SAML (short for Security Assertion Markup Language) is a standard which allows single sign-on (SSO) authentication across the different applications scattered throughout the landscape.

Wanting to learn more about it I came across SimpleSAMLphp, which can act as an Identity Provider (IdP). The IdP connects to data sources like LDAP, SQL, etc. for its user data and authentication.

The following steps explain the installation of SimpleSAMLphp on Ubuntu 18.04 (and likely later releases) in a test environment. I’ve set up a simple VM and assigned it the hostname shibidp.test.lab.

WARNING: This guide describes a TEST setup which is not secure enough for production.

After the base installation, run the commands in the sections below.

Installing requirements

Let’s start by laying the foundation:

# Install all system dependencies
apt -y install php-xml php-mbstring php-curl php-memcache php-ldap memcached apache2 mysql-server php-date php-json php-mysql libapache2-mod-php

# Enable Apache modules
a2enmod ssl php7.2

# Generate a self-signed certificate (testing only, use Let's Encrypt or another trusted source for production!)
openssl req -nodes -x509 -newkey rsa:4096 -keyout /etc/ssl/private/key.pem -out /etc/ssl/private/cert.pem -days 365

# Start and enable daemons
systemctl restart apache2 mysql memcached
systemctl enable apache2 mysql memcached

# Run the MySQL Installation
mysql_secure_installation

Run through the interactive MySQL setup as needed. You may want to disable the password validation plugin, as I’m using very insecure passwords in this test setup.

Install SimpleSAMLphp

Download and install the application:

# Download SimpleSAMLphp and extract it to its final destination
wget https://simplesamlphp.org/download?latest -O ~/simplesaml-latest.tar.gz
tar xf ~/simplesaml-latest.tar.gz
mv ~/simplesamlphp-1.* /var/simplesamlphp

Configure SimpleSAMLphp

The application should already work out of the box and you can log in as the administrator with the password 123. However, it may be beneficial to change some of the following settings:

Edit /var/simplesamlphp/config/config.php and set the following values:

  • auth.adminpassword - Set a password. If you’d like to hash it (recommended) run /var/simplesamlphp/bin/pwgen.php and use its output as the value here.
  • secretsalt - A secret key. Use openssl rand -base64 32 to generate a random value to go here.
  • production - The default value is true; as this is for testing I changed it to false. That way the UI shows a warning that this is not a production instance, which could prevent accidents.
  • trusted.url.domains - A list of trusted domains. I added the FQDN to this.
  • enable.saml20-idp - Set this to true.

Configure Apache

Create a new vhost configuration (e.g. /etc/apache2/sites-available/shibidp-ssl.conf):

<VirtualHost *:443>
        ServerName shibidp.test.lab

        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        SSLCertificateFile /etc/ssl/private/cert.pem
        SSLCertificateKeyFile /etc/ssl/private/key.pem

        SetEnv SIMPLESAMLPHP_CONFIG_DIR /var/simplesamlphp/config

        Alias /simplesaml /var/simplesamlphp/www
        <Directory /var/simplesamlphp/www/>
                Require all granted
        </Directory>
</VirtualHost>

After saving your configuration (change as required) enable it:

a2ensite shibidp-ssl
systemctl reload apache2

Login to SimpleSAMLphp

You should now be able to browse to https://shibidp.test.lab/simplesaml/ (or the hostname you configured) and see the app running.

Under the Configuration tab you’ll find Login as administrator. Use this with your chosen password.

Don’t worry about some missing PHP modules like predis. They’re not needed for this setup.

Prepare user data

This setup uses MySQL as its source of user data. It could be almost anything, however: any other SQL database, LDAP, etc. all work.

The following snippet creates a database called auth with a users table. A new MySQL user called authuser with the password authuser is created with access to that database. Finally, three user accounts are created, each with the password 123.

mysql -e "CREATE DATABASE auth DEFAULT CHARACTER SET utf8 COLLATE utf8_unicode_ci;
GRANT ALL ON auth.* TO 'authuser'@'localhost' IDENTIFIED BY 'authuser';
CREATE TABLE auth.users(username VARCHAR(30), password VARBINARY(30));
INSERT INTO auth.users(username, password) VALUES
('user1', AES_ENCRYPT('123','secret')),
('user2', AES_ENCRYPT('123','secret')),
('user3', AES_ENCRYPT('123','secret'));
FLUSH PRIVILEGES;"

Connect SimpleSAMLphp to MySQL

Finally we need to connect the application to the data source. Edit /var/simplesamlphp/config/authsources.php and add:

    'example-sql' => [
        'sqlauth:SQL',
        // MySQL listens on 3306 by default (5432 is PostgreSQL's default port)
        'dsn' => 'mysql:host=localhost;port=3306;dbname=auth',
        'username' => 'authuser',
        'password' => 'authuser',
        // :username and :password are bound by sqlauth; every returned column becomes a SAML attribute
        'query' => 'SELECT username FROM users WHERE username = :username AND AES_DECRYPT(password,"secret") = :password',
    ],

You can find the right spot by searching the file for example-sql. Just replace the example.
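To make the contract of the query above concrete, here is an added example (not part of the original post or of SimpleSAMLphp) that mimics what the sqlauth:SQL module does with it: bind :username and :password, treat zero rows as a failed login, and turn every returned column into an attribute list. It assumes an in-memory SQLite database standing in for the page's MySQL auth database, and, because SQLite has no AES_DECRYPT, verifies salted SHA-256 digests instead of the page's AES_ENCRYPT scheme; the table rows, salts and mail column are constructed values.

```python
import hashlib
import sqlite3


def sha2_256(value: str) -> str:
    """Hex SHA-256, registered into SQLite to play the role of MySQL's SHA2(x, 256)."""
    return hashlib.sha256(value.encode()).hexdigest()


def build_db() -> sqlite3.Connection:
    """Constructed stand-in for the 'auth' database with the page's three users (password 123)."""
    conn = sqlite3.connect(":memory:")
    conn.create_function("SHA2_256", 1, sha2_256)
    conn.execute("CREATE TABLE users(username TEXT, salt TEXT, password TEXT, mail TEXT)")
    for user in ("user1", "user2", "user3"):
        salt = "salt-" + user  # constructed per-user salt (an assumption of this example)
        conn.execute("INSERT INTO users VALUES (?, ?, ?, ?)",
                     (user, salt, sha2_256(salt + "123"), f"{user}@test.lab"))
    return conn


# Same shape as the authsources query: only :username and :password are bound,
# and each selected column (username, mail) becomes a SAML attribute.
QUERY = ("SELECT username, mail FROM users "
         "WHERE username = :username AND password = SHA2_256(salt || :password)")


def sqlauth_login(conn: sqlite3.Connection, username: str, password: str):
    """Return None on wrong credentials, else {attribute: [values...]} like sqlauth does."""
    cur = conn.execute(QUERY, {"username": username, "password": password})
    rows = cur.fetchall()
    if not rows:
        return None  # no row matched -> sqlauth reports a failed login
    attributes: dict[str, list[str]] = {}
    for row in rows:
        for (column, *_), value in zip(cur.description, row):
            if value is None:
                continue  # sqlauth skips NULL columns
            values = attributes.setdefault(column, [])
            if str(value) not in values:
                values.append(str(value))  # duplicates across rows are merged
    return attributes


if __name__ == "__main__":
    db = build_db()
    print(sqlauth_login(db, "user1", "123"))
    print(sqlauth_login(db, "user1", "wrong"))
```

Because the values are bound parameters rather than spliced into the SQL, a username containing quotes is compared as plain data and simply yields no row.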

Test your SAML authentication

To test if everything works go back to the SimpleSAMLphp interface and open the Authentication tab. Here you’ll find Test configured authentication sources. Click on it and you should see a short list containing example-sql.

This is the data source we configured in the previous step. Use it to authenticate. Try user1 with password 123. This should lead you to another page showing the user data. When done click on Logout to kill the session.

Additional Resources