Quickstart tutorial on how to install and configure SimpleSAMLphp (SSP) as a service provider that works with TestShib. We are going to use PHP's embedded web server to run SSP. If you want to use Docker instead, see https://gist.github.com/pradtke/a63e843a568b9fa4b956668d0b3c0447#file-readme-docker-md. We'll follow many of the steps from the install and setup guides.
There is some weirdness in the 1.14.8 release where running on non-default ports can lead to issues.
```shell
# Do this somewhere under your user directory to make Docker volumes work.
mkdir ssp-quickstart-embed && cd ssp-quickstart-embed
curl -L -o /tmp/ssp.tar.gz https://github.com/simplesamlphp/simplesamlphp/releases/download/v1.14.8/simplesamlphp-1.14.8.tar.gz
# Check the sha256 sum (on Linux: sha256sum /tmp/ssp.tar.gz)
shasum -a 256 /tmp/ssp.tar.gz
# fc13d3b4cd29445124daeefd382d41643e64fa8ab37af31eb24c5d9e1c1aa92b /tmp/ssp.tar.gz
mkdir simplesamlphp && tar xvzf /tmp/ssp.tar.gz --strip-components 1 -C simplesamlphp
```
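The digest above only protects you if a mismatch actually stops the install, so here is a small helper, added for this page and not part of the original gist, that compares a downloaded file against an expected SHA-256 and refuses to continue on mismatch. It works with either GNU `sha256sum` or macOS `shasum -a 256`; the function names and the `SSP_1_14_8_SHA256` variable are mine, the digest value is the one printed in the step above.

```shell
# Added example (not from the original gist): fail closed on a bad checksum.

sha256_of() {
    # Print only the hex digest of file $1, using whichever tool is installed.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

verify_sha256() {
    # verify_sha256 FILE EXPECTED_HEX -> 0 on match, 1 on mismatch, 2 if FILE is missing
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')   # accept upper- or lower-case hex
    [ -f "$file" ] || { echo "verify_sha256: no such file: $file" >&2; return 2; }
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches $expected"
        return 0
    fi
    echo "MISMATCH: $file" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
}

# Digest published above for simplesamlphp-1.14.8.tar.gz
SSP_1_14_8_SHA256=fc13d3b4cd29445124daeefd382d41643e64fa8ab37af31eb24c5d9e1c1aa92b

# Usage: only unpack if the archive is the one we expect
# verify_sha256 /tmp/ssp.tar.gz "$SSP_1_14_8_SHA256" \
#   && mkdir -p simplesamlphp \
#   && tar xvzf /tmp/ssp.tar.gz --strip-components 1 -C simplesamlphp
```

Chaining `verify_sha256` with `&&` in front of `tar` means a tampered or truncated download never gets unpacked, instead of relying on someone eyeballing the printed hash.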
The PHP built-in server assumes the website is at the root directory of the server, while SSP's default configuration assumes it is at /simplesaml/.
Update simplesamlphp/config/config.php and set the base URL:

```php
$config = array(
    // other config options
    'baseurlpath' => '/',
    // other config options
);
```
Then run the server:

```shell
export SIMPLESAMLPHP_CONFIG_DIR=$PWD/simplesamlphp/config/
php -S 0.0.0.0:80 -t $PWD/simplesamlphp/www/
```
Use your browser to access SSP at http://localhost/. SSP won't do much until you configure it.
Set an admin password:

```shell
sed -i.bak \
  -e "s/^.*'auth\.adminpassword'.*=>.*$/'auth.adminpassword' => 'super-secret',/" \
  simplesamlphp/config/config.php
```
The TestShib IdP encrypts its response, so your SP needs a certificate and private key:

```shell
mkdir -p simplesamlphp/cert
openssl req -newkey rsa:2048 -new -x509 -days 3652 -nodes -out simplesamlphp/cert/saml.crt -keyout simplesamlphp/cert/saml.pem
# hit enter through the openssl prompts
```
And you need to tell SSP to use it. Edit simplesamlphp/config/authsources.php and add privatekey and certificate. Also set entityID to something unique to avoid any issues with TestShib:
```php
// Inside the $config array in simplesamlphp/config/authsources.php
'default-sp' => array(
    'saml:SP',
    'privatekey' => 'saml.pem',
    'certificate' => 'saml.crt',
    //'entityID' => null,
    'entityID' => 'test-sp.local',
    // Other config
)
```
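The private key in saml.pem is what decrypts every assertion TestShib sends back, and the certificate in saml.crt is what ends up in the metadata you upload, so it is worth checking two things before relying on the authsources.php entry above: that the two files actually belong together, and that the key is not readable by other accounts on the box. The functions below are an added example for this page, not part of the gist or of SimpleSAMLphp; they assume `openssl` is on PATH and use the same file names as the steps above. `new_sp_keypair` repeats the `openssl req` command from the certificate step with a `-subj` argument (so there are no prompts) and a restrictive umask so the key is created mode 0600.

```shell
# Added example (not from the original gist): generate and sanity-check the SP key pair.

new_sp_keypair() {
    # new_sp_keypair DIR [CN]  -> DIR/saml.crt (public, 0644) and DIR/saml.pem (private, 0600)
    dir=$1; cn=${2:-test-sp.local}
    mkdir -p "$dir"
    # Same parameters as the quickstart; umask 077 makes openssl create the key 0600.
    (umask 077 && openssl req -newkey rsa:2048 -new -x509 -days 3652 -nodes \
        -subj "/CN=$cn" -out "$dir/saml.crt" -keyout "$dir/saml.pem" 2>/dev/null) || return 1
    chmod 644 "$dir/saml.crt"   # the certificate is public; only the key must stay private
}

key_matches_cert() {
    # key_matches_cert KEY CERT -> 0 if the RSA modulus is identical, 1 if not, 2 if unreadable
    key_mod=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null) || return 2
    cert_mod=$(openssl x509 -in "$2" -noout -modulus 2>/dev/null) || return 2
    [ -n "$key_mod" ] && [ "$key_mod" = "$cert_mod" ]
}

key_is_private() {
    # key_is_private KEY -> 0 only if group and other have no permission bits at all.
    # stat -c is GNU coreutils, stat -f is BSD/macOS.
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1")
    case $mode in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

check_sp_keypair() {
    # check_sp_keypair KEY CERT -> 0 when both checks pass, non-zero with a message otherwise
    key=$1; cert=$2
    [ -f "$key" ] && [ -f "$cert" ] || { echo "missing $key or $cert" >&2; return 2; }
    key_matches_cert "$key" "$cert" \
        || { echo "$key does not match $cert (metadata would advertise a cert SSP cannot decrypt with)" >&2; return 1; }
    key_is_private "$key" \
        || { echo "$key is readable by group/other; run: chmod 600 $key" >&2; return 1; }
    echo "OK: $key and $cert belong together and the key is private"
}

# Usage against the paths from this quickstart:
# check_sp_keypair simplesamlphp/cert/saml.pem simplesamlphp/cert/saml.crt
```

Run `check_sp_keypair` again whenever you rotate the key pair; a mismatch shows up at login time as an assertion SSP cannot decrypt, which is much harder to diagnose than this one-line check.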
Download your SP's metadata. Visit the federation tab, click Show metadata for the SP, and then download it from the dedicated URL.
Rename the file to something unique (a TestShib requirement) and upload it to https://www.testshib.org/register.html
You can convert the TestShib XML metadata to PHP, or configure metarefresh. We'll convert because Apache won't have write access to the mounted volumes.
Visit the metadata converter, paste in the TestShib metadata and click Parse. On the resulting page look for saml20-idp-remote and copy the PHP entry into the file simplesamlphp/metadata/saml20-idp-remote.php.
You can test authentication by visiting the default-sp test authentication URL.