{"id":555,"date":"2020-10-26T22:07:17","date_gmt":"2020-10-27T02:07:17","guid":{"rendered":"https:\/\/www.unliterate.net\/?p=555"},"modified":"2020-10-26T22:08:08","modified_gmt":"2020-10-27T02:08:08","slug":"simplesamlphp","status":"publish","type":"post","link":"https:\/\/www.unliterate.net\/index.php\/2020\/10\/26\/simplesamlphp\/","title":{"rendered":"SimpleSAMLphp \/ quick&#038;ez"},"content":{"rendered":"\n<p><em>Background<\/em>: For about 5 years <a rel=\"noreferrer noopener\" href=\"https:\/\/synacor.com\/\" target=\"_blank\">at my place of work<\/a> we have used software called <a rel=\"noreferrer noopener\" href=\"https:\/\/simplesamlphp.org\/\" target=\"_blank\">SimpleSAMLphp<\/a> to help offer identity solutions to TVE (TV Everywhere) customers. In essence I have been one of a team of 20th century cable people.<\/p>\n\n\n\n<p>This software, in its current version, has been heavily customized to offer quick deployment solutions for new customers. All I can say is that it&#8217;s awesome running an Identity Stack with 50+ IdPs and 5000+ SPs.<\/p>\n\n\n\n<p>I decided to see how quickly I could set up a SAML SP -&gt; IdP relationship between two CentOS 7 virtual machines:<\/p>\n\n\n\n<!--more-->\n\n\n\n<p>Two hosts: sspsp (192.168.1.76, the Service Provider) and sspidp (192.168.1.77, the Identity Provider).<\/p>\n\n\n\n<p>Minimal install, with static IPs and DNS set during OS installation. The same base setup goes on both hosts:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>yum update\nsystemctl stop firewalld\nsystemctl disable firewalld\nsed -i 's\/^SELINUX=.*\/SELINUX=permissive\/' \/etc\/sysconfig\/selinux\nyum install httpd mod_ssl\nsystemctl start httpd\nsystemctl enable httpd\nshutdown -r now<\/code><\/pre>\n\n\n\n<p>Turning off firewalld and putting SELinux in permissive mode are lab shortcuts that keep the first run easy to debug. On a host anyone else can reach, keep firewalld running with only 443\/tcp (plus your management access) open, and leave SELinux enforcing; SAML itself needs nothing but HTTPS.<\/p>\n\n\n\n<p>Install PHP 7+ on CentOS 7 following <a rel=\"noreferrer noopener\" href=\"https:\/\/linuxize.com\/post\/install-php-7-on-centos-7\/\" target=\"_blank\">https:\/\/linuxize.com\/post\/install-php-7-on-centos-7\/<\/a><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo yum install epel-release yum-utils\nsudo yum install 
http:\/\/rpms.remirepo.net\/enterprise\/remi-release-7.rpm\nsudo yum-config-manager --enable remi-php73\nsudo yum install php php-common php-opcache php-mcrypt php-cli php-gd php-curl php-mysqlnd\nshutdown -r now<\/code><\/pre>\n\n\n\n<p>Test that PHP is being served:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>echo -e \"&lt;?php\\nphpinfo();\" > \/var\/www\/html\/index.php<\/code><\/pre>\n\n\n\n<p>Delete that index.php again once the page renders: phpinfo() lists loaded modules, paths and every configuration value, which is not something an IdP should be handing to strangers.<\/p>\n\n\n\n<p>Install SimpleSAMLphp from the tarball on <a rel=\"noreferrer noopener\" href=\"https:\/\/simplesamlphp.org\/download\" target=\"_blank\">https:\/\/simplesamlphp.org\/download<\/a> (at the time of writing the latest download was the 1.19.0 release candidate):<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>yum install wget\nwget 'https:\/\/simplesamlphp.org\/download?latest'\nmv download\\?latest simplesamlphp-1.19.0-rc1.tar.gz\ntar -xzf simplesamlphp-1.19.0-rc1.tar.gz\nmv simplesamlphp-1.19.0-rc1 \/var\/www\/html\/simplesamlphp\nchown -R apache:apache \/var\/www\/html\/simplesamlphp\n\nvi \/etc\/httpd\/conf.d\/ssl.conf\nDocumentRoot \"\/var\/www\/html\/simplesamlphp\/www\"\n\nvi \/var\/www\/html\/simplesamlphp\/config\/config.php\n'baseurlpath' => '',\n'secretsalt' => 'salt',\n'auth.adminpassword' => 'admin',\n'enable.saml20-idp' => true,\n\nyum install php-xml php-ldap php-pecl-memcache\nsystemctl restart httpd<\/code><\/pre>\n\n\n\n<p>The <em>secretsalt<\/em> and <em>auth.adminpassword<\/em> values above are throwaway-lab placeholders. SimpleSAMLphp uses the salt when deriving persistent NameIDs and other secrets, so it should be a long random string unique to the installation, and the admin pages (configuration, metadata and test logins) deserve a real password; the distribution ships <em>bin\/pwgen.php<\/em> to produce a hashed value for <em>auth.adminpassword<\/em>. SimpleSAMLphp refuses to run while the shipped defaults for these two settings are still in place, so they cannot simply be skipped.<\/p>\n\n\n\n<p>Set up the Identity Provider on 192.168.1.77 (sspidp):<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>cd \/var\/www\/html\/simplesamlphp\/cert\nopenssl req -newkey rsa:3072 -new -x509 -days 3652 -nodes -out saml-idp.crt -keyout saml-idp.pem\ncd \/var\/www\/html\/simplesamlphp\/metadata\n\nvi saml20-idp-hosted.php\n$metadata&#91;'https:\/\/192.168.1.77\/saml\/saml2\/idp\/metadata.php'] = &#91;\n        'auth' => 'blankPage',\n        'certificate' => 'saml-idp.crt',\n        'privatekey' => 'saml-idp.pem',\n        'name' => 'blankPage-on-77',\n        'entityid' => 'https:\/\/192.168.1.77\/saml\/saml2\/idp\/metadata.php',\n        'host' => '192.168.1.77',\n];\n\ncd \/var\/www\/html\/simplesamlphp\/config\n\nvi authsources.php\n    'blankPage' => &#91;\n     
   'blank:Page',\n    ],<\/code><\/pre>\n\n\n\n<p>On the Identity Provider I also installed my <a rel=\"noreferrer noopener\" href=\"https:\/\/github.com\/mjheick\/simplesamlphp-modules-blank\" target=\"_blank\">simplesamlphp-modules-blank<\/a> module, which provides the <em>blank:Page<\/em> authsource above, so authentication is a pass-through straight back to the SP. That is fine for proving the SAML plumbing works, but it is not an authentication method; swap in a real authsource before anything depends on this IdP.<\/p>\n\n\n\n<p>Set up the Service Provider on 192.168.1.76 (sspsp):<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>cd \/var\/www\/html\/simplesamlphp\/cert\nopenssl req -newkey rsa:3072 -new -x509 -days 3652 -nodes -out saml-sp.crt -keyout saml-sp.pem\n\nvi \/var\/www\/html\/simplesamlphp\/config\/authsources.php\n    'seventysix' => &#91;\n      'saml:SP',\n      'idp' => null,\n      'name' => &#91; 'en' => '192.168.1.76 SAML' ],\n      'privatekey' => 'saml-sp.pem',\n      'certificate' => 'saml-sp.crt',\n    ]<\/code><\/pre>\n\n\n\n<p>Now, we do the metadata exchange!<\/p>\n\n\n\n<p>Add the IdP metadata from <em>https:\/\/192.168.1.77\/saml2\/idp\/metadata.php?output=xhtml<\/em> to the SP&#8217;s <em>metadata\/saml20-idp-remote.php<\/em>, and in the SP&#8217;s <em>authsources.php<\/em> change <em>&#8216;idp&#8217; =&gt; null<\/em> to <em>&#8216;idp&#8217; =&gt; &#8216;https:\/\/192.168.1.77\/saml\/saml2\/idp\/metadata.php&#8217;,<\/em> (the IdP&#8217;s entityID as set in <em>saml20-idp-hosted.php<\/em>; it is an identifier, which is why it keeps the <em>\/saml\/<\/em> prefix even though the metadata is actually served from <em>\/saml2\/idp\/<\/em>).<\/p>\n\n\n\n<p>Add the SP metadata from <em>https:\/\/192.168.1.76\/module.php\/saml\/sp\/metadata.php\/seventysix?output=xhtml<\/em> to the IdP&#8217;s <em>metadata\/saml20-sp-remote.php<\/em>.<\/p>\n\n\n\n<p>Each side is copying the other&#8217;s self-signed certificate into its remote metadata, and that certificate, not the TLS connection the metadata came over, is what verifies the signed SAML messages later. Check that the <em>certData<\/em> you paste matches the <em>saml-idp.crt<\/em> and <em>saml-sp.crt<\/em> you generated before trusting it.<\/p>\n\n\n\n<p>And now I test with the built-in test page: https:\/\/192.168.1.76\/module.php\/core\/authenticate.php<\/p>\n\n\n\n<p>#ezpz<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Background: For about 5 years at my place of work we have used software called SimpleSAMLphp to help offer identity solutions to TVE (TV Everywhere) customers. In essence I have been one of a team of 20th century cable people. 
This software, in its current version, has been heavily customized to offer quick deployment [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[19,20,17,2],"tags":[],"class_list":["post-555","post","type-post","status-publish","format-standard","hentry","category-centos","category-geek-instructions","category-linux","category-random"],"_links":{"self":[{"href":"https:\/\/www.unliterate.net\/index.php\/wp-json\/wp\/v2\/posts\/555","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.unliterate.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.unliterate.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.unliterate.net\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.unliterate.net\/index.php\/wp-json\/wp\/v2\/comments?post=555"}],"version-history":[{"count":2,"href":"https:\/\/www.unliterate.net\/index.php\/wp-json\/wp\/v2\/posts\/555\/revisions"}],"predecessor-version":[{"id":557,"href":"https:\/\/www.unliterate.net\/index.php\/wp-json\/wp\/v2\/posts\/555\/revisions\/557"}],"wp:attachment":[{"href":"https:\/\/www.unliterate.net\/index.php\/wp-json\/wp\/v2\/media?parent=555"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.unliterate.net\/index.php\/wp-json\/wp\/v2\/categories?post=555"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.unliterate.net\/index.php\/wp-json\/wp\/v2\/tags?post=555"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
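The metadata exchange the post describes by hand (copy the IdP's metadata into the SP's saml20-idp-remote.php, copy the SP's into the IdP's saml20-sp-remote.php), worked through as an added example. This is not code from the post or from SimpleSAMLphp: it is a stdlib-only Python parser that reads a SAML 2.0 EntityDescriptor, pulls out the entityID, the endpoints and the signing certificate, and prints the PHP array entry in the shape SimpleSAMLphp's remote-metadata files use. It generalizes the post's two-host case to either role (IDPSSODescriptor or SPSSODescriptor). The two metadata documents embedded at the bottom are constructed to mirror the post's hosts and paths; their certificate is a placeholder blob rather than a real X.509 certificate, so the fingerprint it prints is only there to show the out-of-band check against saml-idp.crt / saml-sp.crt that the text recommends.

```python
"""SAML 2.0 metadata XML -> SimpleSAMLphp remote-metadata PHP entry.

Added example for this post (not the post's or SimpleSAMLphp's code); stdlib only. One parser
handles both sides of the exchange: the IdP's IDPSSODescriptor (destined for the SP's
saml20-idp-remote.php) and the SP's SPSSODescriptor (for the IdP's saml20-sp-remote.php).
The samples below are constructed; their certificate is a placeholder blob, not real X.509.
"""
import base64, hashlib, re
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}

def parse_entity(xml_text: str) -> dict:
    """Extract entityID, endpoints and the signing cert from one EntityDescriptor."""
    root = ET.fromstring(xml_text)
    role, desc = "idp", root.find("md:IDPSSODescriptor", NS)
    if desc is None:
        role, desc = "sp", root.find("md:SPSSODescriptor", NS)
    if desc is None:
        raise ValueError("neither IDPSSODescriptor nor SPSSODescriptor present")

    def endpoints(tag: str) -> list:
        out = []
        for e in desc.findall("md:" + tag, NS):
            ep = {"Binding": e.attrib["Binding"], "Location": e.attrib["Location"]}
            if "index" in e.attrib:  # AssertionConsumerService endpoints carry an index
                ep["index"] = int(e.attrib["index"])
            out.append(ep)
        return out

    # Trust anchor: a KeyDescriptor with use="signing" or with no use attribute at all.
    cert = None
    for kd in desc.findall("md:KeyDescriptor", NS):
        c = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if kd.attrib.get("use", "signing") == "signing" and c is not None and c.text:
            cert = re.sub(r"\s+", "", c.text)
            break
    if cert is None:
        raise ValueError("no signing certificate in metadata")
    base64.b64decode(cert, validate=True)  # never emit a malformed certData
    info = {"role": role, "entityid": root.attrib["entityID"], "certData": cert,
            "SingleLogoutService": endpoints("SingleLogoutService")}
    if role == "idp":
        info["SingleSignOnService"] = endpoints("SingleSignOnService")
    else:
        info["AssertionConsumerService"] = endpoints("AssertionConsumerService")
    return info

def fingerprint(cert_b64: str) -> str:
    """SHA-256 of the DER bytes, colon-separated, to compare against the .crt you generated."""
    digest = hashlib.sha256(base64.b64decode(cert_b64)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def _php(value, indent: int = 1) -> str:
    """Render str/int/list/dict in the PHP short-array style SimpleSAMLphp's files use."""
    pad, close = "    " * indent, "    " * (indent - 1)
    if isinstance(value, str):
        return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"
    if isinstance(value, int):
        return str(value)
    if isinstance(value, list):
        items = "".join("%s%s,\n" % (pad, _php(v, indent + 1)) for v in value)
    else:
        items = "".join("%s%s => %s,\n" % (pad, _php(k), _php(v, indent + 1)) for k, v in value.items())
    return "[\n%s%s]" % (items, close)

def to_php(info: dict) -> str:
    """The $metadata[...] entry to paste into saml20-idp-remote.php / saml20-sp-remote.php."""
    body = {k: v for k, v in info.items() if k != "role" and v != []}
    return "$metadata[%s] = %s;\n" % (_php(info["entityid"]), _php(body))

# Constructed samples mirroring the post's hosts. The IdP entityID keeps the /saml/ prefix
# set in saml20-idp-hosted.php while its endpoints sit under /saml2/idp/ (empty baseurlpath):
# the entityID is an identifier, not the URL the metadata was fetched from.
PLACEHOLDER_CERT = base64.b64encode(b"constructed placeholder, not a real X.509 DER certificate").decode()
_XMLNS = 'xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"'
_KEY = ("<md:KeyDescriptor%s><ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s"
        "</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>")
_IDP_KEY, _SP_KEY = _KEY % (' use="signing"', PLACEHOLDER_CERT), _KEY % ("", PLACEHOLDER_CERT)

IDP_METADATA = f"""<?xml version="1.0"?>
<md:EntityDescriptor {_XMLNS} entityID="https://192.168.1.77/saml/saml2/idp/metadata.php">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    {_IDP_KEY}
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://192.168.1.77/saml2/idp/SingleLogoutService.php"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://192.168.1.77/saml2/idp/SSOService.php"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

SP_METADATA = f"""<?xml version="1.0"?>
<md:EntityDescriptor {_XMLNS} entityID="https://192.168.1.76/module.php/saml/sp/metadata.php/seventysix">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    {_SP_KEY}
    <md:AssertionConsumerService index="0" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://192.168.1.76/module.php/saml/sp/saml2-acs.php/seventysix"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":  # prints both entries, each with the fingerprint to compare out of band
    for info in map(parse_entity, (IDP_METADATA, SP_METADATA)):
        print("// %s cert SHA-256 %s\n%s" % (info["role"], fingerprint(info["certData"]), to_php(info)))
```

Run it as a script and it prints the saml20-idp-remote.php entry for the IdP and the saml20-sp-remote.php entry for the SP, each preceded by the certificate fingerprint. Against a real deployment you would feed it the XML from the two metadata.php URLs in the post instead of the embedded samples, then confirm the printed fingerprint against `openssl x509 -noout -fingerprint -sha256 -in saml-idp.crt` on the box that generated the key, since the metadata was fetched over a self-signed TLS connection that proves nothing about who served it. SimpleSAMLphp's own admin pages can do this conversion too; the point of spelling it out is to show exactly which fields (entityID, endpoints, certData) make up the trust relationship and that the entityID is just a name.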