
SimpleSAMLphp

This is an example of how to add SimpleSAMLphp to a Lagoon project, adjust its configuration for the Lagoon environment, and serve it through the project's NGINX container.

Requirements

Add SimpleSAMLphp to your project:

$ composer require simplesamlphp/simplesamlphp

Modify configuration for SimpleSAMLphp

Copy authsources.php and config.php from vendor/simplesamlphp/simplesamlphp/config-templates to a directory outside vendor, such as conf/simplesamlphp, so that your changes survive the next composer install. You also need saml20-idp-remote.php from vendor/simplesamlphp/simplesamlphp/metadata-templates.
In config.php set the following values for Lagoon:
Base URL path where SimpleSAMLphp is accessed (it must end with a slash and match the NGINX location added below):

'baseurlpath' => 'https://YOUR_DOMAIN.TLD/simplesaml/',

Store sessions in the database. The default PHP session store is local to one container, so a site served by more than one PHP pod, or whose pods are replaced on deploy, would lose the SAML session; Lagoon's mariadb service provides its connection details as environment variables:

'store.type' => 'sql',
'store.sql.dsn' => vsprintf('mysql:host=%s;port=%s;dbname=%s', [
    getenv('MARIADB_HOST'),
    getenv('MARIADB_PORT'),
    getenv('MARIADB_DATABASE'),
]),

The SQL store also needs credentials: set 'store.sql.username' and 'store.sql.password' from MARIADB_USERNAME and MARIADB_PASSWORD in the same way.
Alter other settings to your liking:
    Check the paths for logs and certs ('loggingdir', 'certdir'); keep both outside the web root.
    Secure the SimpleSAMLphp dashboard: replace the template's 'secretsalt' with a long random value (SimpleSAMLphp refuses to run with the default), replace the default 'auth.adminpassword' with a hash produced by vendor/simplesamlphp/simplesamlphp/bin/pwgen.php, and set 'admin.protectindexpage' and 'admin.protectmetadata' to true so that the admin pages and the SP metadata require the admin login.
    Set the level of logging ('logging.level') and where it goes ('logging.handler'; 'errorlog' sends it to the container's error log, which Lagoon collects).
    Set 'technicalcontact_name', 'technicalcontact_email' and 'timezone'.
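The following config.php is an added example written for this page, not Lagoon's or SimpleSAMLphp's shipped template; it combines the settings listed above with the hardening a production SP needs and fails closed when the secrets are missing. MARIADB_HOST, MARIADB_PORT, MARIADB_DATABASE, MARIADB_USERNAME, MARIADB_PASSWORD and LAGOON_ROUTE are variables Lagoon sets at runtime; SIMPLESAMLPHP_SECRET_SALT and SIMPLESAMLPHP_ADMIN_PASSWORD_HASH are assumed names for variables you add to the Lagoon project yourself.

```php
<?php
// config.php for a SimpleSAMLphp SP running as part of an application on Lagoon.
// Added example for this page, not SimpleSAMLphp's shipped template: start from
// vendor/simplesamlphp/simplesamlphp/config-templates/config.php and apply these
// overrides. MARIADB_* and LAGOON_ROUTE are provided by Lagoon at runtime;
// SIMPLESAMLPHP_SECRET_SALT and SIMPLESAMLPHP_ADMIN_PASSWORD_HASH are assumed
// names for variables you define in the Lagoon project.

// Fail closed on the two values that must never keep their template defaults.
$secretSalt = getenv('SIMPLESAMLPHP_SECRET_SALT');
if ($secretSalt === false || strlen($secretSalt) < 32) {
    throw new RuntimeException('SIMPLESAMLPHP_SECRET_SALT must be a random string of at least 32 characters');
}
// Produce the hash with: php vendor/simplesamlphp/simplesamlphp/bin/pwgen.php
$adminPasswordHash = getenv('SIMPLESAMLPHP_ADMIN_PASSWORD_HASH');
if ($adminPasswordHash === false || $adminPasswordHash === '') {
    throw new RuntimeException('SIMPLESAMLPHP_ADMIN_PASSWORD_HASH must be set');
}

// Derive the base URL from the environment's primary route so the same file
// works in production, branch and pull-request environments alike.
$route = getenv('LAGOON_ROUTE') ?: 'https://YOUR_DOMAIN.TLD';

$config = [
    // Must end with a slash and match the /simplesaml NGINX location.
    'baseurlpath' => rtrim($route, '/') . '/simplesaml/',

    // Certificates, logs and data live outside vendor/ and outside the web root.
    'certdir'    => '/app/conf/simplesamlphp/certs/',
    'loggingdir' => '/app/conf/simplesamlphp/log/',
    'datadir'    => '/app/conf/simplesamlphp/data/',
    'tempdir'    => '/tmp/simplesaml',

    'technicalcontact_name'  => 'Site operations',
    'technicalcontact_email' => 'ops@YOUR_DOMAIN.TLD',
    'timezone'               => 'UTC',

    'secretsalt'         => $secretSalt,
    'auth.adminpassword' => $adminPasswordHash,

    // The admin pages expose configuration and metadata: require the admin login.
    'admin.protectindexpage' => true,
    'admin.protectmetadata'  => true,

    // This deployment is an SP only; do not expose an IdP endpoint.
    'enable.saml20-idp' => false,

    // Log to the PHP error log, i.e. the container's stderr that Lagoon collects.
    'logging.level'   => SimpleSAML\Logger::NOTICE,
    'logging.handler' => 'errorlog',

    // Session cookie only over HTTPS and not readable by scripts.
    'session.cookie.secure'       => true,
    'session.phpsession.httponly' => true,

    // Sessions in the shared database, not in per-container PHP session files.
    'store.type'    => 'sql',
    'store.sql.dsn' => vsprintf('mysql:host=%s;port=%s;dbname=%s', [
        getenv('MARIADB_HOST'),
        getenv('MARIADB_PORT'),
        getenv('MARIADB_DATABASE'),
    ]),
    'store.sql.username' => getenv('MARIADB_USERNAME'),
    'store.sql.password' => getenv('MARIADB_PASSWORD'),
    'store.sql.prefix'   => 'simplesaml_',
];
```

Throwing from config.php makes every SimpleSAMLphp page fail loudly until the secrets are defined, which is preferable to silently running with the template salt; define the two variables with runtime scope in Lagoon before the first deploy.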
Add authsources (IdPs) to authsources.php; the entry goes inside the $config array, see example:
authsources.php

'default-sp' => [
    'saml:SP',

    // The entity ID of this SP.
    'entityID' => 'https://YOUR_DOMAIN.TLD',

    // The entity ID of the IdP this SP should contact.
    // Can be NULL/unset, in which case the user will be shown a list of available IdPs.
    'idp' => 'https://YOUR_IDP_DOMAIN.TLD',

    // The URL to the discovery service.
    // Can be NULL/unset, in which case a builtin discovery service will be used.
    'discoURL' => null,

    'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',

    // The SP's own signing key pair, kept outside vendor/ and outside the web root.
    'certificate' => '/app/conf/simplesamlphp/certs/saml.crt',
    'privatekey' => '/app/conf/simplesamlphp/certs/saml.pem',
    // Sign outgoing redirect-binding messages and require signatures on incoming ones.
    'redirect.sign' => TRUE,
    'redirect.validate' => TRUE,

    // Copy the OID-named attributes most IdPs release to their friendly names.
    'authproc' => [
        50 => [
            'class' => 'core:AttributeCopy',
            'urn:oid:1.3.6.1.4.1.5923.1.1.1.6' => 'eduPersonPrincipalName',
        ],
        51 => [
            'class' => 'core:AttributeCopy',
            'urn:oid:2.5.4.42' => 'givenName',
        ],
        52 => [
            'class' => 'core:AttributeCopy',
            'urn:oid:2.5.4.4' => 'sn',
        ],
        53 => [
            'class' => 'core:AttributeCopy',
            'urn:oid:0.9.2342.19200300.100.1.3' => 'mail',
        ],
    ],
],

Pinning 'idp' to one entity ID means this SP only accepts assertions from that IdP; leave it unset only if users really should pick from every IdP listed in saml20-idp-remote.php. The private key referenced by 'privatekey' must not be committed to the repository; place it in the container at deploy time instead.
Add IdP metadata to saml20-idp-remote.php, see example:

<?php
/**
 * SAML 2.0 remote IdP metadata for SimpleSAMLphp.
 *
 * Remember to remove the IdPs you don't use from this file.
 *
 * See: https://simplesamlphp.org/docs/stable/simplesamlphp-reference-idp-remote
 */

/**
 * Some IdP.
 */
$metadata['https://YOUR_IDP_DOMAIN.TLD'] = [
    'entityid' => 'https://YOUR_IDP_DOMAIN.TLD',
    'name' => [
        'en' => 'Some IdP',
    ],
    'description' => 'Some IdP',

    ...

];

The elided part holds the IdP's single sign-on endpoints and its signing certificate; the least error-prone way to fill it in is to convert the IdP's metadata XML with the metadata converter in the SimpleSAMLphp admin interface and paste the result here.
In your build process (for example in the cli Dockerfile), copy the config files into SimpleSAMLphp so that they overwrite the templates:
    vendor/simplesamlphp/simplesamlphp/config/authsources.php
    vendor/simplesamlphp/simplesamlphp/config/config.php
    vendor/simplesamlphp/simplesamlphp/metadata/saml20-idp-remote.php
Alternatively, config.php and authsources.php can be loaded in place by setting the SIMPLESAMLPHP_CONFIG_DIR environment variable to /app/conf/simplesamlphp; the metadata file still needs to be copied.
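Because the copied files are the ones SimpleSAMLphp actually reads, it is worth checking them after deploy. The script below is an added example for this page, not part of Lagoon or SimpleSAMLphp; its name and location (lagoon/check-simplesaml.php) are assumptions. It loads the three copied files and refuses template defaults, a non-HTTPS or mismatched baseurlpath, an SP key pair whose certificate and private key do not belong together, and an 'idp' that has no metadata entry. Run it as a Lagoon post-rollout task or by hand in the cli container, where the runtime environment variables that config.php reads are present.

```php
<?php
// lagoon/check-simplesaml.php: sanity check of the SimpleSAMLphp files copied into
// vendor/. Added example for this page, not part of Lagoon or SimpleSAMLphp; the
// script name and location are assumptions. Exits non-zero on any finding, so it can
// gate a deployment when run as a post-rollout task from /app.

$base = __DIR__ . '/../vendor/simplesamlphp/simplesamlphp';

// Each file defines a variable ($config or $metadata) when included; include it in
// function scope so nothing leaks into the global namespace.
function loadPhpArray(string $path, string $var): array
{
    if (!is_readable($path)) {
        throw new RuntimeException("missing or unreadable: $path");
    }
    $config = [];
    $metadata = [];
    require $path;
    return $$var;
}

try {
    $config      = loadPhpArray("$base/config/config.php", 'config');
    $authsources = loadPhpArray("$base/config/authsources.php", 'config');
    $metadata    = loadPhpArray("$base/metadata/saml20-idp-remote.php", 'metadata');
} catch (Throwable $e) {
    fwrite(STDERR, "ERROR: {$e->getMessage()}\n");
    exit(1);
}

$errors = [];

// 1. Template defaults that must never ship.
if (($config['secretsalt'] ?? 'defaultsecretsalt') === 'defaultsecretsalt') {
    $errors[] = "config.php: 'secretsalt' still has the template default";
}
if (($config['auth.adminpassword'] ?? '123') === '123') {
    $errors[] = "config.php: 'auth.adminpassword' still has the template default";
}
if (empty($config['admin.protectindexpage'])) {
    $errors[] = "config.php: 'admin.protectindexpage' should be true";
}

// 2. The SP must be reached over HTTPS and the path must match the NGINX location.
$baseUrl = $config['baseurlpath'] ?? '';
if (strpos($baseUrl, 'https://') !== 0 || substr($baseUrl, -12) !== '/simplesaml/') {
    $errors[] = "config.php: 'baseurlpath' must look like https://host/simplesaml/ (got '$baseUrl')";
}

// 3. Every saml:SP authsource needs a matching key pair and a known IdP.
// SimpleSAMLphp resolves relative certificate paths against 'certdir'.
$certDir = rtrim($config['certdir'] ?? "$base/cert", '/') . '/';
foreach ($authsources as $name => $source) {
    if (!is_array($source) || ($source[0] ?? null) !== 'saml:SP') {
        continue;
    }
    $files = [];
    foreach (['certificate', 'privatekey'] as $key) {
        $path = $source[$key] ?? '';
        if ($path !== '' && $path[0] !== '/') {
            $path = $certDir . $path;
        }
        if ($path === '' || !is_readable($path)) {
            $errors[] = "authsources.php: $name: '$key' is missing or unreadable";
            continue 2;
        }
        $files[$key] = $path;
    }
    // The private key (optionally passphrase-protected) must belong to the certificate.
    $cert = file_get_contents($files['certificate']);
    $pkey = file_get_contents($files['privatekey']);
    if (isset($source['privatekey_pass'])) {
        $pkey = [$pkey, $source['privatekey_pass']];
    }
    if (openssl_x509_check_private_key($cert, $pkey) !== true) {
        $errors[] = "authsources.php: $name: certificate and privatekey do not match";
    }
    if (!empty($source['idp']) && !isset($metadata[$source['idp']])) {
        $errors[] = "authsources.php: $name: idp '{$source['idp']}' has no entry in saml20-idp-remote.php";
    }
}

if ($errors) {
    fwrite(STDERR, "SimpleSAMLphp configuration check failed:\n - " . implode("\n - ", $errors) . "\n");
    exit(1);
}
echo "SimpleSAMLphp configuration check passed\n";
```

Loading the files through a plain require rather than through SimpleSAMLphp's own classes keeps the check independent of which SimpleSAMLphp version composer resolved, and the key-pair check uses PHP's openssl extension, which SimpleSAMLphp needs anyway.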

Create NGINX conf for SimpleSAMLphp

Create file lagoon/nginx/location_prepend_simplesamlphp.conf:
location_prepend_simplesamlphp.conf

location ^~ /simplesaml {
    alias /app/vendor/simplesamlphp/simplesamlphp/www;

    location ~ ^(?<prefix>/simplesaml)(?<phpfile>.+?\.php)(?<pathinfo>/.*)?$ {
        include fastcgi_params;
        fastcgi_pass ${NGINX_FASTCGI_PASS:-php}:9000;
        fastcgi_param SCRIPT_FILENAME $document_root$phpfile;
        # Must be prepended with the baseurlpath
        fastcgi_param SCRIPT_NAME /simplesaml$phpfile;
        fastcgi_param PATH_INFO $pathinfo if_not_empty;
    }
}

This routes every /simplesaml URL to SimpleSAMLphp's www directory in vendor. Requests for a .php file, including anything after it (for example the SP's assertion consumer URL under module.php/saml/sp/...), are passed to PHP-FPM; with an alias, $document_root is the alias path, so SCRIPT_FILENAME points into www, SCRIPT_NAME carries the /simplesaml prefix so that SimpleSAMLphp generates URLs matching baseurlpath, and the remainder is handed over as PATH_INFO. Everything else under /simplesaml (stylesheets, images) is served by NGINX directly. ${NGINX_FASTCGI_PASS:-php} is substituted from the environment when the Lagoon NGINX container starts. Keep the location prefix and the alias consistent, as above with neither ending in a slash: an alias with a trailing slash behind a location without one is the well-known NGINX alias traversal, where /simplesaml../ would map to the parent of www and expose the rest of the SimpleSAMLphp checkout, including the copied config.

Add additional Nginx conf to Nginx image

Modify nginx.dockerfile and add location_prepend_simplesamlphp.conf to the image; the amazeeio/nginx-drupal image includes location_prepend*.conf files from /etc/nginx/conf.d/drupal ahead of its own Drupal locations, so the /simplesaml location takes precedence:
nginx.dockerfile

ARG CLI_IMAGE
FROM ${CLI_IMAGE} as cli

FROM amazeeio/nginx-drupal

COPY --from=cli /app /app

COPY lagoon/nginx/location_prepend_simplesamlphp.conf /etc/nginx/conf.d/drupal/location_prepend_simplesamlphp.conf
RUN fix-permissions /etc/nginx/conf.d/drupal/location_prepend_simplesamlphp.conf

# Define where the Drupal Root is located
ENV WEBROOT=public

The COPY --from=cli step is what makes /app/vendor/simplesamlphp/simplesamlphp/www available to NGINX; the private key and config under /app/conf are copied along with it, which is acceptable only because no NGINX location serves /app/conf.