Install, Configure and Test SimpleSAMLphp for Authentication Testing

While working with federated authentication platforms, I am always on the lookout for a good testing tool, rather than writing one or going through a full installation and configuration before I can test something. Over the past few months I have been using something called “SimpleSAMLphp”. This is a lightweight, easy-to-set-up web application that I can use for all testing of this kind. You can read more about it here: https://simplesamlphp.org/

I run my installation on an “Ubuntu” virtual machine hosted in Windows Azure, which makes it easy to reach and use whenever I need it, from anywhere.

To set it up, create your “Ubuntu” machine, then make sure it is up to date by running the following command.

sudo apt-get update && sudo apt-get upgrade

We then need to make sure that the following prerequisites are installed.

sudo apt-get install php5 apache2

You should then be able to browse to the Apache server's default page on your instance, and it should render.

Once that has completed we need to download the latest stable version, which is found here: https://simplesamlphp.org/download

From the command line, run the following commands.

cd /var
sudo wget https://simplesamlphp.org/res/downloads/simplesamlphp-1.13.2.tar.gz

Once it has downloaded we need to extract the file using the “tar” command.

sudo tar zxf simplesamlphp-1.13.2.tar.gz

This extracts the files into a directory called “simplesamlphp-1.13.2”; we are going to rename this folder to just “simplesamlphp” with the following command.

sudo mv simplesamlphp-1.13.2 simplesamlphp

Now we need to copy the template files into place inside the newly created “simplesamlphp” folder, using the following commands.

cd simplesamlphp
sudo cp -r config-templates/*.php config/
sudo cp -r metadata-templates/*.php metadata/

We also need to set ownership on the folder so that the Apache user (“www-data”) can read it, using the following command.

sudo chown -R root:www-data /var/simplesamlphp

Now we need to tell Apache that we have some files we would like to expose as a virtual directory (to use the Windows name) so we can actually access the site. This is done with the “Alias” directive in the configuration files. Simply open “/etc/apache2/sites-available/000-default.conf” and add the following lines just before the closing “</VirtualHost>” line.

sudo nano /etc/apache2/sites-available/000-default.conf

Alias /simplesaml /var/simplesamlphp/www
<Directory /var/simplesamlphp/www>
Require all granted
</Directory>

Now we need to make a change to the core “SimpleSAMLphp” configuration, setting some basic values in the file “/var/simplesamlphp/config/config.php”.

sudo nano /var/simplesamlphp/config/config.php

Next we need to change the “secretsalt” property.

We do this by generating a new salt with the command below and replacing the placeholder value “defaultsecretsalt” with the generated one. Note that “dd” prints its statistics on stderr, so that is the stream to discard; redirecting stdout would throw away the salt itself.

tr -c -d '0123456789abcdefghijklmnopqrstuvwxyz!@#$%^&*()_+' </dev/urandom | dd bs=32 count=1 2>/dev/null;echo

Once done, restart Apache using the following command.

sudo service apache2 restart

You should now be able to load the site using a URL of the form: http://server.domain.com/simplesaml

Now that we have this set up we need to make a few more changes to the “config.php” file. First we need to set the “Admin” account password to something other than the default, which is “123”; we will leave the other settings as they are.

Next we need to set the “timezone” value to the zone we need, for example:

America/New_York

Now we need to make it run over SSL in order for the configuration to work as it should. This is done by following any of the usual tutorials on enabling SSL for Apache. The short steps I used (not production-grade and only used for this purpose):

Create the SSL certificate using the following commands, substituting your own names for the placeholders. The move commands further down assume the files were created in “/var” and named “certificate”.

sudo openssl genrsa -des3 -out {Key Name}.key 4096
sudo openssl rsa -in {Key Name}.key -out {Private Key Name}.pem
sudo openssl req -new -key {Key Name}.key -out {Certificate Request Name}.csr
sudo openssl x509 -req -days 9999 -in {Certificate Request Name}.csr -signkey {Key Name}.key -out {Final Certificate Name}.crt

Make a directory in the “apache2” folder called “ssl”, then move the certificate, request and keys we just created to the new “ssl” folder.

cd /etc/apache2/
sudo mkdir ssl
sudo mv /var/certificate.key /etc/apache2/ssl
sudo mv /var/certificate.pem /etc/apache2/ssl
sudo mv /var/certificate.crt /etc/apache2/ssl
sudo mv /var/certificate.csr /etc/apache2/ssl

Run the following command to enable the SSL module, then restart Apache.

sudo a2enmod ssl
sudo service apache2 restart

Now modify the file we used earlier, “000-default.conf”, and change it as highlighted below.

Next we enable the SSL site definition (Ubuntu ships it as “default-ssl”) and restart Apache, using two commands.

sudo a2ensite default-ssl
sudo service apache2 restart

The site should now load over SSL.

So there we have it: a basic configuration of “SimpleSAMLphp” ready to use with other providers for testing. The last step is to really check the installation by opening the site, choosing the “Configuration” page and reviewing any errors reported in the checklist.

Mine were easy to resolve by running the following commands, then restarting Apache.

sudo apt-get install php5-mcrypt php5-ldap php5-mysql
sudo php5enmod mcrypt

I then updated the “Technical Contact Email” and had a clean setup.
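As an added check that is not part of the original post or of the SimpleSAMLphp project: a small POSIX sh audit that reads a config.php and flags the shipped defaults this walkthrough tells you to replace (secretsalt, auth.adminpassword, timezone, technicalcontact_email), plus a salt generator built on the same tr/dd pipeline used above. It assumes the 1.13 config-templates layout of one 'key' => 'value' per line and that template's default values.

```shell
#!/bin/sh
# Added example (not from the original post): audit a SimpleSAMLphp config.php
# for the shipped defaults this walkthrough replaces, and generate a new salt.
# Assumes the 1.13 config-templates layout of one 'key' => 'value' per line.

# Generate a 32-character secretsalt from the same character set the post uses.
# dd reports its statistics on stderr, so that is the stream to discard;
# bs=1 makes the byte count exact even when reading from a pipe.
gen_secretsalt() {
    LC_ALL=C tr -c -d '0123456789abcdefghijklmnopqrstuvwxyz!@#$%^&*()_+' </dev/urandom \
        | dd bs=1 count=32 2>/dev/null
    echo
}

# Print the quoted string value of a config key, or nothing if the key is
# absent or its value is not a quoted string (e.g. 'timezone' => NULL).
ssp_value() {
    sed -n "s/^[[:space:]]*'$1'[[:space:]]*=>[[:space:]]*'\([^']*\)'.*/\1/p" "$2" | head -n 1
}

# List every shipped default still present in the given config.php.
# Returns 0 when nothing is flagged, 1 when at least one default remains.
check_ssp_config() {
    cfg="$1"
    bad=0
    if [ "$(ssp_value secretsalt "$cfg")" = "defaultsecretsalt" ]; then
        echo "secretsalt: still the template value 'defaultsecretsalt'"; bad=1
    fi
    if [ "$(ssp_value auth.adminpassword "$cfg")" = "123" ]; then
        echo "auth.adminpassword: still the template value '123'"; bad=1
    fi
    if [ -z "$(ssp_value timezone "$cfg")" ]; then
        echo "timezone: not set to a quoted zone name"; bad=1
    fi
    if [ "$(ssp_value technicalcontact_email "$cfg")" = "na@example.org" ]; then
        echo "technicalcontact_email: still the template placeholder"; bad=1
    fi
    return "$bad"
}

# Usage: check_ssp_config /var/simplesamlphp/config/config.php
```

Run it against the live config after editing; a non-zero exit means at least one of the template defaults is still in place.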

As a final test I clicked the “Authentication” tab, chose the link for “Test configured authentication sources” and was able to test the two options. The first is the standard username-and-password one, using the password we assigned earlier.

The second option sends us to an identity provider called “Feide OpenIdp” for testing, where you can register for an account, log in and be redirected back to your site, authenticated.

Now that we have this working we are able to connect other federated platforms to it, so we can see how they work and what attributes are returned. In the next post we will connect Active Directory Federation Services to it for testing.

Liam Cleary

I work as an Associate Director for Protiviti in Virginia. My main focus is to ensure that SharePoint can, either natively or with minimal customization, meet the business requirement securely. I am currently a SharePoint MVP focused on Architecture but also cross the boundary into Development and Security. I am often found at user groups and conferences speaking, offering advice, spending time in the community, teaching my kids how to code, Raspberry Pi programming, hacking the planet and sometimes building Lego robots.


  • Steve Lewis

    Great tutorial thank you. Almost all worked for me. Only thing I had to do differently from your instructions was…

    sudo apt-get install looptools
    sudo apt-get install genometools

    Couldn’t get the urandom working, keep getting Permission denied?

  • Sean

    Where is the next article? Would love to see this tested with ADFS. Is there a link I am missing?

  • Any ideas why I got this error?

    Forbidden
    You don’t have permission to access /simplesaml/
    on this server.