SimpleSAMLphp¶
SimpleSAMLphp is an authentication and federation application that supports several protocols (SAML 2.0, Shibboleth 1.3, OpenID, …):
apt install simplesamlphp php-xml php-mbstring
a2enconf simplesamlphp
Service and Identity Providers¶
The easiest way to test it is to set up two different hosts: one that serves as Service Provider and the other as Identity Provider. The Debian package includes an “example-userpass” that can be used to test.
Ensure both hosts know about each other’s name (e.g. in /etc/hosts
or through a local dnsmasq).
The tests described here are based on the v1.19 upstream documentation, that used to be found at simplesamlphp.org/docs/1.19/ (git, archive.org).
In Debian, all the required configuration files can be found under
/etc/simplesamlphp/. The default admin password for the web GUI is
defined in /var/lib/simplesamlphp/secrets.inc.php. Place X.509
certificates under /etc/ssl/certs/.
The web GUI can be accessed at:
Note: (at least on bullseye) simplesamlphp administration login failed
(and also the test below between the IDP and SP) with a “too many
redirects” error, I could get it work by setting
'session.cookie.secure' => true,. However, this requires HTTPS.
On the Identity Provider
Follow the upstream documentation:
In config.php:
'enable.saml20-idp' => true,
'module.enable' => array(
'exampleauth' => TRUE,
'saml' => TRUE, // ENABLE THIS
'core' => NULL,
),
In authsources.php, comment the default-sp configuration, and
uncomment the 'example-userpass' array (test login/passwords).
Create a self-signed certificate:
openssl req -newkey rsa:3072 -new -x509 -days 3652 -nodes \
-out /etc/ssl/certs/example.org.crt \
-keyout /etc/ssl/certs/example.org.pem
chown www-data: /etc/ssl/certs/example.org.pem
Initialize metadata/saml20-idp-hosted.php:
<?php
$metadata['__DYNAMIC:1__'] = [
'host' => '__DEFAULT__',
'privatekey' => 'example.org.pem',
'certificate' => 'example.org.crt',
'auth' => 'example-userpass',
];
In metadata/saml20-sp-remote.php, copy-paste the Service
Provider metadata (see below), that can be found in its Federation
web GUI page (prefix with <?php).
On the Service Provider
In authsources.php, make sure the default-sp configuration is
uncommented.
Once you have configured the identity provider, include its metadata
in /etc/simplesamlphp/metadata/saml20-idp-remote.php. To avoid
errors, copy+paste the Identity Provider metadata in SimpleSAMLphp
flat file format that can be found on the identity provider >
Federation tab > SAML 2.0 IdP Metadata.
Test the Authentication service using the web GUI on the Service
Provider > Authentication tab > Test configured authentication
sources. You should find there the default-sp, that points to the
Identidy Provider configured above. Verify that you can log in with
student : studentpass.
XML to SimpleSAMLphp¶
To test XML handling (partially), it is useful to use the XML to SimpleSAMLphp metadata converter tool that can be found in the Federation tab.
Test suite¶
The simplesamlphp test suite is not run at build time. It requires phpunit 4.8, which is older than the 7.5.6-1 version found in buster. One method to run the test suite is relying on composer to install the older dependencies. Unfortunately, composer is not packaged in Debian, so it has to be installed from https://getcomposer.org/. Once the dependencies are installed, the test suite can be run with:
./vendor/bin/phpunit -c tools/phpunit/phpunit.xml