
SAML configuration Gestión <-> Autogestión

Prerequisites

A working installation of Gestión and Autogestión

Configuration

  • Download the IdP
    mkdir /path/to/idp
    wget https://simplesamlphp.org/res/downloads/simplesamlphp-1.13.2.tar.gz -O idp.tar.gz && tar zxvf idp.tar.gz -C /path/to/idp --strip 1
    
  • Download the Guaraní SAML module from the corresponding URL in Colab. Example using the folder created for uba-fcen:
    svn co https://colab.siu.edu.ar/svn/guarani3/nodos/uba-fcen/gestion/trunk/3.10.X/saml_module /path/to/idp/modules/authguarani
    
  • Contents of config/authsources.php; fill in the values of the current installation
    <?php
    
    $config = array(
        'guarani-sql' => array(
            'authguarani:SQLBCRYPT',
            'dsn' => 'pgsql:host=localhost;port=5432;dbname=gestion_trunk',
            'schema' => 'negocio',
            'username' => 'postgres',
            'password' => 'postgres',
            'query' => "SELECT mdp_personas.clave,
                               mdp_personas.autenticacion,
                               mdp_personas.usuario AS usuario
                        FROM   mdp_personas
                        WHERE  mdp_personas.usuario = :username",
        ),
    );
    
  • Build the configuration file from the template. Inside the folder /path/to/idp/modules/authguarani/conf:
    /path/to/idp/modules/authguarani/conf$ cp saml_template.ini saml.ini
    
  • Then configure the file /path/to/idp/modules/authguarani/conf/saml.ini:
    [idp]
    # Base URL of the Guaraní 3W installation
    url_base_3w = http://www.ejemplo.edu.ar/guarani_3w
    # Email address for contacting the site administrator about any problem
    email_webmaster = admin@ejemplo.edu.ar
    
  • In config/config.php, change:
    • Set the baseurlpath entry to 'simplesaml/'
    • Change the admin password by editing the auth.adminpassword entry
    • Enable the SAML 2.0 IdP by setting the enable.saml20-idp entry to true
    • Enable the enable.http_post entry
    • Set the theme.use entry to 'authguarani:guarani'
    • 'language.available' => array('es'),
    • 'language.default' => 'es',
  • In metadata/saml20-idp-hosted.php
    • In the auth entry, put guarani-sql
    • Uncomment the block marked by the comment "Uncomment the following to use the uri NameFormat on attributes."
  • The file metadata/saml20-sp-remote.php must have the following contents. Change the variables url_autogestion and url_sp to the URLs published by the installation
    <?php
    $url_autogestion = 'http://localhost/g3w3_sso';
    $metadata[$url_autogestion.'/acceso'] = array(
        'AssertionConsumerService' => $url_autogestion.'/acceso?auth=saml',
        'SingleLogoutService' => $url_autogestion.'/acceso/logout?auth=saml',
    );
    
    
    $url_sp = 'http://localhost/toba_2.6_sp';
    
    $metadata[$url_sp.'/module.php/saml/sp/metadata.php/default-sp'] = array (
        'entityid' => $url_sp.'/module.php/saml/sp/metadata.php/default-sp',
        'contacts' =>
            array (
            ),
        'metadata-set' => 'shib13-sp-remote',
        'SingleLogoutService'      => $url_sp.'/module.php/saml/sp/saml2-logout.php/default-sp',
        'AssertionConsumerService' =>
            array (
                0 =>
                    array (
                        'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
                        'Location' => $url_sp.'/module.php/saml/sp/saml2-acs.php/default-sp',
                        'index' => 0,
                    ),
                1 =>
                    array (
                        'Binding' => 'urn:oasis:names:tc:SAML:1.0:profiles:browser-post',
                        'Location' => $url_sp.'/module.php/saml/sp/saml1-acs.php/default-sp',
                        'index' => 1,
                    ),
                2 =>
                    array (
                        'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact',
                        'Location' => $url_sp.'/module.php/saml/sp/saml2-acs.php/default-sp',
                        'index' => 2,
                    ),
                3 =>
                    array (
                        'Binding' => 'urn:oasis:names:tc:SAML:1.0:profiles:artifact-01',
                        'Location' => $url_sp.'/module.php/saml/sp/saml1-acs.php/default-sp/artifact',
                        'index' => 3,
                    ),
            ),
    );
    
  • Configure the idp alias: create the file /path/to/idp/idp.conf
    Alias /simplesaml /path/to/idp/www
    <Directory /path/to/idp/www>
            <IfModule !mod_authz_core.c>
                    Order allow,deny
                    Allow from all
            </IfModule>
            <IfModule mod_authz_core.c>
                    Require all granted
            </IfModule>
    </Directory>
    
  • Link the file into Apache's sites-enabled:
    sudo ln -s /path/to/idp/idp.conf /etc/apache2/sites-enabled
    
  • Restart Apache
    sudo service apache2 restart
    

After following these steps it should be possible to access http://localhost/simplesaml using the Administrator credentials defined earlier.

  • Generate the server certificates
    mkdir /path/to/idp/cert
    cd /path/to/idp/cert
    openssl req -new -x509 -days 3652 -nodes -out server.crt -keyout server.pem
    

Configure Autogestión

  • In instalacion/login.php add the saml entry:
    ...
        'saml'   => array(
            'activo'     => true,
            'clase'      => 'modelo\\autenticacion\\auth_saml',
            'parametros' => array(
                'settings_file' => \siu\bootstrap::get_dir_instalacion() . '/saml/settings.php',
                'saml_uid'  => 'usuario', // or 'urn:oid:0.9.2342.19200300.100.1.1'; matched against local_uid
                'local_uid' => 'usuario'  // can be 'persona'
            ),
        ),
    ...
    
  • Create the file instalacion/saml/settings.php with the following contents, changing the variables $url_autogestion and $url_idp. The fingerprint must also be set; it can be obtained with the following command:
    openssl x509 -noout -in /path/to/idp/cert/server.crt -fingerprint
    
<?php

// settings and advanced_settings of the SAML library.
$url_autogestion = 'http://localhost/g3w3_sso';
$url_idp = 'http://localhost/simplesaml';
return $settings = array (
    // If 'strict' is True, then the PHP Toolkit will reject unsigned
    // or unencrypted messages if it expects them signed or encrypted
    // Also will reject the messages if not strictly follow the SAML
    // standard: Destination, NameId, Conditions ... are validated too.
    'strict' => false,

    // Enable debug mode (to print errors)
    'debug' => false,

    // Service Provider Data that we are deploying
    'sp' => array (
        // Identifier of the SP entity  (must be a URI)
        'entityId' => $url_autogestion.'/acceso',
        // Specifies info about where and how the <AuthnResponse> message MUST be
        // returned to the requester, in this case our SP.
        'assertionConsumerService' => array (
            // URL Location where the <Response> from the IdP will be returned
            'url' => $url_autogestion.'/acceso?auth=saml',
            // SAML protocol binding to be used when returning the <Response>
            // message.  Onelogin Toolkit supports for this endpoint the
            // HTTP-POST binding only
            'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
        ),
        // Specifies info about where and how the <Logout Response> message MUST be
        // returned to the requester, in this case our SP.
        'singleLogoutService' => array (
            // URL Location where the <Response> from the IdP will be returned
            'url' => $url_autogestion.'/acceso/logout',
            // SAML protocol binding to be used when returning the <Response>
            // message.  Onelogin Toolkit supports for this endpoint the
            // HTTP-Redirect binding only
            'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
        ),
        // Specifies constraints on the name identifier to be used to
        // represent the requested subject.
        // Take a look on lib/Saml2/Constants.php to see the NameIdFormat supported
        'nameIdFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',

        // Usually x509cert and privateKey of the SP are provided by files placed at
        // the certs folder. But we can also provide them with the following parameters
        // 'x509cert' => file_get_contents(\siu\bootstrap::get_dir_instalacion() . '/saml/saml.crt'),
        // 'privateKey' => file_get_contents(\siu\bootstrap::get_dir_instalacion() . '/saml/saml.pem'),
    ),

    // Identity Provider Data that we want connect with our SP
    'idp' => array (
        // Identifier of the IdP entity  (must be a URI)
        'entityId' => $url_idp.'/saml2/idp/metadata.php',
        // SSO endpoint info of the IdP. (Authentication Request protocol)
        'singleSignOnService' => array (
            // URL Target of the IdP where the SP will send the Authentication Request Message
            'url' => $url_idp.'/saml2/idp/SSOService.php',
            // SAML protocol binding to be used when returning the <Response>
            // message.  Onelogin Toolkit supports for this endpoint the
            // HTTP-Redirect binding only
            'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
        ),
        // SLO endpoint info of the IdP.
        'singleLogoutService' => array (
            // URL Location of the IdP where the SP will send the SLO Request
            'url' => $url_idp.'/saml2/idp/SingleLogoutService.php',
            // SAML protocol binding to be used when returning the <Response>
            // message.  Onelogin Toolkit supports for this endpoint the
            // HTTP-Redirect binding only
            'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
        ),
        // Public x509 certificate of the IdP
        // 'x509cert' => \siu\bootstrap::get_dir_instalacion() . '/saml/saml.crt',
        /*
         *  Instead of using the whole x509cert you can use a fingerprint
         *  (openssl x509 -noout -fingerprint -in "idp.crt" to generate it)
         */
        'certFingerprint' => 'AF:E7:1C:28:EF:74:0B:C8:74:25:BE:13:A2:26:3D:37:97:1D:A1:F9',
    ),

    // Advanced settings
    // Security settings
    'security' => array (

        /** signatures and encryptions offered */

        // Indicates that the nameID of the <samlp:logoutRequest> sent by this SP
        // will be encrypted.
        'nameIdEncrypted' => false,

        // Indicates whether the <samlp:AuthnRequest> messages sent by this SP
        // will be signed.              [The Metadata of the SP will offer this info]
        'authnRequestsSigned' => false,

        // Indicates whether the <samlp:logoutRequest> messages sent by this SP
        // will be signed.
        'logoutRequestSigned' => false,

        // Indicates whether the <samlp:logoutResponse> messages sent by this SP
        // will be signed.
        'logoutResponseSigned' => false,

        /* Sign the Metadata
           False || True (use sp certs) || array (
               keyFileName => 'metadata.key',
               certFileName => 'metadata.crt'
           )
        */
        'signMetadata' => false,


        /** signatures and encryptions required **/

        // Indicates a requirement for the <samlp:Response>, <samlp:LogoutRequest> and
        // <samlp:LogoutResponse> elements received by this SP to be signed.
        'wantMessagesSigned' => false,

        // Indicates a requirement for the <saml:Assertion> elements received by
        // this SP to be signed.        [The Metadata of the SP will offer this info]
        'wantAssertionsSigned' => false,

        // Indicates a requirement for the NameID received by
        // this SP to be encrypted.
        'wantNameIdEncrypted' => false,
    ),

    // Contact information template; it is recommended to supply technical and support contacts
    'contactPerson' => array (
        'technical' => array (
            'givenName' => 'CAMBIAR',
            'emailAddress' => 'CAMBIAR'
        ),
        'support' => array (
            'givenName' => 'CAMBIAR',
            'emailAddress' => 'CAMBIAR'
        ),
    ),

    // Organization information template; the info in en_US lang is recommended, add more if required
    'organization' => array (
        'en-US' => array(
            'name' => 'CAMBIAR',
            'displayname' => 'CAMBIAR',
            'url' => 'CAMBIAR.com'
        ),
    ),
);

Gestión configuration

  • In lib/toba/instalacion/instalacion.ini add the entry:
    autenticacion = saml
    
  • The file lib/toba/instalacion/saml.ini must have the following contents, replacing the IdP URL with the correct one and the fingerprint with the one generated earlier:
    [basicos]
    path_sp = 3ros/simplesamlphp
    auth_source = default-sp
    atributo_usuario = usuario
    permite_login_toba = 0
    
    [sp]
    baseurlpath = /toba_2.6_sp/
    session.phpsession.cookiename = TOBA_SESSID
    idp = http://localhost/simplesaml/saml2/idp/metadata.php
    
    [idp:http://localhost/simplesaml/saml2/idp/metadata.php]
    name = Your IdP
    SingleSignOnService = http://localhost/simplesaml/saml2/idp/SSOService.php
    SingleLogoutService = http://localhost/simplesaml/saml2/idp/SingleLogoutService.php
    certFingerprint = AF:E7:1C:28:EF:74:0B:C8:74:25:BE:13:A2:26:3D:37:97:1D:A1:F9
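
The certFingerprint in settings.php (Autogestión) and in saml.ini (Gestión) must both equal the SHA-1 fingerprint of /path/to/idp/cert/server.crt, since that value is what the SP uses to validate the IdP's signature; a stale value left behind after regenerating server.crt breaks that validation. The following added example (not part of the original page or the Guaraní code) recomputes the fingerprint from the PEM the same way openssl does and reports which of the two files disagrees; the certificate and file fragments are constructed samples, and the helper names are my own.

```python
import base64
import hashlib
import re

# Constructed sample inputs, not real deployment data. The "certificate" body is
# base64("abc"): the fingerprint is SHA-1 over the DER bytes between the PEM
# markers, so any body is enough to demonstrate the check.
SAMPLE_SERVER_CRT = """-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""
# Fragments of the two files that must carry the IdP fingerprint, holding the
# page's placeholder value (which does not belong to the constructed cert above).
SAMPLE_SETTINGS_PHP = """
    'certFingerprint' => 'AF:E7:1C:28:EF:74:0B:C8:74:25:BE:13:A2:26:3D:37:97:1D:A1:F9',
"""
SAMPLE_SAML_INI = """
[idp:http://localhost/simplesaml/saml2/idp/metadata.php]
certFingerprint = AF:E7:1C:28:EF:74:0B:C8:74:25:BE:13:A2:26:3D:37:97:1D:A1:F9
"""

def pem_sha1_fingerprint(pem):
    """Same value `openssl x509 -noout -fingerprint -in server.crt` prints (SHA-1 of DER)."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no PEM certificate block found")
    der = base64.b64decode("".join(m.group(1).split()))
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def normalize(fp):
    """Colons and letter case carry no meaning; compare the bare hex."""
    return fp.replace(":", "").strip().lower()

def configured_fingerprint(text):
    """Extract certFingerprint from settings.php ('k' => 'v') or saml.ini (k = v) text."""
    m = re.search(r"certFingerprint['\"]?\s*(?:=>|=)\s*['\"]?([0-9A-Fa-f:]+)", text)
    return m.group(1) if m else None

def check_fingerprints(server_crt, settings_php, saml_ini):
    """Map each file whose fingerprint differs from the IdP cert to the value it holds."""
    expected = normalize(pem_sha1_fingerprint(server_crt))
    mismatches = {}
    for name, text in (("settings.php", settings_php), ("saml.ini", saml_ini)):
        found = configured_fingerprint(text)
        if found is None or normalize(found) != expected:
            mismatches[name] = found
    return mismatches
```

Run check_fingerprints with the real contents of the three files; an empty dict means both configurations carry the fingerprint of the current server.crt.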
    

IMPORTANT

Due to a peculiarity of SimpleSAMLphp, if both the IdP and the SP are implemented with SimpleSAMLphp they MUST run on different hosts; otherwise the behaviour is undefined. Here is the link to the SimpleSAMLphp documentation: https://simplesamlphp.org/docs/stable/simplesamlphp-idp#section_9_1. One way around this problem is to define a virtual host for the IdP (instead of an alias).