Difference between revisions of "SimpleSAMLphp integration"
Revision as of 06:44, 14 October 2015
SimpleSAMLphp integration is the integration of SimpleSAMLphp with some other system.
See also SimpleSAMLphp installation.
SimpleSAMLphp Implementation Tutorial
SimpleSAMLphp is an open-source application that implements SAML 2.0 and Shibboleth 1.3 Single Sign-On (SSO). Third-party applications that require SSO integration with SAML 2.0 or Shibboleth 1.3 may use SimpleSAMLphp to simplify the integration process. SimpleSAMLphp offers an administrative interface to convert SAML metadata, and also provides a link to test and integrate with other Identity Providers and Service Providers. SimpleSAMLphp also offers a programming API which makes it easier for third-party applications to implement Single Sign-On.
Here is a code snippet that uses SimpleSAMLphp APIs to implement SSO functionality.
```php
<?php
$lib = "/var/simplesamlphp";
$sp  = "wte-sp"; // Name of the SP defined in config/authsources.php

try {
    // Autoload the SimpleSAMLphp classes.
    if (!file_exists("{$lib}/_autoload.php")) {
        throw new Exception("simpleSAMLphp lib loader file does not exist: {$lib}/_autoload.php");
    }
    include_once("{$lib}/_autoload.php");

    $as = new SimpleSAML_Auth_Simple($sp);

    // Take the user to the IdP and authenticate. requireAuth() redirects to the
    // IdP (and exits) when there is no valid session, so it only returns once
    // the user has been authenticated.
    $as->requireAuth();
    $valid_saml_session = $as->isAuthenticated();
} catch (Exception $e) {
    // SimpleSAMLphp is not configured correctly.
    throw new Exception("SSO authentication failed: " . $e->getMessage());
}

if (!$valid_saml_session) {
    // No valid session. Redirect the user to the Identity Provider.
    try {
        $as = new SimpleSAML_Auth_Simple($sp);
        $as->requireAuth();
    } catch (Exception $e) {
        // SimpleSAMLphp is not configured correctly.
        throw new Exception("SSO authentication failed: " . $e->getMessage());
    }
}

// At this point the user is authenticated by the Identity Provider and has
// access to the attributes received with the SAML assertion.
$attributes = $as->getAttributes();

// print_r($attributes) looks something like this:
// Array (
//     [first_name] => Array ( [0] => John )
//     [last_name]  => Array ( [0] => Doe )
//     [email]      => Array ( [0] => john.doe@webtrafficexchange.com )
// )
$firstName = $attributes['first_name'][0];
$lastName  = $attributes['last_name'][0];
$email     = $attributes['email'][0];

// Do something with the assertion data.
```
simpleSAMLphp modules
Third-party modules
SimpleSAMLphp contains an Extension API, allowing third-party modules to extend some parts of SimpleSAMLphp. Some of the most important extension points of SimpleSAMLphp include:
- Authentication Modules allow you to implement your own authentication method, such as PKI-based, using a proprietary user data source, or any other kind of authentication mechanism.
- Authentication Processing Filters allow any kind of processing right after authentication has taken place.
- Themes allow you to customize the look of any page served by SimpleSAMLphp. You can change only the CSS, headers, footers, or you can modify the look of any particular page.
- Modules allow you to extend SimpleSAMLphp with any new identity protocols, pages, registry systems or anything you'd like.
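The following is an added example, not code from this page or from the SimpleSAMLphp project, of an Authentication Processing Filter written against the SimpleSAMLphp 1.x extension API (the same generation as the SimpleSAML_Auth_Simple class used in the tutorial snippet above). It also addresses the tutorial's unchecked reads of `$attributes['email'][0]`: the filter rejects a login whose assertion lacks a required attribute, carries more than one value for it, or carries an empty value, so the application only ever sees a fully populated identity. The module name `reqattrs`, the class name, the configuration key `required` and the authproc priority `50` are assumptions of this example.

```php
<?php
// Added example, not part of the original page or of SimpleSAMLphp itself.
// File: modules/reqattrs/lib/Auth/Process/RequireAttributes.php (module name "reqattrs" is assumed).
// Assumes the SimpleSAMLphp 1.x extension API: authproc filters extend
// SimpleSAML_Auth_ProcessingFilter and implement process(&$request), where
// $request['Attributes'] maps attribute names to arrays of string values.
class sspmod_reqattrs_Auth_Process_RequireAttributes extends SimpleSAML_Auth_ProcessingFilter
{
    /** @var string[] attribute names that must be present exactly once */
    private $required = array();

    public function __construct($config, $reserved)
    {
        parent::__construct($config, $reserved);
        if (!isset($config['required']) || !is_array($config['required'])) {
            throw new SimpleSAML_Error_Exception('reqattrs: "required" must be an array of attribute names');
        }
        $this->required = array_values($config['required']);
    }

    /**
     * Reject the login unless every required attribute arrived exactly once and
     * non-empty. Failing closed here means the application never sees a
     * half-populated identity and never dereferences a missing [0] element.
     */
    public function process(&$request)
    {
        $attrs = isset($request['Attributes']) ? $request['Attributes'] : array();
        $problems = self::check($attrs, $this->required);
        if (!empty($problems)) {
            SimpleSAML_Logger::warning('reqattrs: rejecting login: ' . implode('; ', $problems));
            throw new SimpleSAML_Error_Exception('Required attributes missing: ' . implode('; ', $problems));
        }
    }

    /** Pure check, kept separate so it can be unit-tested without a running SimpleSAMLphp. */
    public static function check(array $attrs, array $required)
    {
        $problems = array();
        foreach ($required as $name) {
            if (!isset($attrs[$name]) || !is_array($attrs[$name]) || count($attrs[$name]) === 0) {
                $problems[] = "$name is missing";
            } elseif (count($attrs[$name]) !== 1) {
                $problems[] = "$name is multi-valued (" . count($attrs[$name]) . " values)";
            } elseif (trim((string) $attrs[$name][0]) === '') {
                $problems[] = "$name is empty";
            }
        }
        return $problems;
    }
}

// Enable the filter on the SP in config/authsources.php (or in the SP's
// metadata) with an 'authproc' entry. The priority 50 is an assumed position;
// the filter should run after any filter that produces the attributes it checks:
//
// 'authproc' => array(
//     50 => array(
//         'class'    => 'reqattrs:RequireAttributes',
//         'required' => array('eduPersonPrincipalName', 'mail'),
//     ),
// ),
```

Because `check()` is static and free of SimpleSAMLphp dependencies, it can be exercised with a constructed attribute array (for instance `array('mail' => array('a@example.org', 'b@example.org'))` yields the single problem `mail is multi-valued (2 values)`) before the module is deployed.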
SimpleSAMLphp comes with a number of modules, authentication modules and processing filters that you may use, or use as a base for customizing SimpleSAMLphp to fit your specific needs. It also provides:
- an abstract data store API, allowing alternative ways of storing data
- an abstraction layer of metadata handling, allowing alternative implementations of metadata consumption
- multiple session handlers: you can use the session handling built into PHP, or use memcache
- multiple handlers for logging: you can choose between syslog and a normal file logger
Apart from the modules that ship by default with SimpleSAMLphp, there are plenty of modules that third-party developers make available to cover specific features. Here we provide a (non-exhaustive) list of the modules available:
How to install third-party modules
SimpleSAMLphp makes use of Composer (https://getcomposer.org/) to manage dependencies and third-party modules. Modules that have been properly configured can be easily installed with Composer. Just execute the following command:
<code>composer.phar require vendor/simplesamlphp-module-mymodule version</code>
where vendor is the name of the vendor of the module, mymodule is the name of the module itself and version is the version of the module you want to install, for example, 1.0.
Please note that if you don't have console access to your web server, you will need to deploy the module somewhere else and then copy the files to your server.
A-Select
This module allows you to use A-Select (or any service that understands the A-Select 1.5 protocol) to authenticate users in SimpleSAMLphp.
See the website (https://non-gnu.uvt.nl/simplesamlphp-aselect/) for more information on how to download and install it.
Attribute Authority
This module provides back-end SAML Attribute Authority functionality.
- Package name: NIIF/simplesamlphp-module-aa
- Repository: https://github.com/NIIF/simplesamlphp-module-aa
Attribute Aggregator
The Attribute Aggregator module is implemented as an Authentication Processing Filter (http://www.famine.vm/docs/stable/simplesamlphp-authproc). It can be configured in the SP's config.php file.
It is recommended to run the Attribute Aggregator module at the SP and configure the filter to run after the federated identity, usually eduPersonPrincipalName, is resolved.
- Package name: NIIF/simplesamlphp-module-attributeaggregator
- Repository: https://github.com/NIIF/simplesamlphp-module-attributeaggregator
Autotest
This module provides an interface to do automatic testing of authentication sources.
- Package name: simplesamlphp/simplesamlphp-module-autotest
- Repository: https://github.com/simplesamlphp/simplesamlphp-module-autotest
Consent Simple Admin
A SimpleSAMLphp module implementing a very simple user interface for managing consent.
- Package name: simplesamlphp/simplesamlphp-module-consentsimpleadmin
- Repository: https://github.com/simplesamlphp/simplesamlphp-module-consentsimpleadmin
DiscoJuice
A SimpleSAMLphp module to provide a very flexible User Interface implementing an IdP Discovery Service. See the web page (http://discojuice.org) for more information.
- Package name: simplesamlphp/simplesamlphp-module-discojuice
- Repository: https://github.com/simplesamlphp/simplesamlphp-module-discojuice
InfoCard
This is a SimpleSAMLphp module that works with Information Cards technologies and provides some basic functionalities:
- RP: acting as a Relying Party, you can accept user authentication through InfoCards, consuming tokens sent by an STS.
- STS: acting as a Secure Token Service, you can provide information to an RP by generating tokens. Currently, only user-password and self-issued credentials are supported.
- InfoCard Generator: your users can request their InfoCard by filling in a form with their username and password.
- Package name: simplesamlphp/simplesamlphp-module-infocard
- Repository: https://github.com/simplesamlphp/simplesamlphp-module-infocard
Kerberos
Kerberos 5 authentication module for SimpleSAMLphp.
- Package name: ualberta-iapps/simplesamlphp-module-kerberos
- Repository: https://github.com/ualberta-iapps/simplesamlphp-module-kerberos
Logpeek
This module provides a web API that you can use to search for all the lines in the logs corresponding to a specific session identifier.
- Package name: simplesamlphp/simplesamlphp-module-logpeek
- Repository: https://github.com/simplesamlphp/simplesamlphp-module-logpeek
Metadata aggregator
This module aggregates a set of SAML entities into SAML 2.0 metadata documents. The resulting metadata documents contain an EntitiesDescriptor element with the multiple entities configured as sources inside. Multiple aggregates can be configured at the same time.
Please note that this module has been deprecated in favour of the more recent Aggregator2 module (https://github.com/simplesamlphp/simplesamlphp-module-aggregator2).
- Package name: simplesamlphp/simplesamlphp-module-aggregator
- Repository: https://github.com/simplesamlphp/simplesamlphp-module-aggregator
Metadata aggregator 2
This is a module for metadata aggregation. It is designed to preserve most of the common metadata items, and it also attempts to preserve unknown elements. It parses and rebuilds metadata sources, so small differences between them and the generated metadata may occur.
Please note that this aggregator works only with XML metadata, and does its work independently of other parts of SimpleSAMLphp, such as the metarefresh module.
- Package name: simplesamlphp/simplesamlphp-module-aggregator2
- Repository: https://github.com/simplesamlphp/simplesamlphp-module-aggregator2
Metaedit
This module allows you to do very basic editing of metadata (AssertionConsumerService, SingleLogoutService, name and description), as well as manually registering metadata for service providers.
- Package name: simplesamlphp/simplesamlphp-module-metaedit
- Repository: https://github.com/simplesamlphp/simplesamlphp-module-metaedit
Modinfo
A very straightforward module for SimpleSAMLphp that displays the list of modules and their status in the web interface.
- Package name: simplesamlphp/simplesamlphp-module-modinfo
- Repository: https://github.com/simplesamlphp/simplesamlphp-module-modinfo
OAuth2
A module adding support for the OAuth2 protocol (http://oauth.net/2/).
- Package name: sgomez/simplesamlphp-module-oauth2
- Repository: https://github.com/sgomez/simplesamlphp-module-oauth2
OpenID Consumer
A module adding support for the OpenID protocol as a Consumer.
- Package name: simplesamlphp/simplesamlphp-module-openid
- Repository: https://github.com/simplesamlphp/simplesamlphp-module-openid
OpenID Provider
A module adding support for the OpenID protocol as an Identity Provider.
- Package name: simplesamlphp/simplesamlphp-module-openidprovider
- Repository: https://github.com/simplesamlphp/simplesamlphp-module-openidprovider
PAPI
This authentication module makes use of an external library, phpPoA (https://forja.rediris.es/projects/phppoa/), in order to authenticate users by means of the PAPI protocol. It can therefore be used to bridge between protocols, behaving like a PAPI Point of Access or as a Service Provider.
- Package name: rediris-es/simplesamlphp-module-papi
- Repository: https://github.com/rediris-es/simplesamlphp-module-papi
SAML 2.0 Debugger
This module allows you to debug SAML 2.0 messages by decoding or encoding them according to the binding they are using, supporting both the HTTP-Redirect and HTTP-POST bindings.
- Package name: simplesamlphp/simplesamlphp-module-saml2debug
- Repository: https://github.com/simplesamlphp/simplesamlphp-module-saml2debug
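As an added example (not code from this page or from the saml2debug module), the following PHP shows the two encodings such a debugger has to undo: the HTTP-Redirect binding wraps the XML in raw DEFLATE, then base64, then URL-encoding, whereas the HTTP-POST binding uses base64 alone. The AuthnRequest in `$sampleXml` is constructed for illustration, and the function names are this example's own.

```php
<?php
// Added example, not code from the page or from the saml2debug module.
// $sampleXml is a constructed, minimal AuthnRequest used only for illustration.

// --- HTTP-Redirect binding ---------------------------------------------------
function saml_redirect_encode($xml) {
    // gzdeflate() yields raw DEFLATE (no zlib/gzip header), which the binding requires.
    return urlencode(base64_encode(gzdeflate($xml)));
}

// $value is the query parameter as PHP already delivers it in $_GET, i.e.
// URL-decoded once. Do not urldecode() it again: a '+' inside the base64
// would turn into a space and the decode would fail.
function saml_redirect_decode($value) {
    $raw = base64_decode($value, true);              // strict mode rejects non-base64 input
    if ($raw === false) {
        throw new InvalidArgumentException('SAMLRequest/SAMLResponse is not valid base64');
    }
    $xml = @gzinflate($raw);                         // raw DEFLATE, matching gzdeflate()
    if ($xml === false) {
        throw new InvalidArgumentException('payload is not valid DEFLATE data');
    }
    return $xml;
}

// --- HTTP-POST binding -------------------------------------------------------
function saml_post_encode($xml) {
    return base64_encode($xml);
}

function saml_post_decode($value) {
    $xml = base64_decode($value, true);
    if ($xml === false) {
        throw new InvalidArgumentException('SAMLRequest/SAMLResponse is not valid base64');
    }
    return $xml;
}

// Decode a captured parameter for inspection and report which binding it used.
// This only makes the message readable; it verifies nothing. Under HTTP-Redirect
// the XML itself carries no signature (a signature, if present, is a separate
// query parameter covering the query string), so a decoded message must never
// be treated as authenticated just because it parsed.
function saml_inspect($value) {
    try {
        return array('binding' => 'HTTP-Redirect', 'xml' => saml_redirect_decode($value));
    } catch (InvalidArgumentException $e) {
        return array('binding' => 'HTTP-POST', 'xml' => saml_post_decode($value));
    }
}

// Local name of the root element (AuthnRequest, Response, LogoutRequest, ...).
// LIBXML_NONET stops libxml from fetching anything the document references.
function saml_root_element($xml) {
    $doc = new DOMDocument();
    if (!@$doc->loadXML($xml, LIBXML_NONET) || $doc->documentElement === null) {
        throw new InvalidArgumentException('decoded payload is not well-formed XML');
    }
    return $doc->documentElement->localName;
}

$sampleXml = '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"'
    . ' ID="_constructed-example-1" Version="2.0" IssueInstant="2015-10-14T06:44:00Z">'
    . '<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://sp.example.org/</saml:Issuer>'
    . '</samlp:AuthnRequest>';

// Round-trip the message through both bindings and confirm it survives intact.
$redirectParam = saml_redirect_encode($sampleXml);   // what goes after ?SAMLRequest=
$postParam     = saml_post_encode($sampleXml);        // what goes in the hidden form field

foreach (array(urldecode($redirectParam), $postParam) as $captured) {
    $info = saml_inspect($captured);
    printf("%-13s root=%s intact=%s\n", $info['binding'],
        saml_root_element($info['xml']), $info['xml'] === $sampleXml ? 'yes' : 'no');
}
```

The inspection function tries the Redirect decoding first because a POST payload is plain XML after base64 and will not inflate, while a Redirect payload is DEFLATE data and will; that is also why it must be handed the value exactly as `$_GET` presents it rather than the raw query string.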
Selfregister
A module that allows registration of user accounts. The original version was developed by UNINETT and supported LDAP as a backend. This fork adds support for SQL databases as the back-end.
- Package name: geant/simplesamlphp-module-selfregister
- Repository: https://github.com/TERENA/simplesamlphp-module-selfregister
VOOT Groups
A module to fetch group memberships from an API service protected with OAuth 2.0 using the VOOT protocol and add them to the list of attributes received from the identity provider.
- Package name: openconextapps/simplesamlphp-module-vootgroups
- Repository: https://github.com/OpenConextApps/ssp-voot-groups
Extending SimpleSAMLphp
If you plan to extend SimpleSAMLphp with some functionality, we advise you to follow these recommendations:
- Check the existing functionalities and modules. The feature you want to implement may already exist.
- Try to code with the PHP PSR-2 guidelines (http://www.php-fig.org/psr/psr-2/) in mind.
- Make sure your module is installable through Composer (https://github.com/simplesamlphp/composer-module-installer).
- Let us know about your module so we can reference it on this web site, so that our users can easily find it.