Configuring a SAML IDP with LDAP as authentication source

In this setup, the SAML IDP will be available at example.com/auth and we will use the LDAP server configured in this post.

Start by moving to the directory above the DocumentRoot for the domain. Let’s say that it is /var/www/example.com, so

cd /var/www/

Download the latest simplesamlphp version

wget https://simplesamlphp.org/res/downloads/simplesamlphp-1.14.4.tar.gz && tar xvfz simplesamlphp-1.14.4.tar.gz

I like to rename it to something simpler like

mv simplesamlphp-1.14.4 example.com.saml

Then open the vhost definition for the domain and add the following somewhere inside it, for example right after the DocumentRoot declaration (adapt the paths to your domain)

# SAML
SetEnv SIMPLESAMLPHP_CONFIG_DIR /var/www/example.com.saml/config
Alias /auth /var/www/example.com.saml/www

Now edit the config file

vim /var/www/example.com.saml/config/config.php

And set the desired base url

'baseurlpath' => 'auth/',

In this same file, define these other variables

'auth.adminpassword' => 'AdminPassword',
'secretsalt' => 'xxxxxxxxxxxxxxxxx',
'technicalcontact_name' => 'Administrator',
'technicalcontact_email' => 'admin@example.com',

And finally enable the IDP. Write and quit afterwards.

'enable.saml20-idp' => true,
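The values shown above for 'auth.adminpassword' and 'secretsalt' are placeholders; the salt must be a long random string and the admin password must not be guessable. The following POSIX shell snippet is an added example (not part of the original post or of SimpleSAMLphp) that generates both values and checks a config.php for the placeholder strings shown above. It assumes openssl and /dev/urandom are available and that the config file path is passed as an argument.

```shell
#!/bin/sh
# Added example, not from the original post: generate the secrets config.php
# needs and flag placeholder values left in a config file.
# Assumes: openssl on PATH, /dev/urandom present, config path given as $1.

# secretsalt: 32 random lowercase alphanumerics (enough entropy for the
# hashing SimpleSAMLphp does with it; the string itself never leaves the server).
gen_secretsalt() {
  tr -dc 'a-z0-9' </dev/urandom | head -c 32
}

# auth.adminpassword: 24 URL-safe characters from 18 random bytes.
gen_adminpassword() {
  openssl rand -base64 18 | tr '+/' '-_'
}

# check_config FILE: return 0 when neither secret is still a placeholder,
# 1 otherwise, naming each offending key on stderr.
check_config() {
  cfg="$1"
  rc=0
  # Matches the 'xxxx...' salt from the post and the upstream default.
  if grep -Eq "'secretsalt' *=> *'(x+|defaultsecretsalt)'" "$cfg"; then
    echo "secretsalt is still a placeholder" >&2
    rc=1
  fi
  # Matches the 'AdminPassword' example from the post and the upstream default '123'.
  if grep -Eq "'auth.adminpassword' *=> *'(123|AdminPassword)'" "$cfg"; then
    echo "auth.adminpassword is still a placeholder" >&2
    rc=1
  fi
  return $rc
}

# Stand-alone use: print fresh values, then audit the file given as $1.
if [ -n "$1" ]; then
  echo "'secretsalt' => '$(gen_secretsalt)',"
  echo "'auth.adminpassword' => '$(gen_adminpassword)',"
  check_config "$1"
fi
```

Paste the printed lines into config.php in place of the placeholders, then re-run the script against the file: a non-zero exit means a placeholder is still present.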

Now edit config/authsources.php and look for the “example-ldap” array. Rename it to “examplecom” (this is the name the IDP metadata will refer to later), and set the connection and search variables in that array, like

'hostname' => 'example.com',
// The base DN here must match the one used in 'search.base' below.
'dnpattern' => 'uid=%username%,ou=users,dc=example,dc=com',
'search.base' => 'ou=users,dc=example,dc=com',
'search.attributes' => array('cn'),

Now change to the “cert” folder and generate a new certificate

openssl req -newkey rsa:2048 -new -x509 -days 3652 -nodes -out server.crt -keyout server.pem
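server.pem is the IDP's signing private key: anyone who obtains it can issue assertions your SPs will accept, so its file permissions matter as much as its generation. The POSIX shell functions below are an added example (not from the original post or from SimpleSAMLphp) that run the same openssl command non-interactively into a given cert directory, restrict the key to its owner, verify that the certificate really belongs to the key, and check how long it remains valid. They assume openssl on PATH and a subject of CN=example.com, which you should adapt.

```shell
#!/bin/sh
# Added example, not from the original post: generate, protect and verify the
# IdP signing key pair. Assumes openssl on PATH; $1 is the cert/ directory.

# gen_idp_cert DIR [DAYS]: self-signed RSA-2048 certificate, same as the
# post's command but non-interactive. Subject CN is an assumed placeholder.
gen_idp_cert() {
  dir="$1"
  days="${2:-3652}"
  openssl req -newkey rsa:2048 -new -x509 -days "$days" -nodes \
    -subj "/CN=example.com" \
    -out "$dir/server.crt" -keyout "$dir/server.pem" 2>/dev/null || return 1
  # Private key readable only by its owner; chown it to the web server
  # user afterwards if you generated it as root. The certificate is public.
  chmod 600 "$dir/server.pem"
  chmod 644 "$dir/server.crt"
}

# verify_idp_cert DIR: 0 when the public key in server.crt is the one derived
# from server.pem (catches a key/cert pair mixed up between environments).
verify_idp_cert() {
  dir="$1"
  k=$(openssl rsa -in "$dir/server.pem" -pubout 2>/dev/null) || return 1
  c=$(openssl x509 -in "$dir/server.crt" -pubkey -noout 2>/dev/null) || return 1
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# cert_valid_for_days DIR DAYS: 0 when server.crt will still be valid DAYS
# from now, 1 when it expires before that (useful as a monitoring check,
# since an expired signing certificate stops every SP from logging in).
cert_valid_for_days() {
  dir="$1"
  days="$2"
  openssl x509 -in "$dir/server.crt" -noout -checkend $((days * 86400)) >/dev/null 2>&1
}

# Stand-alone use: generate into the given directory and verify the result.
if [ -n "$1" ]; then
  gen_idp_cert "$1" && verify_idp_cert "$1" && cert_valid_for_days "$1" 30 \
    && echo "key pair in $1 is consistent and valid for at least 30 days"
fi
```

Run it as `sh thisscript.sh /var/www/example.com.saml/cert`; schedule cert_valid_for_days with a comfortable margin so the certificate can be rotated (and the new one published to SPs) before it expires.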

Then go back one level and change to the “metadata” folder. Edit the file saml20-idp-hosted.php and set our authentication source

'auth' => 'examplecom',

And if you want SHA-256 signatures by default (first make sure every SP you plan to federate with already supports it)

'signature.algorithm' => 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256',

It’s recommended to use the uri NameFormat on attributes. Uncomment this, then write and quit the text editor:

'attributes.NameFormat' => 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri',
'authproc' => array(
        // Convert LDAP names to oids.
        100 => array('class' => 'core:AttributeMap', 'name2oid'),
),

Now you can go to your IDP at example.com/auth and test your LDAP authentication source. Enjoy.
