1 Basics
1.1 Basic concept of assertions
1.1.1 Introduction to assertions
– The Chinese term 断言 is the translation of the English word "assertion"
– An assertion is a concept from computer programming
– The purpose of an assertion is to verify that the software runs to the result the developer expects
– When execution reaches an assertion, the asserted condition must be true; otherwise the program aborts and reports an error
– Assertions help programmers write more stable, higher-quality code
Example:
x = 1; assert x > 0; x++; assert x > 1;
1.1.2 Forms of assertion
assert Expression1
assert Expression1 : Expression2
Explanation:
The expression "Expression1" is a boolean value
The expression "Expression2" is the failure message output when the assertion fails (i.e. when "Expression1" is false, the message "Expression2" is output)
1.2 SAML
1.2.1 Introduction to SAML
– SAML is the abbreviation of Security Assertion Markup Language
– SAML is an open standard for exchanging authentication and authorization data
– SAML is particularly suited to exchanging authentication and authorization data between an identity provider and a service provider
– SAML is an XML-based security assertion format
1.2.2 How SAML works
– The principal (usually a human user) requests a service from the service provider
– The identity provider (IdP): the service provider requests and obtains an authentication assertion from the identity provider
– The service provider (SP): the service provider decides, based on the identity provider's assertion, whether to provide the service to the principal
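The SP's decision in the last step rests on checks it runs over the assertion it received. The following is an added example written for this page, not SimpleSAMLphp code: it parses a constructed, unsigned SAML 2.0 assertion with the standard library and applies the "conditions" half of an SP's validation (trusted issuer, audience restriction, validity window, presence of a subject). A real SP such as SimpleSAMLphp first verifies the XML signature against the certificate in the IdP's metadata; that step is deliberately left out here. The IdP entityID path and the user name are assumptions; the SP entityID is the one used later in this post.

```python
"""Illustrative SP-side condition checks on a SAML 2.0 assertion.

Added example, not SimpleSAMLphp code. Signature verification (which a real SP
performs first, against the IdP metadata certificate) is omitted; only the
issuer / audience / time-window / subject checks are shown.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}

# Assumed identifiers: the IdP entityID path below is hypothetical.
TRUSTED_IDP = "https://auth.cmdschool.org/simplesaml/saml2/idp/metadata.php"
SP_ENTITY_ID = "https://myapp.cmdschool.org/"

# Constructed sample assertion (unsigned, for illustration only).
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML}" ID="_c0ffee" Version="2.0"
    IssueInstant="2024-08-06T02:00:00Z">
  <saml:Issuer>{TRUSTED_IDP}</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">will</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-08-06T02:00:00Z" NotOnOrAfter="2024-08-06T02:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>{SP_ENTITY_ID}</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def _utc(stamp):
    """Parse a SAML UTC timestamp such as 2024-08-06T02:00:00Z."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, trusted_idp, sp_entity_id, now):
    """Return (accepted, reason, name_id) for the assertion in xml_text."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML}}}Assertion":
        return False, "not a saml:Assertion", None
    # Only assertions from the IdP we federated with are acceptable.
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != trusted_idp:
        return False, "untrusted issuer", None
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return False, "missing Conditions", None
    # Validity window: NotBefore is inclusive, NotOnOrAfter is exclusive.
    not_before = cond.get("NotBefore")
    not_on_or_after = cond.get("NotOnOrAfter")
    if not_before is not None and now < _utc(not_before):
        return False, "not yet valid", None
    if not_on_or_after is None or now >= _utc(not_on_or_after):
        return False, "expired or unbounded", None
    # The assertion must name this SP as its audience, or it was minted for someone else.
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        return False, "audience mismatch", None
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        return False, "missing Subject/NameID", None
    return True, "ok", name_id


def demo():
    """Run the checks on the sample at a valid instant and in three failure cases."""
    valid_at = datetime(2024, 8, 6, 2, 1, tzinfo=timezone.utc)
    late = datetime(2024, 8, 6, 2, 5, tzinfo=timezone.utc)  # equals NotOnOrAfter
    foreign = SAMPLE_ASSERTION.replace(SP_ENTITY_ID, "https://other.example/")
    return {
        "fresh": validate_assertion(SAMPLE_ASSERTION, TRUSTED_IDP, SP_ENTITY_ID, valid_at),
        "expired": validate_assertion(SAMPLE_ASSERTION, TRUSTED_IDP, SP_ENTITY_ID, late),
        "wrong_audience": validate_assertion(foreign, TRUSTED_IDP, SP_ENTITY_ID, valid_at),
        "wrong_issuer": validate_assertion(SAMPLE_ASSERTION, "https://rogue.example/idp",
                                           SP_ENTITY_ID, valid_at),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:15} -> {result}")
```

The order of the checks matters less than their completeness: an assertion that is signed correctly but addressed to a different audience, or replayed after NotOnOrAfter, must still be rejected, which is why the SP, not the IdP, is the party that makes the final decision in the flow above.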
1.2.3 SAML use cases
– SSO (web browser single sign-on)
1.3 SimpleSAMLphp
1.3.1 Overview of SimpleSAMLphp
SimpleSAMLphp is written in PHP
SimpleSAMLphp is used to handle authentication
1.3.2 Functions of SimpleSAMLphp
– Act as a service provider (SP) based on SAML 2.0
– Act as an identity provider (IdP) based on SAML 2.0
1.3.3 Identity protocols and frameworks supported by SimpleSAMLphp
– A-Select
– CAS
– OpenID
– WS-Federation
– OAuth
1.3.4 Modules supported by SimpleSAMLphp
See the following link for details:
https://simplesamlphp.org/modules/
1.3.5 Runtime environment
– PHP 8.1.0 or later
– Required extensions: date, dom, fileinfo, filter, hash, json, libxml, mbstring, openssl, pcre, session, simplexml, sodium, SPL and zlib
– Optional extensions: posix, intl, cURL, ldap, radius, session, memcache, predis (redis)
– Database extensions: pdo, mysql, pgsql, etc.
Based on the above, you may need to pre-install the following extensions:
mbstring, openssl, simplexml, sodium, zlib, intl, cURL, ldap, radius, memcache, predis
2 Best practice
2.1 System environment
2.1.1 Environment information
OS = RHEL 8.x x86_64
IP Address = any
Host Name = simplesamlphp.cmdschool.org
2.1.2 Update the system
dnf update -y
2.1 Deploy the PHP environment
2.1.1 Deploy the PHP environment
Based on actual test results, some modules need to be compiled into PHP in advance rather than loaded as plugins. The following configure parameters are for reference:
cd ~/php-8.2.16
./configure --bindir=/usr/bin/ \
    --sbindir=/usr/sbin/ \
    --sysconfdir=/etc/ \
    --libdir=/usr/lib64/ \
    --mandir=/usr/share/man/ \
    --includedir=/usr/include/ \
    --with-config-file-path=/etc/php.ini \
    --with-config-file-scan-dir=/etc/php.d/ \
    --with-fpm-user=apache \
    --with-fpm-group=apache \
    --enable-fpm \
    --with-fpm-systemd \
    --with-libdir=lib64 \
    --enable-zts \
    --enable-static \
    --enable-shared \
    --with-mysqli \
    --enable-mysqlnd \
    --with-pdo-mysql \
    --with-zlib \
    --with-zip \
    --with-openssl \
    --with-curl \
    --enable-exif \
    --enable-mbstring \
    --enable-gd \
    --enable-sockets \
    --with-sodium \
    --enable-intl \
    --with-ldap
If you see the following error:
configure: error: Package requirements (oniguruma) were not met: Package 'oniguruma', required by 'virtual:world', not found
If you see the following error:
configure: error: Package requirements (libsodium >= 1.0.8) were not met: Package 'libsodium', required by 'virtual:world', not found
Resolve the dependency with the following command:
dnf install -y libsodium-devel
If you see the following error:
configure: error: Package requirements (icu-uc >= 50.1 icu-io icu-i18n) were not met: Package 'icu-uc', required by 'virtual:world', not found Package 'icu-io', required by 'virtual:world', not found Package 'icu-i18n', required by 'virtual:world', not found
Resolve the dependency with the following command:
dnf install -y libicu-devel
If you see the following error:
configure: error: Package requirements (libcurl >= 7.29.0) were not met: Package 'libcurl', required by 'virtual:world', not found
Resolve the dependency with the following command:
dnf install -y libcurl-devel
If you see the following error:
configure: error: Cannot find ldap.h
Resolve the dependency with the following command:
dnf install -y openldap-devel
If you see the following error:
configure: error: Cannot find ldap libraries in /usr/lib.
Resolve the dependency with the following command:
ln -s /usr/lib64/libldap.so /usr/lib/
2.1.2 Check which modules are installed
php -m
A quicker way is to use the following command:
php -m | grep -i date
2.2 Install Nginx
2.2.1 Configure the installation repository
vim /etc/yum.repos.d/nginx.repo
Add the following configuration:
[nginx]
name=nginx
baseurl=http://nginx.org/packages/rhel/9/x86_64/
enabled=1
gpgcheck=0
Note that gpgcheck=0 disables package signature verification for this repository; nginx publishes its repository signing key at https://nginx.org/keys/nginx_signing.key if you prefer to import it and enable the check.
2.2.2 Install the package
dnf install -y nginx
2.3 Deploy SimpleSAMLphp
2.3.1 Download the package
cd ~
wget -O simplesamlphp-2.1.3-full.tar.gz 'https://objects.githubusercontent.com/github-production-release-asset-2e65be/17167136/8989f3f0-86ac-497a-9c4c-e813880d27cc?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20240806%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240806T021225Z&X-Amz-Expires=300&X-Amz-Signature=e5ef1510cddc6491b79ee4c2c79cbc5923ed7dc9e9ddd80902aa3eda2d9afeec&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=17167136&response-content-disposition=attachment%3B%20filename%3Dsimplesamlphp-2.1.3-full.tar.gz&response-content-type=application%2Foctet-stream'
The signed URL above is only a demonstration (and must be quoted, since it contains "&"); if it cannot be downloaded, use a browser to download from the following links:
https://github.com/simplesamlphp/simplesamlphp/releases
https://simplesamlphp.org/download/
2.3.2 Extract the package
cd ~
tar -xf simplesamlphp-2.1.3-full.tar.gz
2.3.3 Deploy the package
cd ~
mv simplesamlphp-2.1.3 /var/www/simplesamlphp
chown apache:apache -R /var/www/simplesamlphp/
chmod 775 -R /var/www/simplesamlphp/
2.4 Configure SimpleSAMLphp
2.4.1 Create the virtual server configuration
vim /etc/nginx/conf.d/auth.cmdschool.org_443.conf
Add the following configuration (the named capture groups prefix, phpfile and pathinfo are required, because the fastcgi_param lines below reference $phpfile and $pathinfo):
server {
    listen 0.0.0.0:443 ssl;
    server_name auth.cmdschool.org;
    ssl_certificate /etc/pki/tls/certs/auth.cmdschool.org_bundle.crt;
    ssl_certificate_key /etc/pki/tls/private/auth.cmdschool.org.key;
    ssl_protocols TLSv1.3 TLSv1.2;
    ssl_ciphers EECDH+AESGCM:EDH+AESGCM;

    location ^~ /simplesaml {
        alias /var/www/simplesamlphp/public;

        location ~^(?<prefix>/simplesaml)(?<phpfile>.+?\.php)(?<pathinfo>/.*)?$ {
            include fastcgi_params;
            fastcgi_pass 127.0.0.1:9000;
            fastcgi_param SCRIPT_FILENAME $document_root$phpfile;
            # Must be prepended with the baseurlpath
            fastcgi_param SCRIPT_NAME /simplesaml$phpfile;
            fastcgi_param PATH_INFO $pathinfo if_not_empty;
        }
    }
}
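To see what the inner location block actually hands to PHP-FPM, the following added example (not part of the original post, nor nginx or SimpleSAMLphp code) reproduces the regex in Python and derives SCRIPT_FILENAME, SCRIPT_NAME and PATH_INFO for a few request URIs. Python's re spells named groups as (?P<name>...) where nginx/PCRE also accepts (?<name>...); the pattern is otherwise identical to the one in the configuration. The alias and baseurlpath values are the ones used in this post.

```python
"""How the nginx location regex splits a SimpleSAMLphp request URI.

Added example, not part of the original post. Python's re uses (?P<name>...)
for the named groups that nginx/PCRE writes as (?<name>...).
"""
import re

ALIAS = "/var/www/simplesamlphp/public"  # the `alias` in the location block
BASEURLPATH = "/simplesaml"              # must match 'baseurlpath' in config.php

# Same pattern as the vhost: prefix, the first *.php segment, then optional PATH_INFO.
PHP_LOCATION = re.compile(
    r"^(?P<prefix>/simplesaml)(?P<phpfile>.+?\.php)(?P<pathinfo>/.*)?$"
)


def route(uri):
    """Return the FastCGI parameters nginx would set for `uri`, or None when the
    inner location does not match (nginx then serves the URI as a static file
    from the alias directory instead of passing it to PHP-FPM)."""
    m = PHP_LOCATION.match(uri)
    if m is None:
        return None
    params = {
        # $document_root is the alias value inside an alias location
        "SCRIPT_FILENAME": ALIAS + m.group("phpfile"),
        # "Must be prepended with the baseurlpath"
        "SCRIPT_NAME": BASEURLPATH + m.group("phpfile"),
    }
    # `if_not_empty`: PATH_INFO is only sent when the group captured something.
    if m.group("pathinfo"):
        params["PATH_INFO"] = m.group("pathinfo")
    return params


if __name__ == "__main__":
    for uri in ("/simplesaml/module.php/admin/",
                "/simplesaml/index.php",
                "/simplesaml/assets/base.css",
                "/simplesaml/upload.php.txt"):
        print(f"{uri:35} -> {route(uri)}")
```

Two points worth noticing: the lazy `.+?` stops at the first `.php` segment, so everything after it becomes PATH_INFO rather than part of the script path, and because the pattern is anchored with `$`, a name such as `upload.php.txt` never reaches PHP-FPM and is served as a plain file.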
The certificate used by the application can be requested from Tencent Cloud; see the following page for details, which are not repeated here:
https://cloud.tencent.com/product/ssl
After creating the configuration file, validate it with the following command:
nginx -t
Once the configuration is confirmed valid, reload the service so that it takes effect:
systemctl reload nginx.service
2.4.2 Modify the configuration file
cp /var/www/simplesamlphp/config/config.php.dist /var/www/simplesamlphp/config/config.php
vim /var/www/simplesamlphp/config/config.php
Change the parameters as follows:
$config = [
    #...
    'baseurlpath' => 'simplesaml/',
    'cachedir' => '/var/cache/simplesamlphp',
    'auth.adminpassword' => 'adminpwd',
    'technicalcontact_name' => 'Administrator',
    'technicalcontact_email' => 'will@cmdschool.org',
    'language.default' => 'en',
    'timezone' => 'Asia/Shanghai',
    #...
];
Parameter explanation:
– "baseurlpath" declares the root path of the login site
– "cachedir" declares the cache directory
– "auth.adminpassword" declares the administrator login password
– "technicalcontact_name" declares the administrator's name
– "technicalcontact_email" declares the administrator's email address
– "language.default" declares the system's default language
– "timezone" declares the system's default time zone
Because of the cache directory set above, you need to create it and configure its permissions:
mkdir -p /var/cache/simplesamlphp
chown apache:apache -R /var/cache/simplesamlphp
chmod 775 -R /var/cache/simplesamlphp
Next, use the following commands to replace the "secret salt" of the "secretsalt" parameter so that secure hashes are generated from a random value:
SECRET="$(tr -c -d '0123456789abcdefghijklmnopqrstuvwxyz' </dev/urandom | dd bs=32 count=1 2>/dev/null;echo)"
sed -i "s~defaultsecretsalt~$SECRET~g" /var/www/simplesamlphp/config/config.php
After the change, confirm it with the following command:
grep -i "'secretsalt' =>" /var/www/simplesamlphp/config/config.php
You should see output like the following:
'secretsalt' => 'nfh3pqdroquhdnhadglu3x89qh0xrr98',
2.4.3 Test the default home page
https://auth.cmdschool.org/simplesaml/index.php
If the page shows the following error when you visit it:
SimpleSAML\Error\Error: UNHANDLEDEXCEPTION Backtrace: 2 src/SimpleSAML/Error/ExceptionHandler.php:35 (SimpleSAML\Error\ExceptionHandler::customExceptionHandler) 1 vendor/symfony/error-handler/ErrorHandler.php:541 (Symfony\Component\ErrorHandler\ErrorHandler::handleException) 0 [builtin] (N/A) Caused by: Symfony\Component\ErrorHandler\Error\ClassNotFoundError: Attempted to load class "AttributeRouteControllerLoader" from namespace "Symfony\Bundle\FrameworkBundle\Routing". Did you forget a "use" statement for another namespace? Backtrace: 10 /var/cache/simplesamlphp/core/ContainerA4v0e04/SimpleSAML_KernelProdContainer.php:166 (ContainerA4v0e04\SimpleSAML_KernelProdContainer::getRouting_LoaderService) 9 /var/cache/simplesamlphp/core/ContainerA4v0e04/SimpleSAML_KernelProdContainer.php:153 (ContainerA4v0e04\SimpleSAML_KernelProdContainer::getRouterService) 8 /var/cache/simplesamlphp/core/ContainerA4v0e04/SimpleSAML_KernelProdContainer.php:237 (ContainerA4v0e04\SimpleSAML_KernelProdContainer::getRouterListenerService) 7 /var/cache/simplesamlphp/core/ContainerA4v0e04/getHttpKernelService.php:22 (ContainerA4v0e04\getHttpKernelService::do) 6 /var/cache/simplesamlphp/core/ContainerA4v0e04/SimpleSAML_KernelProdContainer.php:93 (ContainerA4v0e04\SimpleSAML_KernelProdContainer::load) 5 vendor/symfony/dependency-injection/Container.php:215 (Symfony\Component\DependencyInjection\Container::make) 4 vendor/symfony/dependency-injection/Container.php:197 (Symfony\Component\DependencyInjection\Container::get) 3 vendor/symfony/http-kernel/Kernel.php:213 (Symfony\Component\HttpKernel\Kernel::getHttpKernel) 2 vendor/symfony/http-kernel/Kernel.php:202 (Symfony\Component\HttpKernel\Kernel::handle) 1 src/SimpleSAML/Module.php:234 (SimpleSAML\Module::process) 0 public/module.php:17 (N/A)
Fix it with the following command:
rm -rf /var/cache/simplesamlphp/core
If the page shows the following error when you visit it:
SimpleSAML\Error\Error: UNHANDLEDEXCEPTION Backtrace: 1 src/SimpleSAML/Error/ExceptionHandler.php:32 (SimpleSAML\Error\ExceptionHandler::customExceptionHandler) 0 [builtin] (N/A) Caused by: RuntimeException: Unable to create the "cache" directory (/var/cache/simplesamlphp/core). Backtrace: 5 vendor/symfony/http-kernel/Kernel.php:626 (Symfony\Component\HttpKernel\Kernel::buildContainer) 4 vendor/symfony/http-kernel/Kernel.php:537 (Symfony\Component\HttpKernel\Kernel::initializeContainer) 3 vendor/symfony/http-kernel/Kernel.php:767 (Symfony\Component\HttpKernel\Kernel::preBoot) 2 vendor/symfony/http-kernel/Kernel.php:190 (Symfony\Component\HttpKernel\Kernel::handle) 1 src/SimpleSAML/Module.php:234 (SimpleSAML\Module::process) 0 public/module.php:17 (N/A)
Fix it with the following commands:
mkdir -p /var/cache/simplesamlphp/core
chown apache:apache /var/cache/simplesamlphp/core
chmod 775 /var/cache/simplesamlphp/core
Once the problem is resolved, you should see the default home page.
2.4.4 Test the admin page
https://auth.cmdschool.org/simplesaml/admin/index.php
If the page shows the following error when you visit it:
SimpleSAML\Error\Error: UNHANDLEDEXCEPTION Backtrace: 2 src/SimpleSAML/Error/ExceptionHandler.php:35 (SimpleSAML\Error\ExceptionHandler::customExceptionHandler) 1 vendor/symfony/error-handler/ErrorHandler.php:541 (Symfony\Component\ErrorHandler\ErrorHandler::handleException) 0 [builtin] (N/A) Caused by: Symfony\Component\ErrorHandler\Error\ClassNotFoundError: Attempted to load class "AttributeRouteControllerLoader" from namespace "Symfony\Bundle\FrameworkBundle\Routing". Did you forget a "use" statement for another namespace? Backtrace: 10 /var/cache/simplesamlphp/admin/ContainerEA4pbkX/SimpleSAML_KernelProdContainer.php:166 (ContainerEA4pbkX\SimpleSAML_KernelProdContainer::getRouting_LoaderService) 9 /var/cache/simplesamlphp/admin/ContainerEA4pbkX/SimpleSAML_KernelProdContainer.php:153 (ContainerEA4pbkX\SimpleSAML_KernelProdContainer::getRouterService) 8 /var/cache/simplesamlphp/admin/ContainerEA4pbkX/SimpleSAML_KernelProdContainer.php:237 (ContainerEA4pbkX\SimpleSAML_KernelProdContainer::getRouterListenerService) 7 /var/cache/simplesamlphp/admin/ContainerEA4pbkX/getHttpKernelService.php:22 (ContainerEA4pbkX\getHttpKernelService::do) 6 /var/cache/simplesamlphp/admin/ContainerEA4pbkX/SimpleSAML_KernelProdContainer.php:93 (ContainerEA4pbkX\SimpleSAML_KernelProdContainer::load) 5 vendor/symfony/dependency-injection/Container.php:215 (Symfony\Component\DependencyInjection\Container::make) 4 vendor/symfony/dependency-injection/Container.php:197 (Symfony\Component\DependencyInjection\Container::get) 3 vendor/symfony/http-kernel/Kernel.php:213 (Symfony\Component\HttpKernel\Kernel::getHttpKernel) 2 vendor/symfony/http-kernel/Kernel.php:202 (Symfony\Component\HttpKernel\Kernel::handle) 1 src/SimpleSAML/Module.php:234 (SimpleSAML\Module::process) 0 public/module.php:17 (N/A)
Fix it with the following command:
rm -rf /var/cache/simplesamlphp/admin
If the page shows the following error when you visit it:
SimpleSAML\Error\Error: UNHANDLEDEXCEPTION Backtrace: 1 src/SimpleSAML/Error/ExceptionHandler.php:32 (SimpleSAML\Error\ExceptionHandler::customExceptionHandler) 0 [builtin] (N/A) Caused by: RuntimeException: Unable to create the "cache" directory (/var/cache/simplesamlphp/admin). Backtrace: 5 vendor/symfony/http-kernel/Kernel.php:598 (Symfony\Component\HttpKernel\Kernel::buildContainer) 4 vendor/symfony/http-kernel/Kernel.php:505 (Symfony\Component\HttpKernel\Kernel::initializeContainer) 3 vendor/symfony/http-kernel/Kernel.php:763 (Symfony\Component\HttpKernel\Kernel::preBoot) 2 vendor/symfony/http-kernel/Kernel.php:185 (Symfony\Component\HttpKernel\Kernel::handle) 1 src/SimpleSAML/Module.php:234 (SimpleSAML\Module::process) 0 public/module.php:17 (N/A)
Fix it with the following commands:
mkdir -p /var/cache/simplesamlphp/admin
chown apache:apache /var/cache/simplesamlphp/admin
chmod 775 /var/cache/simplesamlphp/admin
If the page shows the following error when you visit it:
SimpleSAML\Error\ConfigurationError: The configuration (config/authsources.php) is invalid: Missing configuration file Backtrace: 9 src/SimpleSAML/Configuration.php:195 (SimpleSAML\Configuration::loadFromFile) 8 src/SimpleSAML/Configuration.php:285 (SimpleSAML\Configuration::getConfig) 7 src/SimpleSAML/Auth/Source.php:343 (SimpleSAML\Auth\Source::getById) 6 src/SimpleSAML/Utils/Auth.php:62 (SimpleSAML\Utils\Auth::requireAdmin) 5 modules/admin/src/Controller/Config.php:120 (SimpleSAML\Module\admin\Controller\Config::main) 4 vendor/symfony/http-kernel/HttpKernel.php:181 (Symfony\Component\HttpKernel\HttpKernel::handleRaw) 3 vendor/symfony/http-kernel/HttpKernel.php:76 (Symfony\Component\HttpKernel\HttpKernel::handle) 2 vendor/symfony/http-kernel/Kernel.php:197 (Symfony\Component\HttpKernel\Kernel::handle) 1 src/SimpleSAML/Module.php:234 (SimpleSAML\Module::process) 0 public/module.php:17 (N/A)
Fix it with the following command:
cp /var/www/simplesamlphp/config/authsources.php.dist /var/www/simplesamlphp/config/authsources.php
Once the problem is resolved, you should see the admin login page.
The login details are as follows:
admin username: admin
admin password: adminpwd
If, after logging in, you see the following error:
SimpleSAML\Error\Error: UNHANDLEDEXCEPTION Backtrace: 2 src/SimpleSAML/Error/ExceptionHandler.php:32 (SimpleSAML\Error\ExceptionHandler::customExceptionHandler) 1 vendor/symfony/error-handler/ErrorHandler.php:541 (Symfony\Component\ErrorHandler\ErrorHandler::handleException) 0 [builtin] (N/A) Caused by: SimpleSAML\Assert\AssertionFailedException: Please set a valid and unique SP entityID Backtrace: 10 vendor/simplesamlphp/assert/src/Assert.php:364 (SimpleSAML\Assert\Assert::__callStatic) 9 modules/saml/src/Auth/Source/SP.php:106 (SimpleSAML\Module\saml\Auth\Source\SP::__construct) 8 src/SimpleSAML/Auth/Source.php:314 (SimpleSAML\Auth\Source::parseAuthSource) 7 src/SimpleSAML/Auth/Source.php:75 (SimpleSAML\Auth\Source::getSourcesOfType) 6 modules/admin/src/Controller/Federation.php:336 (SimpleSAML\Module\admin\Controller\Federation::getHostedSP) 5 modules/admin/src/Controller/Federation.php:117 (SimpleSAML\Module\admin\Controller\Federation::main) 4 vendor/symfony/http-kernel/HttpKernel.php:163 (Symfony\Component\HttpKernel\HttpKernel::handleRaw) 3 vendor/symfony/http-kernel/HttpKernel.php:75 (Symfony\Component\HttpKernel\HttpKernel::handle) 2 vendor/symfony/http-kernel/Kernel.php:202 (Symfony\Component\HttpKernel\Kernel::handle) 1 src/SimpleSAML/Module.php:234 (SimpleSAML\Module::process) 0 public/module.php:17 (N/A)
You only need to prepare a placeholder service provider entry, without pointing it at a real application for now, to avoid the error above:
vim /var/www/simplesamlphp/config/authsources.php
Change the configuration as follows:
'default-sp' => [
    'saml:SP',
    'entityID' => 'https://myapp.cmdschool.org/',
    'idp' => null,
    'discoURL' => null,
    'proxymode.passAuthnContextClassRef' => false,
],
References
SimpleSAMLphp official installation guide
https://simplesamlphp.org/docs/stable/simplesamlphp-install.html
SimpleSAMLphp official home page
https://simplesamlphp.org/
SimpleSAMLphp official GitHub
https://github.com/simplesamlphp/simplesamlphp
SimpleSAMLphp documentation
https://simplesamlphp.org/docs/stable/index.html
The concept of assertions
https://en.wikipedia.org/wiki/Security_Assertion_Markup_Language
https://baike.baidu.com/item/%E6%96%AD%E8%A8%80/13021995?fr=aladdin
The concept of SAML
https://en.wikipedia.org/wiki/Security_Assertion_Markup_Language
Bug fix
https://github.com/simplesamlphp/simplesamlphp/issues/2133