- Requirements Hardware
- Software that will be installed
- Installation
- Configuration
- Configure SSL on Apache2
- Configure SimpleSAMLphp
- Configure the Identity Provider
- Configure Metadata
- Configure Attribute Release Policies
- Configure SAML Metadata Credentials
- Configure the authentication source
- Configure automatic download of Federation Metadata
- Add translations of the new 'schacHomeOrganizationType' attribute
- Enable UTF-8 on IdP metadata (to avoid encoding problems with accents)
- Download IdP Metadata
- Register IdP on IDEM Entity Registry
- Appendix A - How to manage sessions with Memcache
- Appendix B - How to collect useful-statistics
- Utility
- Authors
- CPU: 2 Core
- RAM: 4 GB
- HDD: 20 GB
- ca-certificates
- ntp
- vim
- apache2 (>= 2.4)
- php php-curl php-dom php-mbstring php-dev libmcrypt-dev php-pear build-essential
- memcached php-memcached
- openssl
- cron
- curl
The software installation provided by this guide is intended to run by ROOT user so...
sudo su -
-
Change the default mirror with the GARR ones:
sed -i 's/deb.debian.org/debian.mirror.garr.it/g' /etc/apt/sources.list
apt update && apt upgrade
-
Install the required packages:
apt install ca-certificates vim openssl
-
Modify your
/etc/hosts
:-
vim /etc/hosts
127.0.1.1 ssp-idp.example.org ssp-idp
(Replace
ssp-idp.example.org
with your SP Full Qualified Domain Name) -
-
Be sure that your firewall doesn't block traffic on port 443 (or you can't access to your IdP)
-
Import SSL credentials:
- Import SSL Certificate into:
/etc/ssl/certs/ssp-idp.example.org.crt
- Import SSL Key into:
/etc/ssl/private/ssp-idp.example.org.key
- Import SSL CA:
/usr/local/share/ca-certificates/ssl-ca.crt
- Run the command:
update-ca-certificates
- Import SSL Certificate into:
-
Become ROOT:
sudo su
-
Prepare the environment:
-
apt install apache2 ntp php php-curl php-dom php-mbstring libmcrypt-dev curl cron build-essential --no-install-recommends
-
-
Install SimpleSAMLphp:
cd /var/
-
wget https://github.com/simplesamlphp/simplesamlphp/releases/download/v1.19.5/simplesamlphp-1.19.5.tar.gz
tar xzf simplesamlphp-1.19.5.tar.gz
mv simplesamlphp-1.19.5 simplesamlphp
-
Create a new directory for IdP:
mkdir /var/www/html/ssp-idp.example.org
sudo chown -R www-data: /var/www/html/ssp-idp.example.org
-
Create a new Virtualhost file as follows:
vim /etc/apache2/sites-available/ssp-idp.example.org-ssl.conf
# Configure Apache2 to redirect all HTTP traffic to HTTPS <VirtualHost *:80> ServerName "ssp-idp.example.org" Redirect permanent "/" "https://ssp-idp.example.org/" </VirtualHost> <IfModule mod_ssl.c> SSLStaplingCache shmcb:/var/run/ocsp(128000) <VirtualHost _default_:443> ServerName ssp-idp.example.org ServerAdmin admin@example.org DocumentRoot /var/www/html/ssp-idp.example.org #LogLevel info ssl:warn ErrorLog ${APACHE_LOG_DIR}/error.log CustomLog ${APACHE_LOG_DIR}/access.log combined SSLEngine On SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 SSLCipherSuite "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH" SSLHonorCipherOrder on # Disable SSL Compression SSLCompression Off # OCSP Stapling, only in httpd/apache >= 2.3.3 SSLUseStapling on SSLStaplingResponderTimeout 5 SSLStaplingReturnResponderErrors off # Enable HTTP Strict Transport Security with a 2 year duration Header always set Strict-Transport-Security "max-age=63072000;includeSubDomains;preload" SSLCertificateFile /etc/ssl/certs/ssp-idp.example.org.crt SSLCertificateKeyFile /etc/ssl/private/ssp-idp.example.org.key SSLCACertificateFile /etc/ssl/certs/ca-certificates.crt # Enable and Redirect to SimpleSamlPhp - Apache 2.4 configuration SetEnv SIMPLESAMLPHP_CONFIG_DIR /var/simplesamlphp/config Alias /simplesaml /var/simplesamlphp/www RedirectMatch ^/$ /simplesaml <Directory /var/simplesamlphp/www> <IfModule mod_authz_core.c> Require all granted </IfModule> </Directory> </VirtualHost> </IfModule>
-
Enable the following Apache2 modules:
a2enmod ssl
- To support SSL protocola2enmod headers
- To control of HTTP request and response headers.a2enmod alias
- To manipulation and control of URLs as requests arrive at the server.a2enmod include
- To process files before they are sent to the client.a2enmod negotiation
- Essential Apache modulea2ensite ssp-idp.example.org-ssl.conf
a2dissite 000-default.conf
systemctl restart apache2.service
-
Verify the strength of your IdP's machine on:
-
OPTIONAL STEPS: If you want to host your IdP's Information/Privacy pages on the IdP itself, follow the next steps:
-
Create all needed files with:
-
vim /var/www/html/ssp-idp.example.org/info_page.html
<html> <head><title>Information Page</title></head> <body> <h1>Put here IdP Information page content</h1> </body> </html>
-
vim /var/www/html/ssp-idp.example.org/privacy_page.html
<html> <head><title>Privacy Page</title></head> <body> <h1>Put here IdP Privacy page content</h1> </body> </html>
-
touch /var/www/html/ssp-idp.example.org/logo.png
(80x60 px or bigger with the same aspect-ratio) -
touch /var/www/html/ssp-idp.example.org/favicon.png
(16x16 px or bigger with the same aspect-ratio)
-
-
Replace them with the correct content.
-
-
Assign the ownership of the SimpleSAMLphp logs to Apache user:
chown www-data /var/simplesamlphp/log
-
Generate some useful opaque strings:
-
User Admin Password (
auth.adminpassword
):php /var/simplesamlphp/bin/pwgen.php
-
Secret Salt (
secretsalt
):tr -c -d '0123456789abcdefghijklmnopqrstuvwxyz' </dev/urandom | dd bs=32 count=1 2>/dev/null ; echo
-
-
Change SimpleSAMLphp configuration:
-
vim /var/simplesamlphp/config/config.php
'baseurlpath' => 'simplesaml/', /* ...other things... */ 'technicalcontact_name' => 'Technical Contact', 'technicalcontact_email' => 'service.support@example.com', /* ...other things... */ 'secretsalt' => '#_YOUR_SECRET_SALT_HERE_#', /* ...other things... */ 'auth.adminpassword' => '#_YOUR_USER_ADMIN_PASSWORD_#', /* ...other things... */ 'admin.protectindexpage' => true, /* ...other things... */ 'logging.level' => 'SimpleSAML\Logger::NOTICE', 'logging.handler' => 'syslog', /* ...other things... */ 'enable.saml20-idp' => true, /* ...other things ... */ 'theme.header' = '#_YOUR_ORGANIZATION_NAME_#', /* ...other things ... */ // Comment out all content of "authproc.idp" because we will use the 'authproc' into 'saml20-idp-hosted.php' metadata /* ...other things... */ 'store.type' => 'phpsession',
-
vim /etc/rsyslog.d/22-ssp-log.conf
# SimpleSAMLphp logging local5.* /var/log/simplesamlphp.log # Notice level is reserved for statistics only... local5.=notice /var/log/simplesamlphp.stat
-
sudo systemctl restart rsyslog.service
-
-
Check Login on the SSP appliance and retrieve the IdP "Entity ID" from "Fedearation" tab:
https://ssp-idp.example.org/
-
Configure a SMTP server to send mail only (Example):
-
apt install mailutils postfix --no-install-recommends
(Internet Site => Insert your IdP FQDN) -
vim /etc/postfix/main.cf
/* ...other things... */ inet_interfaces = localhost /* ...other things... */
-
systemctl restart postfix.service
-
-
if MDX IDEM is not used, set PHP
memory_limit
to '1024M' or more to allow the download of huge metadata files (like eduGAIN):-
vim /etc/php/7.3/mods-available/ssp.ini
; configuration for SSP ; priority=20 memory_limit = 1024M
-
sudo phpenmod ssp
-
systemctl restart apache2.service
-
-
vim /var/simplesamlphp/metadata/saml20-idp-hosted.php
$metadata['__DYNAMIC:1__'] = [ 'host' => '__DEFAULT__', 'privatekey' => 'ssp-idp.key', 'certificate' => 'ssp-idp.crt', 'scope' => ['<INSERT-HERE-IDP-SCOPE>'], // Usually the scope is the domain name 'userid.attribute' => 'uid', // useless: added only to avoid error messages on the log file 'UIInfo' => [ 'DisplayName' => [ 'en' => '<INSERT-HERE-THE-ENGLISH-IDP-DISPLAY-NAME>', 'it' => '<INSERT-HERE-THE-ITALIAN-IDP-DISPLAY-NAME>', ], 'Description' => [ 'en' => '<INSERT-HERE-THE-ENGLISH-IDP-DESCRIPTION>', 'it' => '<INSERT-HERE-THE-ITALIAN-IDP-DESCRIPTION>', ], 'InformationURL' => [ 'en' => '<INSERT-HERE-THE-ENGLISH-INFORMATION-PAGE-URL>', 'it' => '<INSERT-HERE-THE-ITALIAN-INFORMATION-PAGE-URL>', ], 'PrivacyStatementURL' => [ 'en' => '<INSERT-HERE-THE-ENGLISH-PRIVACY-POLICY-PAGE-URL>', 'it' => '<INSERT-HERE-THE-ITALIAN-PRIVACY-POLICY-PAGE-URL>', ], 'Logo' => [ [ 'url' => '<INSERT-HERE-THE-80X60-LOGO-URL>', 'height' => 60, 'width' => 80, ], [ 'url' => '<INSERT-HERE-THE-16X16-LOGO-URL>', 'height' => 16, 'width' => 16, ], ], ], 'OrganizationName' => [ 'en' => '<INSERT-HERE-THE-ENGLISH-ORGANIZATION-NAME>', 'it' => '<INSERT-HERE-THE-ITALIAN-ORGANIZATION-NAME>', ], 'OrganizationDisplayName' => [ 'en' => '<INSERT-HERE-THE-ENGLISH-ORGANIZATION-DISPLAY-NAME>', 'it' => '<INSERT-HERE-THE-ITALIAN-ORGANIZATION-DISPLAY-NAME>', ], 'OrganizationURL' => [ 'en' => '<INSERT-HERE-THE-ENGLISH-ORGANIZATION-PAGE-URL>', 'it' => '<INSERT-HERE-THE-ENGLISH-ORGANIZATION-PAGE-URL>', ], /*Uncomment the following to use the uri NameFormat on attributes.*/ 'attributes.NameFormat' => 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri', /* eduPersonTargetedID with oid NameFormat is a raw XML value */ 'attributeencodings' => ['urn:oid:1.3.6.1.4.1.5923.1.1.1.10' => 'raw'], 'NameIDFormat' => [ 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient', 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent' ], 'authproc' => [ // Generate the transient NameID. 1 => [ 'class' => 'saml:TransientNameID', ], // Generate the persistent NameID 2 => [ 'class' => 'saml:PersistentNameID', 'attribute' => 'uid', // the source attribute needed by the NameID generation ], // Add schacHomeOrganization for domain of entity 10 => [ 'class' => 'core:AttributeAdd', 'schacHomeOrganization' => '<INSERT-HERE-YOUR-DOMAIN-NAME>', 'schacHomeOrganizationType' => 'urn:schac:homeOrganizationType:eu:higherEducationalInstitution', ], // Add eduPersonPrincipalName 11 => [ 'class' => 'core:ScopeAttribute', 'scopeAttribute' => 'schacHomeOrganization', 'sourceAttribute' => 'uid', 'targetAttribute' => 'eduPersonPrincipalName', ], // Add eduPersonScopedAffiliation 12 => [ 'class' => 'core:ScopeAttribute', 'scopeAttribute' => 'eduPersonPrincipalName', 'sourceAttribute' => 'eduPersonAffiliation', 'targetAttribute' => 'eduPersonScopedAffiliation', ], // Enable this authproc filter to automatically generated eduPersonTargetedID/persistent nameID 20 => [ 'class' => 'saml:PersistentNameID2TargetedID', 'attribute' => 'eduPersonTargetedID', 'nameId' => true, ], // Adopts language from attribute to use in UI 30 => 'core:LanguageAdaptor', 45 => [ 'class' => 'core:StatisticsWithAttribute', 'attributename' => 'realm', 'type' => 'saml20-idp-SSO', ], // The Attribute Limit will be use to release all possibile values supported by IdP // Remember to comment out the same part with "50" on config/config.php file or no attributes will be released 50 => [ 'class' => 'core:AttributeLimit', 'uid','givenName','sn','cn','mail','displayName','mobile', 'title','preferredLanguage','telephoneNumber', 'schacMotherTongue','schacPersonalTitle','schacHomeOrganization', 'schacHomeOrganizationType','schacUserPresenceID','schacPersonalPosition', 'schacPersonalUniqueCode','schacPersonalUniqueID', 'eduPersonPrincipalName','eduPersonEntitlement', 'eduPersonTargetedID','eduPersonOrcid','eduPersonOrgDN','eduPersonOrgUnitDN', 'eduPersonScopedAffiliation','eduPersonAffiliation' => [ 'student', 'staff', 'member', 'alum', 'affiliate', 'library-walk-in', 'faculty', // NO IDEM 'employee', // NO IDEM ], ], // Convert the attributes' names into OID because // SSP will use them from parsed metadata on the $attributes array. 51 => ['class' => 'core:AttributeMap','name2oid'], // IDEM Attribute Filter: // IDEM SPs + Entity Category SPs + Custom SPs 60 =>[ 'class' => 'core:PHP', 'code' => ' $config_dir = apache_getenv("SIMPLESAMLPHP_CONFIG_DIR"); include($config_dir."/idem-attribute-filter.php"); ' ], // Convert the attributes' names into Name // to be able to see their names on the Consent page 80 => ['class' => 'core:AttributeMap','oid2name'], // Consent module is enabled (with no permanent storage, using cookies) 90 => [ 'class' => 'consent:Consent', 'store' => 'consent:Cookie', 'focus' => 'yes', 'checked' => false ], // If language is set in Consent module it will be added as `preferredLanguage` attribute 99 => 'core:LanguageAdaptor', // Convert LDAP names to oids needed to send attributes to the SP 100 => ['class' => 'core:AttributeMap', 'name2oid'], ], ];
⚠️ These rules have been tested on a Test Federation: Be careful to use without having understood them before!
The following rules are set with the
idem-attribute-filter.php
file used by thesaml20-idp-hosted.php
file.IDEM + Entity Category + Custom SPs Attribute Release Policies:
- Release "
eduPersonTargetedID
" ONLY IF the preferred "<md:NameIDFormat>
" of the SP IS NOT the "persistent
" ones.- Release the "
eduPersonScopedAffiliation
" to all IDEM SPs- Release all required (
isRequired="true"
) attributes to all IDEM SPs- Release all required (
isRequired="true"
) attributes to all CoCo SP (if the EC is supported)- Release all R&S subset attributes:
givenName
,sn
,displayName
,eduPersonScopedAffiliation
,eduPersonPrincipalName
,eduPersonTargetedID
- Release attributes to those SPs that do not requrest attributes by their metadata, or that has needed to receive a specific value for one or more attributes
-
Download IDEM ARP into SimpleSAMLphp
config
directory:cd /var/simplesamlphp/config
sudo wget https://registry.idem.garr.it/idem-conf/simplesamlphp/SSP1/idem-attribute-filter.php
-
Change the
require
line intoidem-attribute-filter.php
by setting the correct path of theattributemap.php
file
-
vim /var/simplesamlphp/cert/ssp-idp-credentials.cnf
:[req] default_bits=4096 default_md=sha256 encrypt_key=no distinguished_name=dn # PrintableStrings only string_mask=MASK:0002 prompt=no x509_extensions=ext # customize the "default_keyfile,", "CN" and "subjectAltName" lines below default_keyfile=ssp-idp.key [dn] CN=ssp-idp.example.org [ext] subjectAltName = DNS:ssp-idp.example.org, \ URI:https://ssp-idp.example.org/idp/simplesaml subjectKeyIdentifier=hash
-
cd /var/simplesamlphp/cert
-
openssl req -new -x509 -config ssp-idp-credentials.cnf -text -out ssp-idp.crt -days 3650
-
chown -R www-data: /var/simplesamlphp/cert
-
chmod 400 /var/simplesamlphp/cert/ssp-idp.key
-
Enable LDAP PHP module:
apt install php-ldap
systemctl restart apache2.service
-
Enable ldap:LDAP Authentication Source:
-
vim /var/simplesamlphp/config/authsources.php
<?php $config = [ // This is a authentication source which handles admin authentication. 'admin' => [ 'core:AdminPassword', ], // LDAP authentication source. 'ldap' => [ 'ldap:LDAP', 'hostname' => 'ldap.example.org', 'enable_tls' => true, 'debug' => false, 'timeout' => 0, 'port' => 389, 'referrals' => true, 'attributes' => null, 'dnpattern' => 'uid=%username%,ou=people,dc=example,dc=org', 'search.base' => 'ou=people,dc=example,dc=org', 'search.attributes' => ['uid'], 'search.username' => '<LDAP_USER_DN_USED_FOR_QUERIES>', 'search.password' => '<LDAP_USER_PASSWORD>', ], ];
-
-
Connect LDAP to the IdP:
-
vim /var/simplesamlphp/metadata/saml20-idp-hosted.php
/* ...other things before end of file...*/ 'auth' => 'ldap', ];
-
-
Try the LDAP Authentication Source on:
-
https://ssp-idp.example.org/simplesaml/module.php/core/authenticate.php
(Replace
ssp-idp.example.org
with your IDP Full Qualified Domain Name)
-
-
IDEM MDX (recommended): https://mdx.idem.garr.it/
-
IDEM MDS (legacy):
-
Load CRON module:
cd /var/simplesamlphp
cp modules/cron/config-templates/module_cron.php config/
-
Load METAREFRESH module:
cd /var/simplesamlphp
cp modules/metarefresh/config-templates/config-metarefresh.php config/
-
Enable CRON & METAREFRESH modules:
-
vim /var/simplesamlphp/config/config.php
/* ...other things... */ 'module.enable' => [ 'exampleauth' => 'false', 'core' => 'true', 'saml' => 'true', 'cron' => true, 'metarefresh' => true, 'consent' => true, ], /* ...other things... */
-
-
Test it:
cd /var/simplesamlphp/modules/metarefresh/bin
./metarefresh.php -s http://md.idem.garr.it/metadata/idem-test-metadata-sha256.xml > metarefresh-test.txt
-
Generate the CRON
<SECRET>
:tr -c -d '0123456789abcdefghijklmnopqrstuvwxyz' </dev/urandom | dd bs=32 count=1 2>/dev/null ; echo
-
Change the CRON configuration file:
-
vim /var/simplesamlphp/config/module_cron.php
<?php /* * Configuration for the Cron module. */ $config = [ 'key' => '<SECRET>', 'allowed_tags' => ['hourly'], 'debug_message' => TRUE, 'sendemail' => TRUE, ]; ?>
-
-
Insert the following Cron job to the crontab file (
crontab -e
):# Run cron: [hourly] 01 * * * * root curl --silent "https://idp.example.org/simplesaml/module.php/cron/cron.php?key=<SECRET>&tag=hourly" > /dev/null 2>&1
-
Configure METAREFRESH:
-
vim /var/simplesamlphp/config/config-metarefresh.php
<?php $config = [ /* * Global blacklist: entityIDs that should be excluded from ALL sets. */ #'blacklist' = array( # 'http://my.own.uni/idp' #), /* * Conditional GET requests * Efficient downloading so polling can be done more frequently. * Works for sources that send 'Last-Modified' or 'Etag' headers. * Note that the 'data' directory needs to be writable for this to work. */ #'conditionalGET' => TRUE, 'sets' => [ 'idem' => [ 'cron' => ['hourly'], 'sources' => [ [ 'src' => 'http://md.idem.garr.it/metadata/idem-test-metadata-sha256.xml', 'certificates' => [ '/var/simplesamlphp/cert/federation-cert.pem', ], 'template' => [ 'tags' => ['idem'], 'authproc' => [ 51 => ['class' => 'core:AttributeMap', 'oid2name'], ], ], /* * The sets of entities to load, any combination of: * - 'saml20-idp-remote' * - 'saml20-sp-remote' * - 'shib13-idp-remote' * - 'shib13-sp-remote' * - 'attributeauthority-remote' * * All of them will be used by default. */ 'types' => ['saml20-sp-remote'], // Load only SAML v2.0 SP from metadata ], ], 'expireAfter' => 864000, // Maximum 10 days cache time (3600*24*10) 'outputDir' => 'metadata/', /* * Which output format the metadata should be saved as. * Can be 'flatfile' or 'serialize'. 'flatfile' is the default. */ 'outputFormat' => 'flatfile', ], ], ];
-
-
Change SimpleSAMLphp configuration to load the new metadata provider:
-
vim /var/simplesamlphp/config/config.php
'metadata.sources' => [ ['type' => 'flatfile'], ],
-
-
Remove not needed files from:
cd /var/simplesamlphp/metadata ; rm !(saml20-idp-hosted.php)
-
Download the Federation signing certificate:
-
wget https://md.idem.garr.it/certs/idem-signer-20241118.pem -O /var/simplesamlphp/cert/federation-cert.pem
-
-
Check the validity of the signing certificate:
-
cd /var/simplesamlphp/cert
-
openssl x509 -in federation-cert.pem -fingerprint -sha1 -noout
(sha1: 0E:21:81:8E:06:02:D1:D9:D1:CF:3D:4C:41:ED:5F:F3:43:70:16:79)
-
openssl x509 -in federation-cert.pem -fingerprint -md5 -noout
(md5: 73:B7:29:FA:7C:AE:5C:E7:58:1F:10:0B:FC:EE:DA:A9)
-
-
Go to 'https://ssp-idp.example.org/simplesaml/module.php/core/frontpage_federation.php' and forcing download of the Federation metadata by pressing on
Metarefresh: fetch metadata
or wait 1 day
-
-
vim /var/simplesamlphp/dictionaries/attributes.definition.json
/* ...other things... */ "attribute_schachomeorganization":{ "en": "Home organization domain name" }, "attribute_schachomeorganizationtype":{ "en": "Home organization type" }, /* ...other things... */
(Pay attention also to "commas"!)
-
vim /var/simplesamlphp/dictionaries/attributes.translation.json
/* ...other things before the end of file... */ "attribute_schachomeorganizationtype":{ "it": "Tipo di Organizzazione" } }
(Pay attention also to "commas"!)
-
vim /var/simplesamlphp/vendor/simplesamlphp/saml2/src/SAML2/DOMDocumentFactory.php
/* ...other things... */ public static function create() { return new \DOMDocument('1.0','utf-8'); } }
https://ssp-idp.example.org/simplesaml/saml2/idp/metadata.php
(change ssp-idp.example.org
to you IDP full qualified domain name)
- Go to
https://registry.idem.garr.it
and follow "Insert a New Identity Provider into the IDEM Test Federation" (your entity has to be approved by an IDEM Federation Operator before become part of IDEM Test Federation)
-
Install needed packages:
sudo apt install memcached php-memcached
-
Enable PHP memcached module:
sudo phpenmod memcached
-
Restart Apache:
sudo systemctl restart apache2.service
-
Enable memcache on simplesamlphp:
-
vim /var/simplesamlphp/config/config.php
/* ...other things... */ 'store.type' => 'memcache', /* ...other things... */
-
Follow https://simplesamlphp.org/docs/stable/statistics:statistics
- The Mozilla Observatory: The Mozilla Observatory has helped over 240,000 websites by teaching developers, system administrators, and security professionals how to configure their sites safely and securely.
- Marco Malavolti (marco.malavolti@garr.it)