In this tutorial, we will set up a simple Service Provider (SP), written in PHP, and connect it to the OpenConext infrastructure. The goal of this tutorial is to enable federated logins via OpenConext for a simple PHP test file.
The tutorial assumes you are using a Linux environment; however, there is no reason to assume that this approach won’t work on different operating systems that support PHP.
First we need to create a simple page that will act as our SP for this tutorial. To do this, save the following code as test.php and make sure it is available from https://sp.demo.openconext.org/simplesaml/test.php
(Please change the url to match your installation. Note that in this example we will use the one above.)
<?php # do nothing for now... print "Hello world"; ?>
We are going to use simpleSAMLphp to enable federated logins via OpenConext for our simple test php file. SimpleSAMLphp is a very powerful product that can be used in a number of roles in an identity federation (e.g., as IdP, SP, etc).
To set up simpleSAMLphp to allow OpenConext users to log in, we need to set up simpleSAMLphp as an SP. Below, we will go through the process step by step.
First download and set up simpleSAMLphp as described on this page. In particular, you need to
- Download and unpack simpleSAMLphp into /var/simplesamlphp (step 4)
- Configure Apache (step 6)
- Configure simpleSAMLphp (step 7)
Once you’ve set up simpleSAMLphp, check that it works by visiting https://sp.demo.openconext.org/simplesaml. You should get a site that looks like this:
As a simple first check to see if everything is configured correctly so far, click on configuration–>sanity check. This should tell you that everything was fine:
Next, we need to configure simpleSAMLphp as an SP for OpenConext.
First, we need to create a key pair. All SAML requests to and from OpenConext will be signed using SSL. The SSL certificated used for this does not need to be signed by a CA. A key and certificate can be generated using the following OpenSSL command:
$ openssl req -newkey rsa:2048 -new -x509 -days 3652 -nodes -text -out saml.crt -keyout saml.key
The resulting key and certificate files look like this:
-----BEGIN PRIVATE KEY----- MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC2Zgy8bZ0x1L7L FGYflfL3F0WIYLenLyvOG7bw9e4rzBZ/5YXusvpWw9CY/urSO6xN4f3O8L+EW51W 85RTazP+NdSzkryVG2V4SZwvM7c1fkGaQqnKyyBAXpSjS4xENYaRhzyFvh51f38v rp1sgnrRGFYJntBBrADzTSTzq7nI4bWjz7UQvVZ3lSgP4s8SuJsGkX959kfP/8wi ZI8zfRKIbwd4iZ2sdYtSqvDSz5YVvce6spOJTKrRvMseBAAdC7srzvbANmogCAMG PuOtg1rgHEX5TmSlGNX40xoo7SFpO//FYT4PfDyhAoGBALvMVcr28kAYzPoPlkm+ gHIjVtJm4zUsuqBqPfqUsr9TOEBN50qeNvoCv/QqbcYzJjuF5OlQEgowYp5nrJkY 4fhYOiCUqgGDHo7EMkHzOT1ktYdwa5xl9mnzz4Aher0ftGpi61sK+pJVS7QCjWR7 pf8YP6CtlNDXPXQP7oc6X573 -----END PRIVATE KEY-----
-----BEGIN CERTIFICATE----- MIIDXTCCAkWgAwIBAgIJAKviyW6kGYN2MA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNV BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX aWRnaXRzIFB0eSBMdGQwHhcNMTQwMTE1MTI0ODUwWhcNMjQwMTE1MTI0ODUwWjBF MQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50 ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB nyiaw+NyNrrEX1yriKPbVn+qipBuG0M0rNjY4Lza+SFn9xr2G9fntY4tMk/HaCkJ urk8YHHQTJCLl/PjA5O+mTYwVNy/hJT/K0qYP7b7OJm2VHF9DWGsmdFQHbu3UdZr 1GcoHLByzT4j2Vgr0qE5j14wtCEqFsM8wUNRGsHE2hFI0sIzx+utvg7CMBP9QHuH ORcK+rzjhjUrbccksvFXRDM2pRRakjmiVvdbt1THJL6+WaJsxen0msoGEXjoYjJl pg== -----END CERTIFICATE-----
Copy the two files to the cert directory of simplesamlphp: /var/simplesamlphp/cert/
Next, configure the authsources.php configuration file. The file is located under /var/simplesamlphp/config/.
The default config file has a lot of example code, for authentication against Google, Facebook, etc. We just want to have a username/password based admin login, and a SAML authentication source (which will be connected to OpenConext).
Replace the existing code with the following:
<?php $config = array( // This is a authentication source which handles admin authentication. 'admin' => array( 'core:AdminPassword', ), // An authentication source which can authenticate against OpenConext 'default-sp' => array( 'saml:SP', 'privatekey' => 'saml.key', 'certificate' => 'saml.crt', 'idp' => 'https://engine.demo.openconext.org/authentication/idp/metadata', ), ); ?>
Next, get the OpenConext IdP metadata (in XML form) from https://engine.demo.openconext.org/authentication/idp/metadata via your OpenConext instance.
SimpleSAMLphp can convert this XML metadata file to a proper simpleSAMLphp configuration file: go to https://sp.demo.openconext.org/simplesaml.
In the Federation tab, choose “XML to simpleSAMLphp metadata converter”.
Copy the IdP metadata to the clipboard, to be sure you have the correct format choose “View Page Source” in your browser and copy the complete XML structure.
Paste the XML data into the text field, and press Parse.
The resulting Converted Metadata should be put into the simpleSAMLphp configuration file /var/simplesamlphp/metadata/saml20-idp-remote.php.
The contents can vary slightly, but the file should look approximately like this:
<?php $metadata['https://engine.demo.openconext.org/authentication/idp/metadata'] = array ( 'entityid' => ' https://engine.demo.openconext.org/authentication/idp/metadata', 'contacts' => array (), 'metadata-set' => 'saml20-idp-remote', 'expire' => 1320764961, 'SingleSignOnService' => array ( 0 => array ( 'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect', 'Location' => ' https://engine.demo.openconext.org/authentication/idp/single-sign-on', ), ), 'SingleLogoutService' => array (), 'ArtifactResolutionService' => array (), 'keys' => array ( 0 => array ( 'encryption' => false, 'signing' => true, 'type' => 'X509Certificate', 'X509Certificate' => 'MIIDyzCCArOgAwIBAgIJAMzixtXMUH1NMA0GCSqGSIb3DQEBBQUAMHwxCzAJBgNVBAYTAk5MMRAwDgYDVQ… ), 1 => array ( 'encryption' => true, 'signing' => false, 'type' => 'X509Certificate', 'X509Certificate' => lpXi2WJqO85H85LqJOtgn2WPI3P2Tx32Cq1WXCYkxLaPI….', ), ), ); ?>
Now we can test the SP side of the setup: in the simpleSAMLphp interface of your SP, go to “Authentication“, “Test configured authentication sources“, and choose “default SP“.
You should then be redirected to OpenConext. If everything is configured correctly, you should get the “Unknown Application” error message.
The error occurs because OpenConext does not know your SP yet, and therefore will not allow its users to log onto your SP.
However, the fact that you are redirected to OpenConext signifies that the configuration of the SP is correct.
Now we need to register the new service provider in OpenConext. To do that, we need to get the metadata from simpleSAMLphp.
Navigate to your simpleSAMLphp installation via: https://sp.demo.openconext.org/simplesaml/
Go to the “Federation” tab and click “Show metadata” copy the metadata XML to the clipboard.
Next, navigate to OpenConext and click on “Service Registry”. Login using admin/secret.
Click on “Create connection”, paste the XML code in the “Put the XML here”-field and click “Create”.
Click on the link of the newly added service provider and change the state from “test” to “production”.
Go to the Metadata tab and add a name (e.g. “Demo SP”) in the name:en and name:nl fields.
Go to the tab “Identity Provider (IdP)” and make sure the “Allow All” option is checked.
Save the configuration.
If everything is configured correctly, you can now use OpenConext to authenticate and get access to your service provider.
To test this, open a new browser session and navigate to the test.php page, you will be asked to authenticate.
After authentication OpenConext will show you the attributes that will be send to the SP if you agree, you will be redirected to the test.php page.
To protect the added SP, we need to add some extra lines of code to the test.php file:
<?php require_once('/var/simplesamlphp/lib/_autoload.php'); $as = new SimpleSAML_Auth_Simple('default-sp'); $as->requireAuth(); $attributes = $as->getAttributes(); ?> <html> <head><title>My First Service Provider in PHP</title></head> <body> <h1>My First SP</h1> <p>Hello world!</p> <h2>Your attributes:</h2> <pre><?php print_r($attributes); ?></pre> </body> </html>