Service Provider Setup - achaux/simplesaml GitHub Wiki

Service Provider setup using simpleSAMLphp

The SP is configured by modifying the /var/simplesamlphp/config/authsources.php file. SP configurations are stored in an associative array, and multiple SPs can be configured by adding more key/value pairs to the array. For now I am going to keep it simple and use these default settings:

// An authentication source which can authenticate against both SAML 2.0
// and Shibboleth 1.3 IdPs.
'default-sp' => array(
    'saml:SP',

    // The entity ID of this SP.
    // Can be NULL/unset, in which case an entity ID is generated based on the metadata URL.
    'entityID' => null,

    // The entity ID of the IdP this SP should contact.
    // Can be NULL/unset, in which case the user will be shown a list of available IdPs.
    'idp' => null,

    // The URL to the discovery service.
    // Can be NULL/unset, in which case a builtin discovery service will be used.
    'discoURL' => null,

    // Force the use of SHA-256 since simpleSAMLphp defaults to SHA-1
    'signature.algorithm' => 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256',
),

Create and enable a certificate for the SP

Our IdP will require the SP to provide a certificate so that it can encrypt responses to it. We need to create a self-signed certificate and store the private key and the certificate in the /var/simplesamlphp/cert directory.

mkdir /var/simplesamlphp/cert
cd /var/simplesamlphp/cert

Then create the cert:

openssl req -newkey rsa:2048 -new -x509 -days 3652 -nodes -out saml.crt -keyout saml.pem

Fill in the information asked for at the prompts. When asked for Common Name (e.g. server FQDN or YOUR name), type in localhost.

Now we need to update the /var/simplesamlphp/config/authsources.php file to reflect our new certificate:

...
'default-sp' => array(
    'saml:SP',
    
    // The private key and public certificate for encryption.
    'privatekey' => 'saml.pem',
    'certificate' => 'saml.crt',

    // The entity ID of this SP.
    // Can be NULL/unset, in which case an entity ID is generated based on the metadata URL.
    'entityID' => null,
...

The SP now needs to know about the IdPs that are going to connect to it. Allowed IdPs are configured in the /var/simplesamlphp/metadata/saml20-idp-remote.php file. This file also uses a multidimensional associative array, keyed by the IdP's entity ID:

<?php
/* The IdP's entity ID is used for the array index */
$metadata['http://idp.local'] = array(
    /* Configuration options for the first IdP. */
    'name' => array(
        'en' => 'Test IdP residing at idp.local'
    ),
    'description' => 'The localhost IdP will be set up to log in users and set up new accounts.',
    'icon'                 => '/images/icons/localhost.128.png',
    'SingleSignOnService'  => 'http://idp.local/simplesaml/saml2/idp/SSOService.php',
    'SingleLogoutService'  => 'http://idp.local/simplesaml/saml2/idp/SingleLogoutService.php',
    'certFingerprint'      => 'c9ed4dfb07caf13fc21e0fec1572047eb8a7a4cb',
);

...
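The SP accepts an IdP's signed assertions only when the signing certificate matches the certFingerprint in this file, so that value is what anchors trust in the IdP and should be checked against the certificate the IdP actually serves rather than copied blindly. The following Python is an added example, not part of this wiki or of simpleSAMLphp: it computes a fingerprint the way the certFingerprint option expects it (the SHA-1 of the DER-encoded certificate, written as lowercase hex without colons), accepts the colon-separated form that openssl prints, and audits every certFingerprint entry found in a saml20-idp-remote.php file. The PEM sample, the second IdP entry and the function names are constructed for the example, and extract_fingerprints is a deliberately simple regex parser for the flat array layout shown above.

```python
import base64
import hashlib
import hmac
import re

# Constructed sample: a PEM wrapper whose base64 body decodes to b"abc".
# It is not a real certificate; it only exercises the fingerprint arithmetic.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""

# Constructed excerpt in the layout of saml20-idp-remote.php. The first entry
# uses the fingerprint from the wiki page; the second is invented and written
# in the colon-separated form that `openssl x509 -fingerprint` prints.
SAMPLE_IDP_REMOTE = """<?php
$metadata['http://idp.local'] = array(
    'SingleSignOnService'  => 'http://idp.local/simplesaml/saml2/idp/SSOService.php',
    'certFingerprint'      => 'c9ed4dfb07caf13fc21e0fec1572047eb8a7a4cb',
);
$metadata['http://idp.example.test'] = array(
    'certFingerprint'      => 'A9:99:3E:36:47:06:81:6A:BA:3E:25:71:78:50:C2:6C:9C:D0:D8:9D',
);
"""


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and return the raw DER bytes of the certificate."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if m is None:
        raise ValueError("no CERTIFICATE block found in PEM input")
    body = "".join(m.group(1).split())  # drop line breaks inside the base64 body
    return base64.b64decode(body, validate=True)


def cert_fingerprint(pem: str, algorithm: str = "sha1") -> str:
    """Fingerprint = hash over the DER bytes, as lowercase hex with no separators."""
    return hashlib.new(algorithm, pem_to_der(pem)).hexdigest()


def normalise_fingerprint(fp: str) -> str:
    """Accept 'AB:CD:..' (openssl output) or bare hex and return lowercase hex."""
    return fp.replace(":", "").strip().lower()


def fingerprint_matches(pem: str, configured: str, algorithm: str = "sha1") -> bool:
    """True when the configured fingerprint equals the certificate's fingerprint."""
    expected = normalise_fingerprint(configured)
    if not re.fullmatch(r"[0-9a-f]+", expected):
        return False  # malformed value can never match
    return hmac.compare_digest(cert_fingerprint(pem, algorithm), expected)


def extract_fingerprints(php_source: str) -> dict:
    """Map entity ID -> normalised certFingerprint for each $metadata[...] entry.

    Regex based: it only understands the flat `$metadata['id'] = array(...);`
    layout shown on the page, not arbitrary PHP.
    """
    result = {}
    entry = re.compile(r"\$metadata\['([^']+)'\]\s*=\s*array\((.*?)\n\);", re.S)
    for entity_id, body in entry.findall(php_source):
        m = re.search(r"'certFingerprint'\s*=>\s*'([^']*)'", body)
        if m:
            result[entity_id] = normalise_fingerprint(m.group(1))
    return result


def audit_idp_fingerprints(php_source: str, certs_by_entity: dict) -> dict:
    """Compare each configured fingerprint with the IdP certificate we hold.

    Returns entity ID -> True (match), False (mismatch) or None (no cert given).
    """
    report = {}
    for entity_id, configured in extract_fingerprints(php_source).items():
        pem = certs_by_entity.get(entity_id)
        report[entity_id] = None if pem is None else fingerprint_matches(pem, configured)
    return report


if __name__ == "__main__":
    certs = {"http://idp.local": SAMPLE_PEM, "http://idp.example.test": SAMPLE_PEM}
    for entity_id, ok in audit_idp_fingerprints(SAMPLE_IDP_REMOTE, certs).items():
        print(f"{entity_id}: {'ok' if ok else 'MISMATCH' if ok is False else 'no cert'}")
```

In practice you would feed `audit_idp_fingerprints` the certificate taken from the IdP's own metadata or served over a channel you already trust; a mismatch means the SP would reject that IdP's assertions, or, worse, that the fingerprint was copied from an untrusted source.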