SimpleSAMLphp installation on Ubuntu 18.04
SAML (short for Security Assertion Markup Language) is a standard which allows single sign-on authentication across different applications scattered throughout the landscape.
Wanting to learn more about it I came across SimpleSAMLphp, which can act as an Identity Provider (IdP). The IdP connects to data sources like LDAP, SQL, etc. for its user data and authentication.
The following steps explain the installation of SimpleSAMLphp on Ubuntu 18.04 (and likely beyond) in a test environment. I've set up a simple VM and assigned it the hostname shibidp.test.lab. After the base installation, run the steps below.
WARNING: This guide describes a TEST setup which is not secure enough for production.
Installing requirements
Let's start by laying the foundation:
# Install all system dependencies
apt -y install php-xml php-mbstring php-curl php-memcache php-ldap memcached apache2 mysql-server php-date php-json php-mysql libapache2-mod-php
# Enable Apache modules
a2enmod ssl php7.2
# Generate a self-signed certificate (testing only, use Let's Encrypt or another trusted source for production!)
openssl req -nodes -x509 -newkey rsa:4096 -keyout /etc/ssl/private/key.pem -out /etc/ssl/private/cert.pem -days 365
# Start and enable daemons
systemctl restart apache2 mysql memcached
systemctl enable apache2 mysql memcached
# Run the MySQL installation
mysql_secure_installation
Run through the interactive MySQL setup as needed. You may want to disable the password validation plugin, as I'm using very insecure passwords in this test setup.
Install SimpleSAMLphp
Download and install the application:
# Download SimpleSAMLphp and extract it to its final destination
wget https://simplesamlphp.org/download?latest -O ~/simplesaml-latest.tar.gz
tar xf ~/simplesaml-latest.tar.gz
mv ~/simplesamlphp-1.* /var/simplesamlphp
Configure SimpleSAMLphp
The application should already work out of the box and you can log in as the administrator with the password 123. However, it may be beneficial to change some of the following settings:
Edit /var/simplesamlphp/config/config.php and set the following values:
- auth.adminpassword - Set a password. If you'd like to store it hashed rather than in clear text (recommended), run /var/simplesamlphp/bin/pwgen.php and use its output as the value here.
- secretsalt - A secret key. Use openssl rand -base64 32 to generate a random value to go here.
- production - The default value is true; as this is for testing I changed it to false. That way the UI will show a warning that the instance is not production, which could prevent accidents.
- trusted.url.domains - A list of trusted domains. I added the FQDN to this.
- enable.saml20-idp - Set this to true.
Configure Apache
Create a new vhost configuration (e.g. /etc/apache2/sites-available/shibidp-ssl.conf):
<VirtualHost *:443>
    ServerName shibidp.test.lab
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    # Without SSLEngine on the vhost would answer plain HTTP on port 443
    SSLEngine on
    SSLCertificateFile /etc/ssl/private/cert.pem
    SSLCertificateKeyFile /etc/ssl/private/key.pem
    SetEnv SIMPLESAMLPHP_CONFIG_DIR /var/simplesamlphp/config
    Alias /simplesaml /var/simplesamlphp/www
    <Directory /var/simplesamlphp/www/>
        Require all granted
    </Directory>
</VirtualHost>
After saving your configuration (change as required) enable it:
a2ensite shibidp-ssl
systemctl reload apache2
Login to SimpleSAMLphp
You should now be able to browse to https://shibidp.test.lab/simplesaml/ (or the hostname you configured) and see the app running.
Under the tab Configuration you'll find Login as administrator. Use this with your chosen password.
Don't worry about some missing PHP modules like predis. They're not needed for this setup.
Prepare user data
This setup uses MySQL as its source of user data. This could be almost anything, however: any other SQL database, LDAP, etc. all work.
The following snippet creates a database called auth with a users table. A new MySQL user called authuser with the password authuser and access to that database is created. Finally, three user accounts are created, each with the password 123.
mysql -e "CREATE DATABASE auth DEFAULT CHARACTER SET utf8 COLLATE utf8_unicode_ci;
GRANT ALL ON auth.* TO 'authuser'@'localhost' IDENTIFIED BY 'authuser';
CREATE TABLE auth.users(username VARCHAR(30), password VARBINARY(30));
INSERT INTO auth.users(username, password) VALUES
('user1', AES_ENCRYPT('123','secret')),
('user2', AES_ENCRYPT('123','secret')),
('user3', AES_ENCRYPT('123','secret'));
FLUSH PRIVILEGES;"
Connect SimpleSAMLphp to MySQL
Finally we need to connect the application to the data source. Edit /var/simplesamlphp/config/authsources.php
and add:
'example-sql' => [
    'sqlauth:SQL',
    // MySQL listens on 3306 by default
    'dsn' => 'mysql:host=localhost;port=3306;dbname=auth',
    'username' => 'authuser',
    'password' => 'authuser',
    // sqlauth binds :username and :password as parameters; every returned column becomes a SAML attribute
    'query' => 'SELECT username FROM users WHERE username = :username AND AES_DECRYPT(password,"secret") = :password',
],
You can find the right spot by searching the file for example-sql. Just replace the example.
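What sqlauth does with this query can be seen offline in the following added example, which is not code from the guide or from SimpleSAMLphp: it mimics the module's behaviour of binding :username and :password as parameters and mapping returned columns to attributes, run against an in-memory sqlite3 table of constructed users. It assumes sqlite3 as a stand-in for MySQL, models the AES_DECRYPT column as clear text, and registers SHA2_256 as a hand-made stand-in for MySQL's SHA2(); it also goes one step beyond the guide by showing a salted-hash query that keeps no recoverable password and no decryption key in authsources.php.

```python
import hashlib
import sqlite3

# Constructed stand-in for what SimpleSAMLphp's sqlauth module does with the
# 'query' entry in authsources.php. sqlite3 replaces MySQL so it runs offline;
# the guide's AES_DECRYPT(password,"secret") column is modelled as clear text,
# and MySQL's SHA2(str, 256) is registered by hand as SHA2_256. All users,
# salts and passwords are test data invented for this example.

def sha2_256(value):
    """Stand-in for MySQL SHA2(value, 256): hex digest of the UTF-8 input."""
    return hashlib.sha256(value.encode()).hexdigest()

def build_db():
    conn = sqlite3.connect(":memory:")
    conn.create_function("SHA2_256", 1, sha2_256)
    conn.execute("CREATE TABLE users(username TEXT, password TEXT, "
                 "salt TEXT, pwhash TEXT)")
    for user in ("user1", "user2", "user3"):
        salt = "salt-" + user  # constructed per-user salt
        conn.execute("INSERT INTO users VALUES (?, ?, ?, ?)",
                     (user, "123", salt, sha2_256(salt + "123")))
    return conn

# Shape of the guide's query: the stored password is compared directly.
GUIDE_QUERY = ("SELECT username FROM users "
               "WHERE username = :username AND password = :password")
# Variant that stores only a salted hash. The comparison still happens inside
# SQL because sqlauth cannot post-process the password before binding it.
HASHED_QUERY = ("SELECT username FROM users WHERE username = :username "
                "AND pwhash = SHA2_256(salt || :password)")

def sqlauth_login(conn, query, username, password):
    """Mimic sqlauth: bind :username/:password as parameters (never string
    concatenation), treat zero rows as a failed login, and turn every
    returned column into a SAML attribute holding its distinct values."""
    cur = conn.execute(query, {"username": username, "password": password})
    rows = cur.fetchall()
    if not rows:
        return None
    attributes = {}
    for index, column in enumerate(cur.description):
        values = {row[index] for row in rows if row[index] is not None}
        attributes[column[0]] = sorted(values)
    return attributes

if __name__ == "__main__":
    db = build_db()
    print(sqlauth_login(db, GUIDE_QUERY, "user1", "123"))     # {'username': ['user1']}
    print(sqlauth_login(db, HASHED_QUERY, "user1", "wrong"))  # None
```

With MySQL the hashed variant would read AND pwhash = SHA2(CONCAT(salt, :password), 256). A single SHA-256 round is still cheap to guess offline, so treat it as a step up from AES_ENCRYPT with a key in the config file, not as a final answer.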
Test your SAML authentication
To test if everything works go back to the SimpleSAMLphp interface and open the Authentication tab. Here you'll find Test configured authentication sources. Click on it and you should see a short list containing example-sql.
This is the data source we configured in the previous step. Use it to authenticate. Try user1 with password 123. This should lead you to another page showing the user data. When done, click on Logout to end the session.