To implement SimpleSAML in Cloud Next, do one of the following:
- For a Cloud Next site: If you do not have a SimpleSAML setup, set up SimpleSAMLphp authentication on Cloud Next.
- For a Cloud Classic site: If you have an existing SimpleSAML setup and want to upgrade to Cloud Next, update SimpleSAMLphp configuration for Cloud Next.
Setting up SimpleSAMLphp authentication on Cloud Next
To set up SimpleSAMLphp authentication on applications with the current Drupal version:
- Require the `drupal/simplesamlphp_auth` project.
  - Access the root directory of your site's Git code repository.
  - Install the module with Composer. This also installs `drupal/externalauth` and `simplesamlphp/simplesamlphp`:

    ```shell
    composer require drupal/simplesamlphp_auth
    ```
- Use symlinks to keep the SimpleSAMLphp configuration and metadata files outside the package. This ensures that you can update the SimpleSAMLphp package through Composer without overwriting your custom configuration.
  - Create the directories where you want to keep the custom configuration files, and point the package's config directory at them:

    ```shell
    mkdir -p simplesamlphp_files/config simplesamlphp_files/metadata
    ln -sf ../../../simplesamlphp_files/config vendor/simplesamlphp/simplesamlphp/config
    ```

  - Replace any existing config directory with a symlink to the one created earlier. You must symlink the config directory because the metadata directory is set as a config setting (`metadatadir`), so only the config directory needs to be linked.
  - To ensure that the process repeats automatically whenever the project is updated, add the following directive to the `composer.json` file:

    ```json
    "scripts": {
        "post-update-cmd": [
            "rm -rf vendor/simplesamlphp/simplesamlphp/config",
            "ln -sf ../../../simplesamlphp_files/config vendor/simplesamlphp/simplesamlphp/config"
        ],
        "post-install-cmd": [
            "rm -rf vendor/simplesamlphp/simplesamlphp/config",
            "ln -sf ../../../simplesamlphp_files/config vendor/simplesamlphp/simplesamlphp/config"
        ]
    },
    ```
- In your docroot, create a symlink to allow access to the SimpleSAMLphp user interface.

  For SimpleSAMLphp Authentication versions earlier than 2.x:

  ```shell
  ln -s ../vendor/simplesamlphp/simplesamlphp/www docroot/simplesaml
  ```

  For SimpleSAMLphp Authentication versions 2.x and later:

  ```shell
  ln -s ../vendor/simplesamlphp/simplesamlphp/public docroot/simplesaml
  ```
- Create the `config.php` and `authsources.php` files.
  - After creating the directories, create the `config.php`, `authsources.php`, and `metadata/saml20-idp-remote.php` files with the appropriate content. To create an initial (still incomplete) `metadata/saml20-idp-remote.php` file, copy the template:

    ```shell
    cp vendor/simplesamlphp/simplesamlphp/metadata-templates/saml20-idp-remote.php simplesamlphp_files/metadata/saml20-idp-remote.php
    ```

  - To test, copy the `authsources.php` template:

    ```shell
    cp vendor/simplesamlphp/simplesamlphp/config-templates/authsources.php simplesamlphp_files/config/authsources.php
    ```

  - For the `config.php` file, generate a new hash salt and an admin password:

    ```shell
    LC_ALL=C tr -c -d '0123456789abcdefghijklmnopqrstuvwxyz' </dev/urandom | dd bs=32 count=1 2>/dev/null;echo
    vendor/simplesamlphp/simplesamlphp/bin/pwgen.php
    ```

  - Update the following snippet in the `config.php` file, replacing `$hashSalt` and `$adminPassword` with the values obtained in the preceding step. In addition, update the name and email of your technical contact.

    ```php
    <?php

    use SimpleSAML\Logger;

    $config = [];

    /*
     * Perform any global overrides
     */
    $config['technicalcontact_name'] = "Your Name";
    $config['technicalcontact_email'] = "[email protected]";
    $config['secretsalt'] = $hashSalt;
    $config['auth.adminpassword'] = $adminPassword;
    $config['admin.protectindexpage'] = TRUE;

    // simplesamlphp_files/, one level above this config directory.
    $samlfiles = __DIR__ . '/../';
    $config['metadatadir'] = $samlfiles . 'metadata/';
    $config['certdir'] = $samlfiles . 'cert/';

    /*
     * Perform any local only overrides
     */
    if (file_exists($samlfiles . 'config.local.php')) {
      // Instead of adding all the local configuration, include a file that can be added to .gitignore.
      // Include it by the same path that was checked above.
      include $samlfiles . 'config.local.php';
    }

    /*
     * Perform any Acquia Cloud overrides
     */
    if (isset($_ENV['AH_SITE_ENVIRONMENT'])) {
      // do Acquia specific translations here

      // Prevent Varnish from interfering with SimpleSAMLphp.
      // SSL terminated at the ELB / balancer so we correctly set the SERVER_PORT
      // and HTTPS for SimpleSAMLphp baseurl configuration.
      $protocol = 'http://';
      $port = '80';
      if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https') {
        $_SERVER['SERVER_PORT'] = 443;
        $_SERVER['HTTPS'] = 'true';
        $protocol = 'https://';
        $port = $_SERVER['SERVER_PORT'];
      }
      $config['baseurlpath'] = $protocol . $_SERVER['HTTP_HOST'] . ':' . $port . '/simplesaml/';
      $config['trusted.url.domains'] = [$_SERVER['HTTP_HOST']];

      // Setup basic file based logging.
      $config['logging.handler'] = 'file';
      // on Cloud Next, the preferred location is /shared/logs
      // on Cloud Classic, the preferred location is the same directory as ACQUIA_HOSTING_DRUPAL_LOG
      $config['loggingdir'] = (file_exists('/shared/logs/')) ? '/shared/logs/' : dirname(getenv('ACQUIA_HOSTING_DRUPAL_LOG'));
      $config['logging.logfile'] = 'simplesamlphp-' . date('Ymd') . '.log';

      // Retrieve database credentials from creds.json
      $creds_json = file_get_contents('/var/www/site-php/' . $_ENV['AH_SITE_GROUP'] . '.' . $_ENV['AH_SITE_ENVIRONMENT'] . '/creds.json');
      $creds = json_decode($creds_json, true);
      $database = $creds['databases'][$_ENV['AH_SITE_GROUP']];

      // On Cloud Classic, the current active database host is determined by a DNS lookup
      if (isset($database['db_cluster_id'])) {
        require_once "/usr/share/php/Net/DNS2_wrapper.php";
        try {
          $resolver = new Net_DNS2_Resolver([
            'nameservers' => [
              '127.0.0.1',
              'dns-master',
            ],
          ]);
          $response = $resolver->query("cluster-{$database['db_cluster_id']}.mysql", 'CNAME');
          $database['host'] = $response->answer[0]->cname;
        }
        catch (Net_DNS2_Exception $e) {
          Logger::warning('DNS entry not found');
        }
      }

      $config['store.type'] = 'sql';
      $config['store.sql.dsn'] = sprintf('mysql:host=%s;port=%s;dbname=%s', $database['host'], $database['port'], $database['name']);
      $config['store.sql.username'] = $database['user'];
      $config['store.sql.password'] = $database['pass'];
      $config['store.sql.prefix'] = 'simplesaml';
    }
    ```
- Deploy your updated site to Cloud.
- Access your site at the `/simplesaml` path to view the SimpleSAMLphp interface.
- (Optional) Register your Service Provider (SP) with your Identity Provider (IdP).
  - Retrieve the SP's metadata from `https://<your website>/simplesaml/module.php/saml/sp/metadata.php/default-sp`. It is also accessible on the Federation tab in the SimpleSAMLphp user interface.
  - Register your IdP metadata:
    - Obtain your IdP's metadata. The metadata is available in XML format.
    - Parse the XML file into the appropriate PHP array. You can use the converter available at `/simplesaml/admin/metadata-converter.php`.
    - Append the array to the existing metadata file, `simplesamlphp_files/metadata/saml20-idp-remote.php`.
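The conversion that the metadata converter performs, shown here as an added example written for this page rather than code from Acquia or from SimpleSAMLphp: it parses IdP metadata XML into the array shape that `saml20-idp-remote.php` holds and refuses metadata that carries no signing certificate, because without `certData` the SP could not validate the signatures on the IdP's responses. The XML, hostnames and certificate body are constructed placeholders, and the function names are this example's own.

```php
<?php
// Added example, not code from the Acquia page or from SimpleSAMLphp: convert
// SAML 2.0 IdP metadata XML into the array shape used by
// simplesamlphp_files/metadata/saml20-idp-remote.php. The XML below is a
// constructed sample; the certificate value is a placeholder, not a real key.

declare(strict_types=1);

const MD_NS = 'urn:oasis:names:tc:SAML:2.0:metadata';
const DS_NS = 'http://www.w3.org/2000/09/xmldsig#';

/**
 * Parse IdP metadata and return [entityID => saml20-idp-remote entry].
 * Throws InvalidArgumentException on malformed XML or a missing signing certificate.
 */
function idpMetadataToArray(string $xml): array
{
    // LIBXML_NONET blocks network fetches while parsing metadata obtained from outside.
    $prev = libxml_use_internal_errors(true);
    $doc = simplexml_load_string($xml, SimpleXMLElement::class, LIBXML_NONET);
    libxml_use_internal_errors($prev);
    if ($doc === false) {
        throw new InvalidArgumentException('IdP metadata is not well-formed XML');
    }
    $doc->registerXPathNamespace('md', MD_NS);

    $entries = [];
    foreach ($doc->xpath('//md:EntityDescriptor[md:IDPSSODescriptor]') ?: [] as $entity) {
        // XPath namespace prefixes are registered per element in SimpleXML.
        $entity->registerXPathNamespace('md', MD_NS);
        $entity->registerXPathNamespace('ds', DS_NS);
        $entityId = (string) $entity['entityID'];

        // Binding/Location pairs in the form SimpleSAMLphp expects for endpoints.
        $endpoints = static fn(array $nodes): array => array_values(array_map(
            static fn(SimpleXMLElement $n): array => [
                'Binding'  => (string) $n['Binding'],
                'Location' => (string) $n['Location'],
            ],
            $nodes
        ));

        // Only signing keys matter for validating IdP responses; a KeyDescriptor
        // without a "use" attribute is valid for both signing and encryption.
        $certNodes = $entity->xpath(
            'md:IDPSSODescriptor/md:KeyDescriptor[not(@use) or @use="signing"]'
            . '/ds:KeyInfo/ds:X509Data/ds:X509Certificate'
        );
        if (!$certNodes) {
            // Without certData the SP could not verify assertion signatures.
            throw new InvalidArgumentException("No signing certificate for $entityId");
        }

        $entry = [
            'entityid'            => $entityId,
            'SingleSignOnService' => $endpoints($entity->xpath('md:IDPSSODescriptor/md:SingleSignOnService') ?: []),
            'SingleLogoutService' => $endpoints($entity->xpath('md:IDPSSODescriptor/md:SingleLogoutService') ?: []),
            // Base64 body only, whitespace stripped, as SimpleSAMLphp expects.
            'certData'            => preg_replace('/\s+/', '', (string) $certNodes[0]),
        ];
        $nameIdFormat = $entity->xpath('md:IDPSSODescriptor/md:NameIDFormat');
        if ($nameIdFormat) {
            $entry['NameIDFormat'] = (string) $nameIdFormat[0];
        }
        $entries[$entityId] = $entry;
    }
    if ($entries === []) {
        throw new InvalidArgumentException('No IDPSSODescriptor found in metadata');
    }
    return $entries;
}

/** Render entries as the PHP source that saml20-idp-remote.php contains. */
function renderIdpRemote(array $entries): string
{
    $out = "<?php\n";
    foreach ($entries as $entityId => $entry) {
        $out .= '$metadata[' . var_export($entityId, true) . '] = '
              . var_export($entry, true) . ";\n\n";
    }
    return $out;
}

// Constructed sample metadata (hostnames and certificate are placeholders).
const SAMPLE_IDP_METADATA = <<<'XML'
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.test/saml2/idp/metadata.php">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        MIICPLACEHOLDERBASE64CERTIFICATEBODY
        NOTAREALCERTIFICATE==
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml2/idp/SingleLogoutService.php"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml2/idp/SSOService.php"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
XML;

echo renderIdpRemote(idpMetadataToArray(SAMPLE_IDP_METADATA));
```

Review the generated entry before appending it to `saml20-idp-remote.php`, and compare `certData` with the certificate the IdP operator published out of band: that file is the trust anchor for every assertion the site accepts, so a wrong or stale certificate either locks users out or, worse, trusts the wrong signer.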
Testing the SimpleSAMLphp setup
After you deploy your updated code to Cloud, you must test the SimpleSAMLphp setup.
Testing in SimpleSAMLphp
You can test the Authentication tab against the `default-sp` option.
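Before the interactive test, a scripted check that the values produced in the setup steps actually replaced the template placeholders in `config.php`, and that the configuration layout keeps those secrets outside the docroot. This is an added example, not code from the page or from SimpleSAMLphp: the `checkSimpleSamlConfig` function, its thresholds and the password-hash prefixes it accepts (`{SSHA256}` and bcrypt `$2y$`, assumed to be what `pwgen.php` emits in 1.x and 2.x respectively) are this example's own, and the two sample configuration arrays are constructed. It requires PHP 8.0 or later for `str_starts_with`.

```php
<?php
// Added example, not code from the Acquia page or from SimpleSAMLphp: a
// pre-deployment check that the generated secretsalt and admin password from
// the setup steps replaced the template values, and that the configuration
// layout keeps those secrets outside the docroot. Thresholds and the accepted
// password-hash prefixes are this example's own assumptions. Requires PHP 8.0+.

declare(strict_types=1);

/**
 * Inspect a SimpleSAMLphp $config array plus the directory layout and return
 * a list of findings; an empty list means nothing was flagged.
 * $configDir and $docroot are absolute paths as laid out in the setup steps.
 */
function checkSimpleSamlConfig(array $config, string $configDir, string $docroot): array
{
    $findings = [];

    // 'defaultsecretsalt' is the value shipped in SimpleSAMLphp's config template;
    // the setup step generates a 32-character salt.
    $salt = (string) ($config['secretsalt'] ?? '');
    if ($salt === '' || $salt === 'defaultsecretsalt' || strlen($salt) < 32) {
        $findings[] = 'secretsalt is empty, the template default, or shorter than 32 characters';
    }

    // '123' is the template default. pwgen.php emits a hashed value; this example
    // assumes the {SSHA256} (1.x) or bcrypt $2y$ (2.x) prefixes and flags anything else.
    $pw = (string) ($config['auth.adminpassword'] ?? '');
    if ($pw === '' || $pw === '123' || !preg_match('/^(\{SSHA256\}|\$2y\$)/', $pw)) {
        $findings[] = 'auth.adminpassword is empty, the template default, or not a pwgen.php hash';
    }

    if (($config['admin.protectindexpage'] ?? false) !== true) {
        $findings[] = 'admin.protectindexpage should be true so /simplesaml/ requires the admin login';
    }

    // The page's config only switches to https when X-Forwarded-Proto says so.
    $base = (string) ($config['baseurlpath'] ?? '');
    if (!str_starts_with($base, 'https://')) {
        $findings[] = 'baseurlpath is not https://; SAML responses and the session cookie would travel in clear text';
    }

    $trusted = $config['trusted.url.domains'] ?? null;
    if (!is_array($trusted) || $trusted === []) {
        $findings[] = 'trusted.url.domains is not a non-empty array of hostnames';
    }

    if (($config['store.type'] ?? '') === 'sql' && (string) ($config['store.sql.password'] ?? '') === '') {
        $findings[] = 'store.type is sql but store.sql.password is empty';
    }

    // Secrets must not be web-reachable: config/, metadata/ and cert/ belong outside docroot.
    $docrootPrefix = rtrim($docroot, '/') . '/';
    $dirs = [
        'config'      => $configDir,
        'metadatadir' => (string) ($config['metadatadir'] ?? ''),
        'certdir'     => (string) ($config['certdir'] ?? ''),
    ];
    foreach ($dirs as $label => $dir) {
        if ($dir === '' || str_starts_with(rtrim($dir, '/') . '/', $docrootPrefix)) {
            $findings[] = "$label directory is unset or lies inside the docroot ($dir)";
        }
    }

    return $findings;
}

// Constructed samples: values a site would have if the placeholders were never
// replaced, versus values shaped like the output of the setup commands.
$weak = [
    'secretsalt'             => 'defaultsecretsalt',
    'auth.adminpassword'     => '123',
    'admin.protectindexpage' => false,
    'baseurlpath'            => 'http://example.test:80/simplesaml/',
    'trusted.url.domains'    => [],
    'metadatadir'            => '/var/www/html/docroot/simplesaml/metadata/',
    'store.type'             => 'sql',
    'store.sql.password'     => '',
];
$hardened = [
    'secretsalt'             => 'k9v2m4x8q1z7w3e5r6t0y1u2i3o4p5a6', // constructed, not a real salt
    'auth.adminpassword'     => '$2y$10$placeholderbcrypthashvalueconstructedxxxxxxxxxxxxxxxxx',
    'admin.protectindexpage' => true,
    'baseurlpath'            => 'https://example.test:443/simplesaml/',
    'trusted.url.domains'    => ['example.test'],
    'metadatadir'            => '/var/www/html/simplesamlphp_files/metadata/',
    'certdir'                => '/var/www/html/simplesamlphp_files/cert/',
    'store.type'             => 'sql',
    'store.sql.password'     => 'constructed-db-password',
];
foreach (['weak' => $weak, 'hardened' => $hardened] as $name => $cfg) {
    $findings = checkSimpleSamlConfig($cfg, '/var/www/html/simplesamlphp_files/config', '/var/www/html/docroot');
    printf("%s: %d finding(s)\n", $name, count($findings));
    foreach ($findings as $f) {
        echo "  - $f\n";
    }
}
```

Running this against the real `config.php` means loading it in the same environment the site runs in, since the page's configuration reads `$_ENV` and `creds.json` at load time; running it on the `weak` sample should report every check firing, and on `hardened` none.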
Updating SimpleSAMLphp configuration for Cloud Next
To use the `$databases` object instead of the DNS method, you must update the code:
Logging directories
In Cloud Classic, the logging directory location was `/mnt/tmp/<environment>`. However, in Cloud Next, the location is `/shared/logs/`.
Therefore, if you want to straddle Cloud Classic and Cloud Next, update the following snippet:

```php
// Setup basic file based logging.
$config['logging.handler'] = 'file';
// on Cloud Next, the preferred location is /shared/logs
// on Cloud Classic, the preferred location is the same directory as ACQUIA_HOSTING_DRUPAL_LOG
$config['loggingdir'] = (file_exists('/shared/logs/')) ? '/shared/logs/' : dirname(getenv('ACQUIA_HOSTING_DRUPAL_LOG'));
$config['logging.logfile'] = 'simplesamlphp-' . date('Ymd') . '.log';
```
Other recommended changes
To reconfigure your SimpleSAMLphp setup on Cloud Next, see Setting up SimpleSAMLphp authentication on Cloud Next.