Hi,
On 13 Aug 2018, at 20:45 PM,
bpalko...@gmail.com wrote:
> I am trying to set up an authentication page at work for two different sites so that we can log in at one spot and not have to relog when going between sites. We may be planning on expanding this later but for now we just have two sites.
>
> We have an Active Directory, so far I have gotten the LDAP IdP linked to the Active Directory. It's working and I've tested it on the SAML start page
>
> I am currently trying to link the two sites to my SAML server and I am very lost and confused, I've spent my entire day so far running in circles and haven't actually gotten any work done.
>
> From my limited understanding so far there is the IdP (what I already have set up) and my two SPs that I am trying to get linked to the IdP I have. From the documentation I have read so far there are 4 files I need to be editing:
>
> config/authsources.php - Has my IdP and should also have my SPs
I’m not sure if you are using SimpleSAMLphp for both the IdP and the SPs. In any case, that file is where you define how you authenticate on each of your instances. In the IdP, you should add an LDAP auth source. In the SPs, you should add a SAML auth source.
> metadata/saml20-idp-hosted.php - If the IdP is machine local
> metadata/saml20-idp-remote.php - If the IdP is from a remote location
> metadata/saml20-sp-remote.php - SP is from a remote location, all SPs are remote
>
> What is really confusing me are the saml20 files. I have tried understanding how they work and their relationships to each other and the authsources but the documentation hasn't been very kind in that regard.
The names should be self-explanatory. If you are an IdP, then you are “hosting” it. If you are an SP, then the IdPs are “remote” to you. Same with the SPs: all of them will be “remote” to your IdP.
I think the documentation is pretty explicit. In:
https://simplesamlphp.org/docs/stable/simplesamlphp-sp#section_4
"You will also need to add the metadata of the IdP. Ask them to provide you with their metadata, and parse it using the XML to SimpleSAMLphp metadata converter tool available also in the Federation tab of the web interface. Copy the resulting parsed metadata and paste it with a text editor into the metadata/saml20-idp-remote.php file in your SimpleSAMLphp directory."
For the IdP, on the other hand:
https://simplesamlphp.org/docs/stable/simplesamlphp-idp#section_7
"The identity provider you are configuring needs to know about the service providers you are going to connect to it. This is configured by metadata stored in metadata/saml20-sp-remote.php and metadata/shib13-sp-remote.php."
--
Jaime Pérez
Uninett / Feide
jaime...@uninett.no
jaime...@protonmail.com
9A08 EA20 E062 70B4 616B 43E3 562A FE3A 6293 62C2
"Two roads diverged in a wood, and I, I took the one less traveled by, and that has made all the difference."
- Robert Frost
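The file-by-file layout the reply describes, written out as one added example (this is not code from the thread or from the SimpleSAMLphp project); the hostnames, entity IDs, key file names and the certificate value are assumptions to replace with your own:

```php
<?php
// Added example, not from the thread. Hostnames, entity IDs and the
// certificate placeholder are assumptions; substitute your real values.

// --- On the IdP: config/authsources.php ---------------------------
// The IdP authenticates users against Active Directory over LDAPS.
$config['ad-ldap'] = [
    'ldap:LDAP',
    'hostname'   => 'ldaps://dc1.corp.example',   // assumed domain controller
    'enable_tls' => false,                         // already LDAPS, no STARTTLS
    'dnpattern'  => '%username%@corp.example',     // AD accepts a UPN as bind DN
    'attributes' => ['sAMAccountName', 'mail', 'displayName'],
];

// --- On the IdP: metadata/saml20-idp-hosted.php -------------------
// "Hosted" because this machine *is* the IdP.
$metadata['__DYNAMIC:1__'] = [
    'host'        => '__DEFAULT__',
    'privatekey'  => 'idp.pem',      // assumed file name under cert/
    'certificate' => 'idp.crt',
    'auth'        => 'ad-ldap',      // the auth source defined above
];

// --- On the IdP: metadata/saml20-sp-remote.php --------------------
// One entry per SP. The IdP only issues assertions to SPs listed here,
// so every new site must be added on this side too.
$metadata['https://site1.corp.example/simplesaml/module.php/saml/sp/metadata.php/default-sp'] = [
    'AssertionConsumerService' => 'https://site1.corp.example/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp',
    'SingleLogoutService'      => 'https://site1.corp.example/simplesaml/module.php/saml/sp/saml2-logout.php/default-sp',
];

// --- On each SP: config/authsources.php ---------------------------
// The SP does not talk to LDAP at all; it delegates login to the IdP.
$config['default-sp'] = [
    'saml:SP',
    'entityID' => null,   // null = this SP's own metadata URL
    'idp'      => 'https://idp.corp.example/simplesaml/saml2/idp/metadata.php',
];

// --- On each SP: metadata/saml20-idp-remote.php -------------------
// Key must equal the 'idp' entity ID above. certData pins the IdP
// signing certificate so the SP rejects assertions from anyone else.
$metadata['https://idp.corp.example/simplesaml/saml2/idp/metadata.php'] = [
    'SingleSignOnService' => 'https://idp.corp.example/simplesaml/saml2/idp/SSOService.php',
    'SingleLogoutService' => 'https://idp.corp.example/simplesaml/saml2/idp/SingleLogoutService.php',
    'certData'            => 'IDP_SIGNING_CERT_BASE64_PLACEHOLDER',
];
```

Both sites share the same idp-remote entry and the IdP carries one sp-remote entry per site, which is what lets one login session serve every SP.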