simplesamlphp-install.txt

simpleSAMLphp Installation and Configuration
============================================

<!-- 
	This file is written in Markdown syntax. 
	For more information about how to use the Markdown syntax, read here:
	http://daringfireball.net/projects/markdown/syntax
-->

  * Version: `$Id$`



simpleSAMLphp news and documentation
------------------------------------

This document is part of the simpleSAMLphp documentation suite.

 * [List of all simpleSAMLphp documentation](http://rnd.feide.no/view/simplesamlphpdocs)
 * [Latest news about simpleSAMLphp](http://rnd.feide.no/taxonomy/term/4). (Also conatins an RSS feed)
 * [simpleSAMLphp homepage](http://rnd.feide.no/simplesamlphp)


Developement version
--------------------

This document is about the latest stable version of simpleSAMLphp.
If you want to install the developement version, look at the instructions for [installing simpleSAMLphp from Subversion](http://rnd.feide.no/content/installing-simplesamlphp-subversion).


Prerequisites
-------------

 * Some webserver capable of executing PHP scripts.
 * PHP version >= 5.2.0.
 * Suppoort for the following PHP extensions:
   * Always required: `date`, `dom`, `hash`, `libxml`, `openssl`, `pcre`, `SPL`, `zlib`
   * When encrypting assertions: `mcrypt`
   * When authenticating against LDAP server: `ldap`
   * When authenticating against RADIUS server: `radius`
   * When saving session information to memcache-server: `memcache`
   * When using database:
     * Always: `PDO`
     * Database driver: (`mysql`, `pgsql`, ...)

What actual packages are required for the various extensions varies between different platforms and distributions.


Download and install simpleSAMLphp
----------------------------------

The most recent relase of simpleSAMLphp is found at [code.google.com/p/simplesamlphp/](http://code.google.com/p/simplesamlphp/).
To obtain the latest stable version, download the archive file listed under Featured Dowloads.

Go to the directory where you want to install simpleSAMLphp, and extract the archive file you just downloaded:

    cd /var
    tar xzf simplesamlphp-1.x.y.tar.gz
    mv simplesamlphp-1.x.y simplesamlphp

## Upgrading from a previous version of simpleSAMLphp

Extract the new version:

    cd /var
    tar xzf simplesamlphp-1.x.y.tar.gz

Copy the configuration files from the previous version:

    cd /var/simplesamlphp-1.x.y
    rm -rf config metadata
    cp -rv ../simplesamlphp/config config
    cp -rv ../simplesamlphp/metadata metadata

Replace the old version with the new version:

    cd /var
    mv simplesamlphp simplesamlphp.old
    mv simplesamlphp-1.x.y simplesamlphp


If the format of the config files or metadata has changed from your previous version of simpleSAMLphp (check the revision log), you may have to update your configuration and metadata after updating the simpleSAMLphp code:


### Upgrading configuration files

A good approach is to run a `diff` between your preivous `config.php` file and the new `config.php` file located in `config-templates/config.php`, and apply relevant modifications to the new template. This will ensure that all new entries in the latest version of config.php are included, as well as preserve your local modifications.

There is a link to a configuration check utility from the frontpage of your simpleSAMLphp installation page. The name of the link is "simpleSAMLphp configuration check". Then you will get a list of all configuration files in your `config/` directory. Click through the files, and you will get a report on superfluous and missing entries in the configuration file. What is done under the hood is that simpleSAMLphp looks up the `config-templates/` directory and compares to your real config. Although not all option is required to have in the configuration files, it's a good thumb rule to include them nontheless, so you simply see what configuration is possible.


### Upgrading metadata files

Most likely the metadata format is backwards compatible. If not, you should receive a very clear error message at startup indicating how and what you need to update. You should look through the metadata in the metadata-templates directory after the upgrade to see whether recommended defaults have been changed.


Configuring Apache
------------------

Examples below assume that simpleSAMLphp is installed in the default location, `/var/simplesamlphp`. You may choose another location, but this requires a path update in a few files. See Appendix for details ‹Installing simpleSAMLphp in alternative locations›.

The only subdirectories of `simpleSAMLphp` that needs to be accessible from the web is `www`. There are several ways of putting the simpleSAMLphp depending on the way web sites are structured on your apache web server. Here is what I believe is the best configuration.

Find the Apache configuration file for the virtual hosts where you want to run simpleSAMLphp. The configuration may look like this:

    <VirtualHost *>
            ServerName service.example.com
            DocumentRoot /var/www/service.example.com
    
            Alias /simplesaml /var/simplesamlphp/www
    </VirtualHost>

Note the `Alias` directive, which gives control to simpleSAMLphp for all urls matching `http(s)://service.example.com/simplesaml/*`. simpleSAMLphp makes several SAML interfaces available on the web; all of them are included in the `www` subdirectory of your simpleSAMLphp installation. You can name the alias whatever you want, but the name must be specified in the `config.php` file of simpleSAML as described in [the section called “simpleSAMLphp configuration: config.php”](#sect.config "simpleSAMLphp configuration: config.php"). Here is an example of how this configuration may look like in `config.php`:

    $config = array (
    [...]
            'baseurlpath'                   => 'simplesaml/',

simpleSAMLphp configuration: config.php
---------------------------------------

There is a few steps that you should edit in the main configuration
file, `config.php`, right away:

-  Set a administrator password. This is needed to access some of the pages in your simpleSAMLphp installation web interface.

		'auth.adminpassword'        => 'setnewpasswordhere',

-  Set a secret salt. This should be a random string. Some parts of the simpleSAMLphp needs this salt to generate cryptographically secure hashes. SimpleSAMLphp will give an error if the salt is not changed from the default value. The command below can help you to generated a random string on (some) unix systems:

		tr -c -d '0123456789abcdefghijklmnopqrstuvwxyz' </dev/urandom | dd bs=32 count=1 2>/dev/null;echo

    Here is an example of the config option:

		'secretsalt' => 'randombytesinsertedhere',

-  
    Set technical contact information. This information will be
    available in the generated metadata. The e-mail address will also
    be used for receiving error reports sent automatically by
    simpleSAMLphp. Here is an example:

		'technicalcontact_name'     => 'Andreas Åkre Solberg',
		'technicalcontact_email'    => 'andreas.solberg@uninett.no',

-  
    If you use simpleSAMLphp in a country where english is not
    widespread, you may want to change the default language from
    english to something else:

		'language.default'      => 'no',

-  
    Set the timezone which you use:

        'timezone' => 'Europe/Oslo',

    * [List of Supported Timezones at php.net](http://php.net/manual/en/timezones.php)


Configuring PHP
---------------

### Sending e-mails from PHP

Some parts of simpleSAMLphp will allow you to send e-mails. In example sending error reports to technical admin, as well as sending in metadata to the federation administrators. If you want to make use of this functionality, you should make sure your PHP installation is configured to be able to send e-mails. It's a common problem that PHP is not configured to send e-mails properly. The configuration differs from system to system. On UNIX, PHP is using sendmail, on Windows SMTP.


Enable modules
--------------

If you want to enable some of the modules that are installed with simpleSAMLphp, but are disabled by default, you should create an empty file in the module directory named `enable`.

    # Enabling the consent module
    cd modules
    ls -l
    cd consent
    touch enable

If you later want to disable the module, rename the `enable` file
to `disable`.

    cd modules/consent
    mv enable disable



The simpleSAMLphp installation webpage
--------------------------------------

After installing simpleSAMLphp, you can access the homepage of your installation, which contains some information and a few links to the test services. The url of an installation can be e.g.:

	https://service.example.org/simplesaml/

The exact link depends on how you set it up with Apache, and off course on your hostname.

### Warning

Don't click on any of the links yet, because they require you to
either have setup simpleSAMLphp as an Service Provider or as an
Identity Provider.

Here is an example screenshot of what the simpleSAMLphp page looks
like:

![Screenshot of the simpleSAMLphp installation page.](http://rnd.feide.no/doc/resources/simplesamlphp-install/screenshot-installationpage.png)

### Check your PHP environment

At the bottom of the installation page are some green lights. simpleSAML runs some tests to see whether required and recommended prerequisites are met. If any of the lights are red, you may have to add some extensions or modules to PHP, e.g. you need the PHP LDAP extension to use the LDAP authentication module.

## Next steps

You have now successfully installed simpleSAMLphp, and the next steps depends on whether you want to setup a service provider, to protect a website by authentication or if you want to setup an identity provider and connect it to a user catalog. Documentation on bridging between federation protocols is found in a separate document.

-  [Setting up simpleSAMLphp as a service provider](http://rnd.feide.no/content/using-simplesamlphp-service-provider)
-  [Setting up simpleSAMLphp as an identity provider](http://rnd.feide.no/content/using-simplesamlphp-identity-provider)
-  [Setting up simpleSAMLphp with Google Apps for Eduation](http://rnd.feide.no/content/simplesamlphp-idp-google-apps-education)
-  [Advanced simpleSAMLphp features](http://rnd.feide.no/content/simplesamlphp-advanced-features)
-  [simpleSAMLphp maintenance and configuration](http://rnd.feide.no/content/simplesamlphp-maintenance-and-configuration)


Support
-------

If you need help to make this work, or want to discuss simpleSAMLphp with other users of the software, you are fortunate: Around simpleSAMLphp there is a great Open source community, and you are welcome to join! The forums are open for you to ask questions, contribute answers other further questions, request improvements or contribute with code or plugins of your own.

-  [simpleSAMLphp homepage (at Feide RnD)](http://rnd.feide.no/simplesamlphp)
-  [List of all available simpleSAMLphp documentation](http://rnd.feide.no/view/simplesamlphpdocs)
-  [Join the simpleSAMLphp user's mailing list](http://rnd.feide.no/content/simplesamlphp-users-mailinglist)
-  [Visit and contribute to the simpleSAMLphp wiki](https://ow.feide.no/simplesamlphp:start)




Installing simpleSAMLphp in alternative locations
-------------------------------------------------

There may be several reasons why you want to install simpleSAMLphp
in an alternative way.

1.	You are installing simpleSAMLphp in a hosted environment where you
	do not have root access, and cannot change Apache configuration.
	Still you can install simpleSAMLphp - keep on reading.

2.	You have full permissions to the server, but cannot edit Apache
	configuration for some reason, polictics, policy or whatever.


The SimpleSAMLphp code contains one folder named `simplesamlphp`. In this folder there are a lot of subfolders for library, metadata, configuration and much more. One of these folders is named `www`. This and *only this* folder should be exposed on the web. The reccomended configuration is to put the whole `simplesamlphp` folder outside the webroot, and then link in the `www` folder by using the `Alias` directive, as described in [the section called “Configuring Apache”](#sect.apacheconfig "Configuring Apache"). But this is not the only possible way.

As an example, let's see how you can install simpleSAMLphp in your home directory on a shared hosting server.

Extract the simpleSAMLphp archive in your home directory:

    cd ~
    tar xzf simplesamlphp-1.x.y.tar.gz
    mv simplesamlphp-1.x.y simplesamlphp

Then you can try to make a symlink into the `public\_html` directory.

    cd ~/public_html
    ln -s ../simplesamlphp/www simplesaml

Next, you need to update the configuration of paths in `simplesamlphp/config/config.php`:

And, then we need to set the `baseurlpath` parameter to match the base path of the URLs to the content of your `www` folder:

    'baseurlpath' => '~andreas/simplesaml/',

Now, you can go to the URL of your installation and check if things work:

    http://yourcompany.com/~andreas/simplesaml/


### Tip

Symlinking may fail, because some Apache configurations do not allow you to link in files from outside the public\_html folder. If so, move the folder instead of symlinking:

    cd ~/public_html
    mv ../simplesamlphp/www simplesaml

Now you have the following directory structure.

-   `~/simplesamlphp`

-  
    `~/public_html/simplesaml` where `simplesaml` is the `www`
    directory from the `simplesamlphp` installation directory, either
    moved or a symlink.


Now, we need to make a few configuration changes. First, let's edit
`~/public_html/simplesaml/_include.php`:

Change the two lines from:

    require_once(dirname(dirname(__FILE__)) . '/lib/_autoload.php');

to something like:

    require_once('/home/andreas/simplesamlphp/lib/_autoload.php');

And then at the end of the file, you need to change another line
from:

    $configdir = dirname(dirname(__FILE__)) . '/config';

to:

    $configdir = '/home/andreas/simplesamlphp/config';



### Note

In a future version of simpleSAMLphp we'll make this a bit easier, and let you only change the path one place, instead of three as described above.