1 前言
一个问题,一篇文章,一出故事。
笔者需要simpleSAMLphp作为MySQL DB的身份提供者,于是产生本文。
2 最佳实践
2.1 准备simpleSAMLphp环境
如果你没有simpleSAMLphp环境,请参阅以下章节准备,
2.2 配置simpleSAML成为Idp
2.2.1 启用身份提供者
vim /var/www/simplesamlphp/config/config.php
参数修改如下,
$config = [ #... 'enable.saml20-idp' => true, #... ];
参数解析如下,
– 参数“enable.saml20-idp”声明启用对SAML 2.0 IdP支持
2.2.2 启用sql认证模块
vim /var/www/simplesamlphp/config/config.php
参数修改如下,
'module.enable' => [ #... 'sqlauth' => true ],
模块解析,
模块“authcrypt:Hash”,使用散列密码进行用户名和密码验证。
模块“authcrypt:Htpasswd”,根据.htpasswd 文件进行用户名和密码验证。
模块“authX509:authX509userCert”,使用 SSL 客户端证书对 LDAP 数据库进行身份验证。
模块“exampleauth:UserPass”,根据用户名和密码列表进行身份验证。
模块“exampleauth:Static”,自动以具有一组属性的用户身份登录。
模块“ldap:LDAP”,向 LDAP 服务器验证用户身份。
模块“ldap:LDAPMulti”,将用户验证到多个 LDAP 服务器之一。用户可以从下拉列表中选择 LDAP 服务器。
模块“sqlauth:SQL”,根据数据库验证用户身份。
模块“radius:Radius”,向 Radius 服务器验证用户身份。
模块“multiauth:MultiAuth”,允许用户从身份验证源列表中进行选择。
模块“saml:SP”,根据 SAML IdP 进行身份验证。可用于桥接。
模块“authYubiKey:YubiKey”,使用 YubiKey 进行身份验证 。
模块“authtwitter:Twitter”,使用 Twitter OAuth API 对您的 Twitter 帐户进行身份验证。
模块“papi:PAPI”,通过 PAPI 协议进行身份验证。
2.2.3 准备测试所需的用户数据表
mysql -uroot -p
创建数据库
CREATE DATABASE `simplesaml`;
创建用户并授予权限
CREATE USER 'simplesaml'@'localhost' IDENTIFIED BY 'simplesamlpwd'; GRANT ALL PRIVILEGES ON `simplesaml`.* TO 'simplesaml'@'localhost';
测试应用登录权限,
mysql -usimplesaml -psimplesamlpwd
创建用户表
USE simplesaml; CREATE TABLE `users` ( `uid` varchar(50) NOT NULL, `givenName` varchar(50) NOT NULL, `email` varchar(100) NOT NULL, `eduPersonPrincipalName` varchar(100) NOT NULL, `password` varchar(256) NOT NULL, `salt` varchar(50) NOT NULL, PRIMARY KEY (`uid`) ) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4;
插入范例数据
USE simplesaml; INSERT INTO `users` (`uid`, `givenName`, `email`, `eduPersonPrincipalName`, `password`, `salt`) VALUES ('user1', 'John Doe', 'john.doe@cmdschool.org', 'john.doe@cmdschool.org', SHA2(CONCAT('salt1', 'password123'), 256), 'salt1'), ('user2', 'Jane Smith', 'jane.smith@cmdschool.org', 'jane.smith@cmdschool.org', SHA2(CONCAT('salt2', 'password456'), 256), 'salt2'), ('user3', 'Bob Johnson', 'bob.johnson@cmdschool.org', 'bob.johnson@cmdschool.org', SHA2(CONCAT('salt3', 'password789'), 256), 'salt3');
验证插入的数据,
SELECT * FROM simplesaml.users;
可见如下输出,
+-------+-------------+---------------------------+---------------------------+------------------------------------------------------------------+-------+ | uid | givenName | email | eduPersonPrincipalName | password | salt | +-------+-------------+---------------------------+---------------------------+------------------------------------------------------------------+-------+ | user1 | John Doe | john.doe@cmdschool.org | john.doe@cmdschool.org | 08a86fd061dea3df8ddf52692d51e5c6c3ac02a9ff83e17dc7debd956e397965 | salt1 | | user2 | Jane Smith | jane.smith@cmdschool.org | jane.smith@cmdschool.org | 8fef1ff5ca8ed87592c10978457a0b1f74cf590ffbc14b0bef57a7fc2616edd6 | salt2 | | user3 | Bob Johnson | bob.johnson@cmdschool.org | bob.johnson@cmdschool.org | 14a5bae7e8015b0da9ea7eef579b6cf2ddcea9db39f75cb5d8dabbc2d70bc580 | salt3 | +-------+-------------+---------------------------+---------------------------+------------------------------------------------------------------+-------+ 3 rows in set (0.000 sec)
2.2.4 配置身份验证源
vim /var/www/simplesamlphp/config/authsources.php
$config = [ 'simplesaml-sql' => [ 'sqlauth:SQL', 'dsn' => 'mysql:host=localhost;port=3306;dbname=simplesaml', 'username' => 'simplesaml', 'password' => 'simplesamlpwd', 'query' => 'SELECT uid, givenName, email, eduPersonPrincipalName FROM users WHERE uid = :username ' . 'AND password = SHA2(CONCAT((SELECT salt FROM users WHERE uid = :username), :password), 256);', ], #... ];
验证查询语句,
SELECT uid, givenName, email, eduPersonPrincipalName FROM users WHERE uid = 'user1' AND password = SHA2(CONCAT((SELECT salt FROM user s WHERE uid = 'user1'), 'password123'), 256);
可见如下输出,
+-------+-----------+------------------------+------------------------+ | uid | givenName | email | eduPersonPrincipalName | +-------+-----------+------------------------+------------------------+ | user1 | John Doe | john.doe@cmdschool.org | john.doe@cmdschool.org | +-------+-----------+------------------------+------------------------+ 1 row in set (0.000 sec)
2.2.5 验证身份证源
管理严身份登录,
单击【Test】->【simplesaml-sql】
如上图所示,
输入用户名:user1
密码:password123
单击【登录】即可验证之前的设置是否正确
2.2.6 配置默认的SAML SP
vim /var/www/simplesamlphp/config/authsources.php
修改如下配置,
'default-sp' => [ 'saml:SP', 'entityID' => 'https://myapp.cmdschool.org/', 'idp' => null, 'discoURL' => null, 'proxymode.passAuthnContextClassRef' => false, ],
注:以上只是准备一个空的应用服务提供者,暂时不设置实际的。
2.2.7 准备IdP所需的SSL证书
openssl req -newkey rsa:3072 -new -x509 -days 3652 -nodes -out auth.cmdschool.org.crt -keyout auth.cmdschool.org.pem
配置向导如下,
You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:CN State or Province Name (full name) []:GD Locality Name (eg, city) [Default City]:DG Organization Name (eg, company) [Default Company Ltd]:auth.cmdschool.org Organizational Unit Name (eg, section) []:cmdschool.org Common Name (eg, your name or your server's hostname) []:auth.cmdschool.org Email Address []:will@cmdschool.org
以上创建有效期10年的自签名证书,我们更建议你直接申请到腾讯云申请权威机构颁发的证书,
https://cloud.tencent.com/product/ssl
需要注意的是,证书的名字不重要,请使用Apache证书的公钥(“*.crt”)和私钥(*.key)代替上面的“*.crt”和“*.pem”证书即可。
2.2.5 配置IdP
cp auth.cmdschool.org.crt /var/www/simplesamlphp/cert/ cp auth.cmdschool.org.pem /var/www/simplesamlphp/cert/ chown apache:apache /var/www/simplesamlphp/cert/*
使用以上命令完成证书部署后,你需要使用如下命令修改配置加载证书,
cp /var/www/simplesamlphp/metadata/saml20-idp-hosted.php.dist /var/www/simplesamlphp/metadata/saml20-idp-hosted.php vim /var/www/simplesamlphp/metadata/saml20-idp-hosted.php
修改如下配置,
$metadata['https://auth.cmdschool.org/saml-idp'] = [ 'host' => '__DEFAULT__', 'privatekey' => 'auth.cmdschool.org.pem', 'certificate' => 'auth.cmdschool.org.crt', 'auth' => 'simplesaml-sql', ];
正确配置加载后,请以管理员身份登录管理界面验证,
https://simplesamlphp.cmdschool.org
单击【联盟】->【SAML 2.0 IdP元信息】->【现实元信息】
然后在“下载X509证书作为PEM编码的文件”下单击【idp.crt】即可下载证书并验证
2.2.6 设置SAML属性的名称格式为URI格式
vim /var/www/simplesamlphp/metadata/saml20-idp-hosted.php
修改如下配置,
$metadata['https://auth.cmdschool.org/saml-idp'] = [ /* Uncomment the following to use the uri NameFormat on attributes. */ 'attributes.NameFormat' => 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri', 'authproc' => [ // Convert LDAP names to oids. 100 => ['class' => 'core:AttributeMap', 'name2oid'], ], ];
以上配置请具体参阅如下属性解析,
https://kantarainitiative.github.io/SAMLprofiles/saml2int.html
2.2.6 将SPs添加到IdP
https://auth.cmdschool.org/simplesaml/module.php/admin/federation
以上管理员登录单击【联盟】并提取以下三个连接,
https://auth.cmdschool.org/simplesaml/module.php/saml/sp/metadata/default-sp
https://auth.cmdschool.org/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp
https://auth.cmdschool.org/simplesaml/module.php/saml/sp/saml2-logout.php/default-sp
然后增加如下配置,
cp /var/www/simplesamlphp/metadata/saml20-idp-remote.php.dist /var/www/simplesamlphp/metadata/saml20-idp-remote.php vim /var/www/simplesamlphp/metadata/saml20-idp-remote.php
修改如下配置,
<?php $metadata['https://auth.cmdschool.org/simplesaml/module.php/saml/sp/metadata/default-sp'] = [ 'AssertionConsumerService' => 'https://auth.cmdschool.org/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp', 'SingleLogoutService' => 'https://auth.cmdschool.org/simplesaml/module.php/saml/sp/saml2-logout.php/default-sp', ]; #...
参阅文档
================
https://simplesamlphp.org/docs/stable/simplesamlphp-idp.html
没有评论