simplesamlphp-idp.md 10.62 KiB

SimpleSAMLphp Identity Provider QuickStart

This guide describes how to configure SimpleSAMLphp as an identity provider (IdP). You should previously have installed SimpleSAMLphp as described in the SimpleSAMLphp installation instructions.

Enabling the Identity Provider functionality

The first thing that must be done is to enable the identity provider functionality. This is done by editing config/config.php. The options enable.saml20-idp and enable.shib13-idp control whether SAML 2.0 and Shibboleth 1.3 support is enabled. Enable one or both of them by assigning true to them:

'enable.saml20-idp' => true,
'enable.shib13-idp' => true,

Authentication module

The next step is to configure the way users authenticate on your IdP. Various modules in the modules/ directory provide methods for authenticating your users. This is an overview of those that are included in the SimpleSAMLphp distribution:

authcrypt:Hash : Username & password authentication with hashed passwords.

authcrypt:Htpasswd : Username & password authentication against .htpasswd file.

authX509:authX509userCert : Authenticate against an LDAP database with an SSL client certificate.

exampleauth:UserPass : Authenticate against a list of usernames and passwords.

exampleauth:Static : Automatically log in as a user with a set of attributes.

ldap:LDAP : Authenticates a user to an LDAP server.

ldap:LDAPMulti : Authenticates a user to one of several LDAP servers. The user can choose the LDAP server from a dropdown list.

sqlauth:SQL : Authenticate a user against a database.

radius:Radius : Authenticates a user to a Radius server.

InfoCard:ICAuth : Authenticate with an InfoCard.

multiauth:MultiAuth : Allow the user to select from a list of authentication sources.

openid:OpenIDConsumer : Authenticate against an OpenID provider.

saml:SP : Authenticate against a SAML IdP. Can be used for bridging.

authYubiKey:YubiKey : Authenticate with a YubiKey.

authfacebook:Facebook : Authenticate with a Facebook ID.

authtwitter:Twitter : Authenticate with your Twitter account using the Twitter OAuth API.

papi:PAPI : Authenticate by means of the PAPI protocol.

In this guide, we will use the exampleauth:UserPass authentication module. This module does not have any dependencies, and is therefore simple to set up.

Configuring the authentication module

The exampleauth:UserPass authentication module is part of the exampleauth module. This module isn't enabled by default, so you will have to enable it. This is done by creating a file named enable in modules/exampleauth/.

On Unix, this can be done by running (from the SimpleSAMLphp installation directory):

touch modules/exampleauth/enable

The next step is to create an authentication source with this module. An authentication source is an authentication module with a specific configuration. Each authentication source has a name, which is used to refer to this specific configuration in the IdP configuration. Configuration for authentication sources can be found in config/authsources.php.

In this setup, this file should contain a single entry:

<?php
$config = array(
	'example-userpass' => array(
		'exampleauth:UserPass',
		'student:studentpass' => array(
			'uid' => array('student'),
			'eduPersonAffiliation' => array('member', 'student'),
		),
		'employee:employeepass' => array(
			'uid' => array('employee'),
			'eduPersonAffiliation' => array('member', 'employee'),
		),
	),
);

This configuration creates two users, student and employee, with the passwords studentpass and employeepass. The username and password are stored in the array index (student:studentpass for the student user). The attributes for each user are configured in the array referenced by that index. For the student user, these are:

array(
	'uid' => array('student'),
	'eduPersonAffiliation' => array('member', 'student'),
),

The attributes will be returned by the IdP when the user logs on.
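To make the "credentials in the index, attributes in the value" layout concrete, here is an added example of resolving a login against such an entry. It is not SimpleSAMLphp's own code; the helper name userpass_login is hypothetical, it assumes PHP 5.6 or later for hash_equals, and the real exampleauth:UserPass module may parse the key differently.

```php
<?php
// Added example, not part of SimpleSAMLphp: look up a username/password
// pair in an exampleauth:UserPass authsource and return its attributes.

// Constructed sample, identical in shape to the config/authsources.php
// entry shown earlier in this guide.
$authsources = array(
    'example-userpass' => array(
        'exampleauth:UserPass',
        'student:studentpass' => array(
            'uid' => array('student'),
            'eduPersonAffiliation' => array('member', 'student'),
        ),
        'employee:employeepass' => array(
            'uid' => array('employee'),
            'eduPersonAffiliation' => array('member', 'employee'),
        ),
    ),
);

/**
 * Hypothetical helper: return the attribute array for the given
 * credentials, or null when no entry matches.
 */
function userpass_login(array $source, $username, $password)
{
    if (!isset($source[0]) || $source[0] !== 'exampleauth:UserPass') {
        throw new InvalidArgumentException('Not an exampleauth:UserPass source');
    }
    foreach ($source as $userpass => $attributes) {
        if (!is_string($userpass)) {
            continue; // index 0 holds the module name, not a user
        }
        // Split on the first colon only, so the password may contain ':'
        // but the username may not.
        $parts = explode(':', $userpass, 2);
        if (count($parts) !== 2) {
            continue; // malformed key, ignore rather than match anything
        }
        // Constant-time comparisons of both parts so response time does
        // not reveal whether the username or the password was wrong.
        $userOk = hash_equals($parts[0], (string) $username);
        $passOk = hash_equals($parts[1], (string) $password);
        if ($userOk && $passOk) {
            return $attributes;
        }
    }
    return null; // unknown user and wrong password look the same to the caller
}

$attributes = userpass_login($authsources['example-userpass'], 'student', 'studentpass');
```

On a match the returned array is exactly the per-user attribute block from the configuration, which is what the IdP then releases to the service provider.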

Creating an SSL self-signed certificate

Here is an example of an openssl command which can be used to generate a new private key and the corresponding self-signed certificate.

This key and certificate can be used to sign SAML messages:

openssl req -newkey rsa:2048 -new -x509 -days 3652 -nodes -out example.org.crt -keyout example.org.pem

The certificate above will be valid for 10 years.