Setting up SimpleSAMLphp
- Set up a contract with DFN. Request a certificate for the Shibboleth SP from the responsible PKI.
- Metadata: convert the IdP metadata and enter it in saml20-idp-remote.php (SAML 2.0 remote identity provider).
- Attributes: see https://doku.tid.dfn.de/de:common_attributes and ask your home organisation which ones it releases.
- Installation: https://simplesamlphp.org/docs/stable/simplesamlphp-install
- Basic configuration: https://simplesamlphp.org/docs/stable/simplesamlphp-sp
Configuration examples:
authsources.php
'default-sp' => [
    'saml:SP', // The certs are located in the folder cert
    'privatekey' => 'saml.pem', // -----BEGIN PRIVATE KEY----- ... -----END PRIVATE KEY-----
    'certificate' => 'saml.crt', // -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----
    // The entity ID of this SP.
    // Can be NULL/unset, in which case an entity ID is generated based on the metadata URL.
    'entityID' => null,
    // The entity ID of the IdP this SP should contact.
    // Can be NULL/unset, in which case the user will be shown a list of available IdPs.
    'idp' => null,
    // The URL to the discovery service.
    // Can be NULL/unset, in which case a builtin discovery service will be used.
    'discoURL' => null,
    'sign.logout' => true,
    'name' => [ // Will be added to the metadata administration and shown at the login at the IDP
        'de' => 'German title',
        'en' => 'English title',
    ],
    /*
     * The attributes parameter must contain an array of desired attributes by the SP.
     * The attributes can be expressed as an array of names or as an associative array
     * in the form of 'friendlyName' => 'name'. This feature requires 'name' to be set.
     * The metadata will then be created as follows:
     *
     */
    'attributes' => [
        'eduPersonAffiliation' => 'eduPersonAffiliation', // To check which group the person is a member of
        'eduPersonUniqueId' => 'eduPersonUniqueId', // To identify the person on the next login
        'givenName' => 'givenName', // Ex. Max
        'mail' => 'mail', // Ex. max@uni.edu
        'sn' => 'sn', // Ex. Mustermann
        'orgZugMitarbeiterLang' => 'orgZugMitarbeiterLang', // Special attribute in the LDAP for the chair's name
        'uid' => 'uid' // Unique ID of the person
    ],
    'contacts' => [
        [
            'contactType' => 'support',
            'emailAddress' => 'support@mail.com',
            'givenName' => 'Some',
            'surName' => 'Body',
            'telephoneNumber' => '+49(0)89 32168',
        ],
        [
            'contactType' => 'other',
            'emailAddress' => 'other@mail.com',
            'givenName' => 'Another',
            'surName' => 'Body'
        ]
    ],
    'authproc' => [ // Map OIDs to names
        50 => [
            'class' => 'core:AttributeMap',
            'oid2name',
        ],
    ],
    'UIInfo' => [
        'DisplayName' => [
            'de' => 'German title',
            'en' => 'English title',
        ],
        'Description' => [
            'de' => 'German description',
            'en' => 'English description',
        ],
        'InformationURL' => [
            'de' => 'https://information.url',
            'en' => 'https://information.url/en/',
        ],
        'PrivacyStatementURL' => [
            'de' => 'https://information.url/data-protection',
            'en' => 'https://information.url/en/data-protection',
        ],
        'Logo' => [
            [
                'url' => 'https://information.url/logo.jpg',
                'height' => 236,
                'width' => 50,
            ]
        ],
    ],
],
The use case is the login of employees to a merchandising shop so that discounts can be assigned to them. Since the shop system handles session management itself, the SimpleSAMLphp session data had to be stored in a MySQL database.
config.php
'secretsalt' => 'some_salt_please', // Replace with a long random value; it is used to derive hashes and must stay secret
'auth.adminpassword' => 'really_strong_password', // Protects the admin pages; never leave the default
'timezone' => 'Europe/Berlin',
'language.default' => 'de',
'technicalcontact_name' => 'Technical Contact',
'technicalcontact_email' => 'technical@mail.com',
// Session store: 'sql' keeps the SimpleSAMLphp session in the database instead of the PHP session
'store.type' => 'sql',
'store.sql.dsn' => 'mysql:host=localhost;dbname=database',
/*
 * The username and password to use when connecting to the database.
 */
'store.sql.username' => 'user',
'store.sql.password' => 'pass',
/*
 * The prefix we should use on our tables.
 */
'store.sql.prefix' => 'samlsp',
SimpleSAMLphp Service Provider API: https://simplesamlphp.org/docs/stable/simplesamlphp-sp-api
Here is another code snippet from my plugin:
<?php
// SimpleSAMLphp is installed one level above the web root; DOCUMENT_ROOT has no trailing slash,
// so the separator before '..' is required
require_once($_SERVER['DOCUMENT_ROOT'] . '/../simplesamlphp/lib/_autoload.php');

$as = new \SimpleSAML\Auth\Simple('default-sp');
// $config is the plugin's own settings array; 'SAMLIdp' holds the entity ID of the IdP to use
$as->requireAuth(['saml:idp' => $config['SAMLIdp']]); // User is redirected to the IdP login page if not authenticated yet
$attributes = $as->getAttributes(); // Populated after login; call it every time you need the attributes
// ...
$as->logout(); // Call when the user logs out of the shop, to end the SAML session as well
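As an added example (not code from the original plugin), the login flow above extended with the checks a shop would want before assigning a discount from the attributes requested in authsources.php. The autoloader path, the IdP entity ID in $expectedIdp and the assumption that the affiliations 'employee' and 'staff' are the ones that qualify for the discount are mine.

```php
<?php
// Added example, not part of the original plugin. Assumed: autoloader path,
// $expectedIdp (placeholder entity ID) and which affiliations get the discount.
require_once($_SERVER['DOCUMENT_ROOT'] . '/../simplesamlphp/lib/_autoload.php');

/**
 * Returns a discount group name or null.
 * $attributes is the array SimpleSAMLphp returns from getAttributes():
 * every value is a list of strings, even for single-valued attributes.
 */
function discountGroupFromAttributes(array $attributes): ?string
{
    // Require the persistent identifier before granting anything: 'mail' can
    // change, eduPersonUniqueId is the attribute meant to recognise the person again.
    $uniqueId = $attributes['eduPersonUniqueId'][0] ?? null;
    if ($uniqueId === null) {
        return null;
    }
    // Assumption: only employees/staff are entitled to the shop discount.
    $affiliations = $attributes['eduPersonAffiliation'] ?? [];
    foreach ($affiliations as $affiliation) {
        if (in_array(strtolower($affiliation), ['employee', 'staff'], true)) {
            return 'employee-discount';
        }
    }
    return null; // e.g. students or affiliates: no discount
}

$as = new \SimpleSAML\Auth\Simple('default-sp');
$expectedIdp = 'https://idp.example.org/idp/shibboleth'; // placeholder entity ID
$as->requireAuth(['saml:idp' => $expectedIdp]);

// Check which IdP actually issued the assertion, not only which one was asked for:
// with 'idp' => null in authsources.php any federation IdP could authenticate a user.
if ($as->getAuthData('saml:sp:IdP') !== $expectedIdp) {
    http_response_code(403);
    exit('Assertion from unexpected IdP');
}

$group = discountGroupFromAttributes($as->getAttributes());
if ($group === null) {
    http_response_code(403);
    exit('No discount for this affiliation');
}
// Map the SAML identity to the shop account here (keyed by eduPersonUniqueId)
// and let the shop's own session carry $group from now on.
```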