SP – SimpleSAMLphp

In this tutorial, we will set up a simple Service Provider (SP), written in PHP, and connect it to the OpenConext infrastructure. The goal of this tutorial is to enable federated logins via OpenConext for a simple PHP test file.

The tutorial assumes you are using a Linux environment; however, there is no reason to assume that this approach won’t work on different operating systems that support PHP.

Create a Service Provider
SimpleSAMLphp
Add new SP to OpenConext
Protect the SP

Create a Service Provider

First we need to create a simple page that will act as our SP for this tutorial. To do this, save the following code as test.php and make sure it is available from https://sp.demo.openconext.org/simplesaml/test.php

(Please change the url to match your installation. Note that in this example we will use the one above.)

<?php
 # do nothing for now...
 print "Hello world";
?>

SimpleSAMLphp

We are going to use simpleSAMLphp to enable federated logins via OpenConext for our simple test php file. SimpleSAMLphp is a very powerful product that can be used in a number of roles in an identity federation (e.g., as IdP, SP, etc).

To set up simpleSAMLphp to allow OpenConext users to log in, we need to set up simpleSAMLphp as an SP. Below, we will go through the process step by step.

First download and set up simpleSAMLphp as described on this page. In particular, you need to

Download and unpack simpleSAMLphp into /var/simplesamlphp (step 4)
Configure Apache (step 6)
Configure simpleSAMLphp (step 7)

Once you’ve set up simpleSAMLphp, check that it works by visiting https://sp.demo.openconext.org/simplesaml. You should get a site that looks like this:

As a simple first check to see if everything is configured correctly so far, click on configuration–>sanity check. This should tell you that everything was fine:

Next, we need to configure simpleSAMLphp as an SP for OpenConext.

First, we need to create a key pair. All SAML requests to and from OpenConext will be signed using SSL. The SSL certificated used for this does not need to be signed by a CA. A key and certificate can be generated using the following OpenSSL command:

$ openssl req -newkey rsa:2048 -new -x509 -days 3652 -nodes -text -out saml.crt -keyout saml.key

The resulting key and certificate files look like this:

saml.key

saml.cert

Copy the two files to the cert directory of simplesamlphp: /var/simplesamlphp/cert/

Next, configure the authsources.php configuration file. The file is located under /var/simplesamlphp/config/.

The default config file has a lot of example code, for authentication against Google, Facebook, etc. We just want to have a username/password based admin login, and a SAML authentication source (which will be connected to OpenConext).

Replace the existing code with the following:

<?php
  $config = array(
    // This is a authentication source which handles admin authentication.
    'admin' => array(
    'core:AdminPassword',
  ),

  // An authentication source which can authenticate against OpenConext
  'default-sp' => array(
   'saml:SP',
   'privatekey' => 'saml.key',
   'certificate' => 'saml.crt',
   'idp' => 'https://engine.demo.openconext.org/authentication/idp/metadata',
  ),
);
?>

Next, get the OpenConext IdP metadata (in XML form) from https://engine.demo.openconext.org/authentication/idp/metadata via your OpenConext instance.

SimpleSAMLphp can convert this XML metadata file to a proper simpleSAMLphp configuration file: go to https://sp.demo.openconext.org/simplesaml.

In the Federation tab, choose “XML to simpleSAMLphp metadata converter”.

Copy the IdP metadata to the clipboard, to be sure you have the correct format choose “View Page Source” in your browser and copy the complete XML structure.

Paste the XML data into the text field, and press Parse.

The resulting Converted Metadata should be put into the simpleSAMLphp configuration file /var/simplesamlphp/metadata/saml20-idp-remote.php.

The contents can vary slightly, but the file should look approximately like this:

<?php
$metadata['https://engine.demo.openconext.org/authentication/idp/metadata'] = array (
 'entityid' => ' https://engine.demo.openconext.org/authentication/idp/metadata',
 'contacts' => array (),
 'metadata-set' => 'saml20-idp-remote',
 'expire' => 1320764961,
 'SingleSignOnService' => array (
 0 => array (
 'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
 'Location' => ' https://engine.demo.openconext.org/authentication/idp/single-sign-on',
 ),
 ),
 'SingleLogoutService' => array (),
 'ArtifactResolutionService' => array (),
 'keys' => array (
 0 => array (
 'encryption' => false,
 'signing' => true,
 'type' => 'X509Certificate',
 'X509Certificate' => 'MIIDyzCCArOgAwIBAgIJAMzixtXMUH1NMA0GCSqGSIb3DQEBBQUAMHwxCzAJBgNVBAYTAk5MMRAwDgYDVQ…
 ),
 1 => array (
 'encryption' => true,
 'signing' => false,
 'type' => 'X509Certificate',
 'X509Certificate' => lpXi2WJqO85H85LqJOtgn2WPI3P2Tx32Cq1WXCYkxLaPI….',
 ),
 ),
);
?>

Now we can test the SP side of the setup: in the simpleSAMLphp interface of your SP, go to “Authentication“, “Test configured authentication sources“, and choose “default SP“.

You should then be redirected to OpenConext. If everything is configured correctly, you should get the “Unknown Application” error message.

The error occurs because OpenConext does not know your SP yet, and therefore will not allow its users to log onto your SP.

However, the fact that you are redirected to OpenConext signifies that the configuration of the SP is correct.

Add new SP to OpenConext

Now we need to register the new service provider in OpenConext. To do that, we need to get the metadata from simpleSAMLphp.

Navigate to your simpleSAMLphp installation via: https://sp.demo.openconext.org/simplesaml/

Go to the “Federation” tab and click “Show metadata” copy the metadata XML to the clipboard.

Next, navigate to OpenConext and click on “Service Registry”. Login using admin/secret.

Click on “Create connection”, paste the XML code in the “Put the XML here”-field and click “Create”.

Click on the link of the newly added service provider and change the state from “test” to “production”.

Go to the Metadata tab and add a name (e.g. “Demo SP”) in the name:en and name:nl fields.

Go to the tab “Identity Provider (IdP)” and make sure the “Allow All” option is checked.

Save the configuration.

If everything is configured correctly, you can now use OpenConext to authenticate and get access to your service provider.

To test this, open a new browser session and navigate to the test.php page, you will be asked to authenticate.

After authentication OpenConext will show you the attributes that will be send to the SP if you agree, you will be redirected to the test.php page.

Protect the SP

To protect the added SP, we need to add some extra lines of code to the test.php file:

<?php
 require_once('/var/simplesamlphp/lib/_autoload.php');
 $as = new SimpleSAML_Auth_Simple('default-sp');
 $as->requireAuth();
 $attributes = $as->getAttributes();
?>
<html>
<head><title>My First Service Provider in PHP</title></head>
<body>
<h1>My First SP</h1>
<p>Hello world!</p>
<h2>Your attributes:</h2>
<pre><?php print_r($attributes); ?></pre>
</body>
</html>

SP – SimpleSAMLphp