SAML Server

From Network Security Wiki
Jump to navigation Jump to search

Installing SAML Server

Source: helloitsliam.com,support.citrix.com, simplesamlphp.org, citrix.com

Installation

  • Prerequisites:
Ubuntu Server - VM or Physical box
Internet connectivity 
  • Update Ubuntu
sudo apt-get update
sudo apt-get upgrade
  • Install PHP, Apache2 & related libraries:
sudo apt-get install php7.0 apache2 php7.0-mcrypt php7.0-ldap php7.0-mysql libapache2-mod-php7.0 php-xml
  • Installing SimpleSAMLphp binaries:
cd /var
sudo wget https://github.com/simplesamlphp/simplesamlphp/releases/download/v1.14.12/simplesamlphp-1.14.12.tar.gz

OR

sudo wget https://simplesamlphp.org/download?latest
sudo mv download\?latest simplesamlphp.tar.gz
sudo tar zxf simplesamlphp-*.tar.gz
sudo mv simplesamlphp-* simplesamlphp
sudo rm -f simplesamlphp-*.tar.gz 
cd simplesamlphp/

Configuring SAML Server as IDP

Modify the below files as per given parameters depending on your environment:

  • /var/simplesamlphp/config/config.php
'auth.adminpassword' => 'test@123',
'secretsalt' => 'ewt9ty348ty34ty3goy3gy3g',
'technicalcontact_email' => 'test@testlab.com',
'timezone' => 'Asia/Kolkata',		
'enable.saml20-idp' => true,
'enable.shib13-idp' => true,
'session.phpsession.cookiename' => null,
  • /var/simplesamlphp/config/authsources.php
'my-ldap' => array(
'hostname' => 'ad.testlab.com',
'enable_tls' => FALSE,		
'timeout' => 10,		
'dnpattern' => 'uid=%username%,cn=Users,dc=testlab,dc=com',	
'search.enable' => TRUE,
'search.base' => 'cn=Users,dc=testlab,dc=com',
'search.attributes' => array('cn'),		
'search.username' => 'test2',
'search.password' => 'Password@123',		
'priv.read' => TRUE,		
'priv.username' => 'test2',
'priv.password' => 'Password@123',		
  • /var/simplesamlphp/metadata/saml20-idp-hosted.php
'privatekey' => '/etc/apache2/ssl/wildcard.testlab.com.pem',
'certificate' => '/etc/apache2/ssl/wildcard.testlab.com.cer',
'auth' => 'my-ldap',	

Uncomment the below section:

'attributes.NameFormat' => 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri',
'authproc' => array(
// Convert LDAP names to oids.
100 => array('class' => 'core:AttributeMap', 'name2oid'),
),

Disable the message signing as the NetScaler does not understand this signature type

'saml20.sign.response' => FALSE,
'saml20.sign.assertion' => FALSE,
  • /var/simplesamlphp/metadata/saml20-sp-remote.php

Generate the metadata from the SP and paste in the end of this file:

$metadata['testlab-AD-CA'] = array (
  'entityid' => 'testlab-AD-CA',
  'contacts' => 
  array (
  ),
  'metadata-set' => 'saml20-sp-remote',
  'AssertionConsumerService' => 
  array (
    0 => 
    array (
      'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
      'Location' => 'https://samlvip.testlab.com/cgi/samlauth',
      'index' => 255,
    ),
  ),
  'SingleLogoutService' => 
  array (
    0 => 
    array (
      'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
      'Location' => 'https://samlvip.testlab.com/cgi/tmlogout',
    ),
  ),
  'keys' => 
  array (
    0 => 
    array (
      'encryption' => true,
      'signing' => true,
      'type' => 'X509Certificate',
      'X509Certificate' => '
 										 
MIIFNjCCBB6gAwIBAgITYwAAAAsiKKYDFRKTlwAAAAAACzANBgkqhkiG9w0BAQsF
ADBGMRMwEQYKCZImiZPyLGQBGRYDY29tMRcwFQYKCZImiZPyLGQBGRYHdGVzdGxh
YjEWMBQGA1UEAxMNdGVzdGxhYi1BRC1DQTAeFw0xNjEyMTAxNTQwMTlaFw0xODEy
MTAxNTQwMTlaMEoxCzAJBgNVBAYTAklOMRIwEAYDVQQIEwlLYXJuYXRha2ExDzAN
BgNVBAoTBkNpdHJpeDEWMBQGA1UEAxQNKi50ZXN0bGFiLmNvbTCCASIwDQYJKoZI
hvcNAQEBBQADggEPADCCAQoCggEBAKoEslU503/iN1oJtzklquElyRFeiLpa+jJU
qcM3fb8eZbSkL1EmNhDTSKr1Dr/dvr3U3YQP4gi7Z+NaYIK90umw12/SEoQ7FUTj
anK6Aj66XgAgF1mqO/XJxb0Ht4dVRhuyVjpMMpoeX2QxCB16xI/mePA9Eph4haZ1
p8ZjRlYuNT4zSHaV4F1RbzQXE+PyL9r0PImB4wtJ+Rvvm164kb3YgQvgAxr2N6+b
On0wTpStcGdZfilkrgTMvk8r1YtWBGcfjWkI4a9rY+i1Y7lc6U17fvUqwiCI6RMZ
/hOiQoAO4YoYE/6i9dg6Ls3+tuNX5ZLCAWhGgE9ra9SlWH9bH1kCAwEAAaOCAhcw
ggITMB0GA1UdDgQWBBRfs0siZp1uvlP+cFc53pbsM17gXDAfBgNVHSMEGDAWgBQd
EcLsEJ1BbQM6vQqW3ta6ve1fmzCBxgYDVR0fBIG+MIG7MIG4oIG1oIGyhoGvbGRh
cDovLy9DTj10ZXN0bGFiLUFELUNBLENOPWFkLENOPUNEUCxDTj1QdWJsaWMlMjBL
ZXklMjBTZXJ2aWNlcyxDTj1TZXJ2aWNlcyxDTj1Db25maWd1cmF0aW9uLERDPXRl
c3RsYWIsREM9Y29tP2NlcnRpZmljYXRlUmV2b2NhdGlvbkxpc3Q/YmFzZT9vYmpl
Y3RDbGFzcz1jUkxEaXN0cmlidXRpb25Qb2ludDCBvwYIKwYBBQUHAQEEgbIwga8w
gawGCCsGAQUFBzAChoGfbGRhcDovLy9DTj10ZXN0bGFiLUFELUNBLENOPUFJQSxD
Tj1QdWJsaWMlMjBLZXklMjBTZXJ2aWNlcyxDTj1TZXJ2aWNlcyxDTj1Db25maWd1
cmF0aW9uLERDPXRlc3RsYWIsREM9Y29tP2NBQ2VydGlmaWNhdGU/YmFzZT9vYmpl
Y3RDbGFzcz1jZXJ0aWZpY2F0aW9uQXV0aG9yaXR5MCEGCSsGAQQBgjcUAgQUHhIA
VwBlAGIAUwBlAHIAdgBlAHIwDgYDVR0PAQH/BAQDAgWgMBMGA1UdJQQMMAoGCCsG
AQUFBwMBMA0GCSqGSIb3DQEBCwUAA4IBAQCDuZPhbn1ZOTKDsUNtAkdtfuyW0Ms7
iPelPhH7mfp62Z+Naz9HkQIMWVARw0aoA7Yr42GBfATUD0Rf39BKcyNg6LSnYcyd
Q1NJ1UwcguxHP8t/UXdYorT0L765MBNhetSZr/aaCU7Nf2w4424nr3g2MAz+lOEW
fp4N96YZwjrDdv0uQKtUOvBY7ptKLeDOy6bsdFhZTN4H2Jb8rJSz8xmBzs8xbNGq
cLczDq9eChH8T0uboG58vrhMnwY3tnIMPELjO6LqbeOv7OdPxBtCbmSXG6CugzCk
7rYoP0r0zB6tw0SobgzjzAyOkoboOrEGjo780rgy6QLl4HQAmumwbWx8


 								 ',
    ),
  ),
);

Configuring Apache Server

Pointing Apache to SimpleSAMLphp by editing below file:

  • /etc/apache2/sites-available/000-default.conf
<VirtualHost *:80>
	ServerAdmin webmaster@localhost
	DocumentRoot /var/www/html

	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined

Alias /simplesaml /var/simplesamlphp/www/
<Directory /var/simplesamlphp/www/>
Require all granted
</Directory>

</VirtualHost>
  • Now check if application is accessible over HTTP:
http://<ip-address-of-server>/simplesamlphp

Enabling SSL Access

  • Generate Certificates
cd /etc/apache2/
sudo mkdir ssl
sudo openssl genrsa -des3 -out Certificate.key 4096
sudo openssl rsa -in Certificate.key -out Certificate.pem
sudo openssl req -new -key Certificate.key -out Certificate.csr
sudo openssl x509 -req -days 9999 -in Certificate.csr -signkey Certificate.key -out Certificate.crt
  • Restart Apache
sudo a2enmod ssl
sudo service apache2 restart
  • Point Apache to use these Certificates by editing below config file:
/etc/apache2/sites-available/000-default.conf
<VirtualHost *:443>
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html

        SSLCertificateFile      /etc/apache2/ssl/wildcard.testlab.com.cer
        SSLCertificateKeyFile   /etc/apache2/ssl/wildcard.testlab.com.pem
        SSLEngine On

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

Alias /simplesaml /var/simplesamlphp/www/
<Directory /var/simplesamlphp/www/>
Require all granted
</Directory>
</VirtualHost>
  • Restart Apache
sudo a2ensite ssl
sudo a2enmod ssl
sudo service apache2 restart
sudo phpenmod mcrypt
sudo service apache2 restart
  • Now the page should be available over https:
https://<ip-address-of-server>/simplesamlphp



References





blog comments powered by Disqus