SimpleSAMLphp integration

From Wiki @ Karl Jones dot com

SimpleSAMLphp integration is the integration of SimpleSAMLphp with some other system.

See also SimpleSAMLphp installation.

SimpleSAMLphp Implementation Tutorial

SimpleSAMLphp is an open-source application that implements SAML 2.0 and Shibboleth 1.3 Single Sign-On (SSO). Third-party applications that require SSO integration with SAML 2.0 or Shibboleth 1.3 may use SimpleSAMLphp to simplify the integration process. SimpleSAMLphp offers an administrative interface to convert SAML metadata, and also provides a link to test and integrate with other Identity Providers and Service Providers. SimpleSAMLphp also offers a programming API which makes it easier for third-party applications to implement Single Sign-On.

Here is a code snippet that uses SimpleSAMLphp APIs to implement SSO functionality.

<?php
$lib = "/var/simplesamlphp";
$sp = "wte-sp";  // Name of the SP authentication source defined in config/authsources.php

try {
    // Autoload SimpleSAMLphp classes.
    if (!file_exists("{$lib}/_autoload.php")) {
        throw new Exception("SimpleSAMLphp lib loader file does not exist: " .
            "{$lib}/_autoload.php");
    }

    include_once("{$lib}/_autoload.php");
    $as = new SimpleSAML_Auth_Simple($sp);

    // Send the user to the IdP if there is no session yet. requireAuth()
    // redirects and exits, so it only returns once the user is authenticated.
    $as->requireAuth();
    $valid_saml_session = $as->isAuthenticated();

} catch (Exception $e) {
    // SimpleSAMLphp is not configured correctly.
    throw new Exception("SSO authentication failed: " . $e->getMessage());
}

if (!$valid_saml_session) {
    // No valid session. Redirect the user to the Identity Provider.
    try {
        $as = new SimpleSAML_Auth_Simple($sp);
        $as->requireAuth();
    } catch (Exception $e) {
        // SimpleSAMLphp is not configured correctly.
        throw new Exception("SSO authentication failed: " . $e->getMessage());
    }
}

// At this point, the user is authenticated by the Identity Provider and has access
// to the attributes received with the SAML assertion.
$attributes = $as->getAttributes();

// The print_r output of $as->getAttributes() looks something like this:
// Array (
//      [first_name] => Array ( [0] => John )
//      [last_name] => Array ( [0] => Doe )
//      [email] => Array ( [0] => john.doe@webtrafficexchange.com )
// )

// Every attribute is an array of values; guard against the IdP not releasing one
// instead of reading index [0] blindly.
$firstname = isset($attributes['first_name'][0]) ? $attributes['first_name'][0] : null;
$lastName  = isset($attributes['last_name'][0]) ? $attributes['last_name'][0] : null;
$email     = isset($attributes['email'][0]) ? $attributes['email'][0] : null;

// Do something with assertion data.
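The snippet above reads `[0]` of each attribute and trusts whatever arrives. The following is an added example, not code from the page or from SimpleSAMLphp, showing how an SP can validate the array returned by getAttributes() before using it: every required attribute must be present with exactly one non-empty value, and the email must parse. The attribute names follow the page's sample; the input array is constructed.

```php
<?php
// Added example (not from the original page): validate the attribute array
// returned by SimpleSAML_Auth_Simple::getAttributes() before trusting it.

/**
 * Return a flat name => value array for $required, or throw if the assertion
 * does not carry exactly one non-empty string for each of them.
 */
function extractRequiredAttributes(array $attributes, array $required)
{
    $out = array();
    foreach ($required as $name) {
        // Missing key: the IdP did not release this attribute at all.
        if (!isset($attributes[$name]) || !is_array($attributes[$name])) {
            throw new RuntimeException("Required SAML attribute missing: {$name}");
        }
        $values = array_values(array_filter($attributes[$name], function ($v) {
            return is_string($v) && trim($v) !== '';
        }));
        // Refuse multi-valued attributes: silently taking [0] would let the
        // IdP (or a misconfigured mapping) decide which identity the app sees.
        if (count($values) !== 1) {
            throw new RuntimeException("Expected one value for {$name}, got " . count($values));
        }
        $out[$name] = trim($values[0]);
    }
    if (isset($out['email']) && filter_var($out['email'], FILTER_VALIDATE_EMAIL) === false) {
        throw new RuntimeException('Asserted email address is malformed');
    }
    return $out;
}

// Constructed sample matching the print_r shape shown on the page.
$sample = array(
    'first_name' => array('John'),
    'last_name'  => array('Doe'),
    'email'      => array('john.doe@example.org'),
);
$user = extractRequiredAttributes($sample, array('first_name', 'last_name', 'email'));
printf("%s %s <%s>\n", $user['first_name'], $user['last_name'], $user['email']);

// An empty attribute is rejected instead of producing an undefined-index notice.
try {
    extractRequiredAttributes(array('email' => array()), array('email'));
} catch (RuntimeException $e) {
    echo 'Rejected: ', $e->getMessage(), "\n";
}
```

Run it with the PHP CLI; in the real SP, pass the result of `$as->getAttributes()` in place of `$sample`.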

simpleSAMLphp modules

Third-party modules

SimpleSAMLphp contains an Extension API, allowing third-party modules to extend some parts of SimpleSAMLphp. Some of the most important extension points of SimpleSAMLphp include:

  • Authentication Modules allow you to implement your own authentication method, such as PKI-based, using a proprietary user data source, or any other kind of authentication mechanism.
  • Authentication Processing Filters allow any kind of processing right after authentication has taken place.
  • Themes allow you to customize the look of any page served by SimpleSAMLphp. You can change only the CSS, headers, footers, or you can modify the look of any particular page.
  • Modules allow you to extend SimpleSAMLphp with any new identity protocols, pages, registry systems or anything you'd like.
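As an added example of the Authentication Processing Filter extension point (not a filter shipped with SimpleSAMLphp), the class below admits a login only when a configured attribute carries one of a set of allowed values and denies otherwise. The module name "mymodule", the filter name "RequireValue" and the config keys 'attribute' and 'allowed' are hypothetical; the base class, constructor signature and process() hook are the SimpleSAMLphp 1.x filter API, and the class is assumed to be loaded by SimpleSAMLphp's module autoloader.

```php
<?php
// Added example: an authproc filter for SimpleSAMLphp 1.x (hypothetical module
// "mymodule"). File path: modules/mymodule/lib/Auth/Process/RequireValue.php
//
// Constructed authproc entry referencing it, e.g. in an SP's authsources.php:
//   'authproc' => array(
//       50 => array(
//           'class'     => 'mymodule:RequireValue',
//           'attribute' => 'eduPersonAffiliation',
//           'allowed'   => array('staff', 'faculty'),
//       ),
//   ),
class sspmod_mymodule_Auth_Process_RequireValue extends SimpleSAML_Auth_ProcessingFilter
{
    /** @var string attribute name to inspect */
    private $attribute;

    /** @var string[] values that grant access */
    private $allowed;

    public function __construct($config, $reserved)
    {
        parent::__construct($config, $reserved);
        // Fail at configuration time, not at first login, if the filter is incomplete.
        if (empty($config['attribute']) || empty($config['allowed']) || !is_array($config['allowed'])) {
            throw new SimpleSAML_Error_Exception('RequireValue: "attribute" and "allowed" must be set');
        }
        $this->attribute = (string) $config['attribute'];
        $this->allowed   = array_map('strval', $config['allowed']);
    }

    /**
     * Called right after authentication, before the application sees the session.
     * $request['Attributes'] holds the assertion attributes as name => string[].
     */
    public function process(&$request)
    {
        $values = isset($request['Attributes'][$this->attribute])
            ? (array) $request['Attributes'][$this->attribute]
            : array();
        // Deny by default: an absent attribute never matches.
        foreach ($values as $value) {
            if (in_array((string) $value, $this->allowed, true)) {
                return; // access granted; the next filter in the chain runs
            }
        }
        SimpleSAML_Logger::warning('RequireValue: denying login, ' . $this->attribute . ' not in allowed set');
        throw new SimpleSAML_Error_Exception('Access denied: required attribute value not present');
    }
}
```

The module directory also needs an enable marker (an empty `default-enable` or `enable` file in `modules/mymodule/`) before SimpleSAMLphp 1.x will load the class.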

SimpleSAMLphp comes with a number of modules, authentication modules and processing filters that you may use, or use as a base for customizing SimpleSAMLphp to fit your specific needs. It also provides:

  • an abstract data store API, allowing alternative ways of storing data
  • an abstraction layer of metadata handling, allowing alternative implementations of metadata consumption
  • multiple session handlers: you can use the session handling built into PHP, or use memcache
  • multiple handlers for logging: you can choose between syslog and a normal file logger

Apart from the modules that ship by default with SimpleSAMLphp, there are plenty of modules that third-party developers make available to cover specific features. Here we provide a (non-exhaustive) list of the modules available:

How to install third-party modules

SimpleSAMLphp makes use of Composer (https://getcomposer.org/) to manage dependencies and third-party modules. Those modules that have been properly configured can be easily installed with Composer. Just execute the following command:

    composer.phar require vendor/simplesamlphp-module-mymodule version

where vendor is the name of the vendor of the module, mymodule is the name of the module itself and version is the version of the module you want to install, for example, 1.0.

Please note that if you don't have console access to your web server, you will need to deploy the module somewhere else and then copy the files to your server.

A-Select

This module allows you to use A-Select (or any service that understands the A-Select 1.5 protocol) to authenticate users in SimpleSAMLphp.

See the website (https://non-gnu.uvt.nl/simplesamlphp-aselect/) for more information on how to download and install it.

Attribute Authority

This module provides back-end SAML Attribute Authority functionality.

Attribute Aggregator

The Attribute Aggregator module is implemented as an Authentication Processing Filter (http://www.famine.vm/docs/stable/simplesamlphp-authproc). It can be configured in the SP's config.php file.

It is recommended to run the Attribute Aggregator module at the SP and configure the filter to run after the federated identity, usually eduPersonPrincipalName, is resolved.

Autotest

This module provides an interface to do automatic testing of authentication sources.

Consent Simple Admin

A SimpleSAMLphp module implementing a very simple user interface for managing consent.

DiscoJuice

A SimpleSAMLphp module to provide a very flexible User Interface implementing an IdP Discovery Service. See the web page (http://discojuice.org) for more information.

InfoCard

This is a SimpleSAMLphp module that works with Information Cards technologies and provides some basic functionalities:

  • RP: acting as a Relying Party, you can accept user authentication through InfoCards consuming tokens sent by an STS.

  • STS: acting as a Secure Token Service you can provide information to a RP generating tokens. Currently, only user password and self issued credentials are supported.

  • InfoCard Generator: your users could request their InfoCard filling a form with their username and password.

  • Package name: simplesamlphp/simplesamlphp-module-infocard

  • Repository: https://github.com/simplesamlphp/simplesamlphp-module-infocard

Kerberos

Kerberos 5 authentication module for SimpleSAMLphp.

Logpeek

This module provides a web API that you can use to search for all log lines corresponding to a specific session identifier.

Metadata aggregator

This module aggregates a set of SAML entities into SAML 2.0 metadata documents. The resulting metadata documents contain an EntitiesDescriptor element with the multiple entities configured as sources inside. Multiple aggregates can be configured at the same time.

Please note that this module has been deprecated in favour of the more recent Aggregator2 module (https://github.com/simplesamlphp/simplesamlphp-module-aggregator2).

Metadata aggregator 2

This is a module for metadata aggregation. It is designed to preserve most of the common metadata items, and it also attempts to preserve unknown elements. It parses and rebuilds metadata sources, so small differences between them and the generated metadata may occur.

Please note that this aggregator works only with XML metadata, and does its work independently of other parts of SimpleSAMLphp, such as the metarefresh module.

Metaedit

This module allows you to do very basic editing of metadata (AssertionConsumerService, SingleLogoutService, name and description), as well as manually registering metadata for service providers.

Modinfo

A very straightforward module for SimpleSAMLphp that displays the list of modules and their status in the web interface.

OAuth2

A module adding support for the OAuth2 protocol (http://oauth.net/2/).

OpenID Consumer

A module adding support for the OpenID protocol as a Consumer.

OpenID Provider

A module adding support for the OpenID protocol as an Identity Provider.

PAPI

This authentication module makes use of an external library, phpPoA (https://forja.rediris.es/projects/phppoa/), in order to authenticate users by means of the PAPI protocol. It can therefore be used to bridge between protocols, behaving like a PAPI Point of Access or as a Service Provider.

SAML 2.0 Debugger

This module allows you to debug SAML 2.0 messages by decoding or encoding them according to the binding they are using, supporting both the HTTP-Redirect and HTTP-POST bindings.

Selfregister

A module that allows registration of user accounts. The original version was developed by UNINETT and supported LDAP as a backend. This fork adds support for SQL databases as the back-end.

VOOT Groups

A module to fetch group memberships from an API service protected with OAuth 2.0 using the VOOT protocol and add them to the list of attributes received from the identity provider.

Extending SimpleSAMLphp

If you plan to extend SimpleSAMLphp with some functionality, we advise you to follow these recommendations:

  1. Check the existing functionalities and modules. The feature you want to implement may already exist.

  2. Try to code with the PHP PSR-2 guidelines (http://www.php-fig.org/psr/psr-2/) in mind.

  3. Make sure your module is installable through composer (https://github.com/simplesamlphp/composer-module-installer).

  4. Let us know about your module so we can reference it in this web site, so that our users can easily find it.