SimpleSAMLphp Test Environment Setup

Preparation

Three domain names:

  • saml-idp.test.jungleran.com
  • saml-sp1.test.jungleran.com
  • saml-sp2.test.jungleran.com

One server:

  • Ubuntu 16.04

Install Apache, MySQL and PHP

During testing, a database table stores the usernames and passwords and serves as the authentication source for the IdP, so MySQL is required.

# Install Apache and MySQL.
$ apt-get update; apt-get install -y vim wget apache2 mysql-server
# $ mysql_secure_installation
# Install PHP.
$ apt-get install php libapache2-mod-php php-mcrypt php-mysql
# Install dependencies for SimpleSAMLphp.
$ apt-get install php-xml php-mbstring php-curl php-memcache php-ldap memcached

Prepare the source code

Visit https://github.com/simplesamlphp/simplesamlphp/releases

$ wget https://github.com/simplesamlphp/simplesamlphp/releases/download/v1.15.4/simplesamlphp-1.15.4.tar.gz
# For IdP.
$ tar xzf simplesamlphp-1.15.4.tar.gz
$ mv simplesamlphp-1.15.4 /var/simplesaml-idp
# For SP1.
$ tar xzf simplesamlphp-1.15.4.tar.gz
$ mv simplesamlphp-1.15.4 /var/simplesaml-sp1
# For SP2.
$ tar xzf simplesamlphp-1.15.4.tar.gz
$ mv simplesamlphp-1.15.4 /var/simplesaml-sp2

# Change owner.
$ chown -R www-data:www-data /var/simplesaml-idp /var/simplesaml-sp1 /var/simplesaml-sp2

Configure the web sites

Configure HTTP access

$ cd /etc/apache2/sites-available
$ cp 000-default.conf saml-idp.conf
$ cp 000-default.conf saml-sp1.conf
$ cp 000-default.conf saml-sp2.conf

The configuration looks like this:

diff 000-default.conf saml-idp.conf 
13a14,17
>         ServerName saml-idp.test.iegio.com
> 
>         Alias /simplesaml /var/simplesaml-idp/www
> 
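Review bot: the ServerName in this hunk (saml-idp.test.iegio.com) does not match the IdP domain listed under Preparation (saml-idp.test.jungleran.com). The certbot --apache step further down selects the virtual host and the certificate name from ServerName, so the two must agree; use the same hostname in both places, and the same applies to the saml-sp1.conf and saml-sp2.conf copies.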
22a27,30
>   <Directory /var/simplesaml-idp/www/>
>       Require all granted
>   </Directory>
> 

The above is the output of diff 000-default.conf saml-idp.conf; the main additions are the ServerName, Alias and Directory sections.

Configure HTTPS access

See https://certbot.eff.org/

$ add-apt-repository ppa:certbot/certbot
$ apt-get update
$ apt-get install python-certbot-apache -y
$ certbot --apache
# $ certbot renew --dry-run

Configure the IdP

Modify the configuration

File to edit: config.php

  • Admin password: auth.adminpassword
  • Secret salt: secretsalt. (The command openssl rand -base64 32 generates a 32-byte random value, base64-encoded, that can be used as its value.)
  • Technical contact name and email: technicalcontact_name, technicalcontact_email
  • Timezone: timezone. (Asia/Shanghai, or see http://php.net/manual/en/timezones.php)
  • Enable the IdP: enable.saml20-idp, set it to true

Configure the authentication source

Create test data

The test data is stored in MySQL.

$ mysql -u root -p
mysql> CREATE DATABASE idp;
mysql> CREATE TABLE idp.users(username VARCHAR(30), password VARBINARY(30));
# Assuming the secret salt set earlier is lNlk8W69sepsUDRo438tMhBAgeFmV2hmzYGsqT0P/mo=
mysql> INSERT INTO idp.users(username, password) VALUES
    -> ('user1', AES_ENCRYPT('user1pass','lNlk8W69sepsUDRo438tMhBAgeFmV2hmzYGsqT0P/mo=')),
    -> ('user2', AES_ENCRYPT('user2pass','lNlk8W69sepsUDRo438tMhBAgeFmV2hmzYGsqT0P/mo=')),
    -> ('user3', AES_ENCRYPT('user3pass','lNlk8W69sepsUDRo438tMhBAgeFmV2hmzYGsqT0P/mo='));

Edit the authentication source configuration file

File to edit: config/authsources.php

diff authsources.php authsources.php.orgin 
72c72,73
<     'mysql' => array(
---
>     /*
>     'example-sql' => array(
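Review bot: this diff was run with the edited file as the first argument (diff authsources.php authsources.php.orgin), so the `<` lines are the new configuration and the `>` lines are the shipped template; say so before the listing, because readers expect the opposite direction. Note that this hunk also drops the opening `/*`, which is what brings the new 'mysql' entry into effect.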
74,77c75,78
<         'dsn' => 'mysql:host=localhost;port=3306;dbname=idp',
<         'username' => 'root',
<         'password' => 'root',
<         'query' => 'SELECT username FROM users WHERE username = :username AND AES_DECRYPT(password,"lNlk8W69sepsUDRo438tMhBAgeFmV2hmzYGsqT0P/mo=") = :password',
---
>         'dsn' => 'pgsql:host=sql.example.org;port=5432;dbname=simplesaml',
>         'username' => 'simplesaml',
>         'password' => 'secretpassword',
>         'query' => 'SELECT uid, givenName, email, eduPersonPrincipalName FROM users WHERE uid = :username AND password = SHA2(CONCAT((SELECT salt FROM users WHERE uid = :username), :password),256);',
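Review bot: the `query` line compares AES_DECRYPT(password, "lNlk8W…") = :password, so the stored passwords are reversibly encrypted with a key that is written into this file and is the same value the tutorial sets as config.php's secretsalt; anyone who reads either file, or a MySQL query log where the literal appears, recovers every test password together with the IdP's secret salt. The template being replaced already shows the safer shape (a per-user salt column and password = SHA2(CONCAT(salt, :password), 256) against a stored hash); keep that even for a test IdP. Also, `'username' => 'root'` / `'password' => 'root'` gives the IdP full MySQL privileges where SELECT on idp.users is all this query needs.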
78a80
>     */
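As an added example (not code from the original post or from the SimpleSAMLphp project), here is the complete 'mysql' entry that the diff above produces in config/authsources.php, followed by a variant that stores salted SHA-256 hashes the way the commented-out template does. The table users_hashed, its salt column and the MySQL account idpauth are assumptions.

```php
<?php
// Added example: the authsource entry from the tutorial's diff, plus a hashed variant.
// Table users_hashed, column salt and the MySQL user idpauth are assumptions.
$config = array(

    // Entry the tutorial configures. Passwords are stored with AES_ENCRYPT and the
    // config.php secretsalt doubles as the AES key, so this file (and any query log
    // that captures the literal) is enough to recover every stored password.
    'mysql' => array(
        'sqlauth:SQL',
        'dsn' => 'mysql:host=localhost;port=3306;dbname=idp',
        'username' => 'root',
        'password' => 'root',
        // Every column the query returns becomes a SAML attribute of the user.
        'query' => 'SELECT username FROM users WHERE username = :username '
                 . 'AND AES_DECRYPT(password, "lNlk8W69sepsUDRo438tMhBAgeFmV2hmzYGsqT0P/mo=") = :password',
    ),

    // Hashed variant for the same test users: a per-user salt and SHA-256 of
    // salt || password, so the database holds no recoverable passwords and the
    // query needs no key. Schema and one row, as MySQL statements (assumed):
    //   CREATE TABLE idp.users_hashed(username VARCHAR(30), salt CHAR(32), password CHAR(64));
    //   SET @s = HEX(RANDOM_BYTES(16));
    //   INSERT INTO idp.users_hashed VALUES ('user1', @s, SHA2(CONCAT(@s, 'user1pass'), 256));
    'mysql-hashed' => array(
        'sqlauth:SQL',
        'dsn' => 'mysql:host=localhost;port=3306;dbname=idp',
        'username' => 'idpauth',   // assumed account granted only SELECT on idp.users_hashed
        'password' => 'CHANGE-ME', // placeholder, not a value from the page
        'query' => 'SELECT username FROM users_hashed WHERE username = :username '
                 . 'AND password = SHA2(CONCAT(salt, :password), 256)',
    ),
);
```

Whichever entry is used, its key ('mysql' or 'mysql-hashed') is the auth source ID that the 'auth' setting in metadata/saml20-idp-hosted.php must reference.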

References