These are instructions for installing the simpleSAMLphp framework and configuring it to work with MyAccess. simpleSAMLphp is an alternative to the Internet2 Shibboleth service provider software: if you use simpleSAMLphp, you do not have to install the Internet2 shibd software. If your application is written in PHP, you may prefer to use simpleSAMLphp rather than Shibboleth.
These instructions assume you are using the Apache web server on a UNIX-like operating system. simpleSAMLphp will also work on Windows, but you will need to adjust the instructions. They were written for simpleSAMLphp 1.10.0, but will probably work on other versions.
For simpleSAMLphp to work, your PHP install needs to have the mcrypt module loaded. If you intend to use simpleSAMLphp with Drupal, you will also need the sqlite PHP module.
Download the latest version of simpleSAMLphp:
Unpack the archive into /opt and make a symbolic link without the version number, so that the paths in the rest of these instructions keep working after you upgrade:
cd /opt
sudo tar -xvzf ~/simplesamlphp-x.x.x.tar.gz
sudo ln -s /opt/simplesamlphp-x.x.x /opt/simplesamlphp
Apache has to know where simpleSAMLphp is located: the www directory in the simpleSAMLphp distribution needs to be accessible through the web server. To do that, add the following line to your Apache configuration, in the VirtualHost section of ssl.conf so that it is only served over HTTPS:
Alias /simplesaml /opt/simplesamlphp/www
Then restart Apache:
sudo /sbin/service httpd restart
or, for a graceful reload that does not drop in-flight requests:
sudo apachectl graceful
On certain operating systems (Ubuntu, Debian) you may need to use "apache2ctl" instead of "apachectl".
See the "Configuring the SP" section of the following doc:
Create SSL certificate
Generate a self-signed certificate and key that simpleSAMLphp will use for signing and encryption when talking to the UCSF MyAccess IdP. Run the following commands:
cd /opt/simplesamlphp/cert
sudo openssl req -newkey rsa:2048 -new -x509 -days 3652 -nodes -out saml.crt -keyout saml.pem
Answer the questions, but don't worry too much about the answers: the subject fields appear only in your SP metadata and will not be visible to your users. Because -nodes writes the private key unencrypted, make sure saml.pem is readable only by root and the web-server user (for example "sudo chmod 640 saml.pem" with group ownership set to the Apache group); anyone who can read it can impersonate your SP to the IdP.
Edit the file /opt/simplesamlphp/config/authsources.php and make the following changes.
Configure SSL cert
Let simpleSAMLphp know about the certificate and key you just created (paths are relative to the cert directory). Find the "default-sp" section, which begins like this, and add the privatekey and certificate lines:
// An authentication source which can authenticate against both SAML 2.0
// and Shibboleth 1.3 IdPs.
'default-sp' => array(
    'saml:SP',
    'privatekey' => 'saml.pem',
    'certificate' => 'saml.crt',
Still in the "default-sp" section, find the "entityID" line and set it to your SP's metadata URL: the domain name of your app followed by "/simplesaml/module.php/saml/sp/metadata.php/default-sp". The IdP identifies your SP by this value, so it must match exactly what you later give ITS. For example:
// The entity ID of this SP.
// Can be NULL/unset, in which case an entity ID is generated based on the metadata URL.
'entityID' => 'https://YOUR-DOMAIN-HERE.ucsf.edu/simplesaml/module.php/saml/sp/metadata.php/default-sp',
Specify an Identity Provider
Still in the "default-sp" section, find the "idp" line and set the value to the entity ID of the MyAccess IdP you want to use. Unless you've been told otherwise, use the staging IdP.
- Staging: https://idp-stage.ucsf.edu/idp/shibboleth
- Production: urn:mace:incommon:ucsf.edu
For example:
// The entity ID of the IdP this SP should contact.
// Can be NULL/unset, in which case the user will be shown a list of available IdPs.
'idp' => 'https://idp-stage.ucsf.edu/idp/shibboleth',
Set Admin Password and Contact Info
Set Admin Password
Close authsources.php and open config.php. Find the auth.adminpassword line and set it to a value of your choice. This password protects the simpleSAMLphp admin pages, including the metadata converter you will use later, so choose a strong one and do not use the same password you use elsewhere at UCSF. For example:
'auth.adminpassword' => 'not a good password',
Set Contact Information
Find the lines for technicalcontact_name and technicalcontact_email and set them to your name and email address, or those of the person who will be maintaining the application. For example:
'technicalcontact_name' => 'Joe Schmo',
'technicalcontact_email' => 'email@example.com',
Convert Attribute Names
You'd probably rather deal with attribute names like "givenName" and "mail" than "urn:oid:2.5.4.42" and "urn:oid:0.9.2342.19200300.100.1.3", wouldn't you? simpleSAMLphp will convert them for you, but you have to tell it to. Still in config.php, find the "authproc.sp" section and add the line numbered 51 (the core:AttributeMap filter using the oid2name map):
'authproc.sp' => array(
    /*
    10 => array(
        'class' => 'core:AttributeMap', 'removeurnprefix'
    ),
    */
    /* When called without parameters, it will fallback to filter attributes 'the old way'
     * by checking the 'attributes' parameter in metadata on SP hosted and IdP remote.
     */
    50 => 'core:AttributeLimit',
    51 => array('class' => 'core:AttributeMap', 'oid2name'),
    /*
     * Generate the 'group' attribute populated from other variables, including eduPersonAffiliation.
     */
    60 => array('class' => 'core:GenerateGroups', 'eduPersonAffiliation'),
    // All users will be members of 'users' and 'members'
    61 => array('class' => 'core:AttributeAdd', 'groups' => array('users', 'members')),
    // Adopts language from attribute to use in UI
    90 => 'core:LanguageAdaptor',
),
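To see the effect of the configuration above from the application side, here is a minimal protected PHP page that uses the "default-sp" source. This is an added example, not code from the original page or from the simpleSAMLphp project; it assumes simpleSAMLphp is installed at /opt/simplesamlphp as in these instructions, that the oid2name filter (line 51) is active so attributes arrive as "givenName" and "mail", and that https://hostname.ucsf.edu/ is your application's URL. The attr() helper is a hypothetical name introduced here.

```php
<?php
// Added example: a page that requires a MyAccess login via the 'default-sp'
// authentication source configured in authsources.php.
require_once('/opt/simplesamlphp/lib/_autoload.php');

$as = new SimpleSAML_Auth_Simple('default-sp');

// Sends the browser to the IdP named in 'idp' => ... if there is no session yet;
// execution only continues once the user has authenticated.
$as->requireAuth();

$attributes = $as->getAttributes();

// Every attribute value is an array, even single-valued ones. Never assume an
// attribute was released: the IdP only sends what ITS configured for your SP,
// so a missing key is a normal failure mode, not a bug in your code.
function attr(array $attributes, $name)
{
    if (empty($attributes[$name])) {
        return null;
    }
    return $attributes[$name][0];
}

$givenName = attr($attributes, 'givenName');
$mail      = attr($attributes, 'mail');

if ($mail === null) {
    // Authentication succeeded but the attribute you rely on is absent: fail closed
    // rather than granting access on an empty identity.
    header('HTTP/1.1 403 Forbidden');
    echo 'Login succeeded, but MyAccess did not release the "mail" attribute to this SP. ';
    echo 'Check the attribute list in your ITS ticket and the authproc.sp filters.';
    exit;
}

// Attribute values are IdP-supplied strings: always HTML-escape them before output.
echo '<p>Hello, ' . htmlspecialchars($givenName ?: $mail, ENT_QUOTES, 'UTF-8') . '</p>';

// getLogoutURL() builds a link that ends the local session and then returns to
// the given URL (assumed to be your application's front page).
$logout = $as->getLogoutURL('https://hostname.ucsf.edu/');
echo '<p><a href="' . htmlspecialchars($logout, ENT_QUOTES, 'UTF-8') . '">Log out</a></p>';
```

If the page shows the raw "urn:oid:..." names instead of "givenName" and "mail", the oid2name filter was not added to the authproc.sp array that your SP actually uses; if it shows the 403 message, the attribute has not been released by the IdP.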
Convert MyAccess Metadata
Use the metadata converter built into your SP to convert the MyAccess IdP metadata to simpleSAMLphp metadata. It is at the following path under your simplesaml alias (log in with the admin password you set above):
/simplesaml/admin/metadata-converter.php
Once parsed, you want the saml20-idp-remote metadata. Copy this and replace the contents of the following file:
/opt/simplesamlphp/metadata/saml20-idp-remote.php
Don't forget to put <?php at the top!
Also, for the SingleLogoutService, replace the array the converter produced with a single string pointing at the MyAccess logout page, with your site's domain in the url parameter:
'SingleLogoutService' => 'https://d5n1.ucsf.edu/idp/shib_logout.jsp?url=https://hostname.ucsf.edu',
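A hand-edited metadata file is easy to get subtly wrong (a missing <?php, a dropped certificate, an http:// endpoint). The following command-line script is an added example, not part of the original page or of simpleSAMLphp; it loads a saml20-idp-remote.php file in the standard format (a PHP file that fills a $metadata array keyed by IdP entity ID) and reports the problems a practitioner would want to catch before reloading Apache. The default path assumes the /opt/simplesamlphp install used in these instructions.

```php
<?php
// Added example: sanity-check a converted IdP metadata file. Usage:
//   php check-idp-metadata.php /opt/simplesamlphp/metadata/saml20-idp-remote.php
$file = isset($argv[1]) ? $argv[1] : '/opt/simplesamlphp/metadata/saml20-idp-remote.php';

if (!is_readable($file)) {
    fwrite(STDERR, "Cannot read $file\n");
    exit(1);
}

// The metadata file is plain PHP that assigns into $metadata; including it
// with the variable pre-declared keeps the check independent of simpleSAMLphp.
$metadata = array();
require $file;

if (empty($metadata) || !is_array($metadata)) {
    fwrite(STDERR, "No IdP entries found in $file (is <?php at the top?)\n");
    exit(1);
}

// Endpoints may be a plain string (as used for SingleLogoutService above) or a
// list of array('Binding' => ..., 'Location' => ...) entries; normalise to URLs.
function endpointUrls($value)
{
    if (is_string($value)) {
        return array($value);
    }
    $urls = array();
    foreach ((array) $value as $ep) {
        if (is_array($ep) && isset($ep['Location'])) {
            $urls[] = $ep['Location'];
        } elseif (is_string($ep)) {
            $urls[] = $ep;
        }
    }
    return $urls;
}

$problems = 0;
foreach ($metadata as $entityId => $idp) {
    // Users are redirected here to log in; without it the SP cannot start a login.
    if (empty($idp['SingleSignOnService'])) {
        echo "$entityId: missing SingleSignOnService\n";
        $problems++;
    }
    // Without the IdP's certificate the SP has nothing to verify assertion signatures
    // against, which means it would accept forged logins or fail outright.
    if (empty($idp['certData']) && empty($idp['certificate']) && empty($idp['certFingerprint'])) {
        echo "$entityId: no certData, certificate or certFingerprint for signature verification\n";
        $problems++;
    }
    // Every endpoint the browser is sent to must be HTTPS, or the SAML exchange is exposed.
    foreach (array('SingleSignOnService', 'SingleLogoutService') as $key) {
        if (empty($idp[$key])) {
            continue;
        }
        foreach (endpointUrls($idp[$key]) as $url) {
            if (strpos($url, 'https://') !== 0) {
                echo "$entityId: $key endpoint is not https: $url\n";
                $problems++;
            }
        }
    }
}

echo $problems === 0 ? "OK: " . count($metadata) . " IdP entry(ies) look sane\n"
                     : "$problems problem(s) found\n";
exit($problems === 0 ? 0 : 2);
```

Run it after every edit of the metadata file; a non-zero exit status means the file should not go live yet.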
PHP needs to have mcrypt enabled. To do this (assuming you are on a Red Hat or CentOS Linux system), run:
sudo yum -y install php-mcrypt.x86_64
sudo /sbin/service httpd restart
Integrate With MyAccess
At this point you are ready to integrate with MyAccess. Open a service ticket with ITS (http://help.ucsf.edu/ then click on "Submit a ticket for ITS or School of Nursing IT") and include the following information:
- A subject indicating that the request is for "MyAccess Shibboleth test or production"
- The URL of your SP metadata (so that they can download it), or attach the metadata file to the ticket
- The attributes you would like to receive from MyAccess. If you want ones that are not covered by the oid2name map above, ask them for the OID of the attribute and add it to attributemap/oid2name.php so that it is converted to a friendly name.
Drupal Only: Change Session Store
If you are going to use simpleSAMLphp with Drupal, you need to change the way that simpleSAMLphp stores its session data. In config.php, find the store.type and store.sql.dsn lines and change them to this:
'store.type' => 'sql',
'store.sql.dsn' => 'sqlite:/tmp/simplesamlsessiondb.sq3',
For this to work, you will also need to have the SQLite PHP module installed. Note that this database holds every user's live session, so on a shared host prefer a directory that only the web-server user can read and write (for example under /var/lib) over the world-writable /tmp.
Save SP Metadata
To integrate with MyAccess, you will need to send ITS a copy of your SP's metadata. You can get that by visiting this URL (the same value you used for entityID), replacing "hostname.ucsf.edu" with your site's domain name:
https://hostname.ucsf.edu/simplesaml/module.php/saml/sp/metadata.php/default-sp