Setup SAML server in lab
Install a virtual machine software:
- Download and install a virtual machine software like VirtualBox or VMware on your computer.
Download a Linux distribution image:
- Download a Linux distribution image from the official website of the chosen distribution (e.g., Ubuntu, CentOS).
- Save the downloaded image to your computer.
Create a virtual machine:
- Open the virtual machine software and click on the “New” button to create a new virtual machine.
- Follow the wizard to create a new virtual machine, selecting the downloaded Linux distribution image as the operating system.
Install Apache web server:
Open the terminal on the virtual machine and run the following commands to install the Apache web server:

sudo apt-get update
sudo apt-get install apache2
Install SimpleSAMLphp:
- Download the latest version of SimpleSAMLphp from the official website (https://simplesamlphp.org/download).
- Extract the downloaded archive to the Apache web server document root directory (/var/www/html).
- Rename the extracted directory to “simplesamlphp”.
Configure SimpleSAMLphp as a SAML identity provider:
Open the terminal on the virtual machine and navigate to the SimpleSAMLphp configuration directory:
cd /var/www/html/simplesamlphp/config

Copy the “config-templates/config.php” file to “config.php”:

cp config-templates/config.php config.php

Edit the “config.php” file and set the following parameters:

'baseurlpath' => 'https://localhost/simplesamlphp/',
'auth.adminpassword' => 'CHOOSE-A-STRONG-PASSWORD',
'secretsalt' => 'CHOOSE-A-RANDOM-STRING',

Save and close the “config.php” file.
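The two placeholder values above are the ones most often left in place in lab builds, and SimpleSAMLphp uses secretsalt to derive session and cookie secrets, so a guessable salt undermines every login the IdP issues. The following Python is an added example, not part of this guide or of SimpleSAMLphp: it embeds the three config.php lines above as constructed sample text, reports settings that still hold this guide's placeholders or the defaults shipped in SimpleSAMLphp's config template ('123' and 'defaultsecretsalt', as I recall them from the template), flags a salt shorter than an assumed 32-character minimum or a non-https baseurlpath, and rewrites the two secrets with values from the OS CSPRNG.

```python
import re
import secrets
import string
from typing import List, Optional

# Constructed sample: the three config.php lines from this lab, still holding
# the placeholder values the guide tells you to replace.
SAMPLE_CONFIG_PHP = """
'baseurlpath' => 'https://localhost/simplesamlphp/',
'auth.adminpassword' => 'CHOOSE-A-STRONG-PASSWORD',
'secretsalt' => 'CHOOSE-A-RANDOM-STRING',
"""

# Values that must never survive into a running install: this guide's
# placeholders plus the defaults shipped in SimpleSAMLphp's config template.
WEAK_VALUES = {
    "auth.adminpassword": {"CHOOSE-A-STRONG-PASSWORD", "123"},
    "secretsalt": {"CHOOSE-A-RANDOM-STRING", "defaultsecretsalt"},
}
MIN_SALT_LEN = 32  # assumed minimum; the salt feeds session and cookie secrets


def php_option(text: str, key: str) -> Optional[str]:
    """Return the single-quoted value of `'key' => '...'` in PHP config text, or None."""
    m = re.search(r"'%s'\s*=>\s*'([^']*)'" % re.escape(key), text)
    return m.group(1) if m else None


def check_config(text: str) -> List[str]:
    """Return the weak settings found; an empty list means the three options pass."""
    findings = []
    for key, weak in WEAK_VALUES.items():
        value = php_option(text, key)
        if value is None:
            findings.append("%s: not set" % key)
        elif value in weak:
            findings.append("%s: still has a placeholder or shipped default" % key)
    salt = php_option(text, "secretsalt")
    if salt is not None and len(salt) < MIN_SALT_LEN:
        findings.append("secretsalt: shorter than %d characters" % MIN_SALT_LEN)
    base = php_option(text, "baseurlpath")
    if base is not None and not base.startswith("https://"):
        findings.append("baseurlpath: not https, so SAML messages and session cookies travel in clear")
    return findings


def generate_secret_salt(length: int = 64) -> str:
    """Random lowercase+digit salt from the OS CSPRNG; safe inside a PHP single-quoted string."""
    alphabet = string.ascii_lowercase + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def harden(text: str) -> str:
    """Replace the admin password and secretsalt with freshly generated values."""
    new_salt = generate_secret_salt()
    new_password = secrets.token_urlsafe(24)  # only [A-Za-z0-9_-], so no quoting issues in PHP
    text = re.sub(r"('secretsalt'\s*=>\s*)'[^']*'", lambda m: m.group(1) + "'" + new_salt + "'", text)
    text = re.sub(r"('auth\.adminpassword'\s*=>\s*)'[^']*'",
                  lambda m: m.group(1) + "'" + new_password + "'", text)
    return text


if __name__ == "__main__":
    for finding in check_config(SAMPLE_CONFIG_PHP):
        print("before:", finding)
    print(harden(SAMPLE_CONFIG_PHP))
```

Run it against the real file with `check_config(open("/var/www/html/simplesamlphp/config/config.php").read())` once you have edited it; the regex only understands single-quoted scalar values, which is all these three options use.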
Configure SimpleSAMLphp as a SAML service provider:
Open the terminal on the virtual machine and navigate to the SimpleSAMLphp configuration directory:
cd /var/www/html/simplesamlphp/config

Copy the “config-templates/authsources.php” file to “authsources.php”:

cp config-templates/authsources.php authsources.php

Edit the “authsources.php” file and set the following parameters:

'default-sp' => array(
    'saml:SP',
    'entityID' => 'https://localhost/testsp',
    'discoURL' => null,
    'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified',
    'simplesaml.nameidattribute' => 'uid',
    'simplesaml.attributes' => false,
    'AssertionConsumerService' => 'https://localhost/testsp/saml2-acs.php',
    'SingleLogoutService' => 'https://localhost/testsp/saml2-logout.php',
    'sign.logout' => true,
    'redirect.sign' => true,
),

Save and close the “authsources.php” file.
Create a test user account:
Open the terminal on the virtual machine and navigate to the SimpleSAMLphp metadata directory:
cd /var/www/html/simplesamlphp/metadata

Copy the “saml20-idp-remote.php” file to “testuser.php”:

cp saml20-idp-remote.php testuser.php

Edit the “testuser.php” file and set the following parameters:

$metadata['testuser'] = array(
    'entityid' => 'https://localhost/testuser',
    'contacts' => array(
        array(
            'contactType' => 'technical',
            'givenName' => 'Test',
            'surName' => 'User',
            'emailAddress' => 'testuser@example.com',
        ),
    ),
    'metadata-set' => 'saml20-idp-remote',
    'SingleSignOnService' => array(
        array(
            'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
            'Location' => 'https://localhost/simplesamlphp/saml2/idp/SSOService.php',
        ),
    ),
    'SingleLogoutService' => array(
        array(
            'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
            'Location' => 'https://localhost/simplesamlphp/saml2/idp/SingleLogoutService.php',
        ),
    ),
    'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified',
    'simplesaml.nameidattribute' => 'uid',
    'simplesaml.attributes' => false,
    'authproc' => array(
        10 => array(
            // core:AttributeAdd takes attribute name => list of values
            'class' => 'core:AttributeAdd',
            'uid' => array('testuser'),
        ),
    ),
);

Save and close the “testuser.php” file.
Configure the SAML service provider to trust the SAML identity provider:
Open the terminal on the virtual machine and navigate to the SimpleSAMLphp metadata directory:
cd /var/www/html/simplesamlphp/metadata

Create a new file named “idp-metadata.xml” and add the following metadata for the SAML identity provider:

<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://localhost/simplesamlphp/saml2/idp/metadata.php">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://localhost/simplesamlphp/saml2/idp/SSOService.php"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://localhost/simplesamlphp/saml2/idp/SingleLogoutService.php"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>

Edit the “metadata/saml20-sp-remote.php” file and set the following parameters:
$metadata['https://localhost/testsp'] = array(
    'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified',
    'simplesaml.nameidattribute' => 'uid',
    'simplesaml.attributes' => false,
    'metadata-set' => 'saml20-sp-remote',
    'entityid' => 'https://localhost/testsp',
    'contacts' => array(
        array(
            'contactType' => 'technical',
            'givenName' => 'Test',
            'surName' => 'SP',
            'emailAddress' => 'testsp@example.com',
        ),
    ),
    // Each endpoint is given once, as a list of Binding/Location entries
    'AssertionConsumerService' => array(
        array(
            'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
            'Location' => 'https://localhost/testsp/saml2-acs.php',
        ),
    ),
    'SingleLogoutService' => array(
        array(
            'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
            'Location' => 'https://localhost/testsp/saml2-logout.php',
        ),
    ),
    'NameIDMappingService' => array(
        array(
            'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:SOAP',
            'Location' => 'https://localhost/testsp/saml2-nameidmapping.php',
        ),
    ),
    'attributes.NameFormat' => 'urn:oasis:names:tc:SAML:2.0:attrname-format:basic',
    'attributes' => array(),
    'authproc' => array(
        3 => array(
            'class' => 'saml:NameIDAttribute',
            'attribute' => 'uid',
            'Format' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
        ),
    ),
    'saml20.sign.assertion' => true,
    'saml20.sign.response' => true,
    'saml20.encrypt' => false,
    'saml20.sign.metadata' => true,
    'redirect.sign' => true,
);

Save and close the “saml20-sp-remote.php” file.
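The trust the SP places in the IdP is exactly what the “idp-metadata.xml” file above says it is, so it pays to parse that file and check what it actually contains. The following Python is an added example, not part of this guide or of SimpleSAMLphp; it embeds the lab's metadata as its sample input, extracts the entityID, NameID formats and endpoints, checks that every endpoint is https on the expected host (assumed to be localhost, as in this lab), and flags the point a reader could miss: the XML above carries no md:KeyDescriptor, so an SP configured from it alone holds no IdP signing certificate to verify assertions against and must obtain one (for example from the IdP's own metadata URL) before the trust is meaningful.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List
from urllib.parse import urlparse

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD}

# The idp-metadata.xml from this lab, embedded here as the sample input.
LAB_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://localhost/simplesamlphp/saml2/idp/metadata.php">
<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:NameIDFormat>
urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
</md:NameIDFormat>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://localhost/simplesamlphp/saml2/idp/SSOService.php"/>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://localhost/simplesamlphp/saml2/idp/SingleLogoutService.php"/>
</md:IDPSSODescriptor>
</md:EntityDescriptor>"""

LAB_IDP_ENTITY_ID = "https://localhost/simplesamlphp/saml2/idp/metadata.php"


def parse_idp_metadata(xml_text: str) -> Dict[str, object]:
    """Extract the facts an SP relies on from SAML 2.0 IdP metadata."""
    root = ET.fromstring(xml_text)  # ElementTree does not resolve external entities
    if root.tag != "{%s}EntityDescriptor" % MD:
        raise ValueError("root element is not md:EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no md:IDPSSODescriptor: this entity does not describe an IdP")

    def endpoints(name: str):
        return [(e.get("Binding"), e.get("Location")) for e in idp.findall("md:" + name, NS)]

    # KeyDescriptor without a use attribute may be used for signing as well as encryption
    signing_keys = [k for k in idp.findall("md:KeyDescriptor", NS) if k.get("use") in (None, "signing")]
    return {
        "entity_id": root.get("entityID"),
        "name_id_formats": [(e.text or "").strip() for e in idp.findall("md:NameIDFormat", NS)],
        "sso": endpoints("SingleSignOnService"),
        "slo": endpoints("SingleLogoutService"),
        "signing_keys": len(signing_keys),
    }


def check_idp_metadata(info: Dict[str, object], expected_entity_id: str,
                       expected_host: str = "localhost") -> List[str]:
    """Return findings an SP operator should resolve before trusting this IdP."""
    findings: List[str] = []
    if info["entity_id"] != expected_entity_id:
        findings.append("entityID %r differs from the IdP the SP is configured for" % info["entity_id"])
    if not info["sso"]:
        findings.append("no SingleSignOnService endpoint")
    for kind in ("sso", "slo"):
        for _binding, location in info[kind]:
            u = urlparse(location or "")
            if u.scheme != "https":
                findings.append("%s endpoint %s is not https" % (kind, location))
            if u.hostname != expected_host:
                findings.append("%s endpoint %s is not on %s" % (kind, location, expected_host))
    if info["signing_keys"] == 0:
        findings.append("no signing KeyDescriptor: the SP cannot verify IdP signatures from this metadata")
    return findings


if __name__ == "__main__":
    info = parse_idp_metadata(LAB_IDP_METADATA)
    print(info)
    for finding in check_idp_metadata(info, LAB_IDP_ENTITY_ID):
        print("finding:", finding)
```

On the lab file the only finding is the missing KeyDescriptor; change one Location to http:// and the endpoint check fires as well.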
Test the SAML authentication:
- Open a web browser on your host machine and navigate to “https://localhost/testsp”.
- You will be redirected to the SAML identity provider for authentication.
- Enter the test user credentials created earlier and complete the authentication process.
- You will be redirected back to the SAML service provider and should be able to access the protected resource.
- Verify that the SAML response is valid and that the user is authenticated.
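“Verify that the SAML response is valid” covers a specific set of checks an SP must make on the bearer assertion it receives at its AssertionConsumerService: success status, Destination and Recipient equal to the ACS URL, InResponseTo matching an outstanding request, Issuer equal to the trusted IdP, Audience equal to the SP's entityID, and the validity window. The following Python is an added example, not part of this guide or of SimpleSAMLphp (which performs these checks internally); it runs them over a constructed, unsigned sample response shaped like what this lab's IdP would POST, using the entityIDs and ACS URL configured above and an assumed 60-second clock-skew tolerance. Cryptographic verification of the XML signature is deliberately left to an XML-DSig library; this check only refuses a response that carries no signature at all, which is why the sample fails with exactly that finding.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from typing import Dict, List

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
CLOCK_SKEW = timedelta(seconds=60)  # assumed tolerance for lab VM clock drift

# Values from this lab's configuration.
LAB_IDP = "https://localhost/simplesamlphp/saml2/idp/metadata.php"
LAB_SP = "https://localhost/testsp"
LAB_ACS = "https://localhost/testsp/saml2-acs.php"

# Constructed sample (not a real capture). It carries no ds:Signature on purpose.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_r1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z" Destination="https://localhost/testsp/saml2-acs.php" InResponseTo="_q1">
  <saml:Issuer>https://localhost/simplesamlphp/saml2/idp/metadata.php</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>https://localhost/simplesamlphp/saml2/idp/metadata.php</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">testuser</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2024-01-01T12:05:00Z" Recipient="https://localhost/testsp/saml2-acs.php" InResponseTo="_q1"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://localhost/testsp</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="uid"><saml:AttributeValue>testuser</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def _utc(ts: str) -> datetime:
    """Parse a SAML xsd:dateTime such as 2024-01-01T12:00:00Z into an aware UTC datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)


def check_saml_response(xml_text: str, idp_entity_id: str, sp_entity_id: str,
                        acs_url: str, request_id: str, now: datetime) -> Dict[str, object]:
    """Check the claims an SP must verify before trusting a bearer assertion.
    XML-DSig verification is out of scope and must be done with a signature library
    before any value returned here is trusted; this only rejects unsigned responses."""
    findings: List[str] = []
    resp = ET.fromstring(xml_text)  # ElementTree does not resolve external entities
    if resp.tag != "{%s}Response" % NS["samlp"]:
        return {"ok": False, "findings": ["root element is not samlp:Response"], "name_id": None, "attributes": {}}
    code = resp.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        findings.append("status is not Success")
    if resp.get("Destination") != acs_url:
        findings.append("Destination is not this SP's ACS URL")
    if resp.get("InResponseTo") != request_id:
        findings.append("InResponseTo does not match an outstanding AuthnRequest")
    assertions = resp.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        findings.append("expected exactly one saml:Assertion, found %d" % len(assertions))
        return {"ok": False, "findings": findings, "name_id": None, "attributes": {}}
    a = assertions[0]
    if resp.find("ds:Signature", NS) is None and a.find("ds:Signature", NS) is None:
        findings.append("no ds:Signature on Response or Assertion; reject unsigned responses")
    issuer = (a.findtext("saml:Issuer", default="", namespaces=NS) or "").strip()
    if issuer != idp_entity_id:
        findings.append("assertion Issuer %r is not the trusted IdP" % issuer)
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        findings.append("assertion has no Conditions")
    else:
        if cond.get("NotBefore") and now + CLOCK_SKEW < _utc(cond.get("NotBefore")):
            findings.append("assertion not yet valid (NotBefore)")
        if cond.get("NotOnOrAfter") and now - CLOCK_SKEW >= _utc(cond.get("NotOnOrAfter")):
            findings.append("assertion expired (Conditions NotOnOrAfter)")
        audiences = [(e.text or "").strip() for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if sp_entity_id not in audiences:
            findings.append("Audience does not include this SP's entityID")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None:
        findings.append("bearer assertion has no SubjectConfirmationData")
    else:
        if scd.get("Recipient") != acs_url:
            findings.append("SubjectConfirmationData Recipient is not this SP's ACS URL")
        if scd.get("InResponseTo") != request_id:
            findings.append("SubjectConfirmationData InResponseTo mismatch")
        if scd.get("NotOnOrAfter") and now - CLOCK_SKEW >= _utc(scd.get("NotOnOrAfter")):
            findings.append("SubjectConfirmationData expired")
    attributes = {att.get("Name"): [(v.text or "").strip() for v in att.findall("saml:AttributeValue", NS)]
                  for att in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    name_id = (a.findtext("saml:Subject/saml:NameID", default="", namespaces=NS) or "").strip() or None
    return {"ok": not findings, "findings": findings, "name_id": name_id, "attributes": attributes}


def check_lab_sample(minutes_after_issue: int = 1, sp_entity_id: str = LAB_SP) -> Dict[str, object]:
    """Run the check on the sample as if it arrived N minutes after IssueInstant."""
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc) + timedelta(minutes=minutes_after_issue)
    return check_saml_response(SAMPLE_RESPONSE, LAB_IDP, sp_entity_id, LAB_ACS, "_q1", now)


if __name__ == "__main__":
    print(check_lab_sample())
```

Replaying the same sample ten minutes later adds the expiry findings, and presenting it to an SP with a different entityID adds the Audience finding; those two checks are what stop a captured assertion from being reused elsewhere or later.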