Note
These changes are only required for SimpleSAMLphp. No action is required for other authentication modules, such as CAS or SAML SP 2.0.
To implement SimpleSAML in Cloud Next, do one of the following:
For a Cloud Next site: If you do not have a SimpleSAML setup, set up SimpleSAMLphp authentication on Cloud Next.
For a Cloud Classic site: If you have an existing SimpleSAML setup and want to upgrade to Cloud Next, update SimpleSAMLphp configuration for Cloud Next.
Setting up SimpleSAMLphp authentication on Cloud Next
Important
This is applicable only if you are setting up SimpleSAML for the first time in your existing Cloud Next site. This is not applicable if SimpleSAML is already configured in your Cloud Classic site.
To set up SimpleSAMLphp authentication on applications with the current Drupal version:
Note
For Drupal 7, the following steps might not apply since the use of Composer is optional.
Require the
drupal/simplesamlphp_auth
project.Access the root directory of your site’s Git code repository.
Install the module with Composer. This installs
drupal/externalauth
andsimplesamlphp/simplesamlphp
.composer require drupal/simplesamlphp_auth
Use symlinks to keep the SimpleSAMLphp configuration and metadata files outside your package. This ensures that you can update the SimpleSAMLphp configuration files through Composer without overwriting your custom configurations.
Create the directories where you want to keep the custom configuration files:
mkdir -p simplesamlphp_files/config simplesamlphp_files/metadata ln -sf ../../../simplesamlphp_files/config vendor/simplesamlphp/simplesamlphp/config
Replace any config directory with a symlink to the one created earlier. You must symlnk the config directory because you set the metadata directory as a config setting.
Note
To set the configuration, you can define an environment variable:
SIMPLESAMLPHP_CONFIG_DIR
through Cloud API.To ensure that the process repeats automatically whenever the project is updated, add the following directive in the
composer.json
file:"scripts": { "post-update-cmd": [ "rm -rf vendor/simplesamlphp/simplesamlphp/config", "ln -sf ../../../simplesamlphp_files/config vendor/simplesamlphp/simplesamlphp/config" ], "post-install-cmd": [ "rm -rf vendor/simplesamlphp/simplesamlphp/config", "ln -sf ../../../simplesamlphp_files/config vendor/simplesamlphp/simplesamlphp/config" ] },
In your docroot, create a symlink to allow access to the SimpleSAMLphp user interface.
ln -s ../vendor/simplesamlphp/simplesamlphp/www docroot/simplesaml
Create the
config.php
andauthsources.php
files.After creating the directories, create the
config.php
,authsources.php
, andmetadata/saml20-idp-remote.php
files with the appropriate content.To create an incomplete
metadata/saml20-idp-remote.php
file, copy the template:cp vendor/simplesamlphp/simplesamlphp/metadata-templates/saml20-idp-remote.php simplesamlphp_files/metadata/saml20-idp-remote.php
Note
This file is filled with the metadata obtained from your IdP.
To test, copy the
authsources.php
file:cp vendor/simplesamlphp/simplesamlphp/config-templates/authsources.php simplesamlphp_files/config/authsources.php
For the
config.php
file, generate a new hash_salt and an admin password:LC_ALL=C tr -c -d '0123456789abcdefghijklmnopqrstuvwxyz' </dev/urandom | dd bs=32 count=1 2>/dev/null;echo
vendor/simplesamlphp/simplesamlphp/bin/pwgen.php
Update the following snippet in the
config.php
file to replace$hashSalt
and$adminPassword
with the values obtained in the preceding step. In addition, update the name and email of your technical contact.<?php use SimpleSAML\Logger; $config = []; /* * Perform any global overrides */ $config['technicalcontact_name'] = "Your Name"; $config['technicalcontact_email'] = "[email protected]"; $config['secretsalt'] = $hashSalt; $config['auth.adminpassword'] = $adminPassword; $config['admin.protectindexpage'] = TRUE; $samlfiles = __DIR__ . '/../'; $config['metadatadir'] = $samlfiles . 'metadata/'; $config['certdir'] = $samlfiles . 'cert/'; /* * Perform any local only overrides */ if (file_exists($samlfiles . 'config.local.php')) { // Instead of adding all the local configuration, include a file that can be added to .gitignore include 'config.local.php'; } /* * Perform any Acquia Cloud overrides */ if (isset($_ENV['AH_SITE_ENVIRONMENT'])) { // do Acquia specific translations here // Prevent Varnish from interfering with SimpleSAMLphp. // SSL terminated at the ELB / balancer so we correctly set the SERVER_PORT // and HTTPS for SimpleSAMLphp baseurl configuration. $protocol = 'http://'; $port = '80'; if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https') { $_SERVER['SERVER_PORT'] = 443; $_SERVER['HTTPS'] = 'true'; $protocol = 'https://'; $port = $_SERVER['SERVER_PORT']; } $config['baseurlpath'] = $protocol . $_SERVER['HTTP_HOST'] . ':' . $port . '/simplesaml/'; $config['trusted.url.domains'] = [$_SERVER['HTTP_HOST']]; // Setup basic file based logging. $config['logging.handler'] = 'file'; // on Cloud Next, the preferred location is /shared/logs // on Cloud Classic, the preferred location is the same directory as ACQUIA_HOSTING_DRUPAL_LOG $config['loggingdir'] = (file_exists('/shared/logs/'))?'/shared/logs/':dirname(getenv('ACQUIA_HOSTING_DRUPAL_LOG')); $config['logging.logfile'] = 'simplesamlphp-' . date('Ymd') . '.log'; // Retrieve database credentials from creds.json $creds_json = file_get_contents('/var/www/site-php/' . $_ENV['AH_SITE_GROUP'] . '.' . $_ENV['AH_SITE_ENVIRONMENT'] . '/creds.json'); $creds = json_decode($creds_json, true); $database = $creds['databases'][$_ENV['AH_SITE_GROUP']]; // On Cloud Classic, the current active database host is determined by a DNS lookup if (isset($database['db_cluster_id'])) { require_once "/usr/share/php/Net/DNS2_wrapper.php"; try { $resolver = new Net_DNS2_Resolver([ 'nameservers' => [ '127.0.0.1', 'dns-master', ], ]); $response = $resolver->query("cluster-{$database['db_cluster_id']}.mysql", 'CNAME'); $database['host'] = $response->answer[0]->cname; } catch (Net_DNS2_Exception $e) { Logger::warning('DNS entry not found'); } } $config['store.type'] = 'sql'; $config['store.sql.dsn'] = sprintf('mysql:host=%s;port=%s;dbname=%s', $database['host'], $database['port'], $database['name']); $config['store.sql.username'] = $database['user']; $config['store.sql.password'] = $database['pass']; $config['store.sql.prefix'] = 'simplesaml'; }
Note
SSO providers might fail to connect if you specify the port number as
443
. If you see errors, do not specify the port number.Deploy your updated site to cloud.
Access your site at the /simplesaml path to view the SimpleSAMLphp interface.
(Optional) register your Service Provider (SP) with your Identity Provider (IdP).
Retrieve the SP’s metadata from:
https://<your website>/simplesaml/module.php/saml/sp/metadata.php/default-sp
. This is accessible on the Federation tab in the SimpleSAMLphp user interface.
Register your IdP metadata.
Obtain your IdP’s metadata. The metadata is available in the XML format.#. Parse the XML file to an appropriate PHP array. You can leverage the tool available at
/simplesaml/admin/metadata-converter.php
.Appended the array to the existing metadata file:
simplesamlphp_files/metadata/saml20-idp-remote.php
.
Testing the SimpleSAMLphp setup
After you deploy your updated code in the site to Cloud, you must test the SimpleSAMLphp setup.
To test the SimpleSAMLphp setup:
Access the site:
https://samltest.id/upload.php
.Enter your site’s metadata URL. For more information on obtaining SP metadata, see Obtaining SP metadata.
Click Fetch.
Access
https://samltest.id/saml/idp
to download the file.Upload the file to the XML to SimpleSAMLphp metadata converter included with SimpleSAMLphp at
http://[example.com]/simplesaml/admin/metadata-converter.php
. You must replace[example.com]
with the domain name of your website.
Testing in SimpleSAMLphp
You can test the Authentication tab against the default-sp
option.
Updating SimpleSAMLphp configuration for Cloud Next
Important
This is applicable only if SimpleSAML is already configured in your Cloud Classic site, and you want to upgrade to Cloud Next. This is not applicable if you are setting up SimpleSAML for the first time in your existing Cloud Next site.
In Cloud Classic, the system parses the config.json
or
creds.json
file for each environment to retrieve the necessary
information.
To determine the active primary data server, the platform relies on a local DNS system because of the original failover mechanism in Cloud Classic. If that database is unreachable, the platform updates the DNS entry to ensure that the other database server is primary. Prior to the database switch, certain checks occur for replication lag and other factors.
The platform relies on Net_DNS2 to handle the DNS resolution. This helps to determine the currently active database in the cluster.
Logging directories
In Cloud Classic, the logging directory location was
/mnt/tmp/<environment>
. However, in Cloud Next, the location is
/shared/logs/
.
Therefore, if you want to straddle Cloud Classic and Cloud Next, update the following snippet:
// Setup basic logging.
$config['logging.handler'] = 'file';
$config['loggingdir'] = dirname(getenv('ACQUIA_HOSTING_DRUPAL_LOG'));
$config['logging.logfile'] = 'simplesamlphp-' . date('Ymd') . '.log';
Other recommended changes
To reconfigure your SimpleSAMLphp setup on Cloud Next, see Setting up SimpleSAMLphp authentication on Cloud Next.