Page tree

Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Migrated to Confluence 5.3

Table of Contents

Overview

This document give These are instructions for installing the simpleSAMLphp framework . simpleSAMLphp is an alternative to using the Internet2 Shibboleth service provider software. This means that if you want to use simpleSAMLphp, then you do not have to install the Internet2 shibd software.

Install simpleSAMLphp

Download SimpleSAMLphpand configuring it to work with MyAccess. If your application is written in PHP, you may prefer to use simpleSAMLphp rather than Shibboleth.

These instructions assume you are using the Apache web server on a UNIX-like operating system. simpleSAMLphp will also work on Windows, but you will need to adjust the instructions. They were written for simpleSAMLphp 1.10.0, but will probably work on other versions.

For simpleSAMLphp to work, your PHP install needs to have the mcrypt module loaded. If you intend to use simpleSAMLphp with Drupal, you will also need the sqlite PHP module.

Install simpleSAMLphp

Download the latest version of simpleSAMLphp:

http://code.google.com/p/simplesamlphp/downloads/

Unpack the archive into /opt and make a symbolic link without the version number:

Code Block
cd Install it in /var, then sym link it to simplesamlphp:
/opt
sudo tar -xvzf ~/simplsamlphp-x.x.x.tar.gz
sudo ln -s /var/simplesamlphp-1x.8x.1x /var/simplesamlphp

Configure Apache

Apache has to know where SimpleSAMLphp is located. So, in ssl.conf add the following in the VirtualHost sectionThe www directory in the simpleSAMLphp distribution needs to be accessible through the web server. To do that, add the following line to your Apache configuration:

Code Block

Alias /simplesaml /varopt/simplesamlphp/www

The restart Then reload your Apache configuration:

Code Block

sudo /sbin/service httpd restart

Configure SP

See the "Configuring the SP" section of the following doc:

http://simplesamlphp.org/docs/

After you generate the X509 cert, edit config/authsources.php and make 'default-sp' section look like this:

Code Block

// An authentication source which can authenticate against both SAML 2.0
// and Shibboleth 1.3 IdPs.
'default-sp' => array(
     'saml:SP',
     'apachectl graceful

On certain operating systems (Ubuntu, Debian) you may need to use "apache2ctl" instead of "apachectl".

Create SSL certificate

Generate an SSL certificate and key that simpleSAMLphp will use to secure communication with the UCSF MyAccess IdP. Run the following commands:

Code Block
cd /opt/simplesamlphp/cert
sudo openssl req -newkey rsa:2048 -new -x509 -days 3652 -nodes -out saml.crt -keyout saml.pem

Answer the questions, but don't worry too much about the answers. This information won't be visible to your users.

Configure simpleSAMLphp

Edit the file /opt/simplesamlphp/config/authsources.php and make the following changes.

Configure SSL cert

Let simpleSAMLphp know about the SSL certificate and key you just created. Find the "default-sp" section, and add these lines:

Code Block
'privatekey' => 'saml.pem',
     'certificate' => 'saml.crt',
     // The entity ID of this SP.
     // Can be NULL/unset, in which case an entity ID is generated based on the metadata URL.
     

Set entityID

Still in the "default-sp" section, find the "entityID" line and set the value to the domain name of your app followed by "/simplesaml". For example:

Code Block
'entityID' => 'https://hostnameYOUR-DOMAIN-HERE.ucsf.edu/simplesaml/module.php/saml/sp/metadata.php/default-sp',

     // The entity ID of the IdP this should SP should contact.
     // Can be NULL/unset, in which case the user will be shown a list of available IdPs.
     'idp' => 'https://d5n1',

Specify an Identity Provider

Still in the "default-sp" section, find the "idp" line and set the value to match the MyAccess IdP you want to use. Unless you've been told otherwise, use the staging IdP.

  • Production: urn:mace:incommon:ucsf.edu (https://dp.ucsf.edu/idp/shibboleth is deprecated and should no longer be used)
  • Staginghttps://idp-stage.ucsf.edu/idp/shibboleth
  • Developmenthttps://idp-dev.ucsf.edu/idp/shibboleth

...

Set Admin Password and Contact Info

...

 For example:

Code Block
'idp' => 'https://idp-stage.ucsf.edu/idp/shibboleth',

 

Set Admin Password

Close authconfig.php and open config.php. Find the auth.adminpassword line, and set it to a value of your choice. Please do not use the same password you use elsewhere at UCSF. For example: 

Code Block
'auth.adminpassword' to=> the'not passworda of your choosing, then set the following:

good password', 

Set Contact Information

Find the lines for technicalcontact_name and technicalcontact_email and set them to your name and email address, or those of the person who will be maintaining the application. For example:

Code Block
'technicalcontact_name'     => 'Your app or department nameJoe Schmo',
'technicalcontact_email'    => 'yourjoe.supportschmo@ucsf.email@ucsf.edu',

...

Convert Attribute Names

You'd probably rather deal with attribute names like "givenName" and "email" than "urn:oid:2.5.4.42" and "urn:oid:1.2.840.113549.1.9.1", wouldn't you? simpleSAMLphp will convert them for you, but you have to tell it to. Find the "authproc.sp" section, and add this line:

Code Block
51 'authproc.sp' => array(
        /*
        10 => array(
                'class' => 'core:AttributeMap', 'removeurnprefix'
        ),
        */

        /* When called without parameters, it will fallback to filter attributes ‹the old way›
         * by checking the 'attributes' parameter in metadata on SP hosted and IdP remote.
         */
        50 => 'core:AttributeLimit', 
        51 => array('class' => 'core:AttributeMap', 'oid2name'),
        /*
         * Generate the 'group' attribute populated from other variables, including eduPersonAffiliation.
         */
        60 => array('class' => 'core:GenerateGroups', 'eduPersonAffiliation'),
        // All users will be members of 'users' and 'members'   
        61 => array('class' => 'core:AttributeAdd', 'groups' => array('users', 'members')),
        
        // Adopts language from attribute to use in UI
        90 => 'core:LanguageAdaptor',

),

Convert MyAccess Metadata

Use the following URL to convert the MyAccess IdP metadata to simpleSAMLphp metadata: /admin/metadata-converter.php

Once parsed, you want the saml20-idp-remote metadata. Copy this and replace the contents of the following file:

Code Block

/var/simplesamlphp/metadata/saml20-idp-remote.php

Don't forget to put <?php at the top!

Also, for the SingleLogoutService, change it to look like this:

Code Block

'SingleLogoutService' => 'https://d5n1.ucsf.edu/idp/shib_logout.jsp?url=https://hostname.ucsf.edu',
//array (
//),

Configure PHP

PHP needs to have mcrypt enabled, to do this, do the following (assuming you are on a Linux RedHat or CentOS system):

Code Block

sudo yum -y install php-mcrypt.x86_64
sudo /sbin/service httpd restart

Integrate With MyAccess

At this point you are ready to integrate with MyAccess. You should open up a service ticket with ITS (http://help.ucsf.edu/ then click on "Submit a ticket for ITS or School of Nursing IT") and include the following information:

Subject indicating that the request is for "MyAccess Shibboleth test or production"
Attributes you want to get back from their IdP (and if you want ones that were not covered above, then you need to ask them for the OID for the attribute and configure it in attribute-map.xml)
URL for your metadata (so that they can download the metadata, or attach the metadata file to the ticket)
Indicate which attributes you would like to receive from MyAccess

...

oid2name'),

Drupal Only: Change Session Store

If you are going to use simpleSAMLphp with Drupal, you need to change the way that simpleSAMLphp stores its session data. Find the store.type and store.sql.dsn lines and change them to this:

Code Block
'store.type' => 'sql'
'store.sql.dsn' => 'sqlite:/tmp/simplesamlsessiondb.sq3'

For this to work, you will also need to have the SQLite PHP module installed.

Load Metadata

Download the attached saml20-idp-remote.php and shib13-idp-remote.php files and save them into /opt/simplesamlphp/metadata/. 

Save SP Metadata

To integrate with MyAccess, you will need to send us a copy of your SP's metadata. You can get that by visiting this URL, replacing "hostname.ucsf.edu" with your site's domain name:

https://hostname.ucsf.edu/simplesaml/module.php/saml/sp/metadata.php/default-sp