Sicurezza II A.A. 2010-2011
SAML
Speaker:
André Panisson, PhD student
Università degli Studi di Torino, Computer Science Department
Corso Svizzera, 185 – 10149, Torino, Italy
[email protected]
Sicurezza II, A.A. 2010/2011
Security Assertion Markup Language
o XML-based open standard for exchanging authentication and
authorization data between security domains. The two parties are:
• Identity Provider (IdP): authenticates the user and issues a signed assertion about them
• Service Provider (SP): the application that accepts the assertion and grants access
SimpleSAMLphp
o SAML implementation written in PHP
o Provides support for:
• SAML 2.0 as a Service Provider
• SAML 2.0 as an Identity Provider
• Shibboleth 1.3
• A-Select, CAS, OpenID, WS-Federation and OAuth
Download and installation
o For our purposes we also need the PHP Apache module (libphp5.so) built with support for
• libxml
• openssl
• zlib
• ldap
o Download the build compiled for the lab from
http://www.di.unito.it/~panisson/public/libphp5.so.tar.gz
tar -xvzf libphp5.so.tar.gz
mv libphp5.so $HOME/apache/modules/
Download and installation
o http://simplesamlphp.org/
• http://code.google.com/p/simplesamlphp/downloads/list
o Download version 1.8.0
tar -xvzf simplesamlphp-1.8.0.tar.gz
o The samlidp directory will hold the Identity Provider
cp -R simplesamlphp-1.8.0 $HOME/samlidp
o The samlsp directory will hold the Service Provider
cp -R simplesamlphp-1.8.0 $HOME/samlsp
Apache Configuration
WARNING: When running an IdP and an SP on the same computer, the
SP and IdP MUST be configured with different hostnames.
Browsers scope cookies by host, so this keeps the SP's session cookie and the
IdP's session cookie apart; on a shared hostname the two copies of SimpleSAMLphp
would overwrite each other's session cookie. The lab uses localhost for the IdP
and 127.0.0.1 for the SP.
o Uncomment the following line in apache/conf/httpd.conf:
Include conf/extra/httpd-vhosts.conf
Apache Configuration
o Edit the file apache/conf/extra/httpd-vhosts.conf and add the two name-based
virtual hosts below. Both listen on port 8080 and are told apart by the Host
header (localhost vs 127.0.0.1). With Apache 2.2 the line NameVirtualHost *:8080
must precede them, otherwise every request is served by the first block; the
Order/Allow directives are Apache 2.2 syntax (Apache 2.4 uses Require all granted).
<VirtualHost *:8080>
  ServerAdmin [email protected]
  DocumentRoot "/usr/home/…/apache/htdocs/localhost"
  ServerName localhost
  ServerAlias localhost
  ErrorLog "logs/localhost-error_log"
  CustomLog "logs/localhost-access_log" common
  Alias /samlidp /usr/home/…/samlidp/www
  <Directory /usr/home/…/samlidp/www >
    Order allow,deny
    Allow from all
  </Directory>
</VirtualHost>
<VirtualHost *:8080>
  ServerAdmin [email protected]
  DocumentRoot "/usr/home/…/apache/htdocs/loopback"
  ServerName 127.0.0.1
  ServerAlias 127.0.0.1
  ErrorLog "logs/loopback-error_log"
  CustomLog "logs/loopback-access_log" common
  Alias /samlsp /usr/home/…/samlsp/www
  <Directory /usr/home/…/samlsp/www >
    Order allow,deny
    Allow from all
  </Directory>
</VirtualHost>
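Why the two hostnames matter, shown with Python's http.cookiejar, which applies the same host-scoping rule a browser does. This is an added example, not code from the slides or from SimpleSAMLphp; the cookie name is an assumption (SimpleSAMLphp's session cookie name is whatever session.cookie.name in config.php says, and both the IdP copy and the SP copy use the same default, which is exactly the problem). The simulated exchange is constructed: the browser logs in at the IdP, is sent to the SP, then returns to the IdP.

```python
import email.message
import http.cookiejar
import urllib.request

# Assumed cookie name for illustration (SimpleSAMLphp: 'session.cookie.name').
SESSION_COOKIE = "SimpleSAMLSessionID"


class _FakeResponse:
    """Stand-in for an HTTP response: CookieJar.extract_cookies() only needs .info()."""

    def __init__(self, set_cookie_values):
        self._headers = email.message.Message()
        for value in set_cookie_values:
            self._headers["Set-Cookie"] = value  # appends, so several headers are kept

    def info(self):
        return self._headers


def cookie_sent_to(jar, url):
    """Return the Cookie header the jar would attach to a request for url, or None."""
    req = urllib.request.Request(url)
    jar.add_cookie_header(req)
    return req.get_header("Cookie")


def simulate(idp_base, sp_base):
    """Simulate one browser visiting the IdP, then the SP, each setting its session cookie.

    Returns the Cookie header the browser sends when it comes back to the IdP.
    """
    jar = http.cookiejar.CookieJar()
    # 1. Login at the IdP: the IdP's SimpleSAMLphp sets its session cookie.
    jar.extract_cookies(_FakeResponse([f"{SESSION_COOKIE}=idp-session; path=/"]),
                        urllib.request.Request(idp_base + "samlidp/"))
    # 2. Redirect to the SP: the SP's SimpleSAMLphp sets its own session cookie.
    jar.extract_cookies(_FakeResponse([f"{SESSION_COOKIE}=sp-session; path=/"]),
                        urllib.request.Request(sp_base + "samlsp/"))
    # 3. Back to the IdP (another SP, single logout, ...): which session id arrives?
    return cookie_sent_to(jar, idp_base + "samlidp/")


if __name__ == "__main__":
    print("separate hosts:", simulate("http://localhost:8080/", "http://127.0.0.1:8080/"))
    print("same host:     ", simulate("http://localhost:8080/", "http://localhost:8080/"))
```

With separate hosts the IdP gets its own session id back; with both on localhost the SP's cookie has replaced it (same host, same path, same name), so the IdP has lost its session. The port is irrelevant: cookies are scoped by host, not by host and port, which is why two virtual hosts on the same port 8080 are enough.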
Identity Provider
o Copy the required config file:
cp samlidp/modules/sanitycheck/config-templates/config-sanitycheck.php samlidp/config/
o Edit samlidp/config/config.php and change the following values:
'baseurlpath' => 'samlidp/',
'tempdir' => '/tmp/samlidp',
'auth.adminpassword' => 'your_password',
'technicalcontact_email' => 'your_email',
• auth.adminpassword protects the SimpleSAMLphp admin pages (configuration,
metadata and the authentication tests used later): pick a real password.
Identity Provider
o Enabling the Identity Provider functionality:
• This is done by editing samlidp/config/config.php.
• The options enable.saml20-idp and enable.shib13-idp control
whether SAML 2.0 and Shibboleth 1.3 support is enabled.
• Enable one or both of them by setting them to true:
'enable.saml20-idp' => true,
'enable.shib13-idp' => true,
Identity Provider
o Configuring the authentication module:
• The exampleauth:UserPass authentication module is part of the
exampleauth module. It checks users against a username:password list
kept in plain text in the configuration, so it is only suitable for testing.
• This module isn't enabled by default, so you will have to enable
it. This is done by creating a file named enable in
samlidp/modules/exampleauth/
touch samlidp/modules/exampleauth/enable
Identity Provider
o Configuring the authentication module:
• The next step is to create an authentication source with this module.
• Configuration for authentication sources can be found in
samlidp/config/authsources.php. Uncomment the following entry (each key is
a username:password pair, each value the attributes the IdP will assert for that user):
'example-userpass' => array(
  'exampleauth:UserPass',
  'student:studentpass' => array(
    'uid' => array('test'),
    'eduPersonAffiliation' => array('member', 'student'),
  ),
  'employee:employeepass' => array(
    'uid' => array('employee'),
    'eduPersonAffiliation' => array('member', 'employee'),
  ),
),
Identity Provider
o Configuring the IdP:
• The IdP is configured by the metadata stored in
samlidp/metadata/saml20-idp-hosted.php and
samlidp/metadata/shib13-idp-hosted.php
• Leave them as they are for this lab: they name the authentication source
the IdP uses and the key pair it signs assertions with.
Identity Provider
o Test it!
• Access http://localhost:8080/samlidp
Service Provider
o Copy the required config file:
cp samlsp/modules/sanitycheck/config-templates/config-sanitycheck.php samlsp/config/
o Edit samlsp/config/config.php and change the following values:
'baseurlpath' => 'samlsp/',
'tempdir' => '/tmp/samlsp',
'auth.adminpassword' => 'your_password',
'technicalcontact_email' => 'your_email',
Service Provider
o The SP is configured by an entry in samlsp/config/authsources.php:
// An authentication source which can authenticate against both SAML 2.0
// and Shibboleth 1.3 IdPs.
'default-sp' => array(
  'saml:SP',
  // The entity ID of this SP.
  // Can be NULL/unset, in which case an entity ID is generated based on the metadata URL.
  'entityID' => NULL,
  // The entity ID of the IdP this SP should contact.
  // Can be NULL/unset, in which case the user will be shown a list of available IdPs.
  'idp' => NULL,
  // The URL to the discovery service.
  // Can be NULL/unset, in which case a builtin discovery service will be used.
  'discoURL' => NULL,
),
o With 'idp' left NULL, the list shown to the user contains exactly the IdPs whose
metadata is in samlsp/metadata/saml20-idp-remote.php; the SP never accepts an
assertion from an IdP it has no metadata for.
Adding IdPs to the SP
The service provider you are configuring needs to know about the identity
providers you are going to connect to it.
o This is configured by metadata stored in
samlsp/metadata/saml20-idp-remote.php and
samlsp/metadata/shib13-idp-remote.php
o You will have to add the identity provider metadata to your configuration
file. The metadata carries the IdP's entity ID, its single sign-on endpoint and
its signing certificate; the SP verifies the signature on every assertion with
that certificate, so this copy is what establishes trust in the IdP.
o You can find the metadata by going to your identity provider
• Open http://localhost:8080/samlidp
• Go to the tab “Federation” and find the section entitled
“SAML 2.0 IdP Metadata”
• Click on “Show metadata”
• Copy the PHP code for the metadata into samlsp/metadata/saml20-idp-remote.php
Adding SPs to the IdP
The identity provider you are configuring also needs to know about the
service providers you are going to connect to it.
o This is configured by metadata stored in
samlidp/metadata/saml20-sp-remote.php and
samlidp/metadata/shib13-sp-remote.php
o You will have to add the service provider metadata to your configuration
file. The metadata carries the SP's entity ID and its assertion consumer
service URL, the only address the IdP will send assertions for that SP to.
o You can find the metadata by going to your service provider
• Open http://127.0.0.1:8080/samlsp
• Go to the tab “Federation” and find the section entitled
“SAML 2.0 SP Metadata”
• Click on “Show metadata”
• Copy the PHP code for the metadata into samlidp/metadata/saml20-sp-remote.php
Test the SP and IdP
o Go to your Service Provider: http://127.0.0.1:8080/samlsp
o Go to the tab “Authentication” and click on “Test configured
authentication sources”
o Click on “default-sp”
o Select the identity provider you configured in the previous steps
o Log in using the identity provider credentials (e.g. student / studentpass)
o On success the SP page lists the attributes the IdP released for that user
(uid and eduPersonAffiliation, as defined in the IdP's authsources.php)
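What the metadata exchange above buys the SP is shown below from the SP's side: the checks a service provider applies to the <samlp:Response> the IdP posts back after the test login. This is an added example written for these slides, not SimpleSAMLphp code; the entity IDs are assumptions shaped like the ones SimpleSAMLphp derives from the metadata URLs of the lab's hosted IdP and SP, the response is a constructed sample for the "student" user, and its <ds:Signature> is a placeholder. The example checks everything except the signature itself: that verification against the certificate from saml20-idp-remote.php needs an XML-DSig library and is deliberately left out, not silently skipped.

```python
import datetime as dt
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Assumed entity IDs (placeholders, not values taken from the slides).
IDP_ENTITY_ID = "http://localhost:8080/samlidp/saml2/idp/metadata.php"
SP_ENTITY_ID = "http://127.0.0.1:8080/samlsp/module.php/saml/sp/metadata.php/default-sp"

# Constructed sample of the Response the IdP would POST to the SP after the "student" login.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_r1" Version="2.0" IssueInstant="2011-05-10T10:00:00Z" InResponseTo="_req42">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2011-05-10T10:00:00Z">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <ds:Signature xmlns:ds="{NS['ds']}"><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID>_n1</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2011-05-10T09:59:30Z" NotOnOrAfter="2011-05-10T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="uid"><saml:AttributeValue>test</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="eduPersonAffiliation">
        <saml:AttributeValue>member</saml:AttributeValue><saml:AttributeValue>student</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def _ts(value):
    """Parse a SAML UTC timestamp (2011-05-10T10:00:00Z) into an aware datetime."""
    return dt.datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)


def validate_response(xml_text, trusted_idps, sp_entity_id, outstanding_requests, now):
    """SP-side acceptance checks for a SAML 2.0 Response.

    trusted_idps: entity IDs present in saml20-idp-remote.php (the SP trusts only these).
    outstanding_requests: IDs of AuthnRequests this SP issued and has not yet consumed.
    now: current time, as an aware datetime or a SAML timestamp string.
    Returns (attributes, problems); attributes is empty unless problems is empty.
    """
    if isinstance(now, str):
        now = _ts(now)
    root = ET.fromstring(xml_text)
    problems = []
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        problems.append("status is not Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return {}, problems + ["no plaintext Assertion in Response"]
    issuer = assertion.findtext("saml:Issuer", namespaces=NS)
    if issuer not in trusted_idps:
        problems.append(f"issuer {issuer!r} is not in the SP's remote IdP metadata")
    if assertion.find("ds:Signature", NS) is None:
        problems.append("assertion is not signed")
    # Signature verification against that IdP's metadata certificate goes here (XML-DSig
    # library); it is NOT implemented in this example.
    if root.get("InResponseTo") not in outstanding_requests:
        problems.append("InResponseTo does not match an outstanding AuthnRequest (replay?)")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        problems.append("assertion has no Conditions")
    else:
        not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if (not_before and now < _ts(not_before)) or (not_on_or_after and now >= _ts(not_on_or_after)):
            problems.append("assertion is outside its validity window")
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if sp_entity_id not in audiences:
            problems.append(f"audience {audiences} does not include this SP")
    attributes = {
        a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
        for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)
    }
    return (attributes if not problems else {}), problems


if __name__ == "__main__":
    print(validate_response(SAMPLE_RESPONSE, {IDP_ENTITY_ID}, SP_ENTITY_ID, {"_req42"}, "2011-05-10T10:01:00Z"))
    # An IdP whose metadata was never copied into saml20-idp-remote.php is rejected:
    print(validate_response(SAMPLE_RESPONSE, {"http://other-idp.example/metadata.php"}, SP_ENTITY_ID,
                            {"_req42"}, "2011-05-10T10:01:00Z"))
```

The first call returns the attributes the test page displays (uid, eduPersonAffiliation); the second returns no attributes and an "issuer not in remote metadata" problem. The same function rejects an expired assertion, one addressed to another SP's entity ID, and one whose InResponseTo the SP never issued, which is why the lab's copy-and-paste of metadata is a trust decision and not just plumbing.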
Thank you for your attention!
©2009 by André Panisson. Permission to make digital or hard copies of part or all of this
material is currently granted without fee provided that copies are made only for personal
or classroom use, are not distributed for profit or commercial advantage, and that new
copies bear this notice and the full citation.