Building:SAML Configuration - cu-uis/cu-starterkit-project GitHub Wiki

While the SimpleSAMLphp library and Drupal module are configured based on Pantheon's requirements, each site must go through the process of adding a cert and metadata configuration generated by the system or campus identity management group.

There is a known issue with CU's Federated Ping authentication and versions of the simpleSAMLphp library later than 1.19.0. Until this is resolved, simpleSAMLphp is pinned to version 1.18.8. If you aren't using the upstream and are configuring simpleSAMLphp following Pantheon's documentation, pin the same version:

```
composer require simplesamlphp/simplesamlphp:1.18.8
```

If you are using the upstream, where the simpleSAMLphp library and symlinks have already been created, or have followed that configuration yourself, the next steps to configure SSO authentication with UIS are:

  1. Contact the system or campus identity management group to start the process of adding your site/application to the Identity Provider (IdP)
  2. You will either be asked to generate a certificate or be given one to place in /private/simplesamlphp/cert
  3. Modify /private/simplesamlphp/metadata/saml20-idp-remote.php with the settings provided by your identity management group. The settings should look something like the following array (the file must begin with an opening `<?php` tag, and every `[REPLACE WITH PROVIDED VALUE]` placeholder must be swapped for the value your identity management group supplies). The simpleSAMLphp library also provides an XML-to-config-array converter utility. To use it, you must change the simpleSAMLphp admin password in config.php: leaving the password at its default keeps the Admin UI disabled, and the converter is only reachable through the Admin UI.

```php
<?php
// Remote IdP metadata consumed by simpleSAMLphp; the array key is the local
// name for this IdP and is referenced by the simplesamlphp_auth module.
$metadata['uispingtst_entity'] = array (
  'entityid' => '[REPLACE WITH PROVIDED VALUE]',
  'contacts' =>
  array (
    0 =>
    array (
      'contactType' => 'administrative',
      'company' => 'University of Colorado System',
      'givenName' => '',
      'surName' => '',
      'emailAddress' =>
      array (
        0 => '[REPLACE WITH PROVIDED VALUE]',
      ),
    ),
  ),
  'metadata-set' => 'saml20-idp-remote',
  // Sign outgoing AuthnRequests with the SP key in /private/simplesamlphp/cert.
  'sign.authnrequest' => true,
  'SingleSignOnService' =>
  array (
    0 =>
    array (
      'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
      'Location' => '[REPLACE WITH PROVIDED VALUE]',
    ),
    1 =>
    array (
      'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
      'Location' => '[REPLACE WITH PROVIDED VALUE]',
    ),
  ),
  'SingleLogoutService' =>
  array (
  ),
  'ArtifactResolutionService' =>
  array (
  ),
  'NameIDFormats' =>
  array (
    0 => 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified',
  ),
  // The IdP's signing certificate (base64 DER, no PEM header/footer or line
  // breaks); simpleSAMLphp uses it to verify the signature on responses.
  'keys' =>
  array (
    0 =>
    array (
      'encryption' => false,
      'signing' => true,
      'type' => 'X509Certificate',
      'X509Certificate' => '[REPLACE WITH PROVIDED VALUE]',
    ),
  ),
);
```
  4. Confirm the site can connect to the IdP using /simplesaml/
  5. If there are no issues, go to /admin/config/people/simplesamlphp_auth and check "Activate authentication via SimpleSAMLphp"
  6. Using Incognito mode or another browser, visit /user and click the "SSO for CU Staff" link

You should be able to authenticate, but the new account will have only the Authenticated User role. Either add roles to this user while logged in as an admin user, or send the user an invite email to join the site with a specific role.