
h3. Overview

This document gives instructions for installing the simpleSAMLphp framework. simpleSAMLphp is an alternative to using the Internet2 Shibboleth service provider software. This means that if you want to use simpleSAMLphp, then you do not have to install the Internet2 shibd software.

h3. Install simpleSAMLphp

Download SimpleSAMLphp:

http://code.google.com/p/simplesamlphp/downloads/

Install it in /var, then sym link it to simplesamlphp:
{code}
ln -s /var/simplesamlphp-1.8.1 /var/simplesamlphp
{code}

h3. Configure Apache

Apache has to know where SimpleSAMLphp is located. So, in ssl.conf add the following in the VirtualHost section:
{code}
Alias /simplesaml /var/simplesamlphp/www
{code}

Then restart Apache:
{code}
sudo /sbin/service httpd restart
{code}

h3. Configure SP

See the "Configuring the SP" section of the following doc:

http://simplesamlphp.org/docs/1.8/simplesamlphp-sp

After you generate the X509 cert, edit config/authsources.php and make the 'default-sp' section look like this:
{code}
// An authentication source which can authenticate against both SAML 2.0
// and Shibboleth 1.3 IdPs.
'default-sp' => array(
     'saml:SP',
     'privatekey' => 'saml.pem',
     'certificate' => 'saml.crt',
     // The entity ID of this SP.
     // Can be NULL/unset, in which case an entity ID is generated based on the metadata URL.
     'entityID' => 'https://hostname.ucsf.edu/simplesaml/module.php/saml/sp/metadata.php/default-sp',

     // The entity ID of the IdP this SP should contact.
     // Can be NULL/unset, in which case the user will be shown a list of available IdPs.
     'idp' => 'https://idp-stage.ucsf.edu/idp/shibboleth',

     // The URL to the discovery service.
     // Can be NULL/unset, in which case a builtin discovery service will be used.
     'discoURL' => NULL,
),
{code}

{note:title=Attention}
Be sure to replace {{hostname}} above with the name of your server. Also, if you are integrating with MyAccess production, replace {{idp-stage.ucsf.edu}} with {{dp.ucsf.edu}}. Of course, this is if you are just integrating with MyAccess. If this is a federated app and you need to integrate with multiple IdPs, then leave {{idp}} as {{NULL}}.
{note}

h3. Set Admin Password and Contact Info

In /var/simplesamlphp/config/config.php set 'auth.adminpassword' to the password of your choosing, then set the following:
{code}
'technicalcontact_name'     => 'Your app or department name',
'technicalcontact_email'    => 'your.support.email@ucsf.edu',
{code}

Also, set the oid2name attribute mapper in the authproc.sp section. It should look like this:
{code}
'authproc.sp' => array(
        /*
        10 => array(
                'class' => 'core:AttributeMap', 'removeurnprefix'
        ),
        */

        /* When called without parameters, it will fallback to filter attributes ‹the old way›
         * by checking the 'attributes' parameter in metadata on SP hosted and IdP remote.
         */
        50 => 'core:AttributeLimit',
        /* Map OIDs to names, as we can remember names easier than numbers. */
        51 => array('class' => 'core:AttributeMap', 'oid2name'),
        /*
         * Generate the 'group' attribute populated from other variables, including eduPersonAffiliation.
         */
        60 => array('class' => 'core:GenerateGroups', 'eduPersonAffiliation'),
        // All users will be members of 'users' and 'members'
        61 => array('class' => 'core:AttributeAdd', 'groups' => array('users', 'members')),

        // Adopts language from attribute to use in UI
        90 => 'core:LanguageAdaptor',
),
{code}

{note:title=Attention}
If you are setting up this {{simpleSAMLphp}} installation to work with Drupal, then you need to configure something other than {{phpsession}} as the session storage mechanism. The easiest thing to do is use {{sqlite}} (although, this may require you to configure the SQLite PHP module in {{php.ini}}). To do this, set the following in the "Configure the datastore for simpleSAMLphp" section of {{config.php}}:
{code}
'store.type' => 'sql',
'store.sql.dsn' => 'sqlite:/path/to/simplesamlsessiondb.sq3',
{code}
Make sure that Apache can write to the path and db file specified above.
{note}

h3. MyAccess Metadata

Depending on whether you are integrating with MyAccess stage or production, take the code from one of the sections below and put it in the following file:
{code}
/var/simplesamlphp/metadata/saml20-idp-remote.php
{code}

Below are simpleSAMLphp-friendly versions of the MyAccess IdP metadata.

h4. Stage metadata
{code}
<?php

$metadata['https://idp-stage.ucsf.edu/idp/shibboleth'] = array (
  'entityid' => 'https://idp-stage.ucsf.edu/idp/shibboleth',
  'contacts' => 
  array (
  ),
  'metadata-set' => 'saml20-idp-remote',
  'SingleSignOnService' => 
  array (
    0 => 
    array (
      'Binding' => 'urn:mace:shibboleth:1.0:profiles:AuthnRequest',
      'Location' => 'https://idp-stage.ucsf.edu/idp/profile/Shibboleth/SSO',
    ),
    1 => 
    array (
      'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
      'Location' => 'https://idp-stage.ucsf.edu/idp/profile/SAML2/POST/SSO',
    ),
    2 => 
    array (
      'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign',
      'Location' => 'https://idp-stage.ucsf.edu/idp/profile/SAML2/POST-SimpleSign/SSO',
    ),
    3 => 
    array (
      'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
      'Location' => 'https://idp-stage.ucsf.edu/idp/profile/SAML2/Redirect/SSO',
    ),
  ),
  'SingleLogoutService' => 'https://idp-stage.ucsf.edu/idp/pre_logout.jsp?url=https://hostname.ucsf.edu',
  'ArtifactResolutionService' => 
  array (
    0 => 
    array (
      'Binding' => 'urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding',
      'Location' => 'https://idp-stage.ucsf.edu:8443/idp/profile/SAML1/SOAP/ArtifactResolution',
      'index' => 1,
    ),
    1 => 
    array (
      'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:SOAP',
      'Location' => 'https://idp-stage.ucsf.edu:8443/idp/profile/SAML2/SOAP/ArtifactResolution',
      'index' => 2,
    ),
  ),
  'keys' => 
  array (
    0 => 
    array (
      'encryption' => true,
      'signing' => true,
      'type' => 'X509Certificate',
      'X509Certificate' => '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                    ',
    ),
  ),
  'scope' => 
  array (
    0 => 'ucsf.edu',
  ),
);

{code}

h4. Production metadata
{code}
<?php

$metadata['https://dp.ucsf.edu/idp/shibboleth'] = array (
  'entityid' => 'https://dp.ucsf.edu/idp/shibboleth',
  'contacts' => 
  array (
  ),
  'metadata-set' => 'saml20-idp-remote',
  'SingleSignOnService' => 
  array (
    0 => 
    array (
      'Binding' => 'urn:mace:shibboleth:1.0:profiles:AuthnRequest',
      'Location' => 'https://dp.ucsf.edu/idp/profile/Shibboleth/SSO',
    ),
    1 => 
    array (
      'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
      'Location' => 'https://dp.ucsf.edu/idp/profile/SAML2/POST/SSO',
    ),
    2 => 
    array (
      'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign',
      'Location' => 'https://dp.ucsf.edu/idp/profile/SAML2/POST-SimpleSign/SSO',
    ),
    3 => 
    array (
      'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
      'Location' => 'https://dp.ucsf.edu/idp/profile/SAML2/Redirect/SSO',
    ),
  ),
  'SingleLogoutService' => 'https://dp.ucsf.edu/idp/pre_logout.jsp?url=https://hostname.ucsf.edu',
  'ArtifactResolutionService' => 
  array (
    0 => 
    array (
      'Binding' => 'urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding',
      'Location' => 'https://dp.ucsf.edu:8443/idp/profile/SAML1/SOAP/ArtifactResolution',
      'index' => 1,
    ),
    1 => 
    array (
      'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:SOAP',
      'Location' => 'https://dp.ucsf.edu:8443/idp/profile/SAML2/SOAP/ArtifactResolution',
      'index' => 2,
    ),
  ),
  'keys' => 
  array (
    0 => 
    array (
      'encryption' => true,
      'signing' => true,
      'type' => 'X509Certificate',
      'X509Certificate' => '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                    ',
    ),
  ),
  'scope' => 
  array (
    0 => 'ucsf.edu',
  ),
);
{code}

{note:title=Attention}
Be sure to replace {{hostname}} in the {{SingleLogoutService}} section with the name of your server.
{note}

h3. Configure PHP

PHP needs to have mcrypt enabled. To do this, run the following (assuming you are on a Linux RedHat or CentOS system):
{code}
sudo yum -y install php-mcrypt.x86_64
sudo /sbin/service httpd restart
{code}

h3. Integrate With MyAccess

At this point you are ready to integrate with MyAccess. You should open up a service ticket with ITS (http://help.ucsf.edu/, then click on "Submit a ticket for ITS or School of Nursing IT") and include the following information:

* Subject indicating that the request is for "MyAccess Shibboleth test or production"
* Attributes you want to get back from their IdP (and if you want ones that were not covered above, then you need to ask them for the OID for the attribute and configure it in attribute-map.xml)
* URL for your metadata (so that they can download the metadata, or attach the metadata file to the ticket)
* Indicate which attributes you would like to receive from MyAccess

To get the metadata for your simpleSAMLphp installation, go to the following URL (you will have to authenticate to simpleSAMLphp using the password you used in the configuration when installing simpleSAMLphp):

https://hostname.ucsf.edu/simplesaml/module.php/saml/sp/metadata.php/default-sp
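Before opening the ticket, a sanity check of the files edited on this page catches the mistakes the Attention notes above warn about: a leftover {{hostname}} placeholder, an {{idp}} that has no matching key in saml20-idp-remote.php, an unchanged admin password, and an sqlite session db Apache cannot write. This is an added example, not part of simpleSAMLphp or of the original page; it assumes the /var/simplesamlphp layout and the 1.8 config file shapes shown above, and the template default admin password of '123' is an assumption about the 1.8 config template.

```php
<?php
// Pre-flight check for the SP configuration edited above. Added example, not
// part of simpleSAMLphp; assumes the layout used on this page:
// /var/simplesamlphp/{config,metadata,cert}. Run as the web server user so the
// writability check reflects Apache's view:  sudo -u apache php check-sp.php
$base = '/var/simplesamlphp';
$problems = array();
// config.php and authsources.php each assign $config; the IdP metadata file
// assigns $metadata. Load each in its own scope so they do not clobber each other.
$loadConfig   = function ($f) { $config = array();   require $f; return $config; };
$loadMetadata = function ($f) { $metadata = array(); require $f; return $metadata; };
$config   = $loadConfig("$base/config/config.php");
$sources  = $loadConfig("$base/config/authsources.php");
$metadata = $loadMetadata("$base/metadata/saml20-idp-remote.php");
$sp       = isset($sources['default-sp']) ? $sources['default-sp'] : array();
// 1. The 'hostname' placeholder from the examples must not survive.
if (isset($sp['entityID']) && strpos($sp['entityID'], 'hostname.ucsf.edu') !== false) {
    $problems[] = "authsources.php: entityID still contains the 'hostname' placeholder";
}
foreach ($metadata as $entityId => $idp) {
    $slo = isset($idp['SingleLogoutService']) ? $idp['SingleLogoutService'] : '';
    if (is_string($slo) && strpos($slo, 'hostname.ucsf.edu') !== false) {
        $problems[] = "saml20-idp-remote.php: SingleLogoutService for $entityId still has 'hostname'";
    }
}
// 2. A pinned 'idp' must have a matching entry in the remote IdP metadata.
if (!empty($sp['idp']) && !isset($metadata[$sp['idp']])) {
    $problems[] = "authsources.php: idp '{$sp['idp']}' has no entry in saml20-idp-remote.php";
}
// 3. Key and certificate files are resolved relative to cert/ (the default certdir).
foreach (array('privatekey', 'certificate') as $k) {
    if (empty($sp[$k]) || !is_readable("$base/cert/{$sp[$k]}")) {
        $problems[] = "authsources.php: $k missing or unreadable under $base/cert/";
    }
}
// 4. Assumed template default for auth.adminpassword is '123'; it must be changed.
if (empty($config['auth.adminpassword']) || $config['auth.adminpassword'] === '123') {
    $problems[] = "config.php: auth.adminpassword is unset or still the template default";
}
// 5. With an sqlite session store, Apache must be able to write the db file and its directory.
if (!empty($config['store.sql.dsn']) && strpos($config['store.sql.dsn'], 'sqlite:') === 0) {
    $db = substr($config['store.sql.dsn'], strlen('sqlite:'));
    if (!is_writable(dirname($db)) || (file_exists($db) && !is_writable($db))) {
        $problems[] = "config.php: session db $db or its directory is not writable";
    }
}
foreach ($problems as $p) { fwrite(STDERR, "PROBLEM: $p\n"); }
exit($problems ? 1 : 0);
```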