Configuración SAML Gestión <-> Autogestión
Prerequisitos
Contar con una instalación funcional de Gestión y Autogestión
Configuración
- Descargar iDP
mkdir /path/to/idp wget https://simplesamlphp.org/res/downloads/simplesamlphp-1.13.2.tar.gz -O idp.tar.gz && tar zxvf idp.tar.gz -C /path/to/idp --strip 1
- Descargar módulo SAML Guaraní desde la URL correspondiente en Colab. Ejemplo con la carpeta creada para uba-fcen:
svn co https://colab.siu.edu.ar/svn/guarani3/nodos/uba-fcen/gestion/trunk/3.10.X/saml_module /path/to/idp/modules/authguarani
- Contenido de config/authsources.php, completar con los datos de la instalación actual
<?php $config = array( 'guarani-sql' => array( 'authguarani:SQLBCRYPT', 'dsn' => 'pgsql:host=localhost;port=5432;dbname=gestion_trunk', 'schema' => 'negocio', 'username' => 'postgres', 'password' => 'postgres', 'query' => "SELECT mdp_personas.clave, mdp_personas.autenticacion, mdp_personas.usuario as usuario FROM mdp_personas WHERE mdp_personas.usuario = :username ", ), ); - Armar el archivo de configuración a partir del template. Dentro de la carpeta /path/to/idp/modules/authguarani/conf:
/path/to/idp/modules/authguarani/conf$ cp saml_template.ini saml.ini
- Luego configurar el archivo /path/to/idp/modules/authguarani/conf/saml.ini:
[idp] #URL base de la instalación de Guaraní 3W url_base_3w = http://www.ejemplo.edu.ar/guarani_3w #Email para poder comunicarse con el administrador del sitio ante cualquier inconveniente email_webmaster = admin@ejemplo.edu.ar
- En config/config.php modificar:
- Setear la entrada baseurlpath a 'simplesaml/'
- Cambiar la contraseña de admin modificando la entrada auth.adminpassword
- Activar idp saml20 poniendo en true la entrada enable.saml20-idp
- Activar la entrada enable.http_post
- Setear la entrada theme.use a 'authguarani:guarani'
- 'language.available' => array('es'),
- 'language.default' => 'es',
- En metadata/saml20-idp-hosted.php
- En la entrada auth poner guarani-sql
- Descomentar el bloque indicado por el siguiente comentario Uncomment the following to use the uri NameFormat on attributes.
- El archivo metadata/saml20-sp-remote.php debe tener el siguiente contenido. Modificar las variables url_autogestion y url_sp por las que estén publicadas en la instalación
<?php $url_autogestion = 'http://localhost/g3w3_sso'; $metadata[$url_autogestion.'/acceso'] = array( 'AssertionConsumerService' => $url_autogestion.'/acceso?auth=saml', 'SingleLogoutService' => $url_autogestion.'/acceso/logout?auth=saml', ); $url_sp = 'http://localhost/toba_2.6_sp'; $metadata[$url_sp.'/module.php/saml/sp/metadata.php/default-sp'] = array ( 'entityid' => $url_sp.'/module.php/saml/sp/metadata.php/default-sp', 'contacts' => array ( ), 'metadata-set' => 'shib13-sp-remote', 'SingleLogoutService' => $url_sp.'/module.php/saml/sp/saml2-logout.php/default-sp', 'AssertionConsumerService' => array ( 0 => array ( 'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST', 'Location' => $url_sp.'/module.php/saml/sp/saml2-acs.php/default-sp', 'index' => 0, ), 1 => array ( 'Binding' => 'urn:oasis:names:tc:SAML:1.0:profiles:browser-post', 'Location' => $url_sp.'/module.php/saml/sp/saml1-acs.php/default-sp', 'index' => 1, ), 2 => array ( 'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact', 'Location' => $url_sp.'/module.php/saml/sp/saml2-acs.php/default-sp', 'index' => 2, ), 3 => array ( 'Binding' => 'urn:oasis:names:tc:SAML:1.0:profiles:artifact-01', 'Location' => $url_sp.'/module.php/saml/sp/saml1-acs.php/default-sp/artifact', 'index' => 3, ), ), );
- Configurar alias idp, crear el archivo /path/to/idp/idp.conf
Alias /simplesaml /path/to/idp/www <Directory /path/to/idp/www> <IfModule !mod_authz_core.c> Order allow,deny Allow from all </IfModule> <IfModule mod_authz_core.c> Require all granted </IfModule> </Directory>
- Linkear el archivo a sites-enabled de Apache:
sudo ln -s /path/to/idp/idp.conf /etc/apache2/sites-enabled
- Reiniciar Apache
sudo service apache2 restart
Luego de seguir estos pasos ya se debería poder acceder a http://localhost/simplesaml utilizando las credenciales de Administrador definidas anteriormente.
- Generar certificados del server
mkdir /path/to/idp/cert cd /path/to/idp/cert openssl req -new -x509 -days 3652 -nodes -out server.crt -keyout server.pem
Configurar Autogestión
- En instalacion/login.php agregar la entrada saml:
... 'saml' => array( 'activo' => true, 'clase' => 'modelo\\autenticacion\\auth_saml', 'parametros' => array( 'settings_file' => \siu\bootstrap::get_dir_instalacion() . '/saml/settings.php', 'saml_uid' => 'usuario',// 'urn:oid:0.9.2342.19200300.100.1.1', //se matchea con local_uid 'local_uid' => 'usuario' //puede ser 'persona' ), ), ...
- Crear el archivo instalacion/saml/settings.php con el siguiente contenido, modificando las variables $url_autogestion y $url_idp. También hay que setear el fingerprint que se puede obtener con el siguiente comando:
openssl x509 -noout -in /path/to/idp/cert/server.crt -fingerprint
<?php
//settings y advanced_settings de la libreria de saml.
$url_autogestion = 'http://localhost/g3w3_sso';
$url_idp = 'http://localhost/simplesaml';
return $settings = array (
// If 'strict' is True, then the PHP Toolkit will reject unsigned
// or unencrypted messages if it expects them signed or encrypted
// Also will reject the messages if not strictly follow the SAML
// standard: Destination, NameId, Conditions ... are validated too.
'strict' => false,
// Enable debug mode (to print errors)
'debug' => false,
// Service Provider Data that we are deploying
'sp' => array (
// Identifier of the SP entity (must be a URI)
'entityId' => $url_autogestion.'/acceso',
// Specifies info about where and how the <AuthnResponse> message MUST be
// returned to the requester, in this case our SP.
'assertionConsumerService' => array (
// URL Location where the <Response> from the IdP will be returned
'url' => $url_autogestion.'/acceso?auth=saml',
// SAML protocol binding to be used when returning the <Response>
// message. Onelogin Toolkit supports for this endpoint the
// HTTP-Redirect binding only
'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
),
// Specifies info about where and how the <Logout Response> message MUST be
// returned to the requester, in this case our SP.
'singleLogoutService' => array (
// URL Location where the <Response> from the IdP will be returned
'url' => $url_autogestion.'/acceso/logout',
// SAML protocol binding to be used when returning the <Response>
// message. Onelogin Toolkit supports for this endpoint the
// HTTP-Redirect binding only
'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
),
// Specifies constraints on the name identifier to be used to
// represent the requested subject.
// Take a look on lib/Saml2/Constants.php to see the NameIdFormat supported
'nameIdFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
// Usually x509cert and privateKey of the SP are provided by files placed at
// the certs folder. But we can also provide them with the following parameters
// 'x509cert' => file_get_contents(\siu\bootstrap::get_dir_instalacion() . '/saml/saml.crt'),
// 'privateKey' > file_get_contents(\siu\bootstrap::get_dir_instalacion() . '/saml/saml.pem'),
),
// Identity Provider Data that we want connect with our SP
'idp' => array (
// Identifier of the IdP entity (must be a URI)
'entityId' => $url_idp.'/saml2/idp/metadata.php',
// SSO endpoint info of the IdP. (Authentication Request protocol)
'singleSignOnService' => array (
// URL Target of the IdP where the SP will send the Authentication Request Message
'url' => $url_idp.'/saml2/idp/SSOService.php',
// SAML protocol binding to be used when returning the <Response>
// message. Onelogin Toolkit supports for this endpoint the
// HTTP-POST binding only
'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
),
// SLO endpoint info of the IdP.
'singleLogoutService' => array (
// URL Location of the IdP where the SP will send the SLO Request
'url' => $url_idp.'/saml2/idp/SingleLogoutService.php',
// SAML protocol binding to be used when returning the <Response>
// message. Onelogin Toolkit supports for this endpoint the
// HTTP-Redirect binding only
'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
),
// Public x509 certificate of the IdP
// 'x509cert' => \siu\bootstrap::get_dir_instalacion() . '/saml/saml.crt',
/*
* Instead of use the whole x509cert you can use a fingerprint
* (openssl x509 -noout -fingerprint -in "idp.crt" to generate it)
*/
'certFingerprint' => 'AF:E7:1C:28:EF:74:0B:C8:74:25:BE:13:A2:26:3D:37:97:1D:A1:F9',
),
//Advanced settings
// Security settings
'security' => array (
/** signatures and encryptions offered */
// Indicates that the nameID of the <samlp:logoutRequest> sent by this SP
// will be encrypted.
'nameIdEncrypted' => false,
// Indicates whether the <samlp:AuthnRequest> messages sent by this SP
// will be signed. [The Metadata of the SP will offer this info]
'authnRequestsSigned' => false,
// Indicates whether the <samlp:logoutRequest> messages sent by this SP
// will be signed.
'logoutRequestSigned' => false,
// Indicates whether the <samlp:logoutResponse> messages sent by this SP
// will be signed.
'logoutResponseSigned' => false,
/* Sign the Metadata
False || True (use sp certs) || array (
keyFileName => 'metadata.key',
certFileName => 'metadata.crt'
)
*/
'signMetadata' => false,
/** signatures and encryptions required **/
// Indicates a requirement for the <samlp:Response>, <samlp:LogoutRequest> and
// <samlp:LogoutResponse> elements received by this SP to be signed.
'wantMessagesSigned' => false,
// Indicates a requirement for the <saml:Assertion> elements received by
// this SP to be signed. [The Metadata of the SP will offer this info]
'wantAssertionsSigned' => false,
// Indicates a requirement for the NameID received by
// this SP to be encrypted.
'wantNameIdEncrypted' => false,
),
// Contact information template, it is recommended to suply a technical and support contacts
'contactPerson' => array (
'technical' => array (
'givenName' => 'CAMBIAR',
'emailAddress' => 'CAMBIAR'
),
'support' => array (
'givenName' => 'CAMBIAR',
'emailAddress' => 'CAMBIAR'
),
),
// Organization information template, the info in en_US lang is recomended, add more if required
'organization' => array (
'en-US' => array(
'name' => 'CAMBIAR',
'displayname' => 'CAMBIAR',
'url' => 'CAMBIAR.com'
),
),
);
Configuración Gestión
- En lib/toba/instalacion/instalacion.ini agregar la entrada:
autenticacion = saml
- El archivo lib/toba/instalacion/saml.ini debe tener el siguiente contenido, reemplazando la url del idp por la correcta y el fingerprint generado anteriormente:
[basicos] path_sp = 3ros/simplesamlphp auth_source = default-sp atributo_usuario=usuario permite_login_toba= 0 [sp] baseurlpath = /toba_2.6_sp/ session.phpsession.cookiename = TOBA_SESSID idp = http://localhost/simplesaml/saml2/idp/metadata.php [idp:http://localhost/simplesaml/saml2/idp/metadata.php] name = Your IdP SingleSignOnService = http://localhost/simplesaml/saml2/idp/SSOService.php SingleLogoutService = http://localhost/simplesaml/saml2/idp/SingleLogoutService.php certFingerprint = AF:E7:1C:28:EF:74:0B:C8:74:25:BE:13:A2:26:3D:37:97:1D:A1:F9
IMPORTANTE
Debido a una particularidad de SimplesamlPHP, si el idp y sp se implementan con SimplesamlPHP DEBEN estar en diferentes hosts, si esto no es así el comportamiento no está determinado. Aquí está el link a la documentación de SimplesamlPHP https://simplesamlphp.org/docs/stable/simplesamlphp-idp#section_9_1. Una salida a este problema es definir un virtual host para el idp (en vez de un alias).
