNAME-USED-IN-THE-LOGIN-FORM>))'
- the baseDN (
-b
parameter) ==>ou=people,dc=example,dc=org
(branch containing the registered users):
corresponds tosearch.base
authsource LDAP setting. - the bindDN (
-D
parameter) ==>cn=idpuser,ou=system,dc=example,dc=org
(distinguished name for the user that can made queries on the LDAP, read only is sufficient):
corresponds tosearch.username
authsource LDAP setting. - the Search Filter ==>
(&(objectClass=inetOrgPerson)(uid=<USERNAME-USED-IN-THE-LOGIN-FORM>))
:
corresponds to `search.filter' authsource LDAP setting.
- the baseDN (
-
-
For Active Directory:
ldapsearch -x -H <LDAP-URI> -D 'CN=idpuser,CN=Users,DC=ad,DC=example,DC=org' -w '<IDPUSER-PASSWORD>' -b 'CN=Users,DC=ad,DC=example,DC=org' '(sAMAccountName=<USERNAME-USED-IN-THE-LOGIN-FORM>)'
- the baseDN (
-b
parameter) ==>CN=Users,DC=ad,DC=example,DC=org
(branch containing the registered users):
corresponds tosearch.base
authsource LDAP setting. - the bindDN (
-D
parameter) ==>CN=idpuser,CN=Users,DC=ad,DC=example,DC=org
(distinguished name for the user that can made queries on the LDAP, read only is sufficient):
corresponds tosearch.username
authsource LDAP setting. - the Search Filter
(&(objectClass=inetOrgPerson)(uid=<USERNAME-USED-IN-THE-LOGIN-FORM>))
:
corresponds to `search.filter' authsource LDAP setting.
- the baseDN (
-
-
Add the
ldap:Ldap
Authentication Source:-
vim /var/simplesamlphp/config/authsources.php
NOTE: Replace the list provided into the
attributes
array with the attributes released by institutional LDAP/AD,
and allexample
values with the correct one.<?php $config = [ // This is a authentication source which handles admin authentication. 'admin' => [ 'core:AdminPassword', ], // LDAP authentication source. 'ldap' => [ 'ldap:Ldap', 'connection_string' => 'ldap://ldap.example.org', 'encryption' => 'none', 'version' => 3, 'ldap.debug' => true, 'options' => [ /** * Set whether to follow referrals. * AD Controllers may require 0x00 to function. * Possible values are 0x00 (NEVER), 0x01 (SEARCHING), * 0x02 (FINDING) or 0x03 (ALWAYS). */ 'referrals' => 0x03, 'network_timeout' => 3, ], 'connector' => '\SimpleSAML\Module\ldap\Connector\Ldap', // Pay attention on 'eduPersonTargetedID', 'eduPersonPrincipalName', 'eduPersonScopedAffiliation', 'schacHomeOrganization' and 'schacHomeOrganizationType' // Because they will be managed by the Authentication Process Filter inside metadata/saml20-idp-hosted.php // If you need to manage them directly on your Directory Service, remove the AuthProcFilter number 10,11,12,20 from metadata/saml20-idp-hosted.php 'attributes' => ['uid','sn','givenName','cn','displayName','mail','eduPersonAffiliation','eduPersonEntitlement'], 'search.filter' => '(&(objectClass=inetOrgPerson)(uid=%username%))', 'dnpattern' => 'uid=%username%,ou=people,dc=example,dc=org', 'search.enable' => false, 'search.base' => [ 'ou=people,dc=example,dc=org', ], 'search.scope' => 'sub', 'search.attributes' => ['uid'], 'search.username' => '<LDAP-DN-OF-USER-THAT-PERFORMS-QUERIES-ON-DIRECTORY>', 'search.password' => '<QUERY-USER-PASSWORD>', ], ];
-
-
Connect LDAP to the IdP:
-
vim /var/simplesamlphp/metadata/saml20-idp-hosted.php
/* ...other things before end of file...*/ 'auth' => 'ldap', ];
-
-
Enable the SimpleSAMLphp LDAP module:
-
vim /var/simplesamlphp/config/config.php
/* ...other configuration settings...*/ 'module.enable' => [ 'exampleauth' => false, 'core' => true, 'admin' => true, 'saml' => true, 'consent' => true, 'ldap' => true, ], /* ...other configuration settings...*/
-
-
Try the LDAP Authentication Source on:
-
https://idp.example.org/simplesaml/module.php/admin/test
(Replace
idp.example.org
with your IDP Full Qualified Domain Name)
-
-
https://idp.example.org/simplesaml/module.php/saml/idp/metadata
(Replace
idp.example.org
with your IDP Full Qualified Domain Name)
Follow these steps ONLY IF your organization is connected to the GARR Network
-
Register you IdP metadata on IDEM Entity Registry (your entity have to be approved by an IDEM Federation Operator before become part of IDEM Test Federation):
https://registry.idem.garr.it/
-
Configure the IdP to retrieve the Test Federation Metadata:
- Follow the instructions on: https://mdx.idem.garr.it/
-
Wait that your IdP Metadata is approved by an IDEM Federation Operator into the metadata stream and the next steps provided by the operator itself.
-
Follow the instructions provided by IDEM.
-
Become ROOT:
sudo su -
-
Install needed packages:
apt install memcached php-memcached --no-install-recommends
-
Enable PHP memcached module:
phpenmod memcached
-
Restart Apache:
systemctl restart apache2.service
-
Enable memcache on simplesamlphp:
-
vim /var/simplesamlphp/config/config.php
// ...other configuration settings... 'store.type' => 'memcache', // ...other configuration settings...
-
DOC: SimpleSAMLphp statistics module
-
Enable the 'statistics' and the 'cron' modules:
-
vim /var/simplesamlphp/config/config.php
/* ...other configuration settings...*/ 'module.enable' => [ 'exampleauth' => false, 'core' => true, 'admin' => true, 'saml' => true, 'consent' => true, 'ldap' => true, 'statistics' => true, 'cron' => true, ], /* ...other configuration settings...*/
-
-
Install the 'statistics' module:
cd /var/simplesamlphp
composer require simplesamlphp/simplesamlphp-module-statistics --update-no-dev
-
Configure the 'statistics' and
cron
module-
statistics:
cp /var/simplesamlphp/vendor/simplesamlphp/simplesamlphp/modules/statistics/config-templates/module_statistics.php /var/simplesamlphp/config/module_statistics.php
-
cron:
cp /var/simplesamlphp/vendor/simplesamlphp/simplesamlphp/modules/cron/config/module_cron.php.dist /var/simplesamlphp/config/module_cron.php
-
-
Prepare the environment for 'statistics' module:
mkdir /var/simplesamlphp/stats
chown www-data /var/simplesamlphp/stats
(required to allow SimpleSAMLphp to write datas)chown www-data /var/log/simplesamlphp.stat
(require to allow SimpleSAMLphp to read datas)
-
Replace the word
secret
with your personal opaque value into:sed -i "s/secret/$(tr -c -d '0123456789abcdefghijklmnopqrstuvwxyz' </dev/urandom | dd bs=32 count=1 2>/dev/null ; echo)/g" /var/simplesamlphp/config/module_cron.php
-
Copy the suggestion for a crontab file from the location
/simplesaml/module.php/cron/info
into your crontab:crontab -e
- Paste the suggestion before the end of file
-
Move into the installation dir:
cd /var/simplesamlphp
-
Update all Composer packages with:
sudo composer update
-
The Mozilla Observatory: The Mozilla Observatory has helped over 240,000 websites by teaching developers, system administrators, and security professionals how to configure their sites safely and securely.
- Marco Malavolti ([email protected])