Setting up SimpleSAMLphp

Configuration examples:

authsources.php

<?php
$config = [
    'default-sp' => [
        'saml:SP',
        // The certs are located in the folder cert
        'privatekey'  => 'saml.pem', // -----BEGIN PRIVATE KEY----- ... -----END PRIVATE KEY-----
        'certificate' => 'saml.crt', // -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----

        // The entity ID of this SP.
        // Can be NULL/unset, in which case an entity ID is generated based on the metadata URL.
        'entityID' => null,

        // The entity ID of the IdP this SP should contact.
        // Can be NULL/unset, in which case the user will be shown a list of available IdPs.
        'idp' => null,

        // The URL to the discovery service.
        // Can be NULL/unset, in which case a builtin discovery service will be used.
        'discoURL' => null,

        /*
         * The attributes parameter must contain an array of desired attributes by the SP.
         * The attributes can be expressed as an array of names or as an associative array
         * in the form of 'friendlyName' => 'name'. This feature requires 'name' to be set.
         * The metadata will then be created as follows:
         *
         */

        'sign.logout' => true,

        'name' => [ // Will be added to the metadata administration and shown at the login at the IdP
            'de' => 'German title',
            'en' => 'English title',
        ],

        'attributes' => [
            'eduPersonAffiliation'  => 'eduPersonAffiliation',  // To check which group the person is a member of
            'eduPersonUniqueId'     => 'eduPersonUniqueId',     // To identify the person on the next login
            'givenName'             => 'givenName',             // e.g. Max
            'mail'                  => 'mail',                  // e.g. max@uni.edu
            'sn'                    => 'sn',                    // e.g. Mustermann
            'orgZugMitarbeiterLang' => 'orgZugMitarbeiterLang', // Special attribute in the LDAP for the chair's name
            'uid'                   => 'uid',                   // Unique ID of the person
        ],
        'contacts' => [
            [
                'contactType'     => 'support',
                'emailAddress'    => 'support@mail.com',
                'givenName'       => 'Some',
                'surName'         => 'Body',
                'telephoneNumber' => '+49(0)89 32168',
            ],
            [
                'contactType'  => 'other',
                'emailAddress' => 'other@mail.com',
                'givenName'    => 'Another',
                'surName'      => 'Body',
            ],
        ],
        'authproc' => [ // Map OIDs to names
            50 => [
                'class' => 'core:AttributeMap',
                'oid2name',
            ],
        ],
        'UIInfo' => [
            'DisplayName' => [
                'de' => 'German title',
                'en' => 'English title',
            ],
            'Description' => [
                'de' => 'German description',
                'en' => 'English description',
            ],
            'InformationURL' => [
                'de' => 'https://information.url',
                'en' => 'https://information.url/en/',
            ],
            'PrivacyStatementURL' => [
                'de' => 'https://information.url/data-protection',
                'en' => 'https://information.url/en/data-protection',
            ],
            'Logo' => [
                [
                    'url'    => 'https://information.url/logo.jpg',
                    'height' => 236,
                    'width'  => 50,
                ],
            ],
        ],
    ],
];

The use case is the login of employees to a merchandising shop so that discounts can be assigned to them. Because the shop system handles session management itself, the SimpleSAMLphp session data had to be stored in a MySQL database.

config.php

<?php
$config = [
    'secretsalt'         => 'some_salt_please',        // Replace with a long random string unique to this installation
    'auth.adminpassword' => 'really_strong_password',  // Protects the admin pages; never leave the default

    'timezone'         => 'Europe/Berlin',
    'language.default' => 'de',

    'technicalcontact_name'  => 'Technical Contact',
    'technicalcontact_email' => 'technical@mail.com',

    // Keep the SAML session data in MySQL instead of the PHP session (the shop owns the PHP session)
    'store.type'    => 'sql',
    'store.sql.dsn' => 'mysql:host=localhost;dbname=database',

    /*
     * The username and password to use when connecting to the database.
     */
    'store.sql.username' => 'user',
    'store.sql.password' => 'pass',

    /*
     * The prefix we should use on our tables.
     */
    'store.sql.prefix' => 'samlsp',
];

SimpleSAMLphp Service Provider API: https://simplesamlphp.org/docs/stable/simplesamlphp-sp-api

Here is another code snippet from my plugin:

<?php
// DOCUMENT_ROOT carries no trailing slash, so the separator is needed before '..'
require_once($_SERVER['DOCUMENT_ROOT'] . '/../simplesamlphp/lib/_autoload.php');

$as = new \SimpleSAML\Auth\Simple('default-sp');
$as->requireAuth(['saml:idp' => $config['SAMLIdp']]); // User will be redirected to the IdP login page ($config['SAMLIdp'] comes from the plugin's own settings)

$attributes = $as->getAttributes(); // After login the attributes are populated; call it whenever you need them

$as->logout(); // Call this when the user logs out to end the SAML session (not on the same request that just logged them in)
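An added example, not part of the original page or of SimpleSAMLphp's own code, showing how the discount decision for the shop use case can be made from the released attributes: the check keys on eduPersonAffiliation and stores eduPersonUniqueId as the stable identifier, and refuses when either is missing. It assumes the 'default-sp' source from authsources.php, the `$config['SAMLIdp']` value from the plugin snippet, and that the oid2name filter has already mapped the attribute names.

```php
<?php
// Added example (not from the original page or from SimpleSAMLphp).
// Assumptions: 'default-sp' as configured above, $config['SAMLIdp'] as in the
// plugin snippet, and attributes already mapped to friendly names by oid2name.
require_once($_SERVER['DOCUMENT_ROOT'] . '/../simplesamlphp/lib/_autoload.php');

/**
 * Decide whether the authenticated person is entitled to the employee discount.
 * Returns the stable identifier to keep in the shop's own session, or null.
 */
function employeeDiscountSubject(array $attributes): ?string
{
    // SimpleSAMLphp delivers every attribute as an array of string values.
    // Authorization is based on eduPersonAffiliation only; givenName, sn and
    // mail are display data and must not drive the decision.
    $affiliations = $attributes['eduPersonAffiliation'] ?? [];
    if (!in_array('employee', $affiliations, true)) {
        return null;
    }

    // Recognise the person on later logins via eduPersonUniqueId rather than
    // mail, which can change or be reassigned to somebody else.
    $uniqueId = $attributes['eduPersonUniqueId'][0] ?? null;
    if ($uniqueId === null || $uniqueId === '') {
        return null; // IdP released no stable identifier: refuse rather than guess
    }
    return $uniqueId;
}

$as = new \SimpleSAML\Auth\Simple('default-sp');
$as->requireAuth(['saml:idp' => $config['SAMLIdp']]); // redirects to the IdP if needed

$subject = employeeDiscountSubject($as->getAttributes());
if ($subject === null) {
    http_response_code(403);
    exit('No employee discount for this account.');
}
// From here on the shop's own session management takes over with $subject;
// the SAML session itself lives in the MySQL store configured in config.php.
```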

Version #5
Created: Thu, Jul 25, 2019 12:27 PM by Domi
Last updated: Tue, Aug 6, 2019 3:38 PM by Domi