Friday, June 28, 2013

WSO2 Identity Server SAML2 IdP with SimpleSAMLphp Service Provider

This blog post explains how to configure WSO2 Identity Server as a SAML2 IdP with SimpleSAMLphp as the Service Provider.

Let's first set up SimpleSAMLphp as a service provider. The steps below were tested on Ubuntu.

1.  Install Apache
# apt-get install apache2
2.  Install PHP and related extensions
# apt-get install php5
# apt-get install php5-cli
# apt-get install php5-common
# apt-get install php5-curl
# apt-get install php-pear
# apt-get install php5-mcrypt
3.  Install SimpleSAMLphp
# cd /var/simplesamlphp/
# wget http://simplesamlphp.googlecode.com/files/simplesamlphp-1.11.0.tar.gz
# tar xvf simplesamlphp-1.11.0.tar.gz
# mv simplesamlphp-1.11.0 simplesamlphp
# cd simplesamlphp
# cp -r metadata-templates/*.php metadata/
# cp -r config-templates/*.php config
4.  Configure the SimpleSAMLphp web application in Apache.
# cd /var/www
# ln -s /var/simplesamlphp/simplesamlphp/www simplesaml
5.  Start Apache
# apachectl start
6.  Access the SimpleSAMLphp web app

http://localhost/simplesaml

7.  SimpleSAMLphp administrator login configuration.
# cd /var/simplesamlphp/simplesamlphp
# vi config/config.php

Look for 'auth.adminpassword' and change its value from the default and save the file.

8. Click on 'Login as administrator' from the web page http://localhost/simplesaml

9.  Adding a Service Provider to SimpleSAMLphp
# cd /var/simplesamlphp/simplesamlphp
# vi config/authsources.php
Add the following section to the file and save.
'wso2-sp' => array(
    'saml:SP',
    // The entity ID of this SP.
    // Can be NULL/unset, in which case an entity ID is generated based on the metadata URL.
    'entityID' => 'simplesaml',
    // The entity ID of the IdP this SP should contact.
    // Can be NULL/unset, in which case the user will be shown a list of available IdPs.
    'idp' => 'https://localhost:9443/samlsso',
    // The URL to the discovery service.
    // Can be NULL/unset, in which case a builtin discovery service will be used.
    'discoURL' => NULL,
),
Here we assume WSO2 IS is running in localhost on 9443.

10. Adding Identity Provider metadata.
# cd /var/simplesamlphp/simplesamlphp
# vi metadata/saml20-idp-remote.php
Add the following section to the file and save.
$metadata['https://localhost:9443/samlsso'] = array(
    'name' => array(
        'en' => 'WSO2 IS',
        'no' => 'WSO2 IS',
    ),
    'description'         => 'Login with WSO2 IS SAML2 IdP.',
    'SingleSignOnService' => 'https://localhost:9443/samlsso',
    'SingleLogoutService' => 'https://localhost:9443/samlsso',
    'certFingerprint'     => '6bf8e136eb36d4a56ea05c7ae4b9a45b63bf975d',
);
Note that the key of $metadata['https://localhost:9443/samlsso'] must match the value of 'idp' set in step 9.

6bf8e136eb36d4a56ea05c7ae4b9a45b63bf975d is the SHA-1 fingerprint of the default certificate that ships with WSO2 IS; the SAML2 Response is signed with this certificate. Because this certificate and its private key are bundled with every WSO2 IS download, a production deployment should use its own keystore and update 'certFingerprint' to match that certificate.
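The 'certFingerprint' value is the only thing that ties this SimpleSAMLphp configuration to the real IdP signing certificate, so it is worth verifying against the certificate actually exported from the WSO2 IS keystore before trusting the setup. The following is an added example (not code from the blog post, SimpleSAMLphp or WSO2) that computes the fingerprint the way SimpleSAMLphp does (SHA-1 over the DER-encoded certificate, written as 40 lowercase hex digits) and compares it to the configured value. It is written in Python rather than PHP because it is an operator-side check, not part of the SP configuration; the function names and the sample PEM are assumptions made here, and the sample certificate body is a constructed placeholder, not a real certificate.

```python
# Added example: verify that SimpleSAMLphp's 'certFingerprint' matches an IdP
# certificate. SimpleSAMLphp compares the SHA-1 of the certificate's DER bytes,
# spelled as 40 lowercase hex digits without separators, while
# `openssl x509 -noout -fingerprint -sha1` prints the same hash as uppercase,
# colon-separated pairs. normalize_fingerprint() bridges the two spellings.
import base64
import hashlib
import hmac
import re

# Value taken from the blog post's saml20-idp-remote.php entry.
CONFIGURED_FINGERPRINT = "6bf8e136eb36d4a56ea05c7ae4b9a45b63bf975d"

# Constructed stand-in for a DER certificate body. It is NOT a real certificate;
# it only exercises the PEM handling and hashing below.
SAMPLE_DER = b"constructed stand-in for DER-encoded certificate bytes"
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(SAMPLE_DER).decode("ascii")
    + "\n-----END CERTIFICATE-----\n"
)

_HEX40 = re.compile(r"^[0-9a-f]{40}$")


def normalize_fingerprint(text: str) -> str:
    """Turn common SHA-1 fingerprint spellings into SimpleSAMLphp's form.

    Accepts raw hex, colon- or space-separated pairs, and the whole
    'SHA1 Fingerprint=...' line printed by openssl. Raises ValueError when
    the result is not exactly 20 bytes of hex, which catches a SHA-256
    fingerprint pasted into a field that expects SHA-1.
    """
    value = text.strip()
    if "=" in value:
        value = value.split("=", 1)[1]
    value = re.sub(r"[\s:]", "", value).lower()
    if not _HEX40.match(value):
        raise ValueError(f"not a SHA-1 fingerprint: {text!r}")
    return value


def pem_to_der(pem: str) -> bytes:
    """Extract the DER bytes from the first CERTIFICATE block in a PEM string."""
    match = re.search(
        r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S
    )
    if match is None:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(match.group(1).split()), validate=True)


def sha1_fingerprint(der: bytes) -> str:
    """SHA-1 of the DER encoding, as SimpleSAMLphp's certFingerprint expects."""
    return hashlib.sha1(der).hexdigest()


def fingerprint_matches(observed: str, configured: str) -> bool:
    """Normalize both spellings, then compare in constant time."""
    return hmac.compare_digest(
        normalize_fingerprint(observed), normalize_fingerprint(configured)
    )


def check_idp_certificate(pem: str, configured: str) -> bool:
    """True if the certificate in `pem` is the one certFingerprint pins."""
    return fingerprint_matches(sha1_fingerprint(pem_to_der(pem)), configured)


if __name__ == "__main__":
    # Constructed openssl-style line carrying the blog post's fingerprint.
    openssl_line = (
        "SHA1 Fingerprint=6B:F8:E1:36:EB:36:D4:A5:6E:A0:5C:7A:E4:B9:A4:5B:63:BF:97:5D"
    )
    print(normalize_fingerprint(openssl_line))
    print(fingerprint_matches(openssl_line, CONFIGURED_FINGERPRINT))
    # The constructed sample is not the WSO2 IS certificate, so this is False.
    print(check_idp_certificate(SAMPLE_PEM, CONFIGURED_FINGERPRINT))
```

In practice you would export the IdP's signing certificate from the WSO2 IS keystore to a PEM file, pass its contents to check_idp_certificate(), and only then copy the fingerprint into saml20-idp-remote.php; a mismatch means SimpleSAMLphp will reject every signed Response from that IdP.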

11.  Install WSO2 Identity Server 4.5.0. For the moment you can test with the M2 build of WSO2 IS 4.5.0, which is available here.

12.  Start WSO2 Identity Server and add a Service Provider under SAML SSO.

Issuer : simplesaml

Assertion Consumer Url : http://localhost/simplesaml/module.php/saml/sp/saml2-acs.php/wso2-sp

Enable Assertion Signing : True

Keep the defaults for the rest.

13.  Test SimpleSAMLphp

Go to http://localhost/simplesaml, then to "Authentication", and click on "Test configured authentication sources".

Pick "wso2-sp"; you will now be redirected to the WSO2 IS SAML2 IdP to log in.

2 comments:

Al said...

I am trying to use oiosaml as a service provider with wso2. The trouble is that oiosaml requires the idp metadata file. Do you know of any easy way of obtaining this from wso2 please? I have tried accessing https://localhost:9443/samlsso without success.

Gabriel Vince said...

This blog looks great, looks seamless, but it refers to the WSO2 IS 4.5.0 which is not yet available as release (where do we get the WSO2IS 4.5.0M2?) Previous versions have a bug where WSO2 IS deflates post reply, so simpleSAMLphp doesn't recognize the assertion XML. A link fix would be welcome.