Background: For about 5 years at my place of work we have used software called SimpleSAMLphp to help offer identity solutions to TVE (TV Everywhere) customers. In essence I have been one of a team of 20th century cable people.
This software, in its current version, has been heavily customized to offer quick deployment solutions for new customers. All I can say is that it’s awesome running an Identity Stack with 50+ IdPs and 5000+ SPs.
I decided to see how quickly I could set up a SAML SP -> IdP relationship between two CentOS 7 virtual machines:
2 hosts, sspsp (192.168.1.76) and sspidp (192.168.1.77)
Minimal install, static IPs and DNS set on OS installation
yum update
systemctl stop firewalld
systemctl disable firewalld
In /etc/sysconfig/selinux, set SELINUX=permissive
yum install httpd mod_ssl
systemctl start httpd
systemctl enable httpd
shutdown -r now
Install PHP 7+ on CentOS 7 following https://linuxize.com/post/install-php-7-on-centos-7/
sudo yum install epel-release yum-utils
sudo yum install http://rpms.remirepo.net/enterprise/remi-release-7.rpm
sudo yum-config-manager --enable remi-php73
sudo yum install php php-common php-opcache php-mcrypt php-cli php-gd php-curl php-mysqlnd
shutdown -r now
Test!
echo -e "<?php\nphpinfo();" > /var/www/html/index.php
Install SimpleSAMLphp from the tarball at https://simplesamlphp.org/download
yum install wget
wget 'https://simplesamlphp.org/download?latest'
mv download\?latest simplesamlphp-1.19.0-rc1.tar.gz
tar -xzf simplesamlphp-1.19.0-rc1.tar.gz
mv simplesamlphp-1.19.0-rc1 /var/www/html/simplesamlphp
chown -R apache:apache /var/www/html/simplesamlphp
vi /etc/httpd/conf.d/ssl.conf and set the DocumentRoot to the SimpleSAMLphp www directory:
DocumentRoot "/var/www/html/simplesamlphp/www"
vi /var/www/html/simplesamlphp/config/config.php
'baseurlpath' => '',
'secretsalt' => 'salt',
'auth.adminpassword' => 'admin',
'enable.saml20-idp' => true,
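The four config.php values above are lab values. As an added example (not from the original post or the SimpleSAMLphp project), here is the same block with each weak value beside a setting suited to anything beyond a throwaway VM; the extra keys at the end are standard SimpleSAMLphp 1.x config.php options, and the password hash is a placeholder you fill in from the bundled bin/pwgen.php script.

```php
<?php
// Added example: the walkthrough's config.php values, hardened.
// Keys are the standard SimpleSAMLphp 1.x config.php options.
$config = [
    // Lab value: ''. Fine here, since ssl.conf points DocumentRoot at
    // simplesamlphp/www; SSP builds every URL in its metadata from this.
    'baseurlpath' => '',

    // Lab value: 'salt'. The salt feeds session/cookie signing, so a
    // guessable one lets anyone forge what it protects. Generate it ONCE,
    // outside config.php (otherwise it changes on every request and
    // sessions break), e.g.:
    //   php -r 'echo bin2hex(random_bytes(32)), PHP_EOL;'
    // and paste the 64-hex-char result. Never reuse it across installs.
    'secretsalt' => '<paste the one-off random value here>',

    // Lab value: 'admin'. Store the hash printed by bin/pwgen.php
    // (shipped with SimpleSAMLphp) instead of a plaintext password.
    'auth.adminpassword' => '<paste output of bin/pwgen.php here>',

    // true only on the IdP host (.77); leave it false on the SP (.76).
    'enable.saml20-idp' => true,

    // Not in the walkthrough, but worth setting alongside the above:
    'admin.protectmetadata' => true,  // metadata pages need the admin login
    'session.cookie.secure' => true,  // cookies only over the HTTPS vhost
];
```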
yum install php-xml php-ldap php-pecl-memcache
systemctl restart httpd
Set up Identity Provider on 192.168.1.77
cd /var/www/html/simplesamlphp/cert
openssl req -newkey rsa:3072 -new -x509 -days 3652 -nodes -out saml-idp.crt -keyout saml-idp.pem
cd /var/www/html/simplesamlphp/metadata
vi saml20-idp-hosted.php
$metadata['https://192.168.1.77/saml/saml2/idp/metadata.php'] = [
'auth' => 'blankPage',
'certificate' => 'saml-idp.crt',
'privatekey' => 'saml-idp.pem',
'name' => 'blankPage-on-77',
'entityid' => 'https://192.168.1.77/saml/saml2/idp/metadata.php',
'host' => '192.168.1.77',
];
cd /var/www/html/simplesamlphp/config
vi authsources.php
'blankPage' => [
'blank:Page',
],
Additionally, on the Identity Provider I installed my simplesamlphp-modules-blank module so it just passes straight through back to the SP.
Set up Service Provider on 192.168.1.76
cd /var/www/html/simplesamlphp/cert
openssl req -newkey rsa:3072 -new -x509 -days 3652 -nodes -out saml-sp.crt -keyout saml-sp.pem
vi /var/www/html/simplesamlphp/config/authsources.php
'seventysix' => [
'saml:SP',
'idp' => null,
'name' => [ 'en' => '192.168.1.76 SAML' ],
'privatekey' => 'saml-sp.pem',
'certificate' => 'saml-sp.crt',
],
Now, we do the metadata exchange!
Add the IdP metadata from https://192.168.1.77/saml2/idp/metadata.php?output=xhtml to the SP's metadata/saml20-idp-remote.php, and in the SP's authsources.php change 'idp' => 'https://192.168.1.77/saml/saml2/idp/metadata.php',
Add the SP metadata from https://192.168.1.76/module.php/saml/sp/metadata.php/seventysix?output=xhtml to the IdP's metadata/saml20-sp-remote.php.
And now I test: https://192.168.1.76/module.php/core/authenticate.php
#ezpz