While we recommend use of the Shibboleth Service Provider software whenever possible, there might be pressure to run a SAML SP implementation in severely constrained environments, including ones where the Shibboleth SP software cannot be run. (The fact that the protected resource itself is written in PHP is immaterial, as the Shibboleth SP can protect that just fine and avoids API-level integration or PHP session complexity issues.)
But if PHP code can still be run in such environments, SimpleSAMLphp might be a viable alternative. (Whether running security software in such environments – e.g. cheap PHP mass-hosting or public PaaS – is a good idea is another question.)

Getting started

Install and configure SimpleSAMLphp as per the documentation. Also make a plan right now for how you will keep the software current and up-to-date, especially if you don't install from vendor- or OS-distribution-supported packages. In almost all cases this will involve using an alternative location for SimpleSAMLphp's configuration files by means of the SIMPLESAMLPHP_CONFIG_DIR environment variable (as documented in sections 5.3 and 6 of the installation documentation).

...

config-metarefresh.php:

<?php
$config = array(
    'sets' => array(
        'aconet' => array(
            // Run this set from both the hourly and the daily cron tag
            'cron' => array('hourly', 'daily'),
            'sources' => array(
                array(
                    // Optionally restrict which entities are imported from this feed
                    #'blacklist' => array(
                    #    'https://openidp.aco.net/saml',
                    #),
                    #'whitelist' => array(
                    #    'http://some.uni/idp',
                    #    'http://some.other.uni/idp',
                    #),
                    // Only re-download when the feed changed (If-Modified-Since / ETag)
                    'conditionalGET' => TRUE,
                    'src' => 'http://eduid.at/md/aconet-registered.xml',
                    // Verify the XML signature on the feed against this certificate (in certdir)
                    'certificates' => array('aconet-metadata-signing.crt'),
                    // Only import IdP entries into the saml20-idp-remote metadata set
                    'types' => array('saml20-idp-remote'),
                ),
            ),
            'expireAfter'  => 60*60*24*3, // Maximum 3 days cache time
            'outputDir'    => 'metadata/aconet/',
            'outputFormat' => 'flatfile',
        ),
    ),
);

That way the eduID.at metadata will be put into files within a separate sub-directory of the default metadata directory, leaving the existing files in the default metadata directory for other, manually managed entities. In order for SimpleSAMLphp to find these files you'll have to adjust its metadata configuration to additionally look there:

Metadata configuration in config.php:

'metadata.sources' => array(
    array('type' => 'flatfile'),                                       // default metadata directory (manually managed entities)
    array('type' => 'flatfile', 'directory' => 'metadata/aconet/'),   // add this line! (metarefresh output)
),
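A small check script that ties the two configuration pieces above together (added example, not code from the eduID.at wiki or from SimpleSAMLphp): it reads config-metarefresh.php from SIMPLESAMLPHP_CONFIG_DIR and reports sets whose sources lack 'certificates' (the feed's signature would then go unverified), whose 'expireAfter' is longer than a chosen ceiling, or whose 'outputDir' is not listed under 'metadata.sources'. The file name check-metarefresh.php and the one-week ceiling are assumptions.

```php
<?php
// check-metarefresh.php (hypothetical name). Loads $config from config-metarefresh.php
// in SIMPLESAMLPHP_CONFIG_DIR; falls back to a constructed copy of the page's config.
function loadMetarefreshConfig(): array {
    $dir  = getenv('SIMPLESAMLPHP_CONFIG_DIR');
    $file = $dir ? rtrim($dir, '/') . '/config-metarefresh.php' : null;
    if ($file !== null && is_readable($file)) {
        $config = array();
        include $file;            // the config file assigns $config
        return $config;
    }
    return array('sets' => array('aconet' => array(   // constructed fallback
        'sources' => array(array(
            'src'          => 'http://eduid.at/md/aconet-registered.xml',
            'certificates' => array('aconet-metadata-signing.crt'),
            'types'        => array('saml20-idp-remote'),
        )),
        'expireAfter'  => 60*60*24*3,
        'outputDir'    => 'metadata/aconet/',
        'outputFormat' => 'flatfile',
    )));
}

// Returns a list of human-readable problems; an empty list means the config is consistent.
function checkMetarefreshConfig(array $config, array $metadataSources, int $maxExpire = 60*60*24*7): array {
    $problems = array();
    foreach ($config['sets'] as $name => $set) {
        foreach ($set['sources'] as $i => $source) {
            if (empty($source['certificates'])) {
                $problems[] = "$name/source $i: no 'certificates', signature of {$source['src']} is not verified";
            }
        }
        if (!isset($set['expireAfter']) || $set['expireAfter'] > $maxExpire) {
            $problems[] = "$name: 'expireAfter' missing or above the $maxExpire second ceiling";
        }
        // The output directory must also be a flatfile entry in 'metadata.sources', or the imported
        // entities are never seen by the SP.
        $listed = false;
        foreach ($metadataSources as $ms) {
            if (($ms['type'] ?? '') === 'flatfile'
                && rtrim($ms['directory'] ?? '', '/') === rtrim($set['outputDir'] ?? '', '/')) {
                $listed = true;
            }
        }
        if (!$listed) {
            $problems[] = "$name: outputDir '{$set['outputDir']}' is not listed under 'metadata.sources'";
        }
    }
    return $problems;
}

// Constructed stand-in for the 'metadata.sources' entry of config.php
$metadataSources = array(array('type' => 'flatfile'), array('type' => 'flatfile', 'directory' => 'metadata/aconet/'));
foreach (checkMetarefreshConfig(loadMetarefreshConfig(), $metadataSources) as $p) { echo "WARNING: $p\n"; }
```

Run it from the same shell environment (with SIMPLESAMLPHP_CONFIG_DIR exported) as the cron job, so it checks the same files metarefresh will use.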

TBD: Setting up the cron module. 

SAML SP details

By default there is no easy way to process persistent SAML NameIDs the same way as SAML attributes. An authproc filter like the one below fixes this:

...