simplesamlphp-idp.md 10.30 KiB

SimpleSAMLphp Identity Provider QuickStart

This guide describes how to configure SimpleSAMLphp as an identity provider (IdP). You should already have installed SimpleSAMLphp as described in the SimpleSAMLphp installation instructions.

Enabling the Identity Provider functionality

The first thing that must be done is to enable the identity provider functionality. This is done by editing config/config.php. The option enable.saml20-idp controls whether SAML 2.0 IdP support is enabled. Enable it by assigning true to it:

'enable.saml20-idp' => true,

Authentication module

The next step is to configure the way users authenticate on your IdP. Various modules in the modules/ directory provide methods for authenticating your users. This is an overview of those that are included in the SimpleSAMLphp distribution:

authcrypt:Hash
Username & password authentication with hashed passwords.
authcrypt:Htpasswd
Username & password authentication against a .htpasswd file.
authX509:authX509userCert
Authenticate against an LDAP database with an SSL client certificate.
exampleauth:UserPass
Authenticate against a list of usernames and passwords.
exampleauth:Static
Automatically log in as a user with a set of attributes.
ldap:LDAP
Authenticates a user to an LDAP server.
ldap:LDAPMulti
Authenticates a user to one of several LDAP servers. The user can choose the LDAP server from a dropdown list.
sqlauth:SQL
Authenticate a user against a database.
radius:Radius
Authenticates a user to a RADIUS server.
multiauth:MultiAuth
Allow the user to select from a list of authentication sources.
saml:SP
Authenticate against a SAML IdP. Can be used for bridging.
authYubiKey:YubiKey
Authenticate with a YubiKey.
authfacebook:Facebook
Authenticate with a Facebook ID.
authtwitter:Twitter
Authenticate with your Twitter account using the Twitter OAuth API.
papi:PAPI
Authenticate by means of the PAPI protocol.

In this guide, we will use the exampleauth:UserPass authentication module. This module does not have any dependencies, and is therefore simple to set up.

Configuring the authentication module

The exampleauth:UserPass authentication module is part of the exampleauth module. This module isn't enabled by default, so you will have to enable it. In config.php, search for the module.enable key and set exampleauth to true:

    'module.enable' => [
        'exampleauth' => true,
    ],

The next step is to create an authentication source with this module. An authentication source is an authentication module with a specific configuration. Each authentication source has a name, which is used to refer to this specific configuration in the IdP configuration. Configuration for authentication sources can be found in config/authsources.php.

In this setup, this file should contain a single entry:

<?php
$config = [
	'example-userpass' => [
		'exampleauth:UserPass',
		'student:studentpass' => [
			'uid' => ['student'],
			'eduPersonAffiliation' => ['member', 'student'],
		],
		'employee:employeepass' => [
			'uid' => ['employee'],
			'eduPersonAffiliation' => ['member', 'employee'],
		],
	],
];

This configuration creates two users, student and employee, with the passwords studentpass and employeepass. The username and password are stored in the array index (student:studentpass for the student user). The attributes for each user are configured in the array referenced by the index. For the student user, these are:

[
	'uid' => ['student'],
	'eduPersonAffiliation' => ['member', 'student'],
],

The attributes will be returned by the IdP when the user logs on.
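The exampleauth sources above keep every username and password in plaintext inside config/authsources.php, which is fine for a test setup but not for a production IdP. As an added example (not part of this quickstart or of SimpleSAMLphp itself), the following PHP script reads the two configuration files described above and warns when such test-only sources are still enabled; the SIMPLESAMLPHP_DIR constant and the assumption that the script is run from the SimpleSAMLphp root are mine.

```php
<?php
// Added example, not part of the SimpleSAMLphp quickstart: a lint script that
// loads config/config.php and config/authsources.php and warns when test-only
// authentication sources (plaintext passwords, or log-in without a password)
// are still configured. SIMPLESAMLPHP_DIR is an assumption for this example.
declare(strict_types=1);

const SIMPLESAMLPHP_DIR = __DIR__; // assumed: run from the SimpleSAMLphp root

/** Load a SimpleSAMLphp config file; such files assign to $config and return nothing. */
function loadConfig(string $path): array
{
    if (!is_file($path)) {
        throw new RuntimeException("config file not found: $path");
    }
    $config = [];
    require $path; // the included file populates $config in this function's scope
    return $config;
}

/** Return one warning string per authsource that relies on a test-only module. */
function findTestOnlySources(array $authsources): array
{
    $findings = [];
    foreach ($authsources as $name => $source) {
        $module = $source[0] ?? ''; // element 0 is the "module:class" identifier
        if ($module === 'exampleauth:UserPass') {
            // The flat format shown in the guide keeps "user:password" entries as
            // string keys of the source itself; a nested 'users' array is also accepted.
            $entries = $source['users'] ?? $source;
            $creds = count(array_filter(array_keys($entries), 'is_string'));
            $findings[] = "'$name' uses $module with $creds plaintext username:password entries";
        } elseif ($module === 'exampleauth:Static') {
            $findings[] = "'$name' uses $module, which logs every visitor in without a password";
        }
    }
    return $findings;
}

$main = loadConfig(SIMPLESAMLPHP_DIR . '/config/config.php');
$findings = findTestOnlySources(loadConfig(SIMPLESAMLPHP_DIR . '/config/authsources.php'));
if (!empty($main['module.enable']['exampleauth'])) {
    $findings[] = "config.php enables the exampleauth module (module.enable)";
}
foreach ($findings as $finding) {
    fwrite(STDERR, "WARNING: $finding\n");
}
exit($findings === [] ? 0 : 1); // non-zero so a deployment check can fail on it
```

Run against the authsources.php shown above, it reports the example-userpass source with its two plaintext credential entries and exits non-zero.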

Creating a self signed certificate

The IdP needs a certificate to sign its SAML assertions with. Here is an example of an openssl command which can be used to generate a new private key and the corresponding self-signed certificate. The private key and certificate go into the directory defined in the certdir setting (defaults to cert/).