Prerequisites
- Some webserver capable of executing PHP scripts.
- PHP version >= 5.4.0.
- Support for the following PHP extensions:
  - Always required: date, dom, hash, libxml, openssl, pcre, SPL, zlib, json, mbstring
  - When automatically checking for latest versions, and used by some modules: cURL
  - When authenticating against an LDAP server: ldap
  - When authenticating against a RADIUS server: radius
  - When using the native PHP session handler: session
  - When saving session information to a memcache server: memcache
  - When using databases:
    - Always: PDO
    - Database driver: mysql, pgsql, ...
- Support for the following PHP packages:
  - When saving session information to a Redis server: predis
What actual packages are required for the various extensions varies between different platforms and distributions.
Installation Steps
1. Install the Prerequisites Extensions
2. Download and Extract the SimpleSAMLphp installer
3. Create an HTTPD Configuration File
```apache
Alias /sso /var/www/simplesamlphp/www

<Directory /var/www/simplesamlphp/www>
    <IfModule !mod_authz_core.c>
        # For Apache 2.2:
        Order allow,deny
        Allow from all
    </IfModule>
    <IfModule mod_authz_core.c>
        # For Apache 2.4:
        Require all granted
    </IfModule>
</Directory>
```
4. Restart the HTTPD Service
5. Edit SimpleSAMLphp Configuration File
- Find auth.adminpassword and set the admin password.
- Find baseurlpath and set it to 'sso/'.
- Find secretsalt and set it to a random string to use as the salt.
- Find admin.protectindexpage and set it to true.
- Find technicalcontact_name and technicalcontact_email and set them to appropriate values. Use a service email address rather than a personal email.
- Find timezone and set it to a preferred time zone from the list of timezones for PHP. For example: 'Etc/UTC'
- Find enable.saml20-idp and set it to true.
- Find metadata.sources and add the following lines:
- Find the following lines and uncomment them:
Enable the Consent module:
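The settings listed in this step, written out as they would appear in config/config.php. This is an added example, not the page's own file: the metadata.sources directory, the consent filter block and the contact values are assumptions, since the page does not show the lines it refers to.

```php
<?php
// config/config.php (excerpt with example values; adjust to your site)
$config = [
    // Must match the Alias in the HTTPD configuration, with a trailing slash.
    'baseurlpath' => 'sso/',

    // Never leave this at the default. A salted hash produced by bin/pwgen.php
    // (shipped with SimpleSAMLphp) is preferable to a plaintext password here.
    'auth.adminpassword' => 'REPLACE-WITH-ADMIN-PASSWORD-OR-PWGEN-HASH',

    // Must be changed from 'defaultsecretsalt' or SimpleSAMLphp refuses to run.
    // Generate one with: php -r 'echo bin2hex(random_bytes(32)), PHP_EOL;'
    'secretsalt' => 'REPLACE-WITH-RANDOM-SALT',

    // Require the admin login before the installation's index page is shown.
    'admin.protectindexpage' => true,

    // Shown on error pages and published in metadata; use a service mailbox.
    'technicalcontact_name'  => 'IdP Support',             // placeholder
    'technicalcontact_email' => 'sso-support@example.edu', // placeholder

    'timezone' => 'Etc/UTC',

    // Turn on the SAML 2.0 IdP role.
    'enable.saml20-idp' => true,

    // Local flatfile metadata plus the directory metarefresh writes into
    // (assumed path; it must match outputDir in config-metarefresh.php).
    'metadata.sources' => [
        ['type' => 'flatfile'],
        ['type' => 'flatfile', 'directory' => 'metadata/sifulan/'],
    ],

    // Consent filter in the IdP processing chain (assumed to be the commented
    // block this step refers to). The consent module itself must also be
    // enabled (on 1.x releases without module.enable: touch modules/consent/enable).
    'authproc.idp' => [
        90 => [
            'class'   => 'consent:Consent',
            'store'   => 'consent:Cookie',
            'focus'   => 'yes',
            'checked' => true,
        ],
    ],
];
```

The two values most often left at their defaults on fresh installs are secretsalt and auth.adminpassword. The salt is used to derive values such as persistent NameIDs, so it must be unique per installation, and a weak admin password exposes the whole configuration (including database and LDAP credentials) through the admin pages.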
6. Check the Initial Installation and Config
Using your web browser, open the SimpleSAMLphp installation at the following URL: https://<your hostname>/sso. You will be asked to log in as administrator. Do so and you will see the following screen after a successful authentication:
Click the Configuration tab to check the config and installation:
7. Connect with Directory Services
Edit the authsources.php file
Add the following entry:
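An LDAP authentication source of the kind this step adds, as an added example rather than the page's own entry. The 'Directory-Services' name is the one the authentication test in the next step selects; the hostname, base DN, bind account and attribute names are placeholders for your own directory.

```php
<?php
// config/authsources.php (example; replace placeholders with your directory's values)
$config = [
    // Login for the SimpleSAMLphp admin pages; uses auth.adminpassword from config.php.
    'admin' => [
        'core:AdminPassword',
    ],

    'Directory-Services' => [
        'ldap:LDAP',
        'hostname'   => 'ldap.example.edu', // placeholder
        'port'       => 389,
        // STARTTLS on port 389 so user passwords never cross the network in clear.
        // 'enable_tls' => false against a plain ldap:// host is the weak setting to avoid.
        'enable_tls' => true,
        'debug'      => false,
        'timeout'    => 10,

        // Release only the attributes the federation needs; null would return everything.
        'attributes' => ['uid', 'mail', 'displayName', 'givenName', 'sn', 'eduPersonAffiliation'],

        // Bind directly as the user by building the DN from the username.
        'dnpattern'  => 'uid=%username%,ou=people,dc=example,dc=edu', // placeholder

        // Alternative when a DN cannot be derived from the username: search first
        // with a dedicated read-only service account, then bind as the found user.
        'search.enable'     => false,
        'search.base'       => 'ou=people,dc=example,dc=edu',                 // placeholder
        'search.attributes' => ['uid', 'mail'],
        'search.username'   => 'cn=simplesaml,ou=services,dc=example,dc=edu', // placeholder
        'search.password'   => 'REPLACE-ME',
    ],
];
```

If the search path is used, the bind account needs nothing beyond read access to the people subtree. The file lives under config/, which the HTTPD Alias from step 3 does not expose because it points only at www/; keep it that way, since the file holds the service account's password in clear.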
8. Perform Authentication Test
Back in the web browser, click the "Authentication" tab and select "Test configured authentication sources". Select "Directory-Services" as the user database that you want to test:
Perform the authentication test by entering a user's username and password. On success, you will see the Directory Service return the user's attributes to SimpleSAMLphp.
9. Ingest SIFULAN and eduGAIN Metadata
Enable and configure the metarefresh and cron modules:
Create a folder to "cache" the Federation metadata files:
Download SIFULAN's metadata signing certificate:
Create the metarefresh module's config file:
Edit the metadata "cron" configuration file:
Replace the default secret key with another key string. You can use the following command to generate a random string as the secret key:
Back in the web browser, click the "Configuration" tab and select "Cron module information page". Copy one of the three suggested crontab entries to allow periodic metadata downloads from the SIFULAN Federation. Run the crontab editor and paste the entry:
To start fetching the metadata from SIFULAN, go to the web browser, click the "Federation" tab and click the "Metarefresh: fetch metadata" link at the bottom of the page. Once done, press the "back" button in the web browser to see the result.
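The two module configuration files this step edits, shown together as an added example rather than the page's own files. The metadata URL, the signing certificate's filename and the output directory are assumptions; the real values come from the SIFULAN Federation.

```php
<?php
// config/config-metarefresh.php (example)
$config = [
    'sets' => [
        'sifulan' => [
            // Run when the cron module is invoked with the 'hourly' tag.
            'cron'    => ['hourly'],
            'sources' => [
                [
                    'src' => 'https://METADATA-URL-FROM-SIFULAN/metadata.xml', // placeholder
                    // The federation's metadata signing certificate downloaded earlier in
                    // this step, relative to certdir. Without it the feed is accepted
                    // unverified, so a tampered aggregate would be trusted as-is.
                    'certificates' => ['sifulan-metadata-signer.crt'], // placeholder name
                ],
            ],
            // Cap the cached metadata's validity at four days so a stale copy
            // cannot be trusted indefinitely if the feed stops updating.
            'expireAfter'  => 60 * 60 * 24 * 4,
            // The "cache" folder created above; it is listed in metadata.sources in config.php.
            'outputDir'    => 'metadata/sifulan/',
            'outputFormat' => 'flatfile',
        ],
    ],
];

// ---------------------------------------------------------------------------
// config/module_cron.php (example)
$config = [
    // Secret that the crontab URL must present; anything else is rejected.
    // Generate with: php -r 'echo bin2hex(random_bytes(16)), PHP_EOL;'
    'key'           => 'REPLACE-WITH-RANDOM-STRING',
    // Only tags listed here may be triggered over HTTP.
    'allowed_tags'  => ['hourly'],
    'debug_message' => true,
    'sendemail'     => false,
];
```

The crontab entry copied from the "Cron module information page" embeds this key in the URL, so treat the crontab like any other credential store: keep it under the account that runs the job and avoid pasting the line into shared tickets or chat.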
10. Configure IdP Metadata
Generate a long-term self-signed certificate:
Edit saml20-idp-hosted.php:
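A long-lived self-signed key pair for the IdP, generated with PHP's openssl extension (already a prerequisite above). This is an added example and not the page's command; the equivalent openssl command-line invocation works just as well. The cert directory, file names and common name are placeholders.

```php
<?php
// Generate the IdP's signing key pair and report the certificate's expiry date.
// Paths and common name are placeholders; certdir defaults to cert/ under the base.
$certDir  = '/var/www/simplesamlphp/cert';
$keyPath  = $certDir . '/sifulan-idp.pem';
$certPath = $certDir . '/sifulan-idp.crt';

function generateIdpCertificate($keyPath, $certPath, $commonName, $days = 3650)
{
    // RSA 3072 with SHA-256: federation partners pin this certificate from your
    // metadata, so choose parameters that will still be acceptable in ten years.
    $key = openssl_pkey_new([
        'private_key_bits' => 3072,
        'private_key_type' => OPENSSL_KEYTYPE_RSA,
    ]);
    if ($key === false) {
        throw new RuntimeException('Key generation failed: ' . openssl_error_string());
    }

    $csr  = openssl_csr_new(['commonName' => $commonName], $key, ['digest_alg' => 'sha256']);
    $cert = ($csr === false) ? false
          : openssl_csr_sign($csr, null, $key, $days, ['digest_alg' => 'sha256']);
    if ($cert === false) {
        throw new RuntimeException('Certificate generation failed: ' . openssl_error_string());
    }

    // The private key signs every assertion this IdP issues: create it 0600,
    // readable only by the web server user.
    $oldMask = umask(0077);
    openssl_pkey_export_to_file($key, $keyPath);
    umask($oldMask);
    openssl_x509_export_to_file($cert, $certPath);

    $info = openssl_x509_parse($cert);
    return date('Y-m-d', $info['validTo_time_t']);
}

echo 'Certificate valid until ', generateIdpCertificate($keyPath, $certPath, 'idp.example.edu'), PHP_EOL;
```

saml20-idp-hosted.php then references the two files by name relative to certdir, for example 'privatekey' => 'sifulan-idp.pem' and 'certificate' => 'sifulan-idp.crt', together with 'auth' => 'Directory-Services' to bind the IdP to the authentication source from step 7. A long validity is chosen deliberately: every service provider in the federation trusts this certificate through your registered metadata, so each rollover has to be coordinated with the federation.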
11. Metadata Registration
To get your IdP metadata, in your SimpleSAMLphp installation page, click the "Federation" tab and click "Show Metadata" in the "SAML 2.0 IdP Metadata" section.
SimpleSAMLphp provides three options in regards to your IdP metadata:
- Dynamic/Direct link to the metadata
- Metadata in XML format
- Metadata in SimpleSAMLphp format.
Typically, option 2 is chosen as it provides better compatibility with other SAML middleware. Select and copy the metadata (you will paste it into the Federation Manager portal later).
Please click here for the tutorial on how you can register your metadata with SIFULAN Federation.
12. Customizing the Theme
You can use the SimpleSAMLphp Theme Generator to customize the theme. You can find the tutorial from here.