SAML configuration: Gestión <-> Autogestión
Prerequisites
A working installation of Gestión and Autogestión.
Configuration
- Download the IdP:
```bash
mkdir /path/to/idp
wget https://simplesamlphp.org/res/downloads/simplesamlphp-1.13.2.tar.gz -O idp.tar.gz && tar zxvf idp.tar.gz -C /path/to/idp --strip 1
```
- Download the Guaraní SAML module from the corresponding URL in Colab. Example with the folder created for uba-fcen:
```bash
svn co https://colab.siu.edu.ar/svn/guarani3/nodos/uba-fcen/gestion/trunk/3.10.X/saml_module /path/to/idp/modules/authguarani
```
- Content of config/authsources.php; fill it in with the data of the current installation:
```php
<?php
$config = array(
    'guarani-sql' => array(
        'authguarani:SQLBCRYPT',
        'dsn' => 'pgsql:host=localhost;port=5432;dbname=gestion_trunk',
        'schema' => 'negocio',
        'username' => 'postgres',
        'password' => 'postgres',
        'query' => "SELECT mdp_personas.clave, mdp_personas.autenticacion, mdp_personas.usuario as usuario FROM mdp_personas WHERE mdp_personas.usuario = :username ",
    ),
);
```
- Build the configuration file from the template, inside the folder /path/to/idp/modules/authguarani/conf:
```bash
cd /path/to/idp/modules/authguarani/conf
cp saml_template.ini saml.ini
```
- Then configure the file /path/to/idp/modules/authguarani/conf/saml.ini:
```ini
[idp]
# Base URL of the Guaraní 3W installation
url_base_3w = http://www.ejemplo.edu.ar/guarani_3w
# Email address for contacting the site administrator about any problem
email_webmaster = admin@ejemplo.edu.ar
```
- In config/config.php modify:
  - Set the baseurlpath entry to 'simplesaml/'
  - Change the admin password by modifying the auth.adminpassword entry
  - Enable the SAML 2.0 IdP by setting the enable.saml20-idp entry to true
  - Enable the enable.http_post entry
  - Set the theme.use entry to 'authguarani:guarani'
  - 'language.available' => array('es'),
  - 'language.default' => 'es',
- In metadata/saml20-idp-hosted.php:
  - In the auth entry put guarani-sql
  - Uncomment the block marked by the following comment: "Uncomment the following to use the uri NameFormat on attributes."
- The file metadata/saml20-sp-remote.php must have the following content. Change the url_autogestion and url_sp variables to the URLs published by the installation:
```php
<?php
$url_autogestion = 'http://localhost/g3w3_sso';
$metadata[$url_autogestion.'/acceso'] = array(
    'AssertionConsumerService' => $url_autogestion.'/acceso?auth=saml',
    'SingleLogoutService' => $url_autogestion.'/acceso/logout?auth=saml',
);

$url_sp = 'http://localhost/toba_2.6_sp';
$metadata[$url_sp.'/module.php/saml/sp/metadata.php/default-sp'] = array (
    'entityid' => $url_sp.'/module.php/saml/sp/metadata.php/default-sp',
    'contacts' => array ( ),
    'metadata-set' => 'shib13-sp-remote',
    'SingleLogoutService' => $url_sp.'/module.php/saml/sp/saml2-logout.php/default-sp',
    'AssertionConsumerService' => array (
        0 => array (
            'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
            'Location' => $url_sp.'/module.php/saml/sp/saml2-acs.php/default-sp',
            'index' => 0,
        ),
        1 => array (
            'Binding' => 'urn:oasis:names:tc:SAML:1.0:profiles:browser-post',
            'Location' => $url_sp.'/module.php/saml/sp/saml1-acs.php/default-sp',
            'index' => 1,
        ),
        2 => array (
            'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact',
            'Location' => $url_sp.'/module.php/saml/sp/saml2-acs.php/default-sp',
            'index' => 2,
        ),
        3 => array (
            'Binding' => 'urn:oasis:names:tc:SAML:1.0:profiles:artifact-01',
            'Location' => $url_sp.'/module.php/saml/sp/saml1-acs.php/default-sp/artifact',
            'index' => 3,
        ),
    ),
);
```
- Configure the IdP alias by creating the file /path/to/idp/idp.conf:
```apache
Alias /simplesaml /path/to/idp/www
<Directory /path/to/idp/www>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Allow from all
    </IfModule>
    <IfModule mod_authz_core.c>
        Require all granted
    </IfModule>
</Directory>
```
- Link the file into Apache's sites-enabled:
```bash
sudo ln -s /path/to/idp/idp.conf /etc/apache2/sites-enabled
```
- Restart Apache:
```bash
sudo service apache2 restart
```
After following these steps you should be able to access http://localhost/simplesaml using the Administrator credentials defined above.
- Generate the server certificates:
```bash
mkdir /path/to/idp/cert
cd /path/to/idp/cert
openssl req -new -x509 -days 3652 -nodes -out server.crt -keyout server.pem
```
Configure Autogestión
- In instalacion/login.php add the saml entry:
```php
...
'saml' => array(
    'activo' => true,
    'clase' => 'modelo\\autenticacion\\auth_saml',
    'parametros' => array(
        'settings_file' => \siu\bootstrap::get_dir_instalacion() . '/saml/settings.php',
        'saml_uid' => 'usuario', // 'urn:oid:0.9.2342.19200300.100.1.1', matched against local_uid
        'local_uid' => 'usuario' // may be 'persona'
    ),
),
...
```
- Create the file instalacion/saml/settings.php with the following content, changing the $url_autogestion and $url_idp variables. The fingerprint must also be set; it can be obtained with the following command:
```bash
openssl x509 -noout -in /path/to/idp/cert/server.crt -fingerprint
```
```php
<?php
// settings and advanced_settings for the SAML library.
$url_autogestion = 'http://localhost/g3w3_sso';
$url_idp = 'http://localhost/simplesaml';

return $settings = array (
    // If 'strict' is True, then the PHP Toolkit will reject unsigned
    // or unencrypted messages if it expects them signed or encrypted.
    // It will also reject messages that do not strictly follow the SAML
    // standard: Destination, NameId, Conditions ... are validated too.
    'strict' => false,

    // Enable debug mode (to print errors)
    'debug' => false,

    // Service Provider Data that we are deploying
    'sp' => array (
        // Identifier of the SP entity (must be a URI)
        'entityId' => $url_autogestion.'/acceso',
        // Specifies info about where and how the <AuthnResponse> message MUST be
        // returned to the requester, in this case our SP.
        'assertionConsumerService' => array (
            // URL Location where the <Response> from the IdP will be returned
            'url' => $url_autogestion.'/acceso?auth=saml',
            // SAML protocol binding to be used when returning the <Response>
            // message. Onelogin Toolkit supports for this endpoint the
            // HTTP-POST binding only
            'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
        ),
        // Specifies info about where and how the <Logout Response> message MUST be
        // returned to the requester, in this case our SP.
        'singleLogoutService' => array (
            // URL Location where the <Response> from the IdP will be returned
            'url' => $url_autogestion.'/acceso/logout',
            // SAML protocol binding to be used when returning the <Response>
            // message. Onelogin Toolkit supports for this endpoint the
            // HTTP-Redirect binding only
            'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
        ),
        // Specifies constraints on the name identifier to be used to
        // represent the requested subject.
        // Take a look on lib/Saml2/Constants.php to see the NameIdFormat supported
        'nameIdFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',

        // Usually x509cert and privateKey of the SP are provided by files placed at
        // the certs folder. But we can also provide them with the following parameters
        // 'x509cert' => file_get_contents(\siu\bootstrap::get_dir_instalacion() . '/saml/saml.crt'),
        // 'privateKey' => file_get_contents(\siu\bootstrap::get_dir_instalacion() . '/saml/saml.pem'),
    ),

    // Identity Provider Data that we want connect with our SP
    'idp' => array (
        // Identifier of the IdP entity (must be a URI)
        'entityId' => $url_idp.'/saml2/idp/metadata.php',
        // SSO endpoint info of the IdP. (Authentication Request protocol)
        'singleSignOnService' => array (
            // URL Target of the IdP where the SP will send the Authentication Request Message
            'url' => $url_idp.'/saml2/idp/SSOService.php',
            // SAML protocol binding to be used when sending the Authentication
            // Request message. Onelogin Toolkit supports for this endpoint the
            // HTTP-Redirect binding only
            'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
        ),
        // SLO endpoint info of the IdP.
        'singleLogoutService' => array (
            // URL Location of the IdP where the SP will send the SLO Request
            'url' => $url_idp.'/saml2/idp/SingleLogoutService.php',
            // SAML protocol binding to be used when returning the <Response>
            // message. Onelogin Toolkit supports for this endpoint the
            // HTTP-Redirect binding only
            'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
        ),
        // Public x509 certificate of the IdP
        // 'x509cert' => \siu\bootstrap::get_dir_instalacion() . '/saml/saml.crt',
        /*
         * Instead of use the whole x509cert you can use a fingerprint
         * (openssl x509 -noout -fingerprint -in "idp.crt" to generate it)
         */
        'certFingerprint' => 'AF:E7:1C:28:EF:74:0B:C8:74:25:BE:13:A2:26:3D:37:97:1D:A1:F9',
    ),

    // Advanced settings

    // Security settings
    'security' => array (
        /** signatures and encryptions offered */
        // Indicates that the nameID of the <samlp:logoutRequest> sent by this SP
        // will be encrypted.
        'nameIdEncrypted' => false,
        // Indicates whether the <samlp:AuthnRequest> messages sent by this SP
        // will be signed. [The Metadata of the SP will offer this info]
        'authnRequestsSigned' => false,
        // Indicates whether the <samlp:logoutRequest> messages sent by this SP
        // will be signed.
        'logoutRequestSigned' => false,
        // Indicates whether the <samlp:logoutResponse> messages sent by this SP
        // will be signed.
        'logoutResponseSigned' => false,
        /* Sign the Metadata
           False || True (use sp certs) || array (
               keyFileName => 'metadata.key',
               certFileName => 'metadata.crt'
           )
        */
        'signMetadata' => false,

        /** signatures and encryptions required **/
        // Indicates a requirement for the <samlp:Response>, <samlp:LogoutRequest> and
        // <samlp:LogoutResponse> elements received by this SP to be signed.
        'wantMessagesSigned' => false,
        // Indicates a requirement for the <saml:Assertion> elements received by
        // this SP to be signed. [The Metadata of the SP will offer this info]
        'wantAssertionsSigned' => false,
        // Indicates a requirement for the NameID received by
        // this SP to be encrypted.
        'wantNameIdEncrypted' => false,
    ),

    // Contact information template, it is recommended to supply a technical and a support contact
    'contactPerson' => array (
        'technical' => array (
            'givenName' => 'CAMBIAR',
            'emailAddress' => 'CAMBIAR'
        ),
        'support' => array (
            'givenName' => 'CAMBIAR',
            'emailAddress' => 'CAMBIAR'
        ),
    ),

    // Organization information template, the info in en_US lang is recommended, add more if required
    'organization' => array (
        'en-US' => array(
            'name' => 'CAMBIAR',
            'displayname' => 'CAMBIAR',
            'url' => 'CAMBIAR.com'
        ),
    ),
);
```
Configure Gestión
- In lib/toba/instalacion/instalacion.ini add the entry:
```ini
autenticacion = saml
```
- The file lib/toba/instalacion/saml.ini must have the following content, replacing the IdP URL with the correct one and the fingerprint with the one generated above:
```ini
[basicos]
path_sp = 3ros/simplesamlphp
auth_source = default-sp
atributo_usuario = usuario
permite_login_toba = 0

[sp]
baseurlpath = /toba_2.6_sp/
session.phpsession.cookiename = TOBA_SESSID
idp = http://localhost/simplesaml/saml2/idp/metadata.php

[idp:http://localhost/simplesaml/saml2/idp/metadata.php]
name = Your IdP
SingleSignOnService = http://localhost/simplesaml/saml2/idp/SSOService.php
SingleLogoutService = http://localhost/simplesaml/saml2/idp/SingleLogoutService.php
certFingerprint = AF:E7:1C:28:EF:74:0B:C8:74:25:BE:13:A2:26:3D:37:97:1D:A1:F9
```
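The fingerprint that the openssl command above prints, and that both instalacion/saml/settings.php (certFingerprint) and lib/toba/instalacion/saml.ini must carry, is the SHA-1 digest of the certificate's DER encoding. The following Python script is an added example, not part of this guide nor of the Guaraní/Toba code: it recomputes that value from a PEM file and checks the certFingerprint of each [idp:...] section of a Gestión saml.ini against it; the certificate and the ini excerpt are constructed samples, and the IdP URL is the guide's localhost placeholder.

```python
import base64
import configparser
import hashlib
import re

# Constructed stand-in for /path/to/idp/cert/server.crt. Its base64 body decodes
# to the bytes b"abc" rather than a real X.509 DER structure, so the expected
# SHA-1 is the well-known test vector; a real server.crt is handled identically.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""

# Constructed excerpt of the Gestión saml.ini, with the sample certificate's
# fingerprint already filled in (lower-case, as some tools print it).
SAMPLE_INI = """[idp:http://localhost/simplesaml/saml2/idp/metadata.php]
name = Your IdP
certFingerprint = a9:99:3e:36:47:06:81:6a:ba:3e:25:71:78:50:c2:6c:9c:d0:d8:9d
"""

def pem_to_der(pem: str) -> bytes:
    """Return the DER bytes of the first CERTIFICATE block in a PEM string."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))

def openssl_fingerprint(pem: str, algo: str = "sha1") -> str:
    """Same value that `openssl x509 -noout -fingerprint` prints: the digest of
    the DER encoding as upper-case hex pairs joined by ':' (SHA-1 by default)."""
    hexdigest = hashlib.new(algo, pem_to_der(pem)).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))

def normalize(fp: str) -> str:
    """Drop colons and case so 'AF:E7:...' and 'afe7...' compare equal."""
    return re.sub(r"[^0-9A-F]", "", fp.upper())

def fingerprint_matches(configured: str, pem: str) -> bool:
    """True when the configured certFingerprint is the fingerprint of pem."""
    return normalize(configured) == normalize(openssl_fingerprint(pem))

def check_ini(ini_text: str, pem: str) -> dict:
    """Map each [idp:...] section of a Gestión saml.ini to whether its
    certFingerprint matches the IdP certificate (missing key counts as False)."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(ini_text)
    return {s: fingerprint_matches(cfg.get(s, "certFingerprint", fallback=""), pem)
            for s in cfg.sections() if s.startswith("idp:")}
```

Run it against the real /path/to/idp/cert/server.crt and saml.ini whenever the certificate is regenerated, since certFingerprint is what the SP uses to verify the IdP's signatures.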
IMPORTANT
Because of a particularity of SimpleSAMLphp, if both the IdP and the SP are implemented with SimpleSAMLphp they MUST be on different hosts; otherwise the behaviour is undefined. Here is the link to the SimpleSAMLphp documentation: https://simplesamlphp.org/docs/stable/simplesamlphp-idp#section_9_1. One way around this problem is to define a virtual host for the IdP (instead of an alias).