SimpleSAMLphp as a Service Provider with Nginx!

On a server with nginx already set up, I wanted to write a PHP application that needed SAML authentication. So let’s install SimpleSAMLphp and configure it and nginx to get the magic going. I presume you have a user with sudo privileges that is also a member of the www-data group.

$ cd /var/www
$ sudo chown root:www-data .
$ sudo chmod 775 .
$ wget -O simplesaml.tar.gz https://simplesamlphp.org/download?latest
$ tar xzf simplesaml.tar.gz
$ ln -sf simplesamlphp-1.18.x/ simplesamlphp

Now that we have a SimpleSAMLphp installation, let’s configure it by editing config/config.php:

// I like short baseurlpaths:
'baseurlpath' => 'https://application.example.org/saml/',

// I always fill in the technical contact information:
'technicalcontact_name' => 'Remy Blom',
'technicalcontact_email' => 'na@example.org',

'timezone' => 'Europe/Amsterdam',

// https://passwordsgenerator.net/
// length = 32, include numbers and lowercase characters
'secretsalt' => 'ner9iuf8vu3fqkgawqchu7bcp4ihn221',

// you might want to change this one:
'auth.adminpassword' => '123',

'admin.protectindexpage' => true,

Now let’s set up nginx to serve SimpleSAMLphp from the /saml URL. In /var/www/html/ I create a symlink:

$ sudo ln -sf /var/www/simplesamlphp/www /var/www/html/saml

And presuming you already have a server block set up that serves /var/www/html, we can add this location block:

location /saml {
  location ~ ^(?<prefix>/saml)(?<phpfile>.+?\.php)(?<pathinfo>/.*)?$ {
    include snippets/fastcgi-php.conf;
    fastcgi_pass     unix:/var/run/php/php7.2-fpm.sock;
    fastcgi_split_path_info ^((?U).+\.php)(/?.+)$;
  }
}

Reload nginx:

$ sudo nginx -t && sudo service nginx reload

In config/authsources.php we put:

<?php

$config = [
  // This is an authentication source which handles admin authentication.
  'admin' => [
    // The default is to use core:AdminPassword, but it can be replaced with
    // any authentication source.
    'core:AdminPassword',
  ],

  // An authentication source which can authenticate against both SAML 2.0
  // and Shibboleth 1.3 IdPs.
  'application.example.org' => [
    'saml:SP',
    'entityID' => 'https://application.example.org',
    'idp' => 'https://idp.example.org',
  ],
];

Then we exchange metadata with the IdP and we have a testable setup. You can use https://application.example.org/saml/module.php/core/authenticate.php to test the application as an authentication source. You should be able to log in via your IdP.

If so, writing a simple PHP program that needs authentication is peanuts:

<?php

// Load SimpleSAMLphp's autoloader from the installation symlinked above.
require_once('/var/www/simplesamlphp/lib/_autoload.php');

// Use the 'application.example.org' SP defined in config/authsources.php.
$as = new \SimpleSAML\Auth\Simple('application.example.org');

// Redirect to the IdP if there is no valid session; returns once authenticated.
$as->requireAuth();

// Attributes released by the IdP, as an array of name => list of values.
$attr = $as->getAttributes();

print_r($attr);
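Building on that snippet, here is an added example (not code from the original post) of an application page that uses the same SP, refuses to proceed when the IdP did not release the attribute the application keys on, and offers a logout link. The attribute name, the /app/ path and the return URLs are assumptions; which attribute names you actually receive depends on your IdP and attribute map.

```php
<?php
// Added example, not part of the original post. Assumes the SP
// 'application.example.org' from config/authsources.php and an application
// living at https://application.example.org/app/ (assumed path).

require_once('/var/www/simplesamlphp/lib/_autoload.php');

// Attribute the application identifies users by (assumed: eduPersonPrincipalName).
define('REQUIRED_ATTRIBUTE', 'urn:oid:1.3.6.1.4.1.5923.1.1.1.6');

// Escape anything that came from the IdP before putting it into HTML.
function h($s)
{
    return htmlspecialchars((string) $s, ENT_QUOTES, 'UTF-8');
}

$as = new \SimpleSAML\Auth\Simple('application.example.org');

// Sends the browser to the IdP if there is no valid session and only returns
// once the SP has accepted a SAML assertion.
$as->requireAuth(['ReturnTo' => 'https://application.example.org/app/']);

$attributes = $as->getAttributes();

// Fail closed: an authenticated session without the attribute the application
// needs is not usable, so do not guess an identity from other attributes.
if (empty($attributes[REQUIRED_ATTRIBUTE][0])) {
    http_response_code(403);
    exit('Required attribute was not released by the IdP.');
}
$principal = $attributes[REQUIRED_ATTRIBUTE][0];

// Entity ID of the IdP that issued the assertion; worth logging when the SP
// trusts more than one IdP.
$idp = $as->getAuthData('saml:sp:IdP');

header('Content-Type: text/html; charset=utf-8');
echo '<p>Logged in as ' . h($principal) . ' via ' . h($idp) . '</p>';
echo '<p><a href="' . h($as->getLogoutURL('https://application.example.org/'))
    . '">Log out</a></p>';
```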