1 Basics
1.1 Basic concepts of assertions
1.1.1 Introduction to assertions
– The Chinese term 断言 is the translation of the English word "assertion"
– An assertion is a concept from computer programming
– The purpose of an assertion is to verify that the running software reaches the result the developer expects
– When execution reaches an assertion, the asserted condition must be true; otherwise the program aborts and reports an error
– Assertions help programmers write more stable, higher-quality code
An example:
x = 1; assert x > 0; x++; assert x > 1;
1.1.2 Forms of an assertion
assert Expression1
assert Expression1 : Expression2
Explanation:
The expression "Expression1" is a boolean value
The expression "Expression2" is the failure message output when the assertion fails (i.e., when "Expression1" is false, the message in "Expression2" is output)
1.2 SAML
1.2.1 Introduction to SAML
– SAML is the abbreviation of Security Assertion Markup Language
– SAML is an open standard for exchanging authentication and authorization data
– SAML is particularly suited to exchanging authentication and authorization data between an identity provider and a service provider
– SAML expresses security assertions in XML
1.2.2 How SAML works
– The principal (usually a human user) requests a service from the service provider
– The identity provider (IdP): the service provider requests and obtains an authentication assertion from the identity provider
– The service provider (SP) decides, based on the identity provider's assertion, whether to provide the service to the principal
1.2.3 SAML use cases
– SSO (web browser single sign-on)
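As an added example (not code from this page or from SimpleSAMLphp), here is the SP-side decision described in 1.2.2 in Python: it checks a constructed SAML 2.0 assertion's issuer, validity window and audience against this SP's identity. The IdP, SP entity ID, subject and times are made up, and verifying the XML signature over the assertion is assumed to happen separately.

```python
"""SP-side acceptance checks on a SAML 2.0 assertion.

Added example, not SimpleSAMLphp code. The SP grants the principal access
only if every condition the IdP asserted is still true for this SP. A real
SP must also verify the XML signature over the assertion (omitted here).
"""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample; the issuer, audience, subject and times are made up.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed1" Version="2.0" IssueInstant="2024-08-06T02:00:00Z">
  <saml:Issuer>https://idp.example.org/saml2/idp/metadata.php</saml:Issuer>
  <saml:Subject><saml:NameID>will</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-08-06T02:00:00Z" NotOnOrAfter="2024-08-06T02:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.org/simplesaml/module.php/saml/sp/metadata.php/default-sp</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def parse_saml_time(value):
    """Parse a SAML UTC timestamp such as 2024-08-06T02:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def evaluate_assertion(xml_text, expected_issuer, sp_entity_id, now):
    """Return (accepted, reason); each check is an assertion that must hold."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % NS["saml"]:
        return False, "not a SAML 2.0 Assertion"
    if root.findtext("saml:Issuer", namespaces=NS) != expected_issuer:
        return False, "assertion not issued by the expected IdP"
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return False, "missing Conditions"
    # NotBefore is inclusive, NotOnOrAfter is exclusive (SAML 2.0 Core, Conditions)
    if "NotBefore" in cond.attrib and now < parse_saml_time(cond.attrib["NotBefore"]):
        return False, "assertion not yet valid"
    if "NotOnOrAfter" in cond.attrib and now >= parse_saml_time(cond.attrib["NotOnOrAfter"]):
        return False, "assertion expired"
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        return False, "assertion not issued for this SP"
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        return False, "missing subject"
    return True, "accept principal " + name_id
```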
1.3 SimpleSAMLphp
1.3.1 Overview of SimpleSAMLphp
SimpleSAMLphp is written in PHP
SimpleSAMLphp is used to handle authentication
1.3.2 Functions of SimpleSAMLphp
– Acting as a service provider (SP) based on SAML 2.0
– Acting as an identity provider (IdP) based on SAML 2.0
1.3.3 Identity protocols and frameworks supported by SimpleSAMLphp
– A-Select
– CAS
– OpenID
– WS-Federation
– OAuth
1.3.4 Modules supported by SimpleSAMLphp
For details, see the following link:
https://simplesamlphp.org/modules/
1.3.5 Runtime environment
– PHP 8.1.0 or later
– Required extensions: date, dom, fileinfo, filter, hash, json, libxml, mbstring, openssl, pcre, session, simplexml, sodium, SPL and zlib
– Optional extensions: posix, intl, cURL, ldap, radius, session, memcache, predis (redis)
– Database extensions: pdo, mysql, pgsql, etc.
Based on the above, you may need to install the following extensions in advance:
mbstring, openssl, simplexml, sodium, zlib, intl, cURL, ldap, radius, memcache, predis
2 Best practices
2.1 System environment
2.1.1 Environment information
OS = RHEL 8.x x86_64
IP Address = any
Host Name = simplesamlphp.cmdschool.org
2.1.2 Update the system
dnf update -y
2.1 Deploy the PHP environment
2.1.1 Deploy the PHP environment
2.1.2 Identify the modules already installed
php -m
A quicker way to check for a single extension is:
php -m | grep -i date
2.1.3 Install the mbstring extension
cd ~/php-8.3.7/ext/mbstring
phpize
./configure
make
make install
rsync -avP /usr/lib64/extensions/no-debug-zts-20230831/ /usr/lib64/php-zts/modules
echo 'extension=mbstring' > /etc/php.d/mbstring.ini
systemctl reload php-fpm
If you see the following error:
configure: error: Package requirements (oniguruma) were not met: Package 'oniguruma', required by 'virtual:world', not found
resolve the dependency with the following command:
dnf install -y oniguruma-devel
2.1.4 Install the openssl extension
cd ~/php-8.3.7/ext/openssl/
cp config0.m4 config.m4
phpize
./configure
make
make install
rsync -avP /usr/lib64/extensions/no-debug-zts-20230831/ /usr/lib64/php-zts/modules
echo 'extension=openssl' > /etc/php.d/openssl.ini
systemctl reload php-fpm
2.1.5 Install the sodium extension
cd ~/php-8.3.7/ext/sodium
phpize
./configure
make
make install
rsync -avP /usr/lib64/extensions/no-debug-zts-20230831/ /usr/lib64/php-zts/modules
echo 'extension=sodium' > /etc/php.d/sodium.ini
systemctl reload php-fpm
If you see the following error:
configure: error: Package requirements (libsodium >= 1.0.8) were not met: Package 'libsodium', required by 'virtual:world', not found
resolve the dependency with the following command:
dnf install -y libsodium-devel
2.1.6 Install the zlib extension
cd ~/php-8.3.7/ext/zlib
cp config0.m4 config.m4
phpize
./configure
make
make install
rsync -avP /usr/lib64/extensions/no-debug-zts-20230831/ /usr/lib64/php-zts/modules
echo 'extension=zlib' > /etc/php.d/zlib.ini
systemctl reload php-fpm
2.1.7 Install the intl extension
cd ~/php-8.3.7/ext/intl
phpize
./configure
make
make install
rsync -avP /usr/lib64/extensions/no-debug-zts-20230831/ /usr/lib64/php-zts/modules
echo 'extension=intl' > /etc/php.d/intl.ini
systemctl reload php-fpm
If you see the following error:
configure: error: Package requirements (icu-uc >= 50.1 icu-io icu-i18n) were not met: Package 'icu-uc', required by 'virtual:world', not found Package 'icu-io', required by 'virtual:world', not found Package 'icu-i18n', required by 'virtual:world', not found
resolve the dependency with the following command:
dnf install -y libicu-devel
2.1.8 Install the curl extension
cd ~/php-8.3.7/ext/curl/
phpize
./configure
make
make install
rsync -avP /usr/lib64/extensions/no-debug-zts-20230831/ /usr/lib64/php-zts/modules
echo 'extension=curl' > /etc/php.d/curl.ini
systemctl reload php-fpm
If you see the following error:
configure: error: Package requirements (libcurl >= 7.29.0) were not met: Package 'libcurl', required by 'virtual:world', not found
resolve the dependency with the following command:
dnf install -y libcurl-devel
2.1.9 Install the ldap extension
cd ~/php-8.3.7/ext/ldap
phpize
./configure
make
make install
rsync -avP /usr/lib64/extensions/no-debug-zts-20230831/ /usr/lib64/php-zts/modules
echo 'extension=ldap' > /etc/php.d/ldap.ini
systemctl reload php-fpm
If you see the following error:
configure: error: Cannot find ldap.h
resolve the dependency with the following command:
dnf install -y openldap-devel
If you see the following error:
configure: error: Cannot find ldap libraries in /usr/lib.
resolve it with the following command:
ln -s /usr/lib64/libldap.so /usr/lib/
2.2 Install Nginx
2.2.1 Configure the package repository
vim /etc/yum.repos.d/nginx.repo
Add the following configuration:
[nginx]
name=nginx
baseurl=http://nginx.org/packages/rhel/9/x86_64/
enabled=1
gpgcheck=0
2.2.2 Install the package
dnf install -y nginx
2.3 Deploy SimpleSAMLphp
2.3.1 Download the package
cd ~
wget -O simplesamlphp-2.2.2-full.tar.gz https://objects.githubusercontent.com/github-production-release-asset-2e65be/17167136/8989f3f0-86ac-497a-9c4c-e813880d27cc?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20240806%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240806T021225Z&X-Amz-Expires=300&X-Amz-Signature=e5ef1510cddc6491b79ee4c2c79cbc5923ed7dc9e9ddd80902aa3eda2d9afeec&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=17167136&response-content-disposition=attachment%3B%20filename%3Dsimplesamlphp-2.2.2-full.tar.gz&response-content-type=application%2Foctet-stream
The command above is only a demonstration; if the download does not work, download the package in a browser from one of the following links:
https://github.com/simplesamlphp/simplesamlphp/releases
https://simplesamlphp.org/download/
2.3.2 Extract the package
cd ~
tar -xf simplesamlphp-2.2.2-full.tar.gz
2.3.3 Deploy the package
cd ~
mv simplesamlphp-2.2.2 /var/www/simplesamlphp
chown apache:apache -R /var/www/simplesamlphp/
chmod 775 -R /var/www/simplesamlphp/
2.4 Configure SimpleSAMLphp
2.4.1 Create the virtual server configuration
vim /etc/nginx/conf.d/auth.cmdschool.org_443.conf
Add the following configuration:
server {
    listen 0.0.0.0:443 ssl;
    server_name auth.cmdschool.org;
    ssl_certificate /etc/pki/tls/certs/auth.cmdschool.org_bundle.crt;
    ssl_certificate_key /etc/pki/tls/private/auth.cmdschool.org.key;
    ssl_protocols TLSv1.3 TLSv1.2;
    ssl_ciphers EECDH+AESGCM:EDH+AESGCM;

    location ^~ /simplesaml {
        alias /var/www/simplesamlphp/public;

        location ~^(?<prefix>/simplesaml)(?<phpfile>.+?\.php)(?<pathinfo>/.*)?$ {
            include fastcgi_params;
            fastcgi_pass 127.0.0.1:9000;
            fastcgi_param SCRIPT_FILENAME $document_root$phpfile;

            # Must be prepended with the baseurlpath
            fastcgi_param SCRIPT_NAME /simplesaml$phpfile;
            fastcgi_param PATH_INFO $pathinfo if_not_empty;
        }
    }
}
The certificate used by this configuration can be requested from Tencent Cloud; see the following link for details, which are not repeated here:
https://cloud.tencent.com/product/ssl
After creating the configuration file, validate it with the following command:
nginx -t
Once the configuration is confirmed valid, reload the service with the following command so that it takes effect:
systemctl reload nginx.service
2.4.2 Modify the configuration file
cp /var/www/simplesamlphp/config/config.php.dist /var/www/simplesamlphp/config/config.php
vim /var/www/simplesamlphp/config/config.php
Change the parameters as follows:
$config = [
    #...
    'baseurlpath' => 'simplesaml/',
    'auth.adminpassword' => 'adminpwd',
    'technicalcontact_name' => 'Administrator',
    'technicalcontact_email' => 'will@cmdschool.org',
    'language.default' => 'en',
    'timezone' => 'Asia/Shanghai',
    #...
];
The parameters are explained as follows:
– The "baseurlpath" parameter declares the root path of the login site
– The "auth.adminpassword" parameter declares the administrator login password
– The "technicalcontact_name" parameter declares the administrator's name
– The "technicalcontact_email" parameter declares the administrator's e-mail address
– The "language.default" parameter declares the system's default language
– The "timezone" parameter declares the system's default time zone
Then, use the following commands to replace the value of the "secretsalt" parameter with a random secret salt, which is used to generate secure hashes:
SECRET="$(tr -c -d '0123456789abcdefghijklmnopqrstuvwxyz' </dev/urandom | dd bs=32 count=1 2>/dev/null;echo)"
sed -i "s~defaultsecretsalt~$SECRET~g" /var/www/simplesamlphp/config/config.php
After the change, confirm it with the following command:
grep -i "'secretsalt' =>" /var/www/simplesamlphp/config/config.php
You should see output like the following:
'secretsalt' => 'nfh3pqdroquhdnhadglu3x89qh0xrr98',
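As an added example (not SimpleSAMLphp's code), a small Python audit of the edited config.php that flags a "secretsalt" still at the shipped placeholder or shorter than the 32 characters generated above, and an "auth.adminpassword" left at the demo value used in this guide ('adminpwd') or at the value assumed to ship in config.php.dist ('123'). The configuration text it reads is constructed to match the shape produced by this section.

```python
"""Audit the values edited in SimpleSAMLphp's config/config.php.

Added example, not part of SimpleSAMLphp. Only simple 'key' => 'value'
string settings are parsed; that is enough for the parameters this
guide changes.
"""
import re

# One quoted key/value pair per line, as written in config.php.
PAIR = re.compile(r"^\s*'([^']+)'\s*=>\s*'([^']*)'\s*,", re.MULTILINE)

# Constructed sample in the shape the guide produces, salt not yet replaced.
SAMPLE_CONFIG = """<?php
$config = [
    'baseurlpath' => 'simplesaml/',
    'auth.adminpassword' => 'adminpwd',
    'secretsalt' => 'defaultsecretsalt',
    'technicalcontact_email' => 'will@cmdschool.org',
    'timezone' => 'Asia/Shanghai',
];
"""

# 'adminpwd' is the demo value from this guide; '123' is assumed to be the
# value shipped in config.php.dist.
PLACEHOLDER_PASSWORDS = ("adminpwd", "123")


def parse_config(text):
    """Return the quoted string settings of config.php as a dict."""
    return dict(PAIR.findall(text))


def audit_config(text):
    """Return a list of findings; an empty list means every check passed."""
    cfg = parse_config(text)
    findings = []
    salt = cfg.get("secretsalt", "")
    if salt == "defaultsecretsalt":
        findings.append("secretsalt still has the shipped placeholder value")
    elif len(salt) < 32:
        findings.append("secretsalt is shorter than the 32 characters the guide generates")
    if cfg.get("auth.adminpassword", "") in PLACEHOLDER_PASSWORDS:
        findings.append("auth.adminpassword is a placeholder from the guide or the .dist file")
    if not cfg.get("baseurlpath", "").endswith("/"):
        findings.append("baseurlpath must end with a slash")
    return findings
```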
2.4.3 Test the default home page
https://auth.cmdschool.org/simplesaml/index.php
If the page shows the following error when you log in:
SimpleSAML\Error\Error: UNHANDLEDEXCEPTION Backtrace: 1 src/SimpleSAML/Error/ExceptionHandler.php:32 (SimpleSAML\Error\ExceptionHandler::customExceptionHandler) 0 [builtin] (N/A) Caused by: RuntimeException: Unable to create the "cache" directory (/var/cache/simplesamlphp/core). Backtrace: 5 vendor/symfony/http-kernel/Kernel.php:598 (Symfony\Component\HttpKernel\Kernel::buildContainer) 4 vendor/symfony/http-kernel/Kernel.php:505 (Symfony\Component\HttpKernel\Kernel::initializeContainer) 3 vendor/symfony/http-kernel/Kernel.php:763 (Symfony\Component\HttpKernel\Kernel::preBoot) 2 vendor/symfony/http-kernel/Kernel.php:185 (Symfony\Component\HttpKernel\Kernel::handle) 1 src/SimpleSAML/Module.php:234 (SimpleSAML\Module::process) 0 public/module.php:17 (N/A)
fix it with the following commands:
mkdir -p /var/cache/simplesamlphp/core
chown apache:apache /var/cache/simplesamlphp/core
chmod 775 /var/cache/simplesamlphp/core
Once the problem is resolved, you should see the following page:
2.4.4 Test the admin home page
https://auth.cmdschool.org/simplesaml/admin/index.php
If the page shows the following error when you log in:
SimpleSAML\Error\Error: UNHANDLEDEXCEPTION Backtrace: 1 src/SimpleSAML/Error/ExceptionHandler.php:32 (SimpleSAML\Error\ExceptionHandler::customExceptionHandler) 0 [builtin] (N/A) Caused by: RuntimeException: Unable to create the "cache" directory (/var/cache/simplesamlphp/admin). Backtrace: 5 vendor/symfony/http-kernel/Kernel.php:598 (Symfony\Component\HttpKernel\Kernel::buildContainer) 4 vendor/symfony/http-kernel/Kernel.php:505 (Symfony\Component\HttpKernel\Kernel::initializeContainer) 3 vendor/symfony/http-kernel/Kernel.php:763 (Symfony\Component\HttpKernel\Kernel::preBoot) 2 vendor/symfony/http-kernel/Kernel.php:185 (Symfony\Component\HttpKernel\Kernel::handle) 1 src/SimpleSAML/Module.php:234 (SimpleSAML\Module::process) 0 public/module.php:17 (N/A)
fix it with the following commands:
mkdir -p /var/cache/simplesamlphp/admin
chown apache:apache /var/cache/simplesamlphp/admin
chmod 775 /var/cache/simplesamlphp/admin
If the page shows the following error when you log in:
SimpleSAML\Error\ConfigurationError: The configuration (config/authsources.php) is invalid: Missing configuration file Backtrace: 9 src/SimpleSAML/Configuration.php:195 (SimpleSAML\Configuration::loadFromFile) 8 src/SimpleSAML/Configuration.php:285 (SimpleSAML\Configuration::getConfig) 7 src/SimpleSAML/Auth/Source.php:343 (SimpleSAML\Auth\Source::getById) 6 src/SimpleSAML/Utils/Auth.php:62 (SimpleSAML\Utils\Auth::requireAdmin) 5 modules/admin/src/Controller/Config.php:120 (SimpleSAML\Module\admin\Controller\Config::main) 4 vendor/symfony/http-kernel/HttpKernel.php:181 (Symfony\Component\HttpKernel\HttpKernel::handleRaw) 3 vendor/symfony/http-kernel/HttpKernel.php:76 (Symfony\Component\HttpKernel\HttpKernel::handle) 2 vendor/symfony/http-kernel/Kernel.php:197 (Symfony\Component\HttpKernel\Kernel::handle) 1 src/SimpleSAML/Module.php:234 (SimpleSAML\Module::process) 0 public/module.php:17 (N/A)
fix it with the following command:
cp /var/www/simplesamlphp/config/authsources.php.dist /var/www/simplesamlphp/config/authsources.php
Once the problem is resolved, you should see the following page:
The login details are:
admin username: admin
admin password: adminpwd
Reference documents
==================
SimpleSAMLphp official installation tutorial
————
https://simplesamlphp.org/docs/stable/simplesamlphp-install.html
SimpleSAMLphp official home page
—————–
https://simplesamlphp.org/
SimpleSAMLphp official GitHub
—————–
https://github.com/simplesamlphp/simplesamlphp
SimpleSAMLphp documentation
—————–
https://simplesamlphp.org/docs/stable/index.html
The concept of assertions
—————–
https://en.wikipedia.org/wiki/Security_Assertion_Markup_Language
https://baike.baidu.com/item/%E6%96%AD%E8%A8%80/13021995?fr=aladdin
The concept of SAML
————-
https://en.wikipedia.org/wiki/Security_Assertion_Markup_Language