How to deploy simpleSAMLphp 2.1.3 on Oracle Linux 9.x?

Directory and authentication services

1 Background

1.1 Basic concepts of assertions

1.1.1 What an assertion is

– The term is the translation of the English word "assertion"
– An assertion is a concept from computer programming
– Its purpose is to verify that the running software has reached the state the developer expects
– When execution reaches an assertion, its condition must be true; otherwise the program aborts and reports an error
– Assertions help programmers write more stable, higher-quality code
Example:

x = 1;
assert x > 0;
x++;
assert x > 1;

1.1.2 Assertion forms

assert Expression1
assert Expression1:Expression2

Explanation:
"Expression1" is a boolean expression
"Expression2" is the message reported when the assertion fails (that is, when "Expression1" is false, "Expression2" is reported)

1.2 SAML

1.2.1 Introduction to SAML

– SAML stands for Security Assertion Markup Language
– SAML is an open standard for exchanging authentication and authorization data
– SAML is designed for exchanging authentication and authorization data between an identity provider and a service provider
– A SAML assertion is an XML document in which an identity provider makes statements about a subject (that the subject authenticated, how, and which attributes it has)

1.2.2 How SAML works

– Principal (usually a human user): the principal requests a service from the service provider
– Identity provider (IdP): the service provider requests, and receives, an authentication assertion from the identity provider
– Service provider (SP): the service provider decides, based on the identity provider's assertion, whether to provide the service to the principal

1.2.3 SAML use case

– SSO (web browser single sign-on)

1.3 SimpleSAMLphp

1.3.1 Overview of SimpleSAMLphp

SimpleSAMLphp is written in PHP
SimpleSAMLphp is an application for handling authentication

1.3.2 SimpleSAMLphp capabilities

– Act as a service provider (SP) based on SAML 2.0
– Act as an identity provider (IdP) based on SAML 2.0

1.3.3 Other identity protocols and frameworks supported by SimpleSAMLphp

– A-Select
– CAS
– OpenID
– WS-Federation
– OAuth

1.3.4 Modules supported by SimpleSAMLphp

See the following link for details:
https://simplesamlphp.org/modules/

1.3.5 Runtime requirements

– PHP 8.1.0 or later
– Required extensions: date, dom, fileinfo, filter, hash, json, libxml, mbstring, openssl, pcre, session, simplexml, sodium, SPL and zlib
– Optional extensions: posix, intl, cURL, ldap, radius, memcache, predis (redis)
– Database extensions: pdo, mysql, pgsql, etc.
Based on the above, you will probably need to pre-install the following extensions:
mbstring, openssl, simplexml, sodium, zlib, intl, cURL, ldap, radius, memcache, predis

2 Best practice

2.1 System environment

2.1.1 Environment information

OS = Oracle Linux 9.x x86_64
IP Address = any
Host Name = simplesamlphp.cmdschool.org

2.1.2 Update the system

dnf update -y

2.1.3 Deploy the PHP environment

See: How to compile and install PHP-FPM 8.x on Oracle Linux 9.x?

From actual testing, some modules need to be compiled into PHP rather than loaded as shared extensions; the following configure parameters are for reference:

cd ~/php-8.2.16
./configure --bindir=/usr/bin/ \
--sbindir=/usr/sbin/ \
--sysconfdir=/etc/ \
--libdir=/usr/lib64/ \
--mandir=/usr/share/man/ \
--includedir=/usr/include/ \
--with-config-file-path=/etc/php.ini \
--with-config-file-scan-dir=/etc/php.d/ \
--with-fpm-user=apache \
--with-fpm-group=apache \
--enable-fpm \
--with-fpm-systemd \
--with-libdir=lib64 \
--enable-zts \
--enable-static \
--enable-shared \
--with-mysqli \
--enable-mysqlnd  \
--with-pdo-mysql \
--with-zlib \
--with-zip \
--with-openssl \
--with-curl \
--enable-exif \
--enable-mbstring \
--enable-gd \
--enable-sockets \
--with-sodium \
--enable-intl \
--with-ldap

If you see the following error:

configure: error: Package requirements (oniguruma) were not met:

Package 'oniguruma', required by 'virtual:world', not found

resolve the dependency with the following command (on Oracle Linux 9 the package comes from the CodeReady Builder repository, ol9_codeready_builder, which may need to be enabled first):

dnf install -y oniguruma-devel

If you see the following error:

configure: error: Package requirements (libsodium >= 1.0.8) were not met:

Package 'libsodium', required by 'virtual:world', not found

resolve the dependency with the following command (libsodium-devel is provided by EPEL on Enterprise Linux 9):

dnf install -y libsodium-devel

If you see the following error:

configure: error: Package requirements (icu-uc >= 50.1 icu-io icu-i18n) were not met:

Package 'icu-uc', required by 'virtual:world', not found
Package 'icu-io', required by 'virtual:world', not found
Package 'icu-i18n', required by 'virtual:world', not found

resolve the dependency with the following command:

dnf install -y libicu-devel

If you see the following error:

configure: error: Package requirements (libcurl >= 7.29.0) were not met:

Package 'libcurl', required by 'virtual:world', not found

resolve the dependency with the following command:

dnf install -y libcurl-devel

If you see the following error:

configure: error: Cannot find ldap.h

resolve the dependency with the following command:

dnf install -y openldap-devel

If you see the following error:

configure: error: Cannot find ldap libraries in /usr/lib.

the following symlink works around it (configure looked in /usr/lib although the 64-bit libraries live in /usr/lib64):

ln -s /usr/lib64/libldap.so /usr/lib/

2.1.4 Confirm the installed modules

php -m

To check quickly for a single module, use:

php -m | grep -i date
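The requirement list from 1.3.5 and the php -m check above combine naturally into one repeatable check. The script below is an added example, not code from SimpleSAMLphp or from this article's own procedure: the required list is the one quoted in 1.3.5, while the optional set (curl, intl, ldap) is an assumption about what this particular deployment relies on.

```sh
#!/bin/sh
# Added example (not part of SimpleSAMLphp or the original article): compare a
# PHP build against the extension list SimpleSAMLphp 2.1 requires (section 1.3.5).

# Required extensions as listed in section 1.3.5.
SSP_REQUIRED="date dom fileinfo filter hash json libxml mbstring openssl pcre session simplexml sodium SPL zlib"

# Optional extensions this particular deployment relies on; an assumption for
# this guide (ldap for the directory backend, curl for metadata, intl for i18n).
SSP_WANTED="curl intl ldap"

# missing_exts LOADED REQUIRED: print each name in REQUIRED (space-separated)
# that is not in LOADED, compared case-insensitively because `php -m` prints
# some names capitalised (SPL, Core) while the docs list them in lower case.
missing_exts() {
    _loaded=$(printf '%s\n' $1 | tr '[:upper:]' '[:lower:]')
    for _ext in $2; do
        _lc=$(printf '%s' "$_ext" | tr '[:upper:]' '[:lower:]')
        printf '%s\n' "$_loaded" | grep -qx "$_lc" || printf '%s\n' "$_ext"
    done
}

# php_loaded_exts: module names reported by the php binary on PATH, with the
# "[PHP Modules]"/"[Zend Modules]" headers and blank lines stripped.
php_loaded_exts() {
    php -m 2>/dev/null | grep -v '^\[' | grep -v '^$' | tr '\n' ' '
}

# check_php_build: report optional extensions that are not loaded, and fail
# (return 1) on missing required ones so the function can gate the rest of a
# provisioning script.
check_php_build() {
    _all=$(php_loaded_exts)
    _req=$(missing_exts "$_all" "$SSP_REQUIRED")
    _opt=$(missing_exts "$_all" "$SSP_WANTED")
    [ -n "$_opt" ] && printf 'optional extensions not loaded: %s\n' "$(echo $_opt)"
    if [ -n "$_req" ]; then
        printf 'REQUIRED extensions missing: %s\n' "$(echo $_req)" >&2
        return 1
    fi
    echo "all required extensions are present"
}

# Usage: sh check-php-exts.sh run   (checks the php binary found on PATH)
case "${1-}" in
    run) check_php_build ;;
esac
```

Save it as check-php-exts.sh and run `sh check-php-exts.sh run` after the build; a non-zero exit means a required extension is absent and the configure step has to be repeated with the matching --enable/--with option.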

2.2 Install Nginx

2.2.1 Configure the package repository

vim /etc/yum.repos.d/nginx.repo

Add the following configuration:

[nginx]
name=nginx
baseurl=https://nginx.org/packages/rhel/9/x86_64/
enabled=1
gpgcheck=1
gpgkey=https://nginx.org/keys/nginx_signing.key

Keep gpgcheck=1 so that dnf verifies every package against the nginx signing key; with gpgcheck=0 a tampered mirror or an intercepted download could deliver a modified web server unnoticed.

2.2.2 Install the package

dnf install -y nginx

2.3 Deploy SimpleSAMLphp

2.3.1 Download the package

cd ~
wget -O simplesamlphp-2.1.3-full.tar.gz https://github.com/simplesamlphp/simplesamlphp/releases/download/v2.1.3/simplesamlphp-2.1.3-full.tar.gz

The above is only a demonstration; if the download fails, use a browser to download the archive from one of the following links:
https://github.com/simplesamlphp/simplesamlphp/releases
https://simplesamlphp.org/download/
Use the "-full" archive: it ships with the Composer dependencies in vendor/, so no composer install is needed on the server.

2.3.2 Extract the package

cd ~
tar -xf simplesamlphp-2.1.3-full.tar.gz

2.3.3 Install the package

cd ~
mv simplesamlphp-2.1.3 /var/www/simplesamlphp
chown apache:apache -R /var/www/simplesamlphp/
chmod 775 -R /var/www/simplesamlphp/

These two commands make the entire tree world-readable and writable by the PHP-FPM user (apache). SimpleSAMLphp only needs to write to its cache directory (and to a log directory if file logging is enabled), while config/ and cert/ will hold the admin password, the secret salt and private keys. Once configuration is finished, remove the "other" permission bits from config/ and cert/ and, where possible, keep the code itself owned by root and read-only for apache. Only public/ has to remain readable by the nginx user, which serves its static assets.

2.4 Configure SimpleSAMLphp

2.4.1 Create the virtual server configuration

vim /etc/nginx/conf.d/auth.cmdschool.org_443.conf

Add the following configuration (the alias points at public/ only, so config/, cert/ and the rest of the tree are never reachable through the web server):

server {
    listen 0.0.0.0:443 ssl;
    server_name auth.cmdschool.org;

    ssl_certificate        /etc/pki/tls/certs/auth.cmdschool.org_bundle.crt;
    ssl_certificate_key    /etc/pki/tls/private/auth.cmdschool.org.key;
    ssl_protocols          TLSv1.3 TLSv1.2;
    ssl_ciphers            EECDH+AESGCM:EDH+AESGCM;

    location ^~ /simplesaml {
        alias /var/www/simplesamlphp/public;

        location ~^(?<prefix>/simplesaml)(?<phpfile>.+?\.php)(?<pathinfo>/.*)?$ {
            include          fastcgi_params;
            fastcgi_pass     127.0.0.1:9000;
            fastcgi_param SCRIPT_FILENAME $document_root$phpfile;

            # Must be prepended with the baseurlpath
            fastcgi_param SCRIPT_NAME /simplesaml$phpfile;

            fastcgi_param PATH_INFO $pathinfo if_not_empty;
        }
    }
}

The certificate used here can be requested from Tencent Cloud; see the following page for details, which are not repeated here:
https://cloud.tencent.com/product/ssl
After creating the configuration file, validate it with:

nginx -t

Once the configuration is confirmed valid, reload the service to apply it:

systemctl reload nginx.service

2.4.2 Edit the configuration file

cp /var/www/simplesamlphp/config/config.php.dist /var/www/simplesamlphp/config/config.php
vim /var/www/simplesamlphp/config/config.php

Change the parameters as follows:

$config = [
    #...
    'baseurlpath' => 'simplesaml/',
    'cachedir' => '/var/cache/simplesamlphp',
    'auth.adminpassword' => 'adminpwd',
    'technicalcontact_name' => 'Administrator',
    'technicalcontact_email' => 'will@cmdschool.org',
    'language.default' => 'en',
    'timezone' => 'Asia/Shanghai',
    #...
];

Parameter explanation:
– "baseurlpath" declares the root path of the login site; it must match the nginx location prefix (/simplesaml/ here)
– "cachedir" declares the directory SimpleSAMLphp writes its compiled cache to
– "auth.adminpassword" declares the admin login password; 'adminpwd' is only a placeholder for this walkthrough, so use a strong value in production, preferably stored as a hash generated with bin/pwgen.php rather than in plaintext
– "technicalcontact_name" declares the administrator's name
– "technicalcontact_email" declares the administrator's e-mail address
– "language.default" declares the system's default language
– "timezone" declares the system's default time zone
Because of the cache directory setting above, you need to create that directory and set its permissions:

mkdir -p /var/cache/simplesamlphp
chown apache:apache -R /var/cache/simplesamlphp
chmod 775 -R /var/cache/simplesamlphp

Next, replace the "secretsalt" parameter with a random secret salt, which SimpleSAMLphp uses when generating secure hashes:

SECRET="$(tr -c -d '0123456789abcdefghijklmnopqrstuvwxyz' </dev/urandom | dd bs=32 count=1 2>/dev/null;echo)"
sed -i "s~defaultsecretsalt~$SECRET~g" /var/www/simplesamlphp/config/config.php

After the change, confirm it with:

grep -i "'secretsalt' =>" /var/www/simplesamlphp/config/config.php

You should see output like:

    'secretsalt' => 'nfh3pqdroquhdnhadglu3x89qh0xrr98',
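Since config.php now holds the admin password and the secret salt, it is worth auditing it before going further. The script below is an added example, not part of SimpleSAMLphp or of the original procedure. It reads the config path used above, treats the shipped defaults ('123' for auth.adminpassword, 'defaultsecretsalt', 'na@example.org') and this walkthrough's 'adminpwd' placeholder as findings, expects the salt to be at least the 32 characters the urandom recipe above produces, accepts only a password_hash() style value (what bin/pwgen.php emits) for the admin password, and requires the file to be unreadable to other users.

```sh
#!/bin/sh
# Added example (not part of SimpleSAMLphp or the original article): audit
# config.php for the settings this walkthrough touches that must not reach
# production unchanged. Exit status 1 when any finding is reported.

# ssp_config_value FILE KEY: print the quoted string value of a top-level
# 'KEY' => '...' entry, or nothing when the key is absent or commented out.
ssp_config_value() {
    sed -n "s/^[[:space:]]*'$2'[[:space:]]*=>[[:space:]]*'\([^']*\)'.*/\1/p" "$1" | head -n 1
}

# ssp_audit_config FILE: print one line per finding; return 1 if there are any.
ssp_audit_config() {
    f=$1
    rc=0
    salt=$(ssp_config_value "$f" secretsalt)
    case "$salt" in
        ''|defaultsecretsalt)
            echo "secretsalt: still the shipped default"; rc=1 ;;
        *)  # 32 characters is what the tr/dd recipe in this guide yields
            [ ${#salt} -ge 32 ] || { echo "secretsalt: shorter than 32 characters"; rc=1; } ;;
    esac
    pw=$(ssp_config_value "$f" auth.adminpassword)
    case "$pw" in
        ''|123|adminpwd)
            echo "auth.adminpassword: default or walkthrough placeholder"; rc=1 ;;
        '$2y$'*|'$argon2'*) ;;   # hashed with password_hash(), as bin/pwgen.php produces
        *)  echo "auth.adminpassword: stored in plaintext; hash it with bin/pwgen.php"; rc=1 ;;
    esac
    email=$(ssp_config_value "$f" technicalcontact_email)
    if [ "$email" = "na@example.org" ]; then
        echo "technicalcontact_email: still the shipped default"; rc=1
    fi
    # The file holds secrets: nothing outside owner and group may read it.
    other=$(ls -ld "$f" | cut -c8-10)
    if [ "$other" != "---" ]; then
        echo "$f: accessible to other users (mode ...$other)"; rc=1
    fi
    return $rc
}

# Usage: sh ssp-audit.sh audit [/path/to/config.php]
case "${1-}" in
    audit) ssp_audit_config "${2:-/var/www/simplesamlphp/config/config.php}" ;;
esac
```

The checks are deliberately textual (sed over the PHP array) so the script can run on a host that does not yet have a working PHP; a value set through an expression rather than a quoted literal is reported as missing, which is the safe direction.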

2.4.3 Test the default home page

https://auth.cmdschool.org/simplesaml/index.php
If the page reports the following error:

SimpleSAML\Error\Error: UNHANDLEDEXCEPTION
Backtrace:
2 src/SimpleSAML/Error/ExceptionHandler.php:35 (SimpleSAML\Error\ExceptionHandler::customExceptionHandler)
1 vendor/symfony/error-handler/ErrorHandler.php:541 (Symfony\Component\ErrorHandler\ErrorHandler::handleException)
0 [builtin] (N/A)
Caused by: Symfony\Component\ErrorHandler\Error\ClassNotFoundError: Attempted to load class "AttributeRouteControllerLoader" from namespace "Symfony\Bundle\FrameworkBundle\Routing".
Did you forget a "use" statement for another namespace?
Backtrace:
10 /var/cache/simplesamlphp/core/ContainerA4v0e04/SimpleSAML_KernelProdContainer.php:166 (ContainerA4v0e04\SimpleSAML_KernelProdContainer::getRouting_LoaderService)
9 /var/cache/simplesamlphp/core/ContainerA4v0e04/SimpleSAML_KernelProdContainer.php:153 (ContainerA4v0e04\SimpleSAML_KernelProdContainer::getRouterService)
8 /var/cache/simplesamlphp/core/ContainerA4v0e04/SimpleSAML_KernelProdContainer.php:237 (ContainerA4v0e04\SimpleSAML_KernelProdContainer::getRouterListenerService)
7 /var/cache/simplesamlphp/core/ContainerA4v0e04/getHttpKernelService.php:22 (ContainerA4v0e04\getHttpKernelService::do)
6 /var/cache/simplesamlphp/core/ContainerA4v0e04/SimpleSAML_KernelProdContainer.php:93 (ContainerA4v0e04\SimpleSAML_KernelProdContainer::load)
5 vendor/symfony/dependency-injection/Container.php:215 (Symfony\Component\DependencyInjection\Container::make)
4 vendor/symfony/dependency-injection/Container.php:197 (Symfony\Component\DependencyInjection\Container::get)
3 vendor/symfony/http-kernel/Kernel.php:213 (Symfony\Component\HttpKernel\Kernel::getHttpKernel)
2 vendor/symfony/http-kernel/Kernel.php:202 (Symfony\Component\HttpKernel\Kernel::handle)
1 src/SimpleSAML/Module.php:234 (SimpleSAML\Module::process)
0 public/module.php:17 (N/A)

it can be resolved with the following command (a stale compiled Symfony container left in the cache directory references a class the installed vendor/ tree does not provide; removing it forces a rebuild on the next request, see the issue linked under "Error fix" below):

rm -rf /var/cache/simplesamlphp/core

If the page instead reports the following error:

SimpleSAML\Error\Error: UNHANDLEDEXCEPTION
Backtrace:
1 src/SimpleSAML/Error/ExceptionHandler.php:32 (SimpleSAML\Error\ExceptionHandler::customExceptionHandler)
0 [builtin] (N/A)
Caused by: RuntimeException: Unable to create the "cache" directory (/var/cache/simplesamlphp/core).
Backtrace:
5 vendor/symfony/http-kernel/Kernel.php:626 (Symfony\Component\HttpKernel\Kernel::buildContainer)
4 vendor/symfony/http-kernel/Kernel.php:537 (Symfony\Component\HttpKernel\Kernel::initializeContainer)
3 vendor/symfony/http-kernel/Kernel.php:767 (Symfony\Component\HttpKernel\Kernel::preBoot)
2 vendor/symfony/http-kernel/Kernel.php:190 (Symfony\Component\HttpKernel\Kernel::handle)
1 src/SimpleSAML/Module.php:234 (SimpleSAML\Module::process)
0 public/module.php:17 (N/A)

it can be resolved with the following commands:

mkdir -p /var/cache/simplesamlphp/core
chown apache:apache /var/cache/simplesamlphp/core
chmod 775 /var/cache/simplesamlphp/core

Once the problem is fixed, the welcome page loads.

2.4.4 Test the admin page

https://auth.cmdschool.org/simplesaml/admin/index.php
If the page reports the following error:

SimpleSAML\Error\Error: UNHANDLEDEXCEPTION
Backtrace:
2 src/SimpleSAML/Error/ExceptionHandler.php:35 (SimpleSAML\Error\ExceptionHandler::customExceptionHandler)
1 vendor/symfony/error-handler/ErrorHandler.php:541 (Symfony\Component\ErrorHandler\ErrorHandler::handleException)
0 [builtin] (N/A)
Caused by: Symfony\Component\ErrorHandler\Error\ClassNotFoundError: Attempted to load class "AttributeRouteControllerLoader" from namespace "Symfony\Bundle\FrameworkBundle\Routing".
Did you forget a "use" statement for another namespace?
Backtrace:
10 /var/cache/simplesamlphp/admin/ContainerEA4pbkX/SimpleSAML_KernelProdContainer.php:166 (ContainerEA4pbkX\SimpleSAML_KernelProdContainer::getRouting_LoaderService)
9 /var/cache/simplesamlphp/admin/ContainerEA4pbkX/SimpleSAML_KernelProdContainer.php:153 (ContainerEA4pbkX\SimpleSAML_KernelProdContainer::getRouterService)
8 /var/cache/simplesamlphp/admin/ContainerEA4pbkX/SimpleSAML_KernelProdContainer.php:237 (ContainerEA4pbkX\SimpleSAML_KernelProdContainer::getRouterListenerService)
7 /var/cache/simplesamlphp/admin/ContainerEA4pbkX/getHttpKernelService.php:22 (ContainerEA4pbkX\getHttpKernelService::do)
6 /var/cache/simplesamlphp/admin/ContainerEA4pbkX/SimpleSAML_KernelProdContainer.php:93 (ContainerEA4pbkX\SimpleSAML_KernelProdContainer::load)
5 vendor/symfony/dependency-injection/Container.php:215 (Symfony\Component\DependencyInjection\Container::make)
4 vendor/symfony/dependency-injection/Container.php:197 (Symfony\Component\DependencyInjection\Container::get)
3 vendor/symfony/http-kernel/Kernel.php:213 (Symfony\Component\HttpKernel\Kernel::getHttpKernel)
2 vendor/symfony/http-kernel/Kernel.php:202 (Symfony\Component\HttpKernel\Kernel::handle)
1 src/SimpleSAML/Module.php:234 (SimpleSAML\Module::process)
0 public/module.php:17 (N/A)

it can be resolved with the following command (same cause as for the core cache above):

rm -rf /var/cache/simplesamlphp/admin

If the page instead reports the following error:

SimpleSAML\Error\Error: UNHANDLEDEXCEPTION
Backtrace:
1 src/SimpleSAML/Error/ExceptionHandler.php:32 (SimpleSAML\Error\ExceptionHandler::customExceptionHandler)
0 [builtin] (N/A)
Caused by: RuntimeException: Unable to create the "cache" directory (/var/cache/simplesamlphp/admin).
Backtrace:
5 vendor/symfony/http-kernel/Kernel.php:598 (Symfony\Component\HttpKernel\Kernel::buildContainer)
4 vendor/symfony/http-kernel/Kernel.php:505 (Symfony\Component\HttpKernel\Kernel::initializeContainer)
3 vendor/symfony/http-kernel/Kernel.php:763 (Symfony\Component\HttpKernel\Kernel::preBoot)
2 vendor/symfony/http-kernel/Kernel.php:185 (Symfony\Component\HttpKernel\Kernel::handle)
1 src/SimpleSAML/Module.php:234 (SimpleSAML\Module::process)
0 public/module.php:17 (N/A)

it can be resolved with the following commands:

mkdir -p /var/cache/simplesamlphp/admin
chown apache:apache /var/cache/simplesamlphp/admin
chmod 775 /var/cache/simplesamlphp/admin
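The four fixes above (clear a stale cache, create a missing one, first for core and then for admin) are the same two operations applied to two directories. The script below is an added example, not part of SimpleSAMLphp or the original article, that does both in one idempotent step; it assumes the cachedir configured earlier and the PHP-FPM user chosen at build time (apache), both passed as parameters.

```sh
#!/bin/sh
# Added example (not part of SimpleSAMLphp or the original article): reset the
# SimpleSAMLphp cache layout the two errors above complain about, for both the
# core and the admin module, in one idempotent step.

# ssp_reset_cache DIR [OWNER]: remove DIR/core and DIR/admin together with any
# compiled Symfony container inside them (a stale one is what raises the
# ClassNotFoundError), recreate them, and hand them to OWNER when run as root.
ssp_reset_cache() {
    _dir=$1
    _owner=${2:-apache}
    for _sub in core admin; do
        rm -rf "$_dir/$_sub"
        mkdir -p "$_dir/$_sub"
    done
    # 770 rather than 775: only the PHP-FPM user (and its group) ever touch
    # the cache, so there is no reason for other users to read it.
    chmod 770 "$_dir" "$_dir/core" "$_dir/admin"
    if [ "$(id -u)" -eq 0 ] && id "$_owner" >/dev/null 2>&1; then
        chown -R "$_owner:$_owner" "$_dir"
    fi
}

# ssp_cache_ok DIR: succeed when both subdirectories exist, are writable by
# the caller, and are not reachable by "other" users.
ssp_cache_ok() {
    for _sub in core admin; do
        [ -d "$1/$_sub" ] && [ -w "$1/$_sub" ] || return 1
        [ "$(ls -ld "$1/$_sub" | cut -c8-10)" = "---" ] || return 1
    done
    return 0
}

# Usage: sh ssp-cache.sh reset /var/cache/simplesamlphp apache
case "${1-}" in
    reset) ssp_reset_cache "${2:-/var/cache/simplesamlphp}" "${3:-apache}" ;;
esac
```

Run it as root after every SimpleSAMLphp upgrade as well: the compiled container is tied to the vendor/ tree it was built from, which is exactly the mismatch the error above shows.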

If the page instead reports the following error:

SimpleSAML\Error\ConfigurationError: The configuration (config/authsources.php) is invalid: Missing configuration file
Backtrace:
9 src/SimpleSAML/Configuration.php:195 (SimpleSAML\Configuration::loadFromFile)
8 src/SimpleSAML/Configuration.php:285 (SimpleSAML\Configuration::getConfig)
7 src/SimpleSAML/Auth/Source.php:343 (SimpleSAML\Auth\Source::getById)
6 src/SimpleSAML/Utils/Auth.php:62 (SimpleSAML\Utils\Auth::requireAdmin)
5 modules/admin/src/Controller/Config.php:120 (SimpleSAML\Module\admin\Controller\Config::main)
4 vendor/symfony/http-kernel/HttpKernel.php:181 (Symfony\Component\HttpKernel\HttpKernel::handleRaw)
3 vendor/symfony/http-kernel/HttpKernel.php:76 (Symfony\Component\HttpKernel\HttpKernel::handle)
2 vendor/symfony/http-kernel/Kernel.php:197 (Symfony\Component\HttpKernel\Kernel::handle)
1 src/SimpleSAML/Module.php:234 (SimpleSAML\Module::process)
0 public/module.php:17 (N/A)

it can be resolved with the following command:

cp /var/www/simplesamlphp/config/authsources.php.dist /var/www/simplesamlphp/config/authsources.php

Once the problem is fixed, the admin login page loads.

Log in with the following:
admin username: admin
admin password: adminpwd
If, after logging in, you see the following error:

SimpleSAML\Error\Error: UNHANDLEDEXCEPTION
Backtrace:
2 src/SimpleSAML/Error/ExceptionHandler.php:32 (SimpleSAML\Error\ExceptionHandler::customExceptionHandler)
1 vendor/symfony/error-handler/ErrorHandler.php:541 (Symfony\Component\ErrorHandler\ErrorHandler::handleException)
0 [builtin] (N/A)
Caused by: SimpleSAML\Assert\AssertionFailedException: Please set a valid and unique SP entityID
Backtrace:
10 vendor/simplesamlphp/assert/src/Assert.php:364 (SimpleSAML\Assert\Assert::__callStatic)
9 modules/saml/src/Auth/Source/SP.php:106 (SimpleSAML\Module\saml\Auth\Source\SP::__construct)
8 src/SimpleSAML/Auth/Source.php:314 (SimpleSAML\Auth\Source::parseAuthSource)
7 src/SimpleSAML/Auth/Source.php:75 (SimpleSAML\Auth\Source::getSourcesOfType)
6 modules/admin/src/Controller/Federation.php:336 (SimpleSAML\Module\admin\Controller\Federation::getHostedSP)
5 modules/admin/src/Controller/Federation.php:117 (SimpleSAML\Module\admin\Controller\Federation::main)
4 vendor/symfony/http-kernel/HttpKernel.php:163 (Symfony\Component\HttpKernel\HttpKernel::handleRaw)
3 vendor/symfony/http-kernel/HttpKernel.php:75 (Symfony\Component\HttpKernel\HttpKernel::handle)
2 vendor/symfony/http-kernel/Kernel.php:202 (Symfony\Component\HttpKernel\Kernel::handle)
1 src/SimpleSAML/Module.php:234 (SimpleSAML\Module::process)
0 public/module.php:17 (N/A)

The hosted SP entry in authsources.php.dist has no entityID set. Giving the placeholder "default-sp" entry a unique entityID avoids the error above; it does not have to point at a real application yet, but it should be a URL under your control that is unique within the federation:

vim /var/www/simplesamlphp/config/authsources.php

Change the configuration as follows:

    'default-sp' => [
        'saml:SP',
        'entityID' => 'https://myapp.cmdschool.org/',
        'idp' => null,
        'discoURL' => null,
        'proxymode.passAuthnContextClassRef' => false,
    ],

References
==================
SimpleSAMLphp official installation guide
————
https://simplesamlphp.org/docs/stable/simplesamlphp-install.html

SimpleSAMLphp official home page
—————–
https://simplesamlphp.org/

SimpleSAMLphp official GitHub
—————–
https://github.com/simplesamlphp/simplesamlphp

SimpleSAMLphp documentation
—————–
https://simplesamlphp.org/docs/stable/index.html

The concept of assertions
—————–
https://baike.baidu.com/item/%E6%96%AD%E8%A8%80/13021995?fr=aladdin

The concept of SAML
————-
https://en.wikipedia.org/wiki/Security_Assertion_Markup_Language

Error fix
———–
https://github.com/simplesamlphp/simplesamlphp/issues/2133
