On a server with nginx already setup, I wanted to write a php-application that needed SAML-authentication. So let’s install SimpleSAMLphp and configure it and nginx to have the magic going. I presume you have a user with sudo privileges that is also member of the www-data group.<\/p>\n\n\n\n
$ cd \/var\/www\n$ sudo chown root:www-data .\n$ sudo chmod 775 .\n$ wget -O simplesaml.tar.gz https:\/\/simplesamlphp.org\/download?latest\n$ tar xzf simplesaml.tar.gz\n$ ln -sf simplesamlphp-1.18.x\/ simplesamlphp<\/code><\/pre>\n\n\n\nNow that we have a simpleSAMLphp installation let’s configure it, edit config\/config.php<\/code><\/p>\n\n\n\n\/\/ I like short baseurlpaths:\n'baseurlpath' => 'https:\/\/application.example.org\/saml\/',\n\n\/\/ I always fill in the technical contact information:\n'technicalcontact_name' => 'Remy Blom',\n'technicalcontact_email' => 'na@example.org',\n\n'timezone' => 'Europe\/Amsterdam',\n\n\/\/ https:\/\/passwordsgenerator.net\/ \n\/\/ length = 32, include numbers and lowercase characters\n'secretsalt' => 'ner9iuf8vu3fqkgawqchu7bcp4ihn221',\n \n\/\/ you might want to change this one: \n'auth.adminpassword' => '123',\n \n'admin.protectindexpage' => true,<\/code><\/pre>\n\n\n\nNow let’s setup nginx to serve simpleSAMLphp from the \/saml<\/code> url: in \/var\/www\/html\/<\/code> I create a symlink:<\/p>\n\n\n\n$ sudo ln -sf \/var\/www\/simplesamlphp\/www \/var\/www\/html\/saml<\/code><\/pre>\n\n\n\nAnd presuming you already have a serverblock setup that is serving \/var\/www\/html<\/code> we can add this location-block:<\/p>\n\n\n\nlocation \/saml {\n location ~ ^(?<prefix>\/saml)(?<phpfile>.+?\\.php)(?<pathinfo>\/.*)?$ {\n include snippets\/fastcgi-php.conf;\n fastcgi_pass unix:\/var\/run\/php\/php7.2-fpm.sock;\n fastcgi_split_path_info ^((?U).+\\.php)(\/?.+)$; \n }\n}<\/code><\/pre>\n\n\n\nReload nginx:<\/p>\n\n\n\n
$ sudo nginx -t && sudo service nginx reload<\/code><\/pre>\n\n\n\nIn \/config\/authsources.php<\/code> we put:<\/p>\n\n\n\n<?php\n\n$config = [\n \/\/ This is a authentication source which handles admin authentication.\n 'admin' => [\n \/\/ The default is to use core:AdminPassword, but it can be replaced with\n \/\/ any authentication source.\n 'core:AdminPassword',\n ],\n\n \/\/ An authentication source which can authenticate against both SAML 2.0\n \/\/ and Shibboleth 1.3 IdPs.\n 'application.example.org' => [\n 'saml:SP',\n 'entityID' => 'https:\/\/application.example.org',\n 'idp' => 'https:\/\/idp.example.org',\n ],\n];<\/code><\/pre>\n\n\n\nThen we exchange the metadata with the IdP and we have a testable setup. You can use https:\/\/application.example.org\/saml\/module.php\/core\/authenticate.php to test the application as an authentication source. You should be able to login via your IdP<\/p>\n\n\n\n
If so, writing a simple php program that needs authentication is peanuts:<\/p>\n\n\n\n
<?php\n\nrequire_once('\/var\/www\/simplesamlphp\/lib\/_autoload.php');\n\n$as = new \\SimpleSAML\\Auth\\Simple('application.example.org');\n$as->requireAuth();\n$attr = $as->getAttributes();\n\nprint_r($attr);<\/code><\/pre>\n\n\n\n<\/p>\n","protected":false},"excerpt":{"rendered":"
On a server with nginx already setup, I wanted to write a php-application that needed SAML-authentication. So let’s install SimpleSAMLphp and configure it and nginx to have the magic going. I presume you have a user with sudo privileges that is also member of the www-data group. Now that we have a simpleSAMLphp installation let’s … <\/p>\n