2. SimpleSAMLphp IdP
Odprite mapo v katero želite namestiti SimpleSAMLphp, npr.:
cd /opt
Z uradne spletne strani SimplesamlPHP prenesite zadnjo verzijo.
Ustvarite nastavitvene datoteke s privzetimi vrednostmi:
cd /opt/simplesamlphp
cp -r config-templates/*.php config/
cp -r metadata-templates/*.php metadata/
V mapi
/opt/simplesamlphp imate sedaj nameščen SimpleSAMLphp.
S tem je namestitev končana, urediti je potrebno še nastavitve.
2.1 Vzorčne nastavitve:
Nastavitve, ki v spodnjih primerih niso omenjene lahko ostanejo nespremenjene. Med postopkom boste potrebovali t.i. "self-signed" certifikate, ki služijo podpisovanju SAML zahtevkov. V CN (Common Name) certifikata vpišite "ArnesAAI Federation - Primary IdP of Organization", IP oz FQDN/VHOST spletnega strežnika pa navedite v "Subject Alternative".
'auth.adminpassword' => 'geslo',
'admin.protectindexpage'=> true,
'admin.protectmetadata' => false,
/**
* A possible way to generate a random salt is by running the following command from a unix shell:
* tr -c -d '0123456789abcdefghijklmnopqrstuvwxyz' </dev/urandom | dd bs=32 count=1 2>/dev/null;echo
*/
'secretsalt' => '0123456789abcdefghijklmnopqrstuvwxyz',
'technicalcontact_name' => 'Administrator',
'technicalcontact_email' => 'podpora@domena.tld',
/*
* The timezone of the server. This option should be set to the timezone you want
* simpleSAMLphp to report the time in. The default is to guess the timezone based
* on your system timezone.
*
* See this page for a list of valid timezones: http://php.net/manual/en/timezones.php
*/
'timezone' => 'Europe/Ljubljana',
/*
* Enable
*
* Which functionality in simpleSAMLphp do you want to enable. Normally you would enable only
* one of the functionalities below, but in some cases you could run multiple functionalities.
* In example when you are setting up a federation bridge.
*/
'enable.saml20-idp' => true,
'enable.shib13-idp' => false,
'enable.adfs-sp' => false,
'enable.wsfed-sp' => false,
'enable.authmemcookie' => false,
/*
* Languages available, RTL languages, and what language is default
*/
'language.available' => array('sl', 'en', 'no', 'nn', 'se', 'da', 'de', 'sv', 'fi', 'es', 'fr', 'it', 'nl', 'lb', 'cs', 'lt', 'hr', 'hu', 'pl', 'pt', 'pt-BR', 'tr', 'ja', 'zh-tw', 'ru', 'et', 'he'),
'language.rtl' => array('ar','dv','fa','ur','he'),
'language.default' => 'en',
/*
* Authentication processing filters that will be executed for all IdPs
* Both Shibboleth and SAML 2.0
*/
'authproc.idp' => array(
/* Enable the authproc filter below to add URN Prefixces to all attributes
10 => array(
'lass' => 'core:AttributeMap', 'addurnprefix'
), */
/* Enable expirycheck module
*
* warndaysbefore - how many days before expiry date the "about to expire" warning will show to the user.
* date_format - date format in PHP Date() syntax
*
*/
10 => array(
'class' => 'expirycheck:ExpiryDate',
'netid_attr' => 'eduPersonPrincipalName',
'expirydate_attr' => 'schacExpiryDate',
'warndaysbefore' => '60',
'date_format' => 'd.m.Y',
),
// Enable the authproc filter below to automatically generated eduPersonTargetedID.
20 => 'core:TargetedID',
// Adopts language from attribute to use in UI
30 => 'core:LanguageAdaptor',
45 => array(
'class' => 'core:StatisticsWithAttribute',
'attributename' => 'realm',
'type' => 'saml20-idp-SSO',
),
/* When called without parameters, it will fallback to filter attributes ‹the old way›
* by checking the 'attributes' parameter in metadata on IdP hosted and SP remote.
*/
49 => array('class' => 'core:AttributeMap', 'name2oid', '%duplicate'),
50 => array(
'class' => 'core:AttributeLimit',
'default' => TRUE,
'eduPersonTargetedID', 'eduPersonAffiliation',
),
/*
* Consent module is enabled (with no permanent storage, using cookies).
*/
90 => array(
'class' => 'consent:Consent',
'store' => 'consent:Cookie',
'focus' => 'yes',
'checked' => TRUE
),
// If language is set in Consent module it will be added as an attribute.
99 => 'core:LanguageAdaptor',
),
authsources.php (v mapi /opt/simplesamlphp/config/) - datoteka z nastavitvami avtentikacijskega vira (prikazani so samo izseki vsebine, ki jih je potrebno ustrezno nastaviti)
V primeru, da se imenik LDAP ne nahaja na istem strežniku kot IdP, je potrebno nastavitve ustrezno prilagoditi. Prav tako je takrat potrebno uporabiti varno (TLS) povezavo do imenika LDAP.
// Example of a LDAP authentication source.
'ldap' => array(
'ldap:LDAP',
// The hostname of the LDAP server.
'hostname' => 'localhost',
// Whether SSL/TLS should be used when contacting the LDAP server. //
'enable_tls' => FALSE,
// Whether debug output from the LDAP library should be enabled.
// Default is FALSE.
'debug' => FALSE,
// The timeout for accessing the LDAP server, in seconds.
// The default is 0, which means no timeout.
'timeout' => 0,
// Which attributes should be retrieved from the LDAP server.
// This can be an array of attribute names, or NULL, in which case
// all attributes are fetched.
'attributes' => array('cn', 'sn', 'o', 'facsimileTelephoneNumber', 'postalAddress',
'postalCode', 'registeredAddress', 'displayName', 'givenName',
'mail', 'mobile', 'preferredLanguage', 'eduPersonAffiliation',
'eduPersonPrimaryAffiliation','eduPersonScopedAffiliation', 'eduPersonPrincipalName', 'eduPersonEntitlement',
'schacMotherTongue', 'schacGender', 'schacDateOfBirth',
'schacPlaceOfBirth', 'schacCountryOfCitizenship', 'schacSn1',
'schacSn2', 'schacHomeOrganization', 'schacHomeOrganizationType',
'schacPersonalPosition', 'schacPersonalUniqueCode',
'schacPersonalUniqueID', 'schacUUID', 'schacExpiryDate'),
/*
* The pattern which should be used to create the users DN given the username.
* %username% in this pattern will be replaced with the users username.
*
* This option is not used if the search.enable option is set to TRUE.
*/
'dnpattern' => 'eduPersonPrincipalName=%username%,dc=organizacija,dc=si',
/*
* As an alternative to specifying a pattern for the users DN, it is possible to
* search for the username in a set of attributes. This is enabled by this option.
*/
'search.enable' => FALSE,
/*
* The DN which will be used as a base for the search.
* This can be a single string, in which case only that DN is searched, or an
* array of strings, in which case they will be searched in the order given.
*/
'search.base' => NULL,
/*
* The attribute(s) the username should match against.
*
* This is an array with one or more attribute names. Any of the attributes in
* the array may match the value the username.
*/
'search.attributes' => NULL,
/*
* The username & password the simpleSAMLphp should bind to before searching. If
* this is left as NULL, no bind will be performed before searching.
*/
'search.username' => "cn=root,dc=organizacija,dc=si",
'search.password' => "geslo",
// If the directory uses privilege separation,
// the authenticated user may not be able to retrieve
// all required attribures, a privileged entity is required
// to get them. This is enabled with this option.
'priv.read' => FALSE,
// The DN & password the simpleSAMLphp should bind to before
// retrieving attributes. These options are required if
// 'priv.read' is set to TRUE.
'priv.username' => NULL,
'priv.password' => NULL,
),
saml20-idp-hosted.php (v mapi /opt/simplesamlphp/metadata/) - datoteka z metapodatki vašega IdP (prikazani so samo izseki vsebine, ki jih je potrebno ustrezno nastaviti)
Navodila za izdelavo samopodpisanega certifikata se nahajajo na spletni strani tehnične dokumentacije.
$metadata['https://idp.organizacija.si/idp/20110921'] = array(
// The hostname of the server (VHOST) that this SAML entity will use.
'host' => 'idp.organizacija.si',
// X.509 key and certificate. Relative to the cert directory.
'privatekey' => 'idp.organizacija.si.key.pem',
'certificate' => 'idp.organizacija.si.crt.pem',
// Sign SAML requests
'redirect.sign' => true,
'redirect.validate' => false,
// Authentication plugin to use. login.php is the default one that uses LDAP.
'auth' => 'ldap',
// Show privacy policy - this will be shown on the consent page. %SPENTITYID%
'privacypolicy' => 'http://www.organizacija.si/pravila.html',
// Set attribute name format
'AttributeNameFormat' => 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri',
//Shibboleth Scope: all domains this IdP authenticates
'scope' => array ('organizacija.si', 'poddomena.organizacija.si', 'nasa-domena.si'),
)
Naslednji korak: Nastavitev osveževanja metapodatkov
