@pradtke
Last active March 18, 2019 09:55
SimpleSAMLphp quick start

Overview

Quickstart tutorial on how to install and configure SSP as a service provider that works with TestShib. We are going to use PHP's embedded web server to run SSP. If you want to use Docker instead, see the Docker README (https://gist.github.com/pradtke/a63e843a568b9fa4b956668d0b3c0447#file-readme-docker-md). We'll follow many of the steps from the install and setup guides.

There is some weirdness in the 1.14.8 release where running on non-default ports can lead to issues.

Start

Download SSP

# Do this somewhere under your user directory to make Docker volumes work.
mkdir ssp-quickstart-embed && cd ssp-quickstart-embed
curl -L -o /tmp/ssp.tar.gz https://github.com/simplesamlphp/simplesamlphp/releases/download/v1.14.8/simplesamlphp-1.14.8.tar.gz
# Check sha256 sum
# sha256sum /tmp/ssp.tar.gz
shasum -a 256 /tmp/ssp.tar.gz 
# fc13d3b4cd29445124daeefd382d41643e64fa8ab37af31eb24c5d9e1c1aa92b  /tmp/ssp.tar.gz
mkdir simplesamlphp &&  tar xvzf /tmp/ssp.tar.gz --strip-components 1 -C simplesamlphp

Run with PHP

The PHP server assumes the website is at the root directory of the server, while SSP's default configuration assumes it is at /simplesaml/. Update simplesamlphp/config/config.php and set baseurlpath:

$config = array(
  // other config options
  'baseurlpath' => '/',
  // other config options
);

Then run the server.

export SIMPLESAMLPHP_CONFIG_DIR=$PWD/simplesamlphp/config/
php -S 0.0.0.0:80 -t $PWD/simplesamlphp/www/

Use your browser to access SSP at http://localhost/. SSP won't do much until you configure it.

Configure

Set an admin password.

sed -i.bak \
    -e "s/^.*'auth\.adminpassword'.*=>.*$/'auth.adminpassword' => 'super-secret',/" \
    simplesamlphp/config/config.php

The TestShib IdP encrypts its response, so your SP needs a certificate and private key.

mkdir -p simplesamlphp/cert
openssl req -newkey rsa:2048 -new -x509 -days 3652 -nodes -out simplesamlphp/cert/saml.crt -keyout simplesamlphp/cert/saml.pem
# hit enter through the openssl prompts

And you need to tell SSP to use it. Edit simplesamlphp/config/authsources.php and add the privatekey and certificate entries. Also set entityID to something unique to avoid any issues with TestShib.

'default-sp' => array(
    'saml:SP',
    'privatekey' => 'saml.pem',
    'certificate' => 'saml.crt',
    //'entityID' => null,
    'entityID' => 'test-sp.local',
    // Other config
),

Test Shib integration

Send SP metadata to testshib

Download your SP's metadata. Visit the Federation tab, click "Show metadata" for the SP, and then download it from the dedicated URL.

Rename the file to something unique (a TestShib requirement) and upload it to https://www.testshib.org/register.html

Integrate testshib IdP Metadata

You can convert the TestShib XML metadata to PHP, or configure metarefresh. We'll convert, because Apache won't have write access to the mounted volumes.

Visit the metadata converter, paste in the TestShib metadata and click Parse. On the resulting page look for saml20-idp-remote and paste the PHP entry into the file simplesamlphp/metadata/saml20-idp-remote.php.

Test Authentication

You can test authentication by visiting the default-sp test authentication URL.

Overview

Quickstart tutorial on how to install and configure SSP as a service provider that works with TestShib. We are going to use a PHP Apache Docker image so you don't need to worry about installing those on your system. If you want to use the embedded PHP web server instead, see the built-in server README (https://gist.github.com/pradtke/a63e843a568b9fa4b956668d0b3c0447#file-readme-built-in-server-md). We'll follow many of the steps from the install and setup guides.

Note: there is a bug in some of the URL handling when using a reverse proxy (since fixed in the master branch of SSP). This messes up port mappings, so we must map local port 80 to port 80 of the container.

Start

Download SSP

# Do this somewhere under your user directory to make Docker volumes work.
mkdir ssp-quickstart-sp && cd ssp-quickstart-sp
curl -L -o /tmp/ssp.tar.gz https://github.com/simplesamlphp/simplesamlphp/releases/download/v1.14.8/simplesamlphp-1.14.8.tar.gz
# Check sha256 sum
# sha256sum /tmp/ssp.tar.gz
shasum -a 256 /tmp/ssp.tar.gz 
# fc13d3b4cd29445124daeefd382d41643e64fa8ab37af31eb24c5d9e1c1aa92b  /tmp/ssp.tar.gz
mkdir simplesamlphp &&  tar xvzf /tmp/ssp.tar.gz --strip-components 1 -C simplesamlphp
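Both Download SSP steps print the SHA-256 sum and leave the comparison to the reader; the following is an added example (not part of the gist) that compares the digest against the value given above and refuses to extract on a mismatch. It assumes curl, tar and either sha256sum or shasum are installed; the URL and digest are the gist's own.

```shell
#!/bin/sh
# Added example: download simplesamlphp 1.14.8, verify the checksum, then extract.
# URL and expected digest are the ones given in the gist.
SSP_URL=https://github.com/simplesamlphp/simplesamlphp/releases/download/v1.14.8/simplesamlphp-1.14.8.tar.gz
SSP_SHA256=fc13d3b4cd29445124daeefd382d41643e64fa8ab37af31eb24c5d9e1c1aa92b

# Print the SHA-256 digest of a file, using whichever tool the host provides
# (sha256sum on Linux, shasum on macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Return 0 only when the file's digest equals the expected one.
# Hex case is normalised so a copied upper-case digest still matches.
verify_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(sha256_of "$file")
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Download, verify and only then extract into ./simplesamlphp.
# A mismatching tarball is deleted so a later step cannot pick it up by accident.
fetch_ssp() {
    tarball=${1:-/tmp/ssp.tar.gz}
    curl -fL -o "$tarball" "$SSP_URL" || return 1
    if ! verify_sha256 "$tarball" "$SSP_SHA256"; then
        echo "checksum mismatch for $tarball; refusing to extract" >&2
        rm -f "$tarball"
        return 1
    fi
    mkdir -p simplesamlphp && tar xzf "$tarball" --strip-components 1 -C simplesamlphp
}

# Usage: source this file in the quickstart directory, then run: fetch_ssp
```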

Run with Apache

Setup Apache config file

echo '<VirtualHost *>
    DocumentRoot /var/www/
    SetEnv SIMPLESAMLPHP_CONFIG_DIR /var/simplesamlphp/config
    Alias /simplesaml /var/simplesamlphp/www

    <Directory /var/simplesamlphp/www>           
        # For Apache 2.4:
        Require all granted
    </Directory>
</VirtualHost>' \
> ssp-apache.conf

Then run an Apache PHP Docker image, mounting SSP and the Apache config file as the default Apache site.

docker run -d -p 80:80 \
  -v $PWD/simplesamlphp:/var/simplesamlphp \
  -v $PWD/ssp-apache.conf:/etc/apache2/sites-enabled/000-default.conf \
  --name ssp-quickstart-sp \
  php:5.6-apache

Use your browser to access SSP at http://192.168.99.100/simplesaml. This assumes your docker-machine is on the given IP and that you mapped the given port to port 80 of the container. SSP won't do much until you configure it.

Configure

Set an admin password and make logs docker friendly.

sed -i.bak \
    -e "s/^.*'auth\.adminpassword'.*=>.*$/'auth.adminpassword' => 'super-secret',/" \
    -e "s/^.*'logging\.handler'.*=>.*$/'logging.handler' => 'errorlog',/" \
    simplesamlphp/config/config.php

The TestShib IdP encrypts its response, so your SP needs a certificate and private key.

mkdir -p simplesamlphp/cert
openssl req -newkey rsa:2048 -new -x509 -days 3652 -nodes -out simplesamlphp/cert/saml.crt -keyout simplesamlphp/cert/saml.pem
# hit enter through the openssl prompts

And you need to tell SSP to use it. Edit simplesamlphp/config/authsources.php and add the privatekey and certificate entries. Also set entityID to something unique to avoid any issues with TestShib.

'default-sp' => array(
    'saml:SP',
    'privatekey' => 'saml.pem',
    'certificate' => 'saml.crt',
    //'entityID' => null,
    'entityID' => 'test-sp.local',
    // Other config
),

Test Shib integration

Send SP metadata to testshib

Download your SP's metadata. Visit the Federation tab, click "Show metadata" for the SP, and then download it from the dedicated URL.

Rename the file to something unique (a TestShib requirement) and upload it to https://www.testshib.org/register.html

Integrate testshib IdP Metadata

You can convert the TestShib XML metadata to PHP, or configure metarefresh. We'll convert, because Apache won't have write access to the mounted volumes.

Visit the metadata converter, paste in the TestShib metadata and click Parse. On the resulting page look for saml20-idp-remote and paste the PHP entry into the file simplesamlphp/metadata/saml20-idp-remote.php.

Test Authentication

You can test authentication by visiting the default-sp test authentication URL: http://192.168.99.100/simplesaml/module.php/core/authenticate.php?as=default-sp

Troubleshooting

Volume issues

If you are using Docker Machine on Mac or Windows, your Docker Engine daemon has only limited access to your macOS or Windows filesystem. Docker Machine tries to auto-share your /Users (macOS) or C:\Users (Windows) directory.

Make sure the directory you are working in is under your /Users directory.
