In this tutorial we will configure a new simpleSAMLphp Identity Provider and connect it to OpenConext. The tutorial is divided into two parts:
- Configure simpleSAMLphp as IdP
- Register the new IdP in OpenConext
We assume that you already have a working OpenConext configuration with one or more connected service providers, and that simpleSAMLphp is installed.
Configure simpleSAMLphp as IdP
If you have not installed simpleSAMLphp yet, you can use this tutorial. If simpleSAMLphp is installed and running, proceed to the next steps.
Enabling the Identity Provider functionality
The first thing to do is enable the identity provider functionality. This is done by editing config/config.php in your simpleSAMLphp installation. Enable the following options by setting them to true:
'enable.saml20-idp' => true,
'enable.shib13-idp' => true,
The next step is to configure how users authenticate on your IdP. Various modules in the modules/ directory provide methods for authenticating your users. An overview can be found here. We will use the exampleauth:UserPass authentication module. It has no dependencies and is therefore simple to set up. Because it keeps usernames and clear-text passwords in a configuration file, it is suitable for testing this setup, not for a production IdP.
Configuring the authentication module
The exampleauth:UserPass authentication module is part of the exampleauth module. This module isn’t enabled by default, so you will have to enable it. This is done by creating a file named enable in modules/exampleauth/.
On UNIX, this can be done by running (from the simpleSAMLphp installation directory):
touch modules/exampleauth/enable
The next step is to create an authentication source with this module. An authentication source is an authentication module with a specific configuration. Each authentication source has a name, which is used to refer to this specific configuration in the IdP configuration. Configuration for authentication sources can be found in config/authsources.php.
In this setup, this file should contain a single entry:
$config = array(
    'example-userpass' => array(
        'exampleauth:UserPass',
        'student:studentpass' => array(
            'uid' => array('student'),
            'eduPersonAffiliation' => array('member', 'student'),
        ),
        'employee:employeepass' => array(
            'uid' => array('employee'),
            'eduPersonAffiliation' => array('member', 'employee'),
        ),
    ),
);
This configuration creates two users, student and employee, with the passwords studentpass and employeepass. The username and password are stored in the array index (student:studentpass for the student user). The attributes for each user are configured in the array referenced by that index. For the student user, these are:
array(
    'uid' => array('student'),
    'eduPersonAffiliation' => array('member', 'student'),
),
The attributes will be returned by the IdP when the user logs on.
Configuring the IdP
The IdP is configured by the metadata stored in metadata/saml20-idp-hosted.php and metadata/shib13-idp-hosted.php. The following is a SAML 2.0 IdP configuration with the minimal required keys (host, signing key and certificate, and the authentication source defined above) plus a UIInfo block describing the IdP to users. The privatekey and certificate file names are relative to simpleSAMLphp's cert/ directory; keep server.pem readable only by the web server user, since anyone who can read it can sign assertions as your IdP:
$metadata['__DYNAMIC:1__'] = array(
    'host' => '__DEFAULT__',
    'privatekey' => 'server.pem',
    'certificate' => 'server.crt',
    'auth' => 'example-userpass',
    'UIInfo' => array(
        'DisplayName' => array(
            'en' => 'University of Monnickendam',
            'nl' => 'Universiteit van Monnickendam',
        ),
        'Description' => array(
            'en' => 'An IdP operated by University of Monnickendam',
        ),
        'Keywords' => array(
            'en' => array('university', 'monnickendam', 'uvm'),
            'nl' => array('universiteit', 'monnickendam', 'uvm'),
        ),
        'Logo' => array(
            array(
                'url' => 'https://www.uvm.nl/universiteitvanmonnickendam.gif',
                'height' => 51,
                'width' => 107,
            ),
        ),
    ),
);
Using the uri NameFormat on attributes
The interoperable SAML 2 profile specifies that attributes should be delivered using the urn:oasis:names:tc:SAML:2.0:attrname-format:uri NameFormat. We therefore recommend enabling this in new installations. This can be done by adding the following keys to the saml20-idp-hosted entry above:
'attributes.NameFormat' => 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri',
'authproc' => array(
    // Convert LDAP names to oids.
    100 => array('class' => 'core:AttributeMap', 'name2oid'),
),
Make sure that the logo referenced in UIInfo is hosted on an SSL-protected (https) web server; an http image embedded in the https login page is mixed content and browsers will block or flag it.
Adding SPs to the IdP
The IdP you are configuring needs to know about the service providers you are going to connect to it. This is configured by metadata stored in metadata/saml20-sp-remote.php and metadata/shib13-sp-remote.php. This is an example metadata/saml20-sp-remote.php entry for the OpenConext engine, which acts as the SP towards your IdP. Two things to keep in mind: first, simpleSAMLphp merges the authproc lists from saml20-idp-hosted.php and saml20-sp-remote.php and runs the filters in ascending priority order, so the priority-90 map below runs before the priority-100 name2oid map from the previous section, and attributes already renamed to urn:mace names are not in the name2oid table and are left unchanged (the SP then receives urn:mace names, not OIDs); decide which naming OpenConext should receive and keep only that map. Second, this entry carries no certificate for the SP, so the IdP cannot verify signatures on authentication requests from it; for a production setup, copy the SP's signing certificate from its metadata into 'certData' and set 'validate.authnrequest' => true.
$metadata['https://engine.demo.openconext.nl/authentication/sp/metadata'] = array(
    'AssertionConsumerService' => 'https://engine.demo.openconext.nl/authentication/sp/consume-assertion',
    'authproc' => array(
        /* add schacHomeOrganization attribute */
        10 => array(
            'class' => 'core:AttributeAdd',
            'schacHomeOrganization' => 'university.example.org',
        ),
        /* add the 'urn' prefix to all supported attributes (if available from authentication source) */
        90 => array(
            'class' => 'core:AttributeMap',
            'uid' => 'urn:mace:dir:attribute-def:uid',
            'sn' => 'urn:mace:dir:attribute-def:sn',
            'givenName' => 'urn:mace:dir:attribute-def:givenName',
            'cn' => 'urn:mace:dir:attribute-def:cn',
            'displayName' => 'urn:mace:dir:attribute-def:displayName',
            'mail' => 'urn:mace:dir:attribute-def:mail',
            'eduPersonPrincipalName' => 'urn:mace:dir:attribute-def:eduPersonPrincipalName',
            'eduPersonEntitlement' => 'urn:mace:dir:attribute-def:eduPersonEntitlement',
            'eduPersonAffiliation' => 'urn:mace:dir:attribute-def:eduPersonAffiliation',
            'schacHomeOrganization' => 'urn:mace:terena.org:attribute-def:schacHomeOrganization',
        ),
    ),
);
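To see what the SP actually receives from the two authproc sections above (the name2oid map in saml20-idp-hosted.php and the AttributeAdd and urn:mace map in saml20-sp-remote.php), here is an added example that simulates the merged filter chain on the student user's attributes. It is not simpleSAMLphp code: the three filters are re-implemented in a few lines each, the MACE_MAP is the page's own table, and NAME2OID is a hand-copied subset of simpleSAMLphp's name2oid table covering only the attributes this page mentions. It shows that with both maps in place the SP gets urn:mace names, and that dropping the priority-90 map yields the OID names the uri NameFormat is meant for.

```python
"""Simulation of the authproc chain the IdP above applies before releasing attributes.

Added example, not simpleSAMLphp code. Mimics core:AttributeAdd (priority 10), the
urn:mace core:AttributeMap (90) and name2oid (100) from the page's config.
"""
from xml.sax.saxutils import escape, quoteattr

URI_NAME_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"

# Attributes example-userpass returns for student:studentpass (from authsources.php above).
STUDENT_ATTRS = {
    "uid": ["student"],
    "eduPersonAffiliation": ["member", "student"],
}

# Priority-90 map from the saml20-sp-remote.php entry above.
MACE_MAP = {
    "uid": "urn:mace:dir:attribute-def:uid",
    "sn": "urn:mace:dir:attribute-def:sn",
    "givenName": "urn:mace:dir:attribute-def:givenName",
    "cn": "urn:mace:dir:attribute-def:cn",
    "displayName": "urn:mace:dir:attribute-def:displayName",
    "mail": "urn:mace:dir:attribute-def:mail",
    "eduPersonPrincipalName": "urn:mace:dir:attribute-def:eduPersonPrincipalName",
    "eduPersonEntitlement": "urn:mace:dir:attribute-def:eduPersonEntitlement",
    "eduPersonAffiliation": "urn:mace:dir:attribute-def:eduPersonAffiliation",
    "schacHomeOrganization": "urn:mace:terena.org:attribute-def:schacHomeOrganization",
}

# Hand-copied subset of simpleSAMLphp's name2oid table (standard OIDs for these attributes).
NAME2OID = {
    "uid": "urn:oid:0.9.2342.19200300.100.1.1",
    "mail": "urn:oid:0.9.2342.19200300.100.1.3",
    "cn": "urn:oid:2.5.4.3",
    "sn": "urn:oid:2.5.4.4",
    "givenName": "urn:oid:2.5.4.42",
    "displayName": "urn:oid:2.16.840.1.113730.3.1.241",
    "eduPersonAffiliation": "urn:oid:1.3.6.1.4.1.5923.1.1.1.1",
    "eduPersonPrincipalName": "urn:oid:1.3.6.1.4.1.5923.1.1.1.6",
    "eduPersonEntitlement": "urn:oid:1.3.6.1.4.1.5923.1.1.1.7",
    "schacHomeOrganization": "urn:oid:1.3.6.1.4.1.25178.1.2.9",
}


def attribute_add(attrs, extra):
    """core:AttributeAdd without 'replace': new values are appended to existing ones."""
    out = {name: list(values) for name, values in attrs.items()}
    for name, values in extra.items():
        out.setdefault(name, []).extend(values)
    return out


def attribute_map(attrs, mapping):
    """core:AttributeMap: rename attributes present in the map, leave the rest untouched."""
    return {mapping.get(name, name): list(values) for name, values in attrs.items()}


def run_authproc(attrs, filters):
    """Run filters in ascending priority, as simpleSAMLphp does after merging the
    saml20-idp-hosted and saml20-sp-remote authproc lists."""
    out = attrs
    for priority in sorted(filters):
        out = filters[priority](out)
    return out


def attribute_statement(attrs, name_format=URI_NAME_FORMAT):
    """Render the saml:AttributeStatement the SP would see (names, NameFormat, values)."""
    lines = ['<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">']
    for name, values in attrs.items():
        lines.append(f"  <saml:Attribute Name={quoteattr(name)} NameFormat={quoteattr(name_format)}>")
        for value in values:
            lines.append(f"    <saml:AttributeValue>{escape(value)}</saml:AttributeValue>")
        lines.append("  </saml:Attribute>")
    lines.append("</saml:AttributeStatement>")
    return "\n".join(lines)


# The chain exactly as configured on the page.
PAGE_CHAIN = {
    10: lambda a: attribute_add(a, {"schacHomeOrganization": ["university.example.org"]}),
    90: lambda a: attribute_map(a, MACE_MAP),
    100: lambda a: attribute_map(a, NAME2OID),
}

# The same chain with the sp-remote urn:mace map removed: only name2oid renames.
OID_ONLY_CHAIN = {priority: f for priority, f in PAGE_CHAIN.items() if priority != 90}


def released_names(chain, attrs=STUDENT_ATTRS):
    """Attribute names the SP receives after the chain has run."""
    return sorted(run_authproc(attrs, chain))


if __name__ == "__main__":
    print("As configured on the page:", released_names(PAGE_CHAIN))
    print("Without the priority-90 map:", released_names(OID_ONLY_CHAIN))
    print(attribute_statement(run_authproc(STUDENT_ATTRS, OID_ONLY_CHAIN)))
```

Running it prints the urn:mace names for the page's configuration and the urn:oid names once the priority-90 map is removed; the rendered AttributeStatement shows the NameFormat that 'attributes.NameFormat' sets on every attribute.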
Register the new IdP in OpenConext
The first step is to get the IdP’s metadata. Navigate to the simpleSAMLphp admin page and go to the Federation tab. Below ‘Saml 2.0 IDP metadata’ click on ‘Show Metadata’. Copy the XML metadata to your clipboard.
Navigate to the OpenConext dashboard and click on the ServiceRegistry button. Log in with admin/secret (the demo default credentials; change them on any installation that others can reach) and create a new connection. Paste the XML into the ‘XML code here’ box and click ‘create’.
Click on the newly created IdP and change its status from ‘test’ to ‘production’. On the ‘Metadata’ tab, add a name in the ‘name:en’ and ‘name:nl’ fields and save your configuration.
Test your setup by starting a new browser session and navigating to one of your configured SPs. When you are prompted to log in, you should now be able to choose your new IdP.
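Before pasting the IdP metadata from the Federation tab into the ServiceRegistry, it is worth checking that it actually reflects the configuration above. The following added example (not part of simpleSAMLphp or OpenConext) parses the metadata XML and reports the things that most often go wrong: no IDPSSODescriptor (the IdP functionality is not enabled), no signing certificate, non-https endpoints, and a UIInfo logo that is not served over https. The sample metadata is constructed to resemble simpleSAMLphp's output for the IdP configured above; the hostname idp.uvm.example and the certificate body are placeholders, and the logo URL is deliberately http to trigger a finding.

```python
"""Pre-registration checks on simpleSAMLphp IdP metadata.

Added example, not simpleSAMLphp or OpenConext code. Pass the path of a saved
metadata file as the first argument, or run without arguments to check the
constructed sample below.
"""
import sys
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "mdui": "urn:oasis:names:tc:SAML:metadata:ui",
}

# Constructed sample: hostname and certificate body are placeholders; the logo is
# intentionally served over http so that the check below has something to report.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
    entityID="https://idp.uvm.example/simplesaml/saml2/idp/metadata.php">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:Extensions>
      <mdui:UIInfo>
        <mdui:DisplayName xml:lang="en">University of Monnickendam</mdui:DisplayName>
        <mdui:Logo height="51" width="107">http://www.uvm.nl/universiteitvanmonnickendam.gif</mdui:Logo>
      </mdui:UIInfo>
    </md:Extensions>
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIC...placeholder...</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.uvm.example/simplesaml/saml2/idp/SSOService.php"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def check_idp_metadata(xml_text):
    """Return a list of findings; an empty list means the metadata is ready to register."""
    root = ET.fromstring(xml_text)
    findings = []
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        return ["root element is not md:EntityDescriptor"]
    if not root.get("entityID", "").startswith("https://"):
        findings.append("entityID is not an https URL")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        return findings + ["no IDPSSODescriptor: is enable.saml20-idp set to true?"]
    endpoints = idp.findall("md:SingleSignOnService", NS)
    if not endpoints:
        findings.append("no SingleSignOnService endpoint")
    for endpoint in endpoints:
        location = endpoint.get("Location", "")
        if not location.startswith("https://"):
            findings.append("SSO endpoint not served over https: %s" % location)
    # A KeyDescriptor without a 'use' attribute is valid for both signing and encryption.
    certs = [
        (cert.text or "").strip()
        for key in idp.findall("md:KeyDescriptor", NS)
        if key.get("use") in (None, "signing")
        for cert in key.findall(".//ds:X509Certificate", NS)
    ]
    if not any(certs):
        findings.append("no signing certificate: check 'certificate' in saml20-idp-hosted.php")
    for logo in idp.findall(".//mdui:Logo", NS):
        url = (logo.text or "").strip()
        if not url.startswith("https://"):
            findings.append("UIInfo logo not served over https: %s" % url)
    return findings


if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_METADATA
    problems = check_idp_metadata(text)
    for problem in problems:
        print("FINDING:", problem)
    print("ready to register" if not problems else "%d finding(s)" % len(problems))
    sys.exit(1 if problems else 0)
```

On the constructed sample the script reports the http logo and nothing else; after the logo is moved to https it exits 0. Note that the script only inspects the XML; it does not verify that the certificate in the metadata is the one in cert/server.crt, which you can confirm by comparing the base64 body with the file.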