Implement 'SimpleSAMLphp' Single Sign-On

SimpleSAMLphp can be used to set up Single Sign-On if you are running Linux-based systems rather than Microsoft Windows Active Directory. This article shows how to set up Single Sign-On with Cezanne using it.

Set Up 'SimpleSAMLPHP' in Linux

1.   Open a Terminal window

Note:

  • Make sure that the server's clock shows the proper time (timing is important for the SAML connection).

2.   Run the following commands to install Apache and PHP on your machine. When asked whether to continue installing the applications, type 'Y'.

- sudo apt-get update

- sudo apt-get install apache2

- sudo apt-get install php5

  • If this command fails, try running: sudo apt-get install php5 --fix-missing
  • It may also say that certain library files are unavailable (this is fine)

- sudo apt-get install libapache2-mod-php5

- sudo /etc/init.d/apache2 restart

This warning for installing / starting / restarting apache is fine:

- sudo apt-get install php5-mcrypt

- sudo apt-get install php5-ldap

- sudo dpkg --list | grep php

  • This will return a list of the packages installed for PHP

- Check that libapache2-mod-php5 is installed

- Check that php5-mcrypt is installed

- Check that php5-ldap is installed

3.   Make a new file called “phpinfo.php” in the directory /var/www

  • This is the default Apache web root (it may vary if Apache was already installed)
  • If you don't have permissions to a file or directory, the following command will grant you access (it makes the path world-writable, so use it on a test machine only):

- sudo chmod a+rwx /path/to/directory-or-file

- In this case: sudo chmod a+rwx /var/www

  • Inside this document add in the code:

4.   Open the PHP config file located at /etc/php5/apache2/php.ini

  • Inside this file move to the 'Dynamic Extensions' section
  • Add the mcrypt extension to the bottom of the section
  • Add this as the extension:
  • Copy the mcrypt.ini file from the directory /etc/php5/conf.d to /etc/php5/mods-available
  • In the terminal run the following commands:

- sudo php5enmod mcrypt

  • This may return an error if mcrypt.ini is not in the correct directory

- sudo service apache2 restart

5.   In your browser go to the page http://localhost/phpinfo.php

  • Inside this page check that there are sections for: date, dom, hash, libxml, mcrypt, openssl, pcre, SPL, zlib

6.   Install simplesamlphp

  • In the terminal run the following command:

- sudo apt-get install simplesamlphp

- sudo apt-get update

7.   Create server certificates

Note:

  • This is self-signed and you probably want to use a corporate certificate instead - testing only.
  • Make a new folder in the /var directory called certs
  • In the terminal run the following command:

- sudo openssl req -newkey rsa:2048 -new -x509 -days 1460 -nodes -out /var/certs/simplesaml.crt -keyout /var/certs/simplesaml.pem

  • You will be asked to fill out credentials for the certificate. Fill them out as best as possible.

- sudo openssl x509 -inform PEM -in /var/certs/simplesaml.crt > /var/certs/simplesamlpublic.crt

- Check the /var/certs directory. You should see all three files there:

  • simplesaml.crt : certificate for use in simplesamlphp
  • simplesaml.pem : the certificate's private key for use in simplesamlphp
  • simplesamlpublic.crt : the certificate's public part, to upload to Cezanne
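Added example, not part of the original article: a shell script that creates the step 7 certificate non-interactively and then checks that the private key really belongs to the certificate, that the certificate has not expired, and that the file uploaded to Cezanne is the same certificate. These are the first things to check if Cezanne rejects the IdP's signed responses. The directory argument and the subject name are assumptions (the article uses /var/certs).

```shell
# Creates simplesaml.crt / simplesaml.pem / simplesamlpublic.crt in $1,
# mirroring the openssl commands of step 7 but with a fixed, constructed subject.
make_saml_cert() {
    dir="$1"
    mkdir -p "$dir" || return 1
    openssl req -newkey rsa:2048 -new -x509 -days 1460 -nodes \
        -subj "/CN=simplesaml.example.test" \
        -out "$dir/simplesaml.crt" -keyout "$dir/simplesaml.pem" 2>/dev/null || return 1
    # The "public key" file for Cezanne is the certificate itself, re-emitted as PEM.
    openssl x509 -inform PEM -in "$dir/simplesaml.crt" > "$dir/simplesamlpublic.crt"
}

# Returns 0 only if the key matches the certificate, the certificate is currently
# valid, and simplesamlpublic.crt carries the same certificate as simplesaml.crt.
check_saml_cert() {
    dir="$1"
    crt_mod=$(openssl x509 -noout -modulus -in "$dir/simplesaml.crt" 2>/dev/null) || return 1
    key_mod=$(openssl rsa -noout -modulus -in "$dir/simplesaml.pem" 2>/dev/null) || return 1
    if [ "$crt_mod" != "$key_mod" ]; then
        echo "private key does not match simplesaml.crt" >&2
        return 1
    fi
    # -checkend 0 fails when the certificate has already expired
    openssl x509 -noout -checkend 0 -in "$dir/simplesaml.crt" >/dev/null || {
        echo "simplesaml.crt has expired" >&2
        return 1
    }
    crt_fp=$(openssl x509 -noout -fingerprint -sha256 -in "$dir/simplesaml.crt")
    pub_fp=$(openssl x509 -noout -fingerprint -sha256 -in "$dir/simplesamlpublic.crt")
    [ "$crt_fp" = "$pub_fp" ]
}
```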

8.   Configure apache

  • Open the apache2.conf file located in /etc/apache2
  • Add the Alias tag below the items with the <Directory> tags

Note:

  • The alias can be configured as a virtual host if required.
  • Create a new folder in the /usr/share/simplesamlphp/www called mysimplesaml
  • In the terminal run the following and restart the apache service

- sudo a2enconf simplesamlphp

- cd /usr/share/simplesamlphp/

- sudo touch modules/exampleauth/enable

- sudo service apache2 restart

  • In your browser go to http://localhost/simplesamlphp and you should see the simplesamlphp installation page

9.   Configure simplesamlphp config.php

  • Open the config.php in the directory /etc/simplesamlphp
  • Change the 'certdir' path to '/var/certs/'
  • Uncomment and change the 'auth.adminpassword'
  • Uncomment and change the 'secretsalt'

In the terminal to get a new secret salt run: sudo tr -c -d '0123456789abcdefghijklmnopqrstuvwxyz' </dev/urandom | dd bs=32 count=1 2>/dev/null;echo

  • Change the technical contact name and e-mail address.
  • Change the 'enable.saml20-idp' setting to true (other forms of authentication you may want to use have to be enabled in the same way).
  • Change 'enable.http_post' to true.

10.   Configure simplesamlphp authsources.php

Note:

  • This is only for testing; use your own authentication source in production.
  • Open authsources.php in the directory /etc/simplesamlphp
  • Uncomment the section for 'example-userpass'
  • Edit that section until it looks like the code below:
  • 'exampleusername' and 'examplepassword' can be set to anything for testing purposes.
  • Go to http://localhost/simplesamlphp in your browser, choose the Authentication tab, then click the 'Test configured authentication sources' option.
  • Choose 'example-userpass' from the next list.
  • Test the username and password you created above in this window.

11.   Configure simplesamlphp saml20-idp-hosted.php

  • Create a file called saml20-idp-hosted.php in the directory /etc/simplesamlphp/metadata
  • Add the below code to set up the identity provider

12.   Configure simplesamlphp saml20-sp-remote.php

  • Create a file called saml20-sp-remote.php in the directory /etc/simplesamlphp/metadata
  • <<companyidentifier>> is unique to each client

Configure Cezanne

  • Log in to Cezanne as an HR Professional.
  • Navigate to: System Setup >> Security Settings >> Single Sign-On Configuration.
  • Check SAML 2.0 and select the advanced configuration option beside it.
  • Click Add New.
  • Enter 'SimpleSAML' as the Display Name.
  • Change the SAML Binding to 'Redirect'.
  • Enter 'uid' in the User ID Attribute Name.
  • The Entity Identifier should be one of the following two options:

- http://SERVERNAME/simplesamlphp/saml2/idp/metadata.php

- http://LOCALIPADDRESS/simplesamlphp/saml2/idp/metadata.php

  • The Security Token Service Endpoint should be one of the following two options:

- http://SERVERNAME/simplesamlphp/saml2/idp/SSOService.php

- http://LOCALIPADDRESS/simplesamlphp/saml2/idp/SSOService.php

  • Also upload the Public Key Certificate that was made earlier (simplesamlpublic.crt).
  • Select Save and Close.
  • Search for a user you wish to set up for Single Sign-On
  • Navigate to: System Setup >> Manage Users >> User Settings >> Single Sign-On tab:
  • Select Add New in the SAML 2.0 Identifiers area
  • Choose 'SimpleSAML' for the Identity Provider and enter 'exampleusername' as the User Identifier (this links to the user created in step 10)
  • Select Save.
  • Log out of Cezanne.

Test Single Sign-On with Cezanne

  • Navigate to the Login page for Cezanne.
  • Click the Enterprise button.
  • This should redirect to the simplesamlphp authentication page:

Note:

  • This redirect only happens once.
  • Log in as the 'exampleusername' user created earlier
  • You should now be logged into Cezanne and set up for Single Sign-On using simplesamlphp!