Information for: DEVELOPERS   PARTNERS   SUPPORT

Configuring authentication sources for SimpleSAMLphp

The information on this documentation page is part of the SimpleSAMLphp installation process.

After creating the acquia_config.php file, you must provide information about your service provider (SP) and identity provider (IdP) to SimpleSAMLphp in an authsources.php file, which configures the service provider.

The values in the authsources.php file control the following settings:

  • Entity ID of your SP, which is a unique identifier for your SP. This value defaults to the URL of the service provider’s metadata. You may want to override this value with a more human-readable name.
  • Entity ID of your IdP, which is a unique identifier for your IdP. This value must match the entity ID value in the metadata provided to you by your IdP.
  • The NameIDFormat, which your IdP includes in its metadata.
  • The location of a self-signed SSL certificate, if your IdP requires your service provider to have a self-signed SSL certificate.

If your application has separate IdPs for both non-production and production environments, you must set entityID values based on environment. You can change the value of entityID based on the hostname or any other criteria necessary.

To ensure that your authsources.php can be available for general use, Acquia recommends storing the authsources.php file in your Git repository.

Multisite and Site Factory applications

For multisite applications, including Site Factory, you can use the default-sp array defined in authsources.php as a common configuration. For an example, see Modifying authsources.php for multisite use. If you don’t specify a value for entityID, Acquia will use the metadata URL, creating unique values for all environments and websites.

Creating and configuring authentication sources

To create and configure the authsources.php file SimpleSAMLphp needs, complete the following steps:

  1. Download the authsources.php file, and then save the file in the simplesamlphp/config directory.
  2. Review the customizations described in Modifying authsources.php for multisite use, and then apply any modifications that meet your application’s needs.
  3. Save the authsources.php file, and then commit the file to your Git repository.

Next, you must configure your identity provider.

Example authsources.php file

<?php

// This file is available at
// https://docs.acquia.com/resource/simplesaml/sources/

$config = array(
    // This is a authentication source which handles admin authentication.
    'admin' => array(
        // The default is to use core:AdminPassword, but it can be replaced with
        // any authentication source.

        'core:AdminPassword',
    ),
    'default-sp' => array(
        'saml:SP',
        // The entityID is the entityID of the SP that the IdP is expecting.
        // This value must be exactly what the IdP is expecting. If the
        // entityID is not set, it defaults to the URL of the SP's metadata.
        // Don't declare an entityID for Site Factory.
        'entityID' => 'SP EntityID',

        // If the IdP requires the SP to hold a certificate, the location
        // of the self-signed certificate.
        // If you need to generate a SHA256 cert, see
        // https://gist.github.com/guitarte/5745b94c6883eaddabfea68887ba6ee6
        'certificate' => "../cert/saml.crt",
        'privatekey' => "../cert/saml.pem",
        'redirect.sign' => TRUE,
        'redirect.validate' => TRUE,

        // The entityID of the IdP.
        // This is included in the metadata from the IdP.
        'idp' => 'IdP EntityID',

        // NameIDFormat is included in the metadata from the IdP
        'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',

        // If the IdP does not pass any attributes, but provides a NameID in
        // the authentication response, we can filter and add the value as an
        // attribute.
        // See https://simplesamlphp.org/docs/stable/saml:nameidattribute
        'authproc' => array(
                20 => array(
                        'class' => 'saml:NameIDAttribute',
                        'format' => '%V',
                ),
        ),
        // The RelayState parameter needs to be set if SSL is terminated
        // upstream. If you see the SAML response come back with
        // https://example.com:80/saml_login, you likely need to set this.
        // See https://github.com/simplesamlphp/simplesamlphp/issues/420
        'RelayState' => 'https://' . $_SERVER['HTTP_HOST'] . '/saml_login',

        // If working with ADFS, Microsoft may soon only allow SHA256 certs.
        // You must specify signature.algorithm as SHA256.
        // Defaults to SHA1 (http://www.w3.org/2000/09/xmldsig#rsa-sha1)
        // See https://docs.microsoft.com/en-us/security/trusted-root/program-requirements

        // 'signature.algorithm'  => 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256',
    ),
);

Modifying authsources.php for multisite use

When configuring SimpleSAMLphp for multisite use, add logic to your authsources.php file to create different keys in the array for each website in the multisite. For example, the Dev environment may contain two websites: siteA.example.com and siteB.example.com. Your authsources.php file should populate the $config array with an array for each website, as indicated by subsite-a and subsite-b in the following example:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
<?php
$config = array(
    'subsite-a' => array(
        'saml:SP',
        'entityID' => 'Subsite-A-SP',
        'certificate' => "../cert/saml-sitesite-a.crt",
        'privatekey' => "../cert/saml-sitesite-a.pem",
        'redirect.sign' => TRUE,
        'redirect.validate' => TRUE,
        'idp' => 'IdP EntityID',
        'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
    ),
    'subsite-b' => array(
        'saml:SP',
        'entityID' => 'Subsite-B-SP',
        'certificate' => "../cert/saml-site-b.crt",
        'privatekey' => "../cert/saml-site-b.pem",
        'redirect.sign' => TRUE,
        'redirect.validate' => TRUE,
        'idp' => 'IdP EntityID',
        'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
    ),
);

Troubleshooting the authsources.php file

If your application displays the following error message:

Caused by: sspmod_saml_Error: Requester/InvalidNameIDPolicy

you must patch /simplesamlphp/modules/saml/lib/Message.php to set the NameIDPolicy to FALSE, as indicated by the following example:

// NameIDFormat is included in the metadata from the IdP
'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
// If the IdP does not pass any attributes,
// but provides a NameID in the authentication response
'NameIDPolicy' => false,

// We can filter and add the value as an attribute
// https://simplesamlphp.org/docs/stable/saml:nameidattribute