Diferencia entre revisiones de «SIU-Guarani/version3.11.0/interfaces/saml»
m (Afellay movió la página SIU-Guarani/Version3.11.0/interfaces/saml a SIU-Guarani/version3.11.0/interfaces/saml) |
m (Se cambia la url del idp, por la que corresponde en el colab) |
||
Línea 12: | Línea 12: | ||
*Descargar módulo SAML Guaraní | *Descargar módulo SAML Guaraní | ||
*:<source lang="php" enclose="div"> | *:<source lang="php" enclose="div"> | ||
− | svn co https:// | + | svn co https://colab.siu.edu.ar/svn/guarani3/nodos/<siglas institución>/gestion/trunk/<3.11.x>/saml_module /path/to/idp/modules/authguarani |
</source> | </source> | ||
Revisión del 15:56 13 oct 2015
Sumario
Configuración SAML para vincular Gestión con Autogestión
Prerequisitos
Contar con una instalación funcional de Gestión y Autogestión
Configuración
- Descargar iDP
- mkdir /path/to/idp
wget https://simplesamlphp.org/res/downloads/simplesamlphp-1.13.2.tar.gz -O idp.tar.gz && tar zxvf idp.tar.gz -C /path/to/idp --strip 1
- Descargar módulo SAML Guaraní
- svn co https://colab.siu.edu.ar/svn/guarani3/nodos/<siglas institución>/gestion/trunk/<3.11.x>/saml_module /path/to/idp/modules/authguarani
- Contenido de config/authsources.php, completar con los datos de la instalación actual
- <?php
$config = array(
'guarani-sql' => array(
'authguarani:SQLBCRYPT',
'dsn' => 'pgsql:host=localhost;port=5432;dbname=gestion_trunk',
'schema' => 'negocio',
'username' => 'postgres',
'password' => 'postgres',
'query' => "SELECT mdp_personas.clave,
mdp_personas.autenticacion,
mdp_personas.usuario as usuario
FROM mdp_personas
WHERE mdp_personas.usuario = :username
",
),
);
- En config/config.php modificar:
- Setear la entrada 'baseurlpath' a 'simplesaml/'
- Cambiar la contraseña de admin modificando la entrada auth.adminpassword
- Activar idp saml20 poniendo en true la entrada enable.saml20-idp
- Activar la entrada enable.http_post
- En metadata/saml20-idp-hosted.php
- En la entrada auth poner guarani-sql
- Descomentar el bloque indicado por el siguiente comentario Uncomment the following to use the uri NameFormat on attributes.
- El archivo metadata/saml20-sp-remote.php debe tener el siguiente contenido. Modificar las variables url_autogestion y url_sp por las que estén publicadas en la instalación
- <?php
$url_autogestion = 'http://localhost/g3w3_sso';
$metadata[$url_autogestion.'/acceso'] = array(
'AssertionConsumerService' => $url_autogestion.'/acceso?auth=saml',
'SingleLogoutService' => $url_autogestion.'/acceso/logout?auth=saml',
);
$url_sp = 'http://localhost/toba_2.6_sp';
$metadata[$url_sp.'/module.php/saml/sp/metadata.php/default-sp'] = array (
'entityid' => $url_sp.'/module.php/saml/sp/metadata.php/default-sp',
'contacts' =>
array (
),
'metadata-set' => 'shib13-sp-remote',
'SingleLogoutService' => $url_sp.'/module.php/saml/sp/saml2-logout.php/default-sp',
'AssertionConsumerService' =>
array (
0 =>
array (
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
'Location' => $url_sp.'/module.php/saml/sp/saml2-acs.php/default-sp',
'index' => 0,
),
1 =>
array (
'Binding' => 'urn:oasis:names:tc:SAML:1.0:profiles:browser-post',
'Location' => $url_sp.'/module.php/saml/sp/saml1-acs.php/default-sp',
'index' => 1,
),
2 =>
array (
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact',
'Location' => $url_sp.'/module.php/saml/sp/saml2-acs.php/default-sp',
'index' => 2,
),
3 =>
array (
'Binding' => 'urn:oasis:names:tc:SAML:1.0:profiles:artifact-01',
'Location' => $url_sp.'/module.php/saml/sp/saml1-acs.php/default-sp/artifact',
'index' => 3,
),
),
);
- Configurar alias idp, crear el archivo /path/to/idp/idp.conf
- Alias /simplesaml /path/to/idp/www
<Directory /path/to/idp/www>
<IfModule mod_authz_core.c>
Order allow,deny
Allow from all
</IfModule>
<IfModule mod_authz_core.c>
Require all granted
</IfModule>
</Directory>
- Linkear el archivo a sites-enabled de Apache:
- sudo ln -s /path/to/idp/idp.conf /etc/apache2/sites-enabled
- Reiniciar Apache
- sudo service apache2 restart
Luego de seguir estos pasos ya se debería poder acceder a http://localhost/simplesaml utilizando las credenciales de Administrador definidas anteriormente.
- Generar certificados del server
- mkdir /path/to/idp/cert
cd /path/to/idp/cert
openssl req -new -x509 -days 3652 -nodes -out server.crt -keyout server.pem
Configurar Autogestión
- En instalacion/login.php agregar la entrada saml:
- ...
'saml' => array(
'activo' => true,
'clase' => 'modelo\\autenticacion\\auth_saml',
'parametros' => array(
'settings_file' => \siu\bootstrap::get_dir_instalacion() . '/saml/settings.php',
'saml_uid' => 'usuario',// 'urn:oid:0.9.2342.19200300.100.1.1', //se matchea con local_uid
'local_uid' => 'usuario' //puede ser 'persona'
),
),
...
- Crear el archivo instalacion/saml/settings.php con el siguiente contenido, modificando las variables $url_autogestion y $url_idp. También hay que setear el fingerprint que se puede obtener con el siguiente comando:
- openssl x509 -noout -in /path/to/idp/cert/server.crt -fingerprint
- <?php
//settings y advanced_settings de la libreria de saml.
$url_autogestion = 'http://localhost/g3w3_sso';
$url_idp = 'http://localhost/simplesaml';
return $settings = array (
// If 'strict' is True, then the PHP Toolkit will reject unsigned
// or unencrypted messages if it expects them signed or encrypted
// Also will reject the messages if not strictly follow the SAML
// standard: Destination, NameId, Conditions ... are validated too.
'strict' => false,
// Enable debug mode (to print errors)
'debug' => false,
// Service Provider Data that we are deploying
'sp' => array (
// Identifier of the SP entity (must be a URI)
'entityId' => $url_autogestion.'/acceso',
// Specifies info about where and how the <AuthnResponse> message MUST be
// returned to the requester, in this case our SP.
'assertionConsumerService' => array (
// URL Location where the <Response> from the IdP will be returned
'url' => $url_autogestion.'/acceso?auth=saml',
// SAML protocol binding to be used when returning the <Response>
// message. Onelogin Toolkit supports for this endpoint the
// HTTP-Redirect binding only
'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
),
// Specifies info about where and how the <Logout Response> message MUST be
// returned to the requester, in this case our SP.
'singleLogoutService' => array (
// URL Location where the <Response> from the IdP will be returned
'url' => $url_autogestion.'/acceso/logout',
// SAML protocol binding to be used when returning the <Response>
// message. Onelogin Toolkit supports for this endpoint the
// HTTP-Redirect binding only
'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
),
// Specifies constraints on the name identifier to be used to
// represent the requested subject.
// Take a look on lib/Saml2/Constants.php to see the NameIdFormat supported
'nameIdFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
// Usually x509cert and privateKey of the SP are provided by files placed at
// the certs folder. But we can also provide them with the following parameters
// 'x509cert' => file_get_contents(\siu\bootstrap::get_dir_instalacion() . '/saml/saml.crt'),
// 'privateKey' > file_get_contents(\siu\bootstrap::get_dir_instalacion() . '/saml/saml.pem'),
),
// Identity Provider Data that we want connect with our SP
'idp' => array (
// Identifier of the IdP entity (must be a URI)
'entityId' => $url_idp.'/saml2/idp/metadata.php',
// SSO endpoint info of the IdP. (Authentication Request protocol)
'singleSignOnService' => array (
// URL Target of the IdP where the SP will send the Authentication Request Message
'url' => $url_idp.'/saml2/idp/SSOService.php',
// SAML protocol binding to be used when returning the <Response>
// message. Onelogin Toolkit supports for this endpoint the
// HTTP-POST binding only
'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
),
// SLO endpoint info of the IdP.
'singleLogoutService' => array (
// URL Location of the IdP where the SP will send the SLO Request
'url' => $url_idp.'/saml2/idp/SingleLogoutService.php',
// SAML protocol binding to be used when returning the <Response>
// message. Onelogin Toolkit supports for this endpoint the
// HTTP-Redirect binding only
'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
),
// Public x509 certificate of the IdP
// 'x509cert' => \siu\bootstrap::get_dir_instalacion() . '/saml/saml.crt',
/*
*Instead of use the whole x509cert you can use a fingerprint
*(openssl x509 -noout -fingerprint -in "idp.crt" to generate it)
*/
'certFingerprint' => 'AF:E7:1C:28:EF:74:0B:C8:74:25:BE:13:A2:26:3D:37:97:1D:A1:F9',
),
//Advanced settings
// Security settings
'security' => array (
/** signatures and encryptions offered */
// Indicates that the nameID of the <samlp:logoutRequest> sent by this SP
// will be encrypted.
'nameIdEncrypted' => false,
// Indicates whether the <samlp:AuthnRequest> messages sent by this SP
// will be signed. [The Metadata of the SP will offer this info]
'authnRequestsSigned' => false,
// Indicates whether the <samlp:logoutRequest> messages sent by this SP
// will be signed.
'logoutRequestSigned' => false,
// Indicates whether the <samlp:logoutResponse> messages sent by this SP
// will be signed.
'logoutResponseSigned' => false,
/* Sign the Metadata
False || True (use sp certs) || array (
keyFileName => 'metadata.key',
certFileName => 'metadata.crt'
)
*/
'signMetadata' => false,
/** signatures and encryptions required **/
// Indicates a requirement for the <samlp:Response>, <samlp:LogoutRequest> and
// <samlp:LogoutResponse> elements received by this SP to be signed.
'wantMessagesSigned' => false,
// Indicates a requirement for the <saml:Assertion> elements received by
// this SP to be signed. [The Metadata of the SP will offer this info]
'wantAssertionsSigned' => false,
// Indicates a requirement for the NameID received by
// this SP to be encrypted.
'wantNameIdEncrypted' => false,
),
// Contact information template, it is recommended to suply a technical and support contacts
'contactPerson' => array (
'technical' => array (
'givenName' => 'CAMBIAR',
'emailAddress' => 'CAMBIAR'
),
'support' => array (
'givenName' => 'CAMBIAR',
'emailAddress' => 'CAMBIAR'
),
),
// Organization information template, the info in en_US lang is recomended, add more if required
'organization' => array (
'en-US' => array(
'name' => 'CAMBIAR',
'displayname' => 'CAMBIAR',
'url' => 'CAMBIAR.com'
),
),
);
Configuración Gestión
- En lib/toba/instalacion/instalacion.ini agregar la entrada:
- autenticacion = saml
- El archivo lib/toba/instalacion/saml.ini debe tener el siguiente contenido, reemplazando la url del idp por la correcta y el fingerprint generado anteriormente:
- [basicos]
path_sp = 3ros/simplesamlphp
auth_source = default-sp
atributo_usuario=usuario
permite_login_toba= 0
[sp]
baseurlpath = /toba_2.6_sp/
session.phpsession.cookiename = TOBA_SESSID
idp = http://localhost/simplesaml/saml2/idp/metadata.php
[idp:http://localhost/simplesaml/saml2/idp/metadata.php]
name = Your IdP
SingleSignOnService = http://localhost/simplesaml/saml2/idp/SSOService.php
SingleLogoutService = http://localhost/simplesaml/saml2/idp/SingleLogoutService.php
certFingerprint = AF:E7:1C:28:EF:74:0B:C8:74:25:BE:13:A2:26:3D:37:97:1D:A1:F9
IMPORTANTE
Debido a una particularidad de SimplesamlPHP, si el idp y sp se implementan con SimplesamlPHP DEBEN estar en diferentes hosts, si esto no es así el comportamiento no está determinado. Aquí está el link a la documentación de SimplesamlPHP https://simplesamlphp.org/docs/stable/simplesamlphp-idp#section_9_1. Una salida a este problema es definir un virtual host para el idp (en vez de un alias).