Tuesday, May 19, 2015

Setting up WSO2 Identity Server as the SAML2 Identity Provider for SimpleSAMLphp Service Provider [On Windows and WAMP]

SimpleSAMLphp is a web application written in native PHP that deals with authentication. This example shows how to configure the SimpleSAMLphp web application as a Service Provider with WSO2 Identity Server as the SAML2 Identity Provider. In this demonstration I am using Identity Server 5.0.0 with Service Pack 1 installed.

First, let’s download the latest version of SimpleSAMLphp. At the time of this writing the latest version is 1.13.2. The download is the file simplesamlphp-1.13.2.tar.gz; extracting it gives a simplesamlphp-1.13.2 directory. Rename the directory to simplesamlphp and copy it to the web server. Here I have installed WAMP Server. I copy the simplesamlphp folder to the WAMP Server’s www directory, which is located at C:\wamp\www. Then I start the WAMP Server.

I can now access the SimpleSAMLphp application by visiting http://localhost/simplesamlphp/www. (Note that the web pages of the application are located in the simplesamlphp/www directory and WAMP Server is running on port 80.)


Visiting that URL automatically redirects to http://localhost/simplesamlphp/www/module.php/core/frontpage_welcome.php, where you can see the welcome page.



The next step is to set the configuration related to the Service Provider and the Identity Provider.

I am adding the Service Provider configuration in the simplesamlphp/config/authsources.php config file. (In the deployed web app, C:\wamp\www\simplesamlphp\config\authsources.php)

Add the following configuration to the file and save. The SAML Issuer is given in entityID and the Identity Provider URL in the idp property.

    'wso2-sp' => array(
        'saml:SP',

        // The entity ID of this SP.
        // Can be NULL/unset, in which case an entity ID is generated based on the metadata URL.
        'entityID' => 'simplesaml',

        // The entity ID of the IdP this SP should contact.
        // Can be NULL/unset, in which case the user will be shown a list of available IdPs.
        'idp' => 'https://localhost:9443/samlsso',

        // The URL to the discovery service.
        // Can be NULL/unset, in which case a builtin discovery service will be used.
        'discoURL' => NULL,
    ),


The next step is to add the Identity Provider metadata configuration in the simplesamlphp/metadata/saml20-idp-remote.php config file. (In the deployed web app, C:\wamp\www\simplesamlphp\metadata\saml20-idp-remote.php)

$metadata['https://localhost:9443/samlsso'] = array(
    'name' => array(
        'en' => 'WSO2 IS',
        'no' => 'WSO2 IS',
    ),
    'description'         => 'Login with WSO2 IS SAML2 IdP.',
    'SingleSignOnService' => 'https://localhost:9443/samlsso',
    'SingleLogoutService' => 'https://localhost:9443/samlsso',
    'certFingerprint'     => '6bf8e136eb36d4a56ea05c7ae4b9a45b63bf975d',
);

A detailed description of the above IdP remote metadata is available in [1].

Note that the metadata key 'https://localhost:9443/samlsso' must match the value of 'idp' in the simplesamlphp/config/authsources.php Service Provider configuration.

6bf8e136eb36d4a56ea05c7ae4b9a45b63bf975d is the thumbprint of the default certificate that ships with WSO2 IS. SAML2 Responses/Assertions are signed with this certificate by default.

You can find these configuration files in [2] for further reference.
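Because the SP and IdP configuration live in two separate files, a mismatch between them (a different idp value, a missing metadata entry, or a malformed certFingerprint) only shows up at login time. The following added example, which is not part of the original post or of SimpleSAMLphp itself, is a small PHP check that cross-references the two configurations before deployment. The two arrays are constructed from the values shown above; in a real deployment you would require() config/authsources.php and metadata/saml20-idp-remote.php instead. The certFingerprint value is treated as a SHA-1 fingerprint (40 hex digits, colons optional), which is what SimpleSAMLphp expects; remember to update it whenever the Identity Server's signing certificate is replaced.

```php
<?php
// Added example (not from the original post): cross-check the SimpleSAMLphp SP
// configuration against the remote IdP metadata before deploying.
// Both arrays below are constructed from the values shown in the post.

$config = array(
    'wso2-sp' => array(
        'saml:SP',
        'entityID' => 'simplesaml',
        'idp'      => 'https://localhost:9443/samlsso',
        'discoURL' => NULL,
    ),
);

$metadata = array(
    'https://localhost:9443/samlsso' => array(
        'name'                => array('en' => 'WSO2 IS', 'no' => 'WSO2 IS'),
        'SingleSignOnService' => 'https://localhost:9443/samlsso',
        'SingleLogoutService' => 'https://localhost:9443/samlsso',
        'certFingerprint'     => '6bf8e136eb36d4a56ea05c7ae4b9a45b63bf975d',
    ),
);

/**
 * Returns a list of problems found; an empty list means the SP/IdP pair is consistent.
 */
function checkSpIdpConfig(array $config, array $metadata, $authSource)
{
    $problems = array();
    if (!isset($config[$authSource])) {
        return array("auth source '$authSource' is not defined in authsources.php");
    }
    $sp = $config[$authSource];

    // entityID becomes the SAML Issuer; it must equal the Issuer registered in IS.
    if (empty($sp['entityID'])) {
        $problems[] = "entityID is unset; it must equal the Issuer registered in the Identity Server";
    }
    if (empty($sp['idp'])) {
        $problems[] = "idp is unset; the user would see a discovery page instead of WSO2 IS";
        return $problems;
    }
    $idp = $sp['idp'];

    // The metadata array key must be exactly the idp value.
    if (!isset($metadata[$idp])) {
        $problems[] = "no \$metadata['$idp'] entry in saml20-idp-remote.php";
        return $problems;
    }
    $m = $metadata[$idp];
    if (empty($m['SingleSignOnService'])) {
        $problems[] = "SingleSignOnService is missing for $idp";
    }

    // Without a certificate SimpleSAMLphp has no key to validate the IdP signature against.
    if (empty($m['certFingerprint']) && empty($m['certData'])) {
        $problems[] = "neither certFingerprint nor certData is set for $idp";
    } elseif (!empty($m['certFingerprint'])) {
        $fp = strtolower(str_replace(array(':', ' '), '', $m['certFingerprint']));
        if (!preg_match('/^[0-9a-f]{40}$/', $fp)) {
            $problems[] = "certFingerprint is not a 40-hex-digit SHA-1 fingerprint";
        }
    }

    // SAML requests and responses should only travel over TLS.
    if (strpos($idp, 'https://') !== 0) {
        $problems[] = "idp endpoint is not https; SAML messages would travel in clear text";
    }
    return $problems;
}

$problems = checkSpIdpConfig($config, $metadata, 'wso2-sp');
if ($problems === array()) {
    echo "wso2-sp configuration is consistent\n";
} else {
    foreach ($problems as $p) {
        echo "PROBLEM: $p\n";
    }
}
```

Run it from the command line with php check.php; with the values from this post it reports that the configuration is consistent, and each rule is easy to extend with whatever your deployment additionally requires (for example an explicit SingleLogoutService).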

The next step is to configure the Identity Server. Start the Identity Server and log in to the management console as admin.

First we need to set the IdP Entity ID of the SAML2 configuration in the Resident IdP of the Identity Server to the URL of the SAML endpoint of IS. Go to Main -> Identity Providers -> List and click on Resident Identity Provider.


Expand the Inbound Authentication Configuration menu and then SAML2 Web SSO Configuration. Set the Identity Provider Entity Id value to the SAML endpoint URL of IS. By default this is https://localhost:9443/samlsso when IS runs with port offset 0. Then click Update.


The next step is to create a Service Provider in IS. Go to Main -> Service Providers -> Add. For the Service Provider name you can specify any name. Here I give it the name simplesaml.


Once the Service Provider is registered, edit its configuration.


Expand Inbound Authentication Configuration and then SAML2 Web SSO Configuration, and click the Configure link.


The following are the values we have to specify.



Note that as the Issuer we have to give the same name that was set as entityID in the Service Provider configuration of the SimpleSAMLphp web app. Set the other configuration as shown below and click Register.


Update the Service Provider once the SAML2 issuer is successfully added.


Now we can test the SimpleSAMLphp web application. Open the application in the browser (i.e. http://localhost/simplesamlphp/www) and select the Authentication tab. Click the Test configured authentication sources link.

Now you see the wso2-sp entry that was previously added in the Service Provider configuration. Click the wso2-sp link.


It redirects to the login page of the Identity Server. Here I log in as admin.


Now I am successfully authenticated to the SimpleSAMLphp application using the WSO2 Identity Server as the Identity Provider.


If you want to test this further, you can follow the steps below, which show how to retrieve the claims of the logged-in user.

Here I add a new user in the Identity Server.


I enter the username and password for the new user and click Next.


For demonstration purposes I assign the admin role to this user.


Once the user is created I edit the User Profile.


The user profile attributes are set for the user.


Now I need to select which claims/attributes should be sent to the SimpleSAMLphp application when a user is authenticated. For that, edit the configuration of the simplesaml Service Provider.


Expand the Claim Configuration menu in the Service Provider configuration.



As the Subject Claim URI, select http://wso2.org/claims/givenname because that is the claim which identifies a user uniquely. Under Requested Claims I add several claims for which I set values in the user profile of the created user. Then Update the Service Provider configuration.


Now try again to log in to the SimpleSAMLphp application with the wso2-sp Service Provider.


Now in the login page of the Identity Server I enter the credentials of the newly created user.

Upon successful authentication I can see that the requested claim attributes have been received.
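The "Test configured authentication sources" page only shows that the attributes arrive; in your own application you read them through SimpleSAMLphp's SimpleSAML_Auth_Simple API. The following added example is not code from the original post or from the SimpleSAMLphp project; it is a page that forces login through the wso2-sp auth source and renders the received attributes. It assumes the deployment path C:\wamp\www\simplesamlphp used in this post, and it assumes that the Identity Server sends each requested claim with the WSO2 claim URI (for example http://wso2.org/claims/givenname) as the SAML attribute name.

```php
<?php
// Added example (not from the original post): an application page protected by
// the 'wso2-sp' auth source configured above. Assumes SimpleSAMLphp is deployed
// at C:\wamp\www\simplesamlphp as in the post.
require_once('C:/wamp/www/simplesamlphp/lib/_autoload.php');

/**
 * Returns the first value of an attribute, or $default if the IdP did not send it.
 * Attribute values are always arrays of strings in SimpleSAMLphp.
 */
function attr(array $attributes, $name, $default = '')
{
    return isset($attributes[$name][0]) ? $attributes[$name][0] : $default;
}

// The auth source name must match the key used in config/authsources.php.
$as = new SimpleSAML_Auth_Simple('wso2-sp');

// Sends the user to WSO2 IS (https://localhost:9443/samlsso) if there is no
// session yet; returns only after a SAML Response has been accepted, which
// includes checking its signature against certFingerprint from the metadata.
$as->requireAuth();

// Keys are the attribute names from the assertion; with the claim configuration
// shown above these are the WSO2 claim URIs (assumption, see lead-in).
$attributes = $as->getAttributes();
$givenName  = attr($attributes, 'http://wso2.org/claims/givenname');

// Attribute values come from the IdP's user store and are user-controlled input:
// escape them before rendering, exactly as you would with form input.
echo '<h1>Hello, ' . htmlspecialchars($givenName, ENT_QUOTES, 'UTF-8') . '</h1>';
echo '<table>';
foreach ($attributes as $name => $values) {
    echo '<tr><td>' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . '</td><td>'
       . htmlspecialchars(implode(', ', $values), ENT_QUOTES, 'UTF-8') . '</td></tr>';
}
echo '</table>';

// Logs out locally and at the IdP via the SingleLogoutService in the metadata.
echo '<a href="' . htmlspecialchars($as->getLogoutURL(), ENT_QUOTES, 'UTF-8') . '">Logout</a>';
```

Place the file under the WAMP www directory (outside simplesamlphp/www) and open it in the browser: the first visit bounces to the Identity Server login page exactly as in the test page, and after authentication the table lists the same claims that were selected under Requested Claims.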



References :

Tharindu Edirisinghe
Identity Server Team
WSO2

6 comments:

  1. Hi,
    I had followed all the steps above, but I received an error after login when I want to Test configured authentication sources.
    "status=Error when processing the authentication request!&statusMsg=Please try login again."

    What is the problem?

    ReplyDelete
  2. Hi Ahmad,

    You can send an email to dev[at]wso2[dot]org email and attach the log file also to that. The log file is the IS_HOME/repository/logs/wso2carbon.log file. Then we can look into the issue and provide you a solution.

    ReplyDelete
  3. Hello Tharindu, how are you?
    So, I have my SimpleSAMLPHP in my application already configured and working like in your tutorial (as identity provider). The user is redirected to the provider login page. I would like to create my own login page in my application and only send the information to WSO2 to authenticate. How can I do it? I'm looking for it a lot and I didn't find any explanation/example. Could you help me?

    ReplyDelete
  4. Hi,

    I'm glad this was useful to you. Yes, this is possible with 'Request Path Authenticator' in WSO2 Identity Server. There, you can have your own login page and once the user clicks the 'Login' button, you can post the credentials directly to Identity Server. I will write my next blog post on the request path authenticator so you can refer to it.

    P.S - You can contact me over twitter @thariyarox

    ReplyDelete
    Replies
    1. Oh, okay. Thank you very much. I'm waiting for it :) I found this tutorial http://xacmlinfo.org/2015/02/12/sso-without-identity-provider-login-page/ but it didn't help me, so... I'll wait for your next tutorial :)

      Delete
    2. Hi Julyano,

      In order to achieve this, what we have to do is, along with the SAML Authentication Request, send the user credentials in an HTTP header with the header name 'sectoken', whose value is the base64 encoded value of "username:password". Also we need to set the configuration to use HTTP POST Binding.

      For setting HTTP POST Binding, we can set the Binding in the saml20-idp-remote.php file as shown below.

      'SingleSignOnService' => array(
          array(
              'Binding'  => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
              'Location' => 'https://localhost:9443/samlsso',
          ),
      ),

      However, I couldn't find the particular location where I can set the custom 'sectoken' HTTP header. I will look more into it. What I found with a Google search is [1], which can be used to create a login page on the SimpleSAMLphp side to do the same.

      [1] https://simplesamlphp.org/docs/development/simplesamlphp-theming

      Delete