SAML Integration using SimpleSAMLphp and ADFS
===
## How it works
![](https://i.imgur.com/WsOXM6F.png)
http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html
:::info
SP: implemented with SimpleSAMLphp
IdP: ASUS ADFS (Microsoft Active Directory Federation Services)
Browser: the client
:::
## Using SimpleSAMLphp
Download SimpleSAMLphp and extract it to its final destination. Only the `www` directory is later exposed by Apache; `config`, `metadata` and `cert` stay outside the web root.
> wget https://simplesamlphp.org/download?latest -O ~/simplesaml-latest.tar.gz
> tar zxvf ~/simplesaml-latest.tar.gz -C ~
> sudo mv ~/simplesamlphp-1.* /var/simplesamlphp
> sudo chown -R root:www-data /var/simplesamlphp
### Configure SimpleSAMLphp
Edit /var/simplesamlphp/config/config.php
- `auth.adminpassword` - Set a strong password; SimpleSAMLphp refuses to run with the default value `123`. This password protects the admin pages (configuration, metadata converter, authentication tester).
- `secretsalt` - A secret used to derive session and cookie secrets. Use `openssl rand -base64 32` to generate a random value to go here; never keep the default.
- `trusted.url.domains` - A list of domains SimpleSAMLphp may redirect to after login or logout (its open-redirect protection). Use only your own host:
`'trusted.url.domains' => ['waynetest01.asuscomm.com'],`
- `enable.saml20-idp` - This switches on SimpleSAMLphp's own IdP endpoints. It is not needed here, where SimpleSAMLphp is only the SP and ADFS is the IdP; leave it at the default `false`.
### Configure Apache
Create a new vhost configuration. The site must be served over HTTPS, since the SP session cookie and the SAMLResponse travel over it; the steps below obtain a Let's Encrypt certificate with certbot.
> cd /etc/apache2/sites-available
> sudo add-apt-repository ppa:certbot/certbot
> sudo apt-get install python-certbot-apache
> sudo certbot --apache -d waynetest01.asuscomm.com
> sudo nano 000-default-le-ssl.conf
Add the following to the SSL vhost:
```
SetEnv SIMPLESAMLPHP_CONFIG_DIR /var/simplesamlphp/config
Alias /simplesaml /var/simplesamlphp/www
<Directory /var/simplesamlphp/www/>
Require all granted
</Directory>
```
> sudo a2ensite 000-default-le-ssl.conf
> sudo systemctl reload apache2
### Login to SimpleSAMLphp
Now we can browse the SimpleSAMLphp web page https://waynetest01.asuscomm.com/simplesaml
Click the `Configuration` tab and use `Login as administrator`, logging in with the password set in `auth.adminpassword`.
![](https://i.imgur.com/yqvGy0U.png)
![](https://i.imgur.com/JPJtilZ.png)
If the LDAP entry has a red marker in front of it, the required PHP extensions are missing; install them:
> sudo apt install php-xml php-mbstring php-curl php-memcache php-ldap
If `technicalcontact_email` has a red marker, set the contact in config.php:
> ...
> 'technicalcontact_name' => 'Administrator',
> 'technicalcontact_email' => 'na@example.org',
> ...
### Import ADFS FederationMetadata to SimpleSAMLphp
The FederationMetadata provided by MIS is:
https://adfsr3.asus.com/FederationMetadata/2007-06/FederationMetadata.xml
- Navigate to the `Federation` tab and click `XML to simpleSAMLphp metadata converter`
- Copy & paste the contents, or select the XML file, in the `XML metadata` field and click the `Parse` button.
- The page will return two sets of data.
- For our purposes, the first, **saml20-sp-remote**, can be ignored since we are not using SimpleSAMLphp as an identity provider; that is ADFS' job.
- Scroll to **saml20-idp-remote** and copy the contents of this field to the clipboard.
- Edit /var/simplesamlphp/metadata/saml20-idp-remote.php
- Paste the clipboard contents into saml20-idp-remote.php (the file must start with `<?php`) and save it.
- The trust in this import rests on having fetched the file over HTTPS from the right host, so confirm the signing certificate that ended up under `keys` (the `X509Certificate` entry) with MIS, for example by comparing its fingerprint: every SAML response ADFS sends will be verified against it.
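As an added example (not part of this page's original procedure and not SimpleSAMLphp's own converter), the script below does offline what the converter does for the IdP half: it pulls the entity ID, endpoints, NameID formats and signing certificate out of a FederationMetadata document, computes the certificate's SHA-256 fingerprint for the out-of-band check with MIS, and verifies that the `idp` value you put in authsources.php matches the metadata entity ID exactly. The metadata is a constructed, trimmed sample; the host `adfs.example.test` and the certificate blob are placeholders.

```python
"""Turn an ADFS FederationMetadata.xml into the fields SimpleSAMLphp needs in
saml20-idp-remote.php, then check them against the 'idp' value in authsources.php.

Added example for this page; it is not SimpleSAMLphp's converter. The metadata
below is a constructed, trimmed stand-in for the real file (real ADFS metadata
also carries WS-Federation RoleDescriptors, an SPSSODescriptor and an enveloped
XML signature), and the certificate blob is not a real certificate.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample; host name, entity ID and certificate are placeholders.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://adfs.example.test/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>bm90LWEtcmVhbC1jZXJ0</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://adfs.example.test/adfs/ls/"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://adfs.example.test/adfs/ls/"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://adfs.example.test/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint in the colon-separated form openssl and ADFS display."""
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def parse_idp_metadata(xml_text: str) -> dict:
    """Extract what saml20-idp-remote.php needs: entity ID, endpoints, NameID formats, keys."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this entity is not an IdP")

    keys = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        use = kd.get("use", "")  # an absent 'use' means the key serves both purposes
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            b64 = "".join(cert.text.split())
            keys.append({
                "signing": use in ("", "signing"),
                "encryption": use in ("", "encryption"),
                "type": "X509Certificate",
                "X509Certificate": b64,
                "sha256": fingerprint(base64.b64decode(b64)),
            })

    def endpoints(tag: str) -> list:
        return [{"Binding": e.get("Binding"), "Location": e.get("Location")}
                for e in idp.findall("md:" + tag, NS)]

    return {
        "entityid": root.get("entityID"),
        "metadata-set": "saml20-idp-remote",
        "SingleSignOnService": endpoints("SingleSignOnService"),
        "SingleLogoutService": endpoints("SingleLogoutService"),
        "NameIDFormats": [n.text.strip() for n in idp.findall("md:NameIDFormat", NS)],
        "keys": keys,
    }


def check_against_authsource(meta: dict, configured_idp: str) -> list:
    """Problems that would make the login test fail or leave responses unverifiable."""
    problems = []
    if meta["entityid"] != configured_idp:
        msg = "authsources 'idp' %r does not match metadata entityID %r" % (configured_idp, meta["entityid"])
        if configured_idp.replace("https://", "http://", 1) == meta["entityid"]:
            msg += " (ADFS federation service identifiers are usually http://, not https://)"
        problems.append(msg)
    if not any(k["signing"] for k in meta["keys"]):
        problems.append("no signing certificate: SAML responses could not be verified")
    if not any(e["Binding"] == REDIRECT for e in meta["SingleSignOnService"]):
        problems.append("no HTTP-Redirect SingleSignOnService for the AuthnRequest")
    return problems


if __name__ == "__main__":
    meta = parse_idp_metadata(SAMPLE_METADATA)
    print(meta["entityid"], meta["SingleSignOnService"])
    for key in meta["keys"]:
        print("signing cert sha256:", key["sha256"])  # compare with MIS out of band
    print(check_against_authsource(meta, "https://adfs.example.test/adfs/services/trust"))
```

Run it against the downloaded FederationMetadata.xml by passing its text to `parse_idp_metadata`; the scheme mismatch it reports is the most common reason the tester fails with "unknown IdP" after a manual import.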
### Create a service provider configuration in SimpleSAMLphp
Edit /var/simplesamlphp/config/authsources.php
```php=
// An authentication source which can authenticate against both SAML 2.0
// and Shibboleth 1.3 IdPs.
'default-sp' => [
    'saml:SP',
    // The entity ID of this SP.
    // Can be NULL/unset, in which case an entity ID is generated based on the metadata URL.
    'entityID' => null,
    // The entity ID of the IdP this SP should contact. It must match the entityID in the
    // imported saml20-idp-remote.php entry exactly, scheme included (ADFS federation
    // service identifiers are usually http://, not https://).
    // Can be NULL/unset, in which case the user will be shown a list of available IdPs.
    'idp' => 'https://adfsr3.asus.com/adfs/services/trust',
    // The URL to the discovery service.
    // Can be NULL/unset, in which case a builtin discovery service will be used.
    'discoURL' => null,
    // ADFS needs a claim rule that issues Name ID in the "Persistent Identifier" format
    // to satisfy this NameIDPolicy; without one, use transient or leave it unset.
    'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
    // Carried over from the SimpleSAMLphp example config; only meaningful if the IdP
    // actually sends this attribute.
    'simplesaml.nameidattribute' => 'eduPersonTargetedID',
    // ADFS 2012R2 requires signing of the logout - the others are optional (may be overhead you don't want.)
    'sign.logout' => true,
    'redirect.sign' => true,
    // Ask ADFS to encrypt assertions to the SP certificate below; my.cer must then be
    // loaded into the Relying Party Trust as the SP's encryption certificate.
    'assertion.encryption' => true,
    // We now need a certificate and key. The following command (executed on Linux usually)
    // creates a self-signed cert and key, using SHA256, valid for 2 years.
    // openssl req -x509 -nodes -sha256 -days 730 -newkey rsa:2048 -keyout my.key -out my.pem
    // Paths are relative to the cert directory, /var/simplesamlphp/cert.
    'privatekey' => 'my.key',
    'certificate' => 'my.pem',
    // Enforce the use of SHA-256 by default.
    'signature.algorithm' => 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256',
],
```
### Creating a certificate and key file for signing and encryption
Create the /var/simplesamlphp/cert folder and run the following inside it. The private key signs every AuthnRequest and LogoutRequest and decrypts assertions, so it must not be world-readable: keep it owned by root:www-data with mode 640; the certificate can stay 644.
> openssl req -x509 -nodes -sha256 -days 730 -newkey rsa:2048 -keyout my.key -out my.pem
> sudo chown root:www-data my.key my.pem
> sudo chmod 640 my.key
> sudo chmod 644 my.pem
> openssl x509 -inform pem -in my.pem -outform der -out my.cer
The DER file `my.cer` is what MIS requested: ADFS imports it into the Relying Party Trust as the SP's signature and encryption certificate.
![image](https://hackmd.io/_uploads/By3D04zd0.png)
### Create the Relying Party Trust in ADFS
- Navigate to the `Federation` tab and copy the `Entity ID: url`. We need to give this to ADFS when we configure the Relying Party Trust.
![](https://i.imgur.com/caKE21C.png)
For the ADFS side, refer to the following document:
https://hackmd.io/@K67cvr2XQ1eKmDcSyH6FTQ/BJQWyTuoL
Alternatively, save the metadata framed in the screenshot above as an XML file and have ADFS import it; the SP metadata carries the entity ID, the assertion consumer URL and the SP certificate, so nothing has to be retyped.
### Testing Authentication
We have now configured SimpleSAMLphp as the service provider and ADFS as the IdP, exchanged metadata between the two, and configured some basic claim rules.
- Navigate to the `Authentication` tab and click `Test configured authentication sources`.
- Select `default-sp` from the list.
![](https://i.imgur.com/A3A0Ikg.png)
- The browser is redirected straight to the ADFS login page; enter your user ID in the format "domain\user_name".
- After pressing Sign in, the browser returns to SimpleSAMLphp, which shows the claims it received.
![](https://i.imgur.com/1BPVa73.png)
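The claims on that page come from the SAMLResponse that ADFS POSTs back to the SP's assertion consumer service. The following added example (not SimpleSAMLphp or ADFS code) decodes such a form value and applies the same checks the SP performs before trusting the claims: status, issuer, audience, validity window and the presence of a NameID. It does no signature verification or decryption; that is the SP's job with its private key. The response is constructed, and `sp.example.test` / `adfs.example.test` and the entity IDs are placeholders.

```python
"""Decode the SAMLResponse that ADFS POSTs back to the SP's assertion consumer
service and list what SimpleSAMLphp will act on: status, issuer, NameID,
attributes (the 'claims' the tester displays) and the Conditions it enforces.

Added example for this page, not SimpleSAMLphp or ADFS code. It deliberately does
no signature verification or decryption (the SP does that with its private key);
it is a debugging aid for when the tester shows no or wrong claims. The response
below is constructed; host names and entity IDs are placeholders.
"""
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
SP_ENTITY_ID = "https://sp.example.test/simplesaml/module.php/saml/sp/metadata.php/default-sp"
IDP_ENTITY_ID = "http://adfs.example.test/adfs/services/trust"

SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2024-05-01T08:00:00.000Z">
  <saml:Issuer>http://adfs.example.test/adfs/services/trust</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T08:00:00.000Z">
    <saml:Issuer>http://adfs.example.test/adfs/services/trust</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">u-1234</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T07:59:00.000Z" NotOnOrAfter="2024-05-01T09:00:00.000Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://sp.example.test/simplesaml/module.php/saml/sp/metadata.php/default-sp</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
        <saml:AttributeValue>wayne@example.test</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/claims/Group">
        <saml:AttributeValue>Domain Users</saml:AttributeValue>
        <saml:AttributeValue>SSO-Test</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
# What the browser posts in the SAMLResponse form field (POST binding is plain base64).
SAMPLE_FORM_VALUE = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()


def parse_time(value: str) -> datetime:
    """ADFS writes UTC timestamps with fractional seconds, e.g. 2024-05-01T08:00:00.123Z."""
    value = value.rstrip("Z").split(".")[0]
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def summarize(form_value: str) -> dict:
    """Fields the SP reads from the response; attributes are the claims the tester shows."""
    resp = ET.fromstring(base64.b64decode(form_value))
    status = resp.find("samlp:Status/samlp:StatusCode", NS).get("Value")
    assertion = resp.find("saml:Assertion", NS)
    if assertion is None:
        # With 'assertion.encryption' => true ADFS sends saml:EncryptedAssertion instead;
        # the SP must decrypt it with my.key before any of the fields below exist.
        return {"status": status, "encrypted": resp.find("saml:EncryptedAssertion", NS) is not None}
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    cond = assertion.find("saml:Conditions", NS)
    attributes = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attributes[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return {
        "status": status,
        "encrypted": False,
        "issuer": assertion.findtext("saml:Issuer", namespaces=NS),
        "name_id": None if name_id is None else name_id.text,
        "name_id_format": None if name_id is None else name_id.get("Format"),
        "audiences": [a.text for a in assertion.findall(
            "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)],
        "not_before": None if cond is None else cond.get("NotBefore"),
        "not_on_or_after": None if cond is None else cond.get("NotOnOrAfter"),
        "attributes": attributes,
    }


def check_conditions(summary: dict, expected_issuer: str, sp_entity_id: str, now: datetime) -> list:
    """The checks the SP performs before trusting the claims; returns what would fail."""
    problems = []
    if summary["status"] != SUCCESS:
        problems.append("status %s: ADFS rejected the request (check its event log)" % summary["status"])
    if summary.get("encrypted"):
        return problems + ["assertion is encrypted: decrypt with the SP private key first"]
    if summary["issuer"] != expected_issuer:
        problems.append("issuer %r is not the configured IdP %r" % (summary["issuer"], expected_issuer))
    if sp_entity_id not in summary["audiences"]:
        problems.append("audience %r does not include this SP: the Relying Party identifier in ADFS is wrong" % summary["audiences"])
    if summary["not_before"] is None or summary["not_on_or_after"] is None:
        problems.append("assertion carries no validity window")
    elif now < parse_time(summary["not_before"]) or now >= parse_time(summary["not_on_or_after"]):
        problems.append("outside the NotBefore/NotOnOrAfter window: check clock skew between SP and ADFS")
    if summary["name_id"] is None:
        problems.append("no NameID: add an ADFS claim rule that issues Name ID")
    return problems
```

To use it on a real login, copy the `SAMLResponse` form field from the browser's network tab (the POST to `saml2-acs.php/default-sp`) into `summarize`; an audience or issuer mismatch there explains most "unknown IdP" or "no attributes" failures on the tester page.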