
1 Preface
One problem, one article, one story.
The author needed simpleSAMLphp to act as the identity provider for a service, which is how this article came about.
2 Best practice
2.1 Prepare the simpleSAMLphp environment
If you do not yet have a simpleSAMLphp environment, see the following section to prepare one,
2.2 Configure simpleSAMLphp as an IdP
2.2.1 Enable the identity provider
vim /var/www/simplesamlphp/config/config.php
Change the parameter as follows,
$config = [
    #...
    'enable.saml20-idp' => true,
    #...
];
Parameter explanation,
– The parameter "enable.saml20-idp" turns on SAML 2.0 IdP support; without it the IdP endpoints and metadata are not served at all
2.2.2 Enable the authentication module
touch /var/www/simplesamlphp/modules/exampleauth/enable
This is the step the simpleSAMLphp IdP guide uses for a quick test: exampleauth ships static test users (example-userpass) and is only meant for checking that the IdP works. Do not leave it enabled on a production IdP; the LDAP authentication source used in the next section comes from the ldap module instead.
2.2.3 Configure the authentication source
This chapter uses LDAP, the most common directory in enterprises, as the authentication source; for the detailed configuration see the following document,
2.2.4 Prepare the SSL certificate
openssl req -newkey rsa:3072 -new -x509 -days 3652 -nodes -out simplesamlphp.cmdschool.org.crt -keyout simplesamlphp.cmdschool.org.pem
The interactive prompts run as follows,
Generating a RSA private key
..............................................................++++
................................++++
writing new private key to 'simplesamlphp.cmdschool.org.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:GD
Locality Name (eg, city) [Default City]:DG
Organization Name (eg, company) [Default Company Ltd]:simplesamlphp.cmdschool.org
Organizational Unit Name (eg, section) []:cmdschool.org
Common Name (eg, your name or your server's hostname) []:simplesamlphp.cmdschool.org
Email Address []:will@cmdschool.org
The command above creates a self-signed certificate valid for ten years. The author prefers applying for a certificate issued by a recognised CA through Tencent Cloud,
https://cloud.tencent.com/product/ssl
Note that the file names do not matter: you can use the Apache certificate's public certificate ("*.crt") and private key ("*.key") in place of the "*.crt" and "*.pem" files above. Bear in mind, though, what this key pair is for: the IdP uses it to sign SAML assertions and metadata, not to serve HTTPS. SPs trust it because the certificate is published in the IdP metadata, so a self-signed certificate works just as well as a CA-issued one, and keeping the signing key separate from the web server's TLS key limits the damage if either is compromised. Since -nodes leaves the private key unencrypted, restrict the key file so that only the web server user can read it.
2.2.5 Configure the SSL certificate
cp simplesamlphp.cmdschool.org.crt /var/www/simplesamlphp/cert/
cp simplesamlphp.cmdschool.org.pem /var/www/simplesamlphp/cert/
After deploying the certificate with the commands above, edit the configuration to load it,
vim /var/www/simplesamlphp/metadata/saml20-idp-hosted.php
Change the configuration as follows (paths are relative to the cert/ directory),
$metadata['__DYNAMIC:1__'] = [
    #...
    'privatekey' => 'simplesamlphp.cmdschool.org.pem',
    'certificate' => 'simplesamlphp.cmdschool.org.crt',
    #...
];
Once the configuration loads correctly, log in to the admin interface as administrator to verify,
https://simplesamlphp.cmdschool.org
Click [Federation] -> [SAML 2.0 IdP Metadata] -> [Show metadata]
Then, under "Download the X509 certificate as a PEM-encoded file", click [idp.crt] to download the certificate; compare its fingerprint with the .crt you copied into cert/ to confirm the IdP is publishing the key pair you intended.
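Before pointing saml20-idp-hosted.php at the files, it is worth confirming that the key and certificate actually belong together and that the key file is locked down; a mismatched pair only surfaces later as signature-validation failures on the SP side. The following script is an added example, not code from the original article or from the simpleSAMLphp project. It assumes the openssl CLI is installed; the file names, the 30-day expiry window and the owner-only permission rule are this example's own choices.

```shell
#!/bin/sh
# Added example, not part of the original article: sanity checks to run on an
# IdP signing key pair before listing it in saml20-idp-hosted.php.
# Assumptions: the openssl CLI is installed; file names are arbitrary; the
# 30-day expiry window and the owner-only permission rule are this example's.

# check_idp_keypair CERT KEY
# Returns 0 when KEY is the private key belonging to CERT, CERT is not within
# 30 days of expiry, and KEY is readable by its owner only.
check_idp_keypair() {
    cert="$1"; key="$2"
    # 1. The public key embedded in the certificate must equal the one
    #    derived from the private key (works for RSA and EC alike).
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) \
        || { echo "FAIL: cannot read certificate $cert"; return 1; }
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) \
        || { echo "FAIL: cannot read private key $key"; return 1; }
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $key is not the private key for $cert"; return 1
    fi
    # 2. -checkend exits non-zero if the certificate expires within N seconds.
    if ! openssl x509 -in "$cert" -noout -checkend $((30 * 24 * 3600)) >/dev/null; then
        echo "FAIL: $cert expires within 30 days"; return 1
    fi
    # 3. The key was written unencrypted (-nodes), so the file mode is the
    #    only thing protecting it: group and others must have no access.
    mode=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key")
    case "$mode" in
        *00) ;;
        *) echo "FAIL: $key has mode $mode, expected 600 or 400"; return 1 ;;
    esac
    echo "OK: $cert and $key form a valid pair"
}

# Constructed fixtures: a self-signed pair made the same way as the article's
# openssl req command (non-interactive), plus an unrelated key.
make_fixtures() {
    dir=$(mktemp -d)
    openssl req -newkey rsa:2048 -new -x509 -days 3652 -nodes \
        -subj '/CN=simplesamlphp.cmdschool.org' \
        -out "$dir/idp.crt" -keyout "$dir/idp.pem" 2>/dev/null
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/other.pem" 2>/dev/null
    chmod 600 "$dir/idp.pem" "$dir/other.pem"
    echo "$dir"
}

FIX=$(make_fixtures)
check_idp_keypair "$FIX/idp.crt" "$FIX/idp.pem"             # OK
check_idp_keypair "$FIX/idp.crt" "$FIX/other.pem" || true   # FAIL: not the private key
```

Run it against the two files in /var/www/simplesamlphp/cert/ after the cp step; the public-key comparison is the same check the SP will effectively make when it validates a signature against the certificate in your metadata.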
2.2.6 Set the attribute NameFormat to uri
vim /var/www/simplesamlphp/metadata/saml20-idp-hosted.php
Change the configuration as follows,
$metadata['__DYNAMIC:1__'] = [
    #...
    'attributes.NameFormat' => 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri',
    'authproc' => [
        // Convert LDAP names to oids.
        100 => ['class' => 'core:AttributeMap', 'name2oid'],
    ],
    #...
];
"attributes.NameFormat" sets the NameFormat the IdP writes on every attribute it releases, and the core:AttributeMap filter with the name2oid map renames the LDAP attribute names (uid, mail, cn and so on) to their urn:oid form before the assertion is built. The two belong together: uri NameFormat with OID names is what the saml2int interoperability profile expects, so see it for the details,
https://kantarainitiative.github.io/SAMLprofiles/saml2int.html
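To make the effect of this configuration concrete: an assertion carrying LDAP attribute names with the basic NameFormat does not meet the saml2int expectation, the name2oid map renames them to urn:oid names, and the uri NameFormat goes with it. The script below is an added example, not code from the original article or from simpleSAMLphp. It replays the renaming on a constructed assertion with text substitution (the real authproc filter rewrites the attribute array before the assertion is built, not the XML) and then checks the result; the OID pairs are the handful from SimpleSAMLphp's name2oid map that the sample needs, and the sample XML is constructed here.

```shell
#!/bin/sh
# Added example, not part of the original article: what the name2oid authproc
# does to attribute names, simulated on a captured assertion, plus a check
# that the result is what the saml2int profile expects.
# Assumptions: the attribute/OID pairs below are the subset of SimpleSAMLphp's
# name2oid map this example needs; the sample XML is constructed here.

# check_attribute_naming FILE
# Returns 0 only when every <saml:Attribute> in FILE is named by urn:oid and
# carries the uri NameFormat; otherwise lists the offending start tags.
check_attribute_naming() {
    tags=$(grep -o '<saml:Attribute [^>]*>' "$1" || true)
    if [ -z "$tags" ]; then
        echo "FAIL: no <saml:Attribute> elements in $1"; return 1
    fi
    # A tag offends if it lacks either the OID name or the uri NameFormat.
    # (The leading space keeps FriendlyName="..." from matching as Name.)
    bad=$( { printf '%s\n' "$tags" | grep -v ' Name="urn:oid:[0-9.]*"' || true
             printf '%s\n' "$tags" \
               | grep -v 'NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"' || true
           } | sort -u )
    if [ -n "$bad" ]; then
        echo "FAIL: attributes in $1 not in OID/uri form:"
        printf '%s\n' "$bad" | sed 's/^/  /'
        return 1
    fi
    echo "OK: every attribute in $1 uses a urn:oid name with the uri NameFormat"
}

# name2oid_rewrite IN OUT
# Applies the renaming core:AttributeMap name2oid performs on the attribute
# array, here as text substitution on the serialized assertion.
name2oid_rewrite() {
    sed -e 's/ Name="uid"/ Name="urn:oid:0.9.2342.19200300.100.1.1"/' \
        -e 's/ Name="mail"/ Name="urn:oid:0.9.2342.19200300.100.1.3"/' \
        -e 's/ Name="cn"/ Name="urn:oid:2.5.4.3"/' \
        -e 's/ Name="sn"/ Name="urn:oid:2.5.4.4"/' \
        -e 's/ Name="givenName"/ Name="urn:oid:2.5.4.42"/' \
        -e 's/ Name="displayName"/ Name="urn:oid:2.16.840.1.113730.3.1.241"/' \
        -e 's/attrname-format:basic"/attrname-format:uri"/' \
        "$1" > "$2"
}

# Constructed fixture: the AttributeStatement an IdP emits before this
# section's configuration is applied (LDAP names, basic NameFormat).
make_assertion_fixture() {
    dir=$(mktemp -d)
    cat > "$dir/before.xml" <<'EOF'
<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="uid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue>will</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="mail" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue>will@cmdschool.org</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="displayName" FriendlyName="displayName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue>Will</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
EOF
    echo "$dir"
}

FIX=$(make_assertion_fixture)
check_attribute_naming "$FIX/before.xml" || true       # FAIL, lists three tags
name2oid_rewrite "$FIX/before.xml" "$FIX/after.xml"
check_attribute_naming "$FIX/after.xml"                # OK
```

Run the check against an assertion captured from a browser SAML tracer once this section's configuration is in place; any tag it lists is an attribute the name2oid map does not know, which you then add to the authproc map yourself.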
2.2.7 Add SPs (the following is only an example; adjust it to your actual requirements)
vim /var/www/simplesamlphp/metadata/saml20-sp-remote.php
Change the configuration as follows. The array key is the SP's entityID, and the two URLs are the SP's own AssertionConsumerService and SingleLogoutService endpoints, taken from its metadata rather than guessed; the admin interface's Federation tab has an XML-to-SimpleSAMLphp metadata converter that produces this array from the SP's metadata XML,
<?php
#...
$metadata['https://saml2sp.example.org'] = [
    'AssertionConsumerService' => 'https://saml2sp.example.org/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp',
    'SingleLogoutService' => 'https://saml2sp.example.org/simplesaml/module.php/saml/sp/saml2-logout.php/default-sp',
];
#...
References
===========================
IdP configuration documentation
—————-
https://simplesamlphp.org/docs/1.17/simplesamlphp-idp.html
https://simplesamlphp.org/docs/latest/simplesamlphp-idp.html