How to integrate my website with simplesamlphp


Ishpreet Kaur

Dec 3, 2015, 8:17:45 AM
to SimpleSAMLphp
I have installed simplesamlphp as described in https://simplesamlphp.org/docs/stable/simplesamlphp-install .

Then I followed link "https://simplesamlphp.org/docs/stable/simplesamlphp-sp" to use simplesaml as a service provider. 

Up to step 5 in the above link, the simplesamlphp site is working correctly.

But it is not clear how to use step 6 in the link to use my website as a service provider.

How to implement simplesamlphp on my website?
  


Jaime Perez Crespo

Dec 3, 2015, 6:25:32 PM
to simple...@googlegroups.com
Hi again,

> On 03 Dec 2015, at 14:17 PM, Ishpreet Kaur <ishpre...@webners.com> wrote:
> I have installed simplesamlphp as described in https://simplesamlphp.org/docs/stable/simplesamlphp-install .
>
> Then I followed link "https://simplesamlphp.org/docs/stable/simplesamlphp-sp" to use simplesaml as a service provider.

That looks closer to what I thought you would want to do. Anyway...

> Upto step 5 in the above link, simplesamlphp site is working correctly.
>
> But It is not clear how to use step 6 in the link to use my website as service provider.

What’s exactly unclear? Without precise questions, I’m afraid we can’t give you any answers...

> How to implement simplesamlphp on my website?

https://simplesamlphp.org/docs/stable/simplesamlphp-sp#section_6

Really. That’s all you need.

SimpleSAMLphp is a PHP library. You install it, read the docs, and use the Application Programming Interface (API) provided by the library in order to, well, use it. No black magic, nothing fancy. If you have a PHP application and want SAML authentication, just use the API in your code. If you don’t know how to do that, I’m afraid this might not be the best solution for you...

--
Jaime Pérez
UNINETT / Feide
mail: jaime...@uninett.no
xmpp: ja...@jabber.uninett.no

"Two roads diverged in a wood, and I, I took the one less traveled by, and that has made all the difference."
- Robert Frost

Ishpreet Kaur

Dec 3, 2015, 11:18:18 PM
to SimpleSAMLphp
Hi Jaime,

Thanks for your reply.

Up to step 5, it is working, because the test site is within the www folder of the simplesamlphp library.

Now, suppose my site is: http://localhost/cakephp

For my site, I added 

'sp1' => array(
    'saml:SP',
    'privatekey' => 'simplesamlphp.pem',
    'certificate' => 'simplesamlphp.crt',
    'entityID' => 'http://localhost/cakephp',
),

in config/authsources.php file.

After that, I added the metadata for sp1 provided on the federation tab of the test site generated at step 5 to the metadata/saml20-sp-remote.php file and even on the https://openidp.feide.no site.

The metadata generated for my site is:

$metadata['http://localhost/cakephp1'] = array (
  'SingleLogoutService' => 
  array (
    0 => 
    array (
      'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
    ),
  ),
  'AssertionConsumerService' => 
  array (
    0 => 
    array (
      'index' => 0,
      'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
    ),
    1 => 
    array (
      'index' => 1,
      'Binding' => 'urn:oasis:names:tc:SAML:1.0:profiles:browser-post',
    ),
    2 => 
    array (
      'index' => 2,
      'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact',
    ),
    3 => 
    array (
      'index' => 3,
      'Binding' => 'urn:oasis:names:tc:SAML:1.0:profiles:artifact-01',
    ),
  ),
  'certData' => '<certificate data omitted>',
);

After adding these configuration settings, I tried step 6 API on my project.

When I open a link of my site, it redirects to "https://openidp.feide.no". The user enters his login credentials. After successful login, my requirement is that the user is redirected to my site and the information is displayed, but the user is redirected to "http://service.local-saml.com/simplesaml/module.php/saml/sp/saml1-acs.php/sp1" with an error message displaying "State Information Lost".

Please help me find where I am wrong, and whether I need more configuration settings in the simplesamlphp plugin for my site to work.

Dick Visser

Dec 4, 2015, 3:22:17 AM
to simplesamlphp
On 4 December 2015 at 05:18, Ishpreet Kaur <ishpre...@webners.com> wrote:
> Hi Jaime,
>
> Thanks for your reply.
>
> Upto step 5, it is working, because test site is within www folder of
> simplesamlphp library.


Are you saying you put a test site inside the www folder of simplesamlphp?


Dick

Ishpreet Kaur

Dec 4, 2015, 3:37:27 AM
to SimpleSAMLphp
Hi Dick,

I have not put my website application in the www folder of simplesamlphp.

I have two separate folders, named cakephp and simplesamlphp. I have given the path of simplesamlphp in my project cakephp for loading the saml files with the autoloader as mentioned in step 6 of "https://simplesamlphp.org/docs/stable/simplesamlphp-sp#section_6".

I was trying to say that up to step 5 is working. Up to step 5 means the saml test site is working as given in the above link, not my project. The saml test site is within the www folder of simplesamlphp.

Ishpreet Kaur

Dec 4, 2015, 3:41:56 AM
to SimpleSAMLphp
Dick, 

Please also check the link "https://groups.google.com/forum/#!topic/simplesamlphp/Jl4CTvKwefQ" if you can. I have mentioned the steps which I have followed. Correct me if I have done something wrong anywhere.

Jaime Perez Crespo

Dec 4, 2015, 6:23:52 AM
to simple...@googlegroups.com
Hi again,

Please see some comments inline:

> On 04 Dec 2015, at 05:18 AM, Ishpreet Kaur <ishpre...@webners.com> wrote:
> Hi Jaime,
>
> Thanks for your reply.
>
> Upto step 5, it is working, because test site is within www folder of simplesamlphp library.
>
> Now, suppose my site is: http://localhost/cakephp.
>
> For my site, I added
>
> 'sp1' => array(
> 'saml:SP',
> 'privatekey' => 'simplesamlphp.pem',
> 'certificate' => 'simplesamlphp.crt',
> 'entityID' => 'http://localhost/cakephp'

Why are you specifying your own entity ID? Why not letting SimpleSAMLphp auto-generate it for you?

> ),
>
> in config/authsources.php file.
>
> After that, I added metadata for sp1 provided on fedaration tab of test site generated at step 5 in metadata/saml20-sp-remote.php file

You are a service provider. *You*. Not anyone else, but you. Why are you then adding your own metadata to a file where you configure *remote* service providers? Remote, of course, means here “not you”.

> and even on https://openidp.feide.no site.
>
> The metadata generated for my site is:

Is this metadata what you get in the federation tab?

> $metadata['http://localhost/cakephp1'] = array (

Note the entity ID (the index in the $metadata array), which *should* be auto generated, points to *localhost*. Also note that this one differs to the one defined in authsources.php. I’m assuming this is a typo.

> 'SingleLogoutService' =>
> array (
> 0 =>
> array (
> 'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
> 'Location' => 'http://service.local-saml.com/simplesaml/module.php/saml/sp/saml2-logout.php/sp1',

Here, and hereafter, all your endpoints point to “service.local-saml.com”. That means your SimpleSAMLphp is configured to be accessible through “service.local-saml.com”, not localhost.

> ),
> ),
> 'AssertionConsumerService' =>
> array (
> 0 =>
> array (
> 'index' => 0,
> 'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
> 'Location' => 'http://service.local-saml.com/simplesaml/module.php/saml/sp/saml2-acs.php/sp1',
> ),
> 1 =>
> array (
> 'index' => 1,
> 'Binding' => 'urn:oasis:names:tc:SAML:1.0:profiles:browser-post',

I really don’t think you need to use SAML 1.1. Actually, you shouldn’t be using it. SAML 2.0 is more than 10 years old now.

> 'Location' => 'http://service.local-saml.com/simplesaml/module.php/saml/sp/saml1-acs.php/sp1',
> ),
> 2 =>
> array (
> 'index' => 2,
> 'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact',

You probably don’t need to use artifacts either.

> After adding these configuration settings, I tried step 6 API on my project.
>
> When I open link of my site,

How do you “open a link of your web site”? Do you go to http://localhost/something?

> it redirected to "https://openidp.feide.no". User enters his login credentials. After successful login, my requirement is that user is redirected to my site and information should be displayed. but user is redirected to "http://service.local-saml.com/simplesaml/module.php/saml/sp/saml1-acs.php/sp1

The user is redirected where you told the IdP he or she should be redirected. Your metadata is telling precisely this: “my assertion consumer service can be reached at service.local-saml.com/blablabla”. So everything is normal up to this point. And by the way, really, do not use SAML 1.

> with error message displaying "State Information Lost”.

Well, if you initiated the process by going to “localhost/something”, localhost is not the same as "service.local-saml.com", right? Therefore, cookies available for “localhost” are not available for “service.local-saml.com”, nor the other way around. Therefore, how are you supposed to recover your state if you initiate login in a different domain than the domain where you are getting the SAML response?
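The step 6 integration for the 'sp1' authsource from this thread, with a check for the cross-host state loss Jaime describes. This is an added example, not code from the thread or from the SimpleSAMLphp project; it assumes SimpleSAMLphp is installed at /var/www/simplesamlphp and that checkSameHost() is a helper written here, not part of the library.

```php
<?php
// Added example (not from the thread or SimpleSAMLphp): protect a page with
// the 'sp1' authsource and refuse to start login when the application and
// the SimpleSAMLphp endpoints live on different hosts.
// Assumed install path; adjust to where simplesamlphp/lib/_autoload.php lives.
require_once '/var/www/simplesamlphp/lib/_autoload.php';

// SimpleSAMLphp keeps the login state in a cookie scoped to its own host.
// If login starts on "localhost" but the AssertionConsumerService is on
// "service.local-saml.com", the browser never sends that cookie to the ACS
// and SimpleSAMLphp reports "State Information Lost". Detect that up front.
function checkSameHost($appHost)
{
    $base = SimpleSAML_Configuration::getInstance()->getString('baseurlpath');
    // parse_url() returns null for a relative baseurlpath such as 'simplesaml/',
    // which means SimpleSAMLphp is served from the same host as the application.
    $sspHost = parse_url($base, PHP_URL_HOST);
    if ($sspHost !== null && strcasecmp($sspHost, $appHost) !== 0) {
        throw new RuntimeException(
            "Application host '$appHost' differs from SimpleSAMLphp host '$sspHost'; "
            . "the login state cookie will not be shared between them."
        );
    }
    return true;
}

// Strip any port so that "localhost:8080" compares as "localhost".
$appHost = strtolower(explode(':', $_SERVER['HTTP_HOST'])[0]);
checkSameHost($appHost);

$as = new SimpleSAML_Auth_Simple('sp1');
// Pin the IdP with the 'saml:idp' parameter; without it SimpleSAMLphp uses the
// authsource's configured IdP or shows its discovery page.
$as->requireAuth(array('saml:idp' => 'https://openidp.feide.no'));

// From here on the user is authenticated; show the released attributes.
header('Content-Type: text/plain; charset=utf-8');
foreach ($as->getAttributes() as $name => $values) {
    echo $name, ': ', implode(', ', $values), "\n";
}
echo "Logout: ", $as->getLogoutURL(), "\n";
```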

Ishpreet Kaur

Dec 7, 2015, 12:02:56 AM
to SimpleSAMLphp
Hi Jaime,

Thanks for your reply.
Do you mean to say that, for my web application, I don't need to follow steps 1 to 5 from the link "https://simplesamlphp.org/docs/stable/simplesamlphp-sp"? Should I start from step 6 of the link "https://simplesamlphp.org/docs/stable/simplesamlphp-sp", i.e. just download simplesamlphp, put the downloaded folder into my web application and, after that, start from step 6 of the link? I don't need to change anything in the authsources.php, config.php, etc. files?

Ishpreet Kaur

Dec 7, 2015, 4:16:54 AM
to SimpleSAMLphp
I want to use simplesamlphp as a library. I have downloaded the simplesamlphp folder and put this folder into my application.

Then I started from step 6 in the link "https://simplesamlphp.org/docs/stable/simplesamlphp-sp". But I am getting the error "Unable to Load Composer Autoloader".

I have checked simplesamlphp/lib/_autoload.php; the following code is written there:

<?php

/**
 * This file is a backwards compatible autoloader for simpleSAMLphp.
 * Loads the Composer autoloader.
 *
 * @author Olav Morken, UNINETT AS.
 * @package simpleSAMLphp
 */

// SSP is loaded as a separate project
if (file_exists(dirname(dirname(__FILE__)) . '/vendor/autoload.php')) {
    require_once dirname(dirname(__FILE__)) . '/vendor/autoload.php';
}
// SSP is loaded as a library.
else if (file_exists(dirname(dirname(__FILE__)) . '/../../autoload.php')) {
    require_once dirname(dirname(__FILE__)) . '/../../autoload.php';
}
else {
    throw new Exception('Unable to load Composer autoloader');
}


According to my understanding, I need the elseif () part to be executed because I am using it as a library. But I am unable to understand which path it requires.


Peter Schober

Dec 7, 2015, 8:02:57 AM
to SimpleSAMLphp
* Ishpreet Kaur <ishpre...@webners.com> [2015-12-07 06:03]:
> Whether you want to say, for my web application, I don't need to follow
> steps 1 to 5 from link "
> https://simplesamlphp.org/docs/stable/simplesamlphp-sp". Whether I should
> start from step 6 from link "
> https://simplesamlphp.org/docs/stable/simplesamlphp-sp"

No. You start at step 1 and do all the steps the documentation says
to do.
-peter

Ishpreet Kaur

Dec 7, 2015, 8:07:09 AM
to simple...@googlegroups.com
Hi,

Can I use it as a library? Do all the steps mean simplesamlphp should be used as an application?
I just want to confirm: is SimpleSAMLphp a library or an application?

Thanks and Regards
Ishpreet Kaur
Software Engineer - Webner Solutions pvt. ltd.


Peter Schober

Dec 7, 2015, 8:59:27 AM
to simple...@googlegroups.com
* Ishpreet Kaur <ishpre...@webners.com> [2015-12-07 14:07]:
> Can I use it as a Library? All the steps means *simplesamlphp* should be
> used as a Application?
> Just want to confirm SimpleSamlPhp is a library or application?

Not sure how meaningful that distinction is, but SSP has endpoints
(HTTP resources) that will need to be reachable and be mapped to its
own code, so maybe more of an application in your view.

Either way, you can't use the code (and expect it to work) without
properly installing and configuring it.

Any steps to make the "application" look/work more like a "library"
are then additional changes you're free to make.
-peter

Ishpreet Kaur

Dec 7, 2015, 12:04:41 PM
to SimpleSAMLphp, peter....@univie.ac.at
Hi Peter,

I want to ask about the file /lib/_autoload.php in simplesamlphp.

In this file, the following lines of code have been written:

<?php

// SSP is loaded as a separate project
if (file_exists(dirname(dirname(__FILE__)) . '/vendor/autoload.php')) {
    require_once dirname(dirname(__FILE__)) . '/vendor/autoload.php';
}
// SSP is loaded as a library.
else if (file_exists(dirname(dirname(__FILE__)) . '/../../autoload.php')) {
    require_once dirname(dirname(__FILE__)) . '/../../autoload.php';
}
else {
    throw new Exception('Unable to load Composer autoloader');
}


Please see the elseif part of the code. I want to know what the purpose of the elseif part is here, since the comment says "SSP is loaded as a library".

The if part is used when SSP is used as a separate application, and a lot of documentation is available regarding using SSP as a separate application.
What is the purpose of the elseif part here? Is there no way to use simplesamlphp as a library?

Jaime Perez Crespo

Dec 7, 2015, 7:11:43 PM
to simple...@googlegroups.com
Hi,

> On 07 Dec 2015, at 18:04, Ishpreet Kaur <ishpre...@webners.com> wrote:
> I want to ask about the file /lib/_autoload.php in simplesamlphp.

No, please, stop. Stop digging into the code because that will only make you waste your time. If you don't understand the most basic things here there's no point in discussing code that works as expected. The file you are mentioning doesn't do what you think it does.

SimpleSAMLphp can be seen as an application if you are an IdP or a library if you are an SP. If you want to protect your application, you are an SP and SSP is then a library. Period. The way you install it has nothing to do with this.

Regardless of whether you use SSP as a library or not, you need to install and configure it. That's not optional. You cannot skip any parts described in the documentation as you like.

Please follow the documentation step by step. If you have specific questions, do not hesitate to ask.

Ishpreet Kaur

Dec 7, 2015, 11:12:07 PM
to SimpleSAMLphp
Hi Jaime,

Thanks for making the difference between application and library clear to me.

Ishpreet Kaur

Dec 10, 2015, 5:38:15 AM
to SimpleSAMLphp
Hi Jaime and Peter,

Thanks for responding to me on time.

I have configured simplesamlphp as you suggested and as per the documentation. It's working.

Currently, simplesamlphp reads the identity provider metadata from the file /metadata/saml20-idp-remote.php and then redirects to "https://openidp.feide.no" for user authentication.
Now, I want to know if there is any way to pass identity provider metadata as parameters when initiating login, like we pass the "saml:idp" parameter to the login function.
Can we pass identity provider metadata to any function so that we can pass metadata dynamically? Or can we get multiple metadata entries from a database table instead of hard-coding the metadata in the file /metadata/saml20-idp-remote.php?

Any suggestion or idea will be appreciated! 

Peter Schober

Dec 10, 2015, 6:06:03 AM
to SimpleSAMLphp
* Ishpreet Kaur <ishpre...@webners.com> [2015-12-10 11:38]:
> I have configured simplesamlphp as you suggested and as per documentation.
> Its working.

That's great.

> Currently, the simplesamlphp checks the identity provider metadata from
> file */metadata/saml20-idp-remote.php* and then redirects to
> "https://openidp.feide.no" for user authentication.
> Now, I want to know if there is any way to get identity provider metadata
> in parameters during initiating login like we pass "saml:idp" parameter in
> login function.
> Can we pass identity provider metadata in any function so that we can pass
> metadata dynamically? Or we get multiple metadata from database table
> instead of hard-coded writing metadata in file */metadata/saml20-idp-remote.php
> .* ?

Not sure I understand the question.

I use the metarefresh module to populate the metadata/ directory with
metadata files automatically, based on signed SAML Metadata managed
elsewhere and published over the Internet.
Since the SAML standard already defines an interoperable and
machine-readable format for SAML entities (including SAML IDPs) once
you have a method of generating SAML Metadata for the IDPs you need
you can automagically and dynamically convert those to SSP metadata
files, if you want.

But you can generate those metadata files any way you want, there's
no need to produce SAML Metadata first.
E.g. you can configure an additional metadata source in your config/config.php
'metadata.sources' => array(
    array('type' => 'flatfile'),
    array('type' => 'flatfile', 'directory' => 'metadata/YOURmetadata'),
),
and then generate any files there programmatically. SimpleSAMLphp
metadata is just PHP code (arrays of arrays) so use any tooling you
want to generate those. That way you can still keep "hard-coded",
hand-maintained entries in metadata/saml20-idp-remote.php (if you
want) and overwrite stuff in metadata/YOURmetadata/ at will.
-peter
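One way to generate the files for that extra flatfile source programmatically, as Peter suggests, from IdP records held in a database. This is an added example, not code from the thread or from the SimpleSAMLphp project; it assumes an 'idps' table (constructed here in an in-memory SQLite database, so the pdo_sqlite extension is needed) standing in for your real table, and that $outDir matches the 'directory' configured in config.php.

```php
<?php
// Added example (not from the thread or SimpleSAMLphp): write
// metadata/YOURmetadata/saml20-idp-remote.php from database rows.
$outDir = __DIR__ . '/metadata/YOURmetadata';

// Constructed sample data; replace the DSN and table with your real database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE idps (entity_id TEXT, name TEXT, sso_url TEXT, slo_url TEXT, cert_b64 TEXT)');
$db->exec("INSERT INTO idps VALUES ('https://idp.example.org/idp', 'Example IdP',
    'https://idp.example.org/sso', 'https://idp.example.org/slo', 'MIIC...placeholder...')");

$metadata = array();
foreach ($db->query('SELECT * FROM idps') as $row) {
    // These are the keys SimpleSAMLphp expects in saml20-idp-remote.php.
    $metadata[$row['entity_id']] = array(
        'name' => array('en' => $row['name']),
        'SingleSignOnService' => array(array(
            'Binding'  => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
            'Location' => $row['sso_url'],
        )),
        'SingleLogoutService' => array(array(
            'Binding'  => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
            'Location' => $row['slo_url'],
        )),
        // Base64 DER certificate without PEM armour. It is the trust anchor used
        // to verify the IdP's signatures, so the table it comes from must be
        // protected as carefully as the metadata files themselves.
        'certData' => $row['cert_b64'],
    );
}

// var_export() emits properly escaped PHP literals, so values coming from the
// database cannot inject code into the generated file.
$php = "<?php\n// Generated " . date('c') . " from the idps table; do not edit by hand.\n";
foreach ($metadata as $entityId => $entry) {
    $php .= '$metadata[' . var_export($entityId, true) . '] = '
          . var_export($entry, true) . ";\n";
}

if (!is_dir($outDir) && !mkdir($outDir, 0750, true)) {
    throw new RuntimeException("Cannot create $outDir");
}
// Write to a temporary file and rename it into place so SimpleSAMLphp never
// reads a half-written metadata file.
$tmp = $outDir . '/saml20-idp-remote.php.tmp';
file_put_contents($tmp, $php, LOCK_EX);
rename($tmp, $outDir . '/saml20-idp-remote.php');
echo 'Wrote ' . count($metadata) . " IdP entries to $outDir/saml20-idp-remote.php\n";
```

Hand-maintained entries in metadata/saml20-idp-remote.php keep working alongside the generated file, since both directories are listed in 'metadata.sources'.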

Dick Visser

Dec 10, 2015, 1:36:13 PM
to simplesamlphp
On 10 December 2015 at 11:38, Ishpreet Kaur <ishpre...@webners.com> wrote:

> metadata dynamically? Or we get multiple metadata from database table
> instead of hard-coded writing metadata in file
> /metadata/saml20-idp-remote.php . ?
>
> Any suggestion or idea will be appreciated!

There is a patch for this:
https://github.com/simplesamlphp/simplesamlphp/issues/44

Dick