====== How to configure simpleSAMLphp 1.3 as SP and Shibboleth 2.1 as IdP ? ======

I suppose here you already have a server with a working Shibboleth 2.1 IdP at this address: https://your-idp-host/idp/shibboleth

We will explain now how to configure simpleSAMLphp 1.3 as a Service Provider (SP) relying on the Shibboleth IdP for the users' authentication.

===== simpleSAMLphp installation/configuration =====

First of all you have to install simpleSAMLphp:

<code bash>
cd /var
svn co http://simplesamlphp.googlecode.com/svn/trunk simplesamlphp
cd simplesamlphp
cp -r config-templates/*.php config/
cp -r metadata-templates/*.php metadata/
</code>

Then configure your Apache server to map the path ''/var/simplesamlphp/www'' to this URL (using HTTPS is not required): http://your-sp-host/simplesaml

To accomplish this task, you can simply add this directive in your Apache configuration:

<code apache>
Alias /simplesaml /var/simplesamlphp/www
</code>

Now you have to configure it as a SP:

  * Edit ''/var/simplesamlphp/metadata/saml20-sp-hosted.php'' and add this metadata to the array:

<code php>
'your-sp-id' => array(
    'host'        => 'your-sp-host',
    'certificate' => 'server.crt',
    'privatekey'  => 'server.pem',
),
</code>

  * ''your-sp-id'' is the string used to identify your SP to other IdPs; you can change it if you want.
  * ''server.crt'' and ''server.pem'' are the public and private keys of your SP certificate, located in ''/var/simplesamlphp/cert/''. This certificate will be published in the SP metadata and then used by Shibboleth to encrypt the transmitted data (assertions).
  * Edit ''/var/simplesamlphp/metadata/saml20-idp-remote.php'' and add this metadata at the end of the file:

<code php>
$metadata['https://your-idp-host/idp/shibboleth'] = array(
    'name'                => 'The sexy name of your IdP',
    'description'         => 'The description of your IdP',
    'SingleSignOnService' => 'https://your-idp-host/idp/profile/SAML2/Redirect/SSO',
    'certFingerprint'     => 'xxx',
);
</code>

  * ''certFingerprint'' can be calculated from your Shibboleth IdP certificate this way:

<code bash>
cat idp.crt | openssl x509 -fingerprint | grep SHA1 | sed "s/^[^=]*=//g" | sed "s/://g"
</code>

(In a default Shibboleth installation, ''idp.crt'' is located in ''shibboleth-idp/credentials/''.)

===== Shibboleth 2.1 configuration =====

The last step is to configure Shibboleth to handle simpleSAMLphp's specificities:

  * Edit ''shibboleth-idp/conf/relying-party.xml'' and, just after the ''DefaultRelyingParty'' entry, add this XML block:

This block overrides the default profile only for your SP. It disables the encryption of the NameIDs, which is not yet supported in simpleSAMLphp. More [[http://groups.google.com/group/simplesamlphp/browse_thread/thread/08f3893a359f1909|information about the NameIDs problem can be found in this thread]]. In addition, there is also a discussion about [[http://groups.google.com/group/shibboleth-users/browse_thread/thread/a5916236c3d62a42|removing the NameIDs encryption in the default Shibboleth IdP configuration]].\\
__Notice :__ in the next 2.2 Shibboleth release, [[http://groups.google.com/group/shibboleth-users/browse_thread/thread/be83666d0575bba6|NameIDs encryption will be disabled by default in the Shibboleth configuration]].

  * Configure a new metadata provider for this SP in ''shibboleth-idp/conf/relying-party.xml'':

I used the ''ResourceBackedMetadataProvider'' type, which just reads data from a static file, because [[https://bugs.internet2.edu/jira/browse/SIDP-217|Shibboleth 2.1 doesn't yet support HTTP proxies for the ''FileBackedHTTPMetadataProvider'' type]].
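Because the ''ResourceBackedMetadataProvider'' only reads a static file, the IdP needs a periodic job that refreshes that file from the SP. The script below is an added example and not part of the original page: it does the same job as a plain ''wget -O'' cron entry but validates the download before replacing the file the IdP trusts, so a failed fetch cannot leave an empty or bogus metadata file behind. The URL and destination path are the page's placeholders; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original page): refresh the static SP metadata
# file read by the ResourceBackedMetadataProvider. Unlike "wget -O dest",
# a failed or bogus download never touches the file the IdP trusts.
# Function names are mine; URL and destination path are the page's placeholders.
# Fetching over https is preferable: the IdP will trust the SP certificate
# contained in this file.

SP_METADATA_URL="http://your-sp-host/simplesaml/saml2/sp/metadata.php"
IDP_SP_METADATA="/path/to/your/sp/metadata/shibboleth-idp/metadata/yoursp-metadata.xml"

# Accept a file only if it is non-empty, well-formed XML (when xmllint is
# installed) and really SP metadata; an HTML error page or a truncated transfer fails.
validate_sp_metadata() {
    f="$1"
    [ -s "$f" ] || return 1
    if command -v xmllint >/dev/null 2>&1; then
        xmllint --noout "$f" 2>/dev/null || return 1
    fi
    grep -q 'EntityDescriptor' "$f" || return 1
    grep -q 'entityID=' "$f" || return 1
    grep -q 'SPSSODescriptor' "$f" || return 1
}

# Validate the downloaded copy, then swap it in with one rename (atomic on the
# same filesystem). On failure the previous good copy stays and the temp file is removed.
install_sp_metadata() {
    src="$1"; dest="$2"
    if ! validate_sp_metadata "$src"; then
        rm -f "$src"
        return 1
    fi
    mv -f "$src" "$dest"
}

# Download into a temp file next to the destination, then install it.
refresh_sp_metadata() {
    url="$1"; dest="$2"
    tmp="$dest.tmp.$$"
    if ! wget -q "$url" -O "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    install_sp_metadata "$tmp" "$dest"
}

# Crontab usage (hourly, as on the page): 0 * * * * /path/to/this-script.sh refresh
if [ "${1:-}" = "refresh" ]; then
    refresh_sp_metadata "$SP_METADATA_URL" "$IDP_SP_METADATA"
fi
```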
So you'll also have to configure a crontab to periodically retrieve fresh metadata from your SP. For example you can use this:

<code>
0 * * * * wget http://your-sp-host/simplesaml/saml2/sp/metadata.php -O /path/to/your/sp/metadata/shibboleth-idp/metadata/yoursp-metadata.xml
</code>

  * Restart your Shibboleth server.

Now you should be ready to test it! Try to open http://your-sp-host/simplesaml/example-simple/saml2-example.php

{{tag>article computing shibboleth simplesaml php java}}

~~DISCUSSION~~