Installing → Single Sign On Authentication
Documentation only covers using SimpleSAMLphp for Single Sign On.
Assumptions
- You have already installed Open XDMoD.
- You have installed Open XDMoD using an RPM. If not, you will need to change the paths used in the examples.
First you will need to create the folders for the SimpleSAMLphp files to live:
# mkdir -p /etc/xdmod/simplesamlphp/config
# mkdir -p /etc/xdmod/simplesamlphp/metadata
# mkdir -p /etc/xdmod/simplesamlphp/cert
Required configuration files to be added to support Single Sign On:
/etc/xdmod/simplesamlphp/config/config.php
/etc/xdmod/simplesamlphp/config/authsources.php
/etc/xdmod/simplesamlphp/metadata/saml20-idp-remote.php
More information on how to set these up can be found in the SimpleSAMLphp Service Provider QuickStart.
Information on how to set up SimpleSAMLphp to use Globus Auth can be found in the simplesamlphp-module-authglobus documentation
You will need to modify the config.php
file and make sure you modify the metadata.sources
and the certdir
keys to have the full path to directories containing the configurations:
note make sure the file has opening <?php
...
'certdir' => '/etc/xdmod/simplesamlphp/cert/',
'metadata.sources' => array(
array(
'type' => 'flatfile',
'directory' => '/etc/xdmod/simplesamlphp/metadata/'
),
),
...
If you are having errors you might need to check the trusted domains setting
...
'trusted.url.domains' => array('f.q.dn.of.xdmod'),
...
Templates will exist inside the Open XDMoD shared data directory:
/usr/share/xdmod/vendor/simplesamlphp/simplesamlphp/config-templates/
/usr/share/xdmod/vendor/simplesamlphp/simplesamlphp/metadata-templates/
The properties that are required currently for login are:
username
- This will be used to identify Users via the
moddb.Users.username
column
- This will be used to identify Users via the
This is currently the main identifying piece of information that must be created, we use it with an identifier of itname
in our authentication code, so this means you need to edit the file /etc/xdmod/simplesamlphp/config/authsources.php
and make sure that an attribute is mapped to this index.
Conditionally, if your installation supports multiple organizations then you must provide the following:
organization
- This will be used to identify which Organization the user should be associated with via the
modw.organization.name
column
- This will be used to identify which Organization the user should be associated with via the
To get a better idea of how these properties translate into expected behavior during SSO login. Please refer to the table below:
SAML Organization Present | Person Present | Expected Behavior |
---|---|---|
true | true | The user is associated with the the Person’s organization if found, else the SAML Organization if found, else the Unknown Organization |
true | false | The user is associated with the SAML Organization if found, else the Unknown organization |
false | true | The user is associated with the Persons organization if found, else the Unknown organization |
false | false | The user is associated with the Unknown organization |
Here is an example authsources.php
file note: keys 60 and 61 must be present These check that the mandatory username and organization properties are present.
The values in section 40
should be left the same. You should change the keys
in this section to match what your IdP returns.
To find what the IdP returns you can use the simple saml administration pages located at: https://{{HOSTNAME}}/simplesaml
.
More specifically if you have used this guide and named things the same you can use https://{{HOSTNAME}}/simplesaml/module.php/core/authenticate.php?as=xdmod-sp
.
<?php
$config = array(
/*
* If you want to support both local auth and Single Sign On auth look into
* https://simplesamlphp.org/docs/stable/multiauth:multiauth
* https://simplesamlphp.org/docs/stable/sqlauth:sql
* An updated example will be provided when this is implemented.
*/
'default-sp' => array(
'saml:SP',
// 'idp' => 'urn:example:idp',
'signature.algorithm' => 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256',
'authproc' => array(
40 => array(
'class' => 'core:AttributeMap',
'email' => 'email_address',
'firstName' => 'first_name',
'middleName' => 'middle_name',
'lastName' => 'last_name',
'personId' => 'person_id',
'orgId' => 'organization',
'fieldOfScience' => 'field_of_science',
'itname' => 'username'
),
// Ensures that the 'username' property has one or more non-whitespace characters
60 => array(
'class' => 'authorize:Authorize',
'username' => array(
'/\S+/'
),
),
// Ensures that the 'organization' property has one or more non-whitespace characters
61 => array(
'class' => 'authorize:Authorize',
'organization' => array(
'/\S+/'
)
)
)
),
);
Use the above example to match the response from the IdP, the indexes (left side of =>
) under authproc[40]
point to values (right side of =>
) expected by Open XDMoD.
These indexes need to be what SAML receives from the IdP not the ones known from LDAP or other sources.
These indexes can be viewed using the Test authentication sources
page built into simplesamlphp located at
https://{{HOSTNAME}}/simplesaml/module.php/core/authenticate.php
then clicking on xdmod-sp
after which you will be redirect to the configured IdP login page.
After you have successfully logged in to the IdP you should be redirected back to a SAML 2.0 SP Demo Example
page. This page will show you the attributes passed back by the IdP.
NOTE: If a login prompt is displayed when going to the Test authentication sources
you will need to use the user name admin
and the password in /etc/xdmod/simplesamlphp/config/config.php
under the auth.adminpassword
index.
Setting up IdP metadata
Get the metadata from the IdP (if you are using SAML IdP to test https://{{HOSTNAME}}/metadata
) and use the SimpleSAMLphp built in converter located at https://{{HOSTNAME}}/simplesaml/admin/metadata-converter.php
to create the saml20-idp-remote.php
config file more information can be found on the Simple Saml PHP website.
NOTE: You will not be able to use this configuration directly, as the cert is not real and the domains are fake as well.
<?php
$metadata['urn:example:idp'] = array (
'name' => array(
'en' => 'idp.example.com:7000'
),
'entityid' => 'urn:example:idp',
'metadata-set' => 'saml20-idp-remote',
'SingleSignOnService' =>
array (
array (
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
'Location' => 'https://idp.example.com:7000',
),
array (
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
'Location' => 'https://idp.example.com:7000',
),
),
'SingleLogoutService' =>
array (
array (
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
'Location' => 'https://idp.example.com:7000/logout',
),
),
'ArtifactResolutionService' =>
array (
),
'keys' =>
array (
array (
'encryption' => false,
'signing' => true,
'type' => 'X509Certificate',
'X509Certificate' => 'MIIEMD...Bfaq9pWo0LsKwKZVmOJU+4VzD6EkJ5dtE=',
),
),
);
You can also add an optional icon
property to the metadata. This defines the image that
is displayed in the login dialog box. The icon can be defined as an inline base64 encoded
image or a path to an image file (relative to the webserver root). The login box form
layout is designed for an image that is 272 pixels wide.
<?php
$metadata['urn:example:idp'] = array (
...
'icon' => 'gui/images/[SSO_LOGIN_ICON].png'
)
Web Server Setup
Apache
Just follow the SimpleSAMLphp documentation for apache.
Make sure to include the updated configuration locations. This will need to be the full path to the configuration directory.
Uncomment the SimpleSAML configuration in your Apache VirtualHost:
SetEnv SIMPLESAMLPHP_CONFIG_DIR /etc/xdmod/simplesamlphp/config
<Directory /usr/share/xdmod/vendor/simplesamlphp/simplesamlphp/www>
Options FollowSymLinks
AllowOverride All
# Apache 2.4 access controls.
<IfModule mod_authz_core.c>
Require all granted
</IfModule>
</Directory>
nginx
This web server is not currently supported. While we have some instances running nginx it has not been fully vetted at this time. If you have updates please share, but there will be limited help if you use nginx at this time.
To store the configuration files in a different location you will need to edit your php-fpm.conf
file and add the following line with the path equal to the location of your SimpleSAML config directory:
env[SIMPLESAMLPHP_CONFIG_DIR] = /etc/xdmod/simplesamlphp/config/
The following locations will need to be added to your Open XDMoD server configuration for the Open XDMoD site.
You will need to specify the full path to simplesamlphp
for the aliases.
location ^~ /simplesaml {
alias /usr/share/xdmod/vendor/simplesamlphp/simplesamlphp/www;
location ~ ^(?<prefix>/simplesaml)(?<phpfile>.+?\.php)(?<pathinfo>/.*)?$ {
include fastcgi_params;
fastcgi_pass 127.0.0.1:9000;
fastcgi_split_path_info ^(.+\/module\.php)(/.+)$;
fastcgi_param SCRIPT_FILENAME $document_root$phpfile;
fastcgi_param PATH_INFO $pathinfo if_not_empty;
}
}
Testing
SAML IdP was used to test this functionality locally.
Run the following command line substitute where appropriate:
$ node app.js \
--aud <http|https>://<XDMODHOST>/simplesaml/module.php/saml/sp/metadata.php/default-sp \
--acs <http|https>://<XDMODHOST>/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp \
--httpsPrivateKey <PATH TO PRIVATE KEY> --httpsCert <PATH TO PRIVATE KEY> --https true
Single Sign-on (SSO) Embedding
see Integrations for more information