This section explains how to configure WSO2 Identity Server with SimpleSAMLphp as the service provider. First, SimpleSAMLphp must be set up as a service provider. The steps below were tested on Ubuntu (an older release on which the php5 packages used below are still available).
To set up SimpleSAMLphp as a service provider:
Install Apache.
# apt-get install apache2
Install PHP and related extensions.
# apt-get install php5
# apt-get install php5-cli
# apt-get install php5-common
# apt-get install php5-curl
# apt-get install php-pear
# apt-get install php5-mcrypt
For Ubuntu users, please install the following extension as well:
# apt-get install php5-json
Install SimpleSAMLphp using the following commands.
# mkdir -p /var/simplesamlphp
# cd /var/simplesamlphp/
# wget https://github.com/simplesamlphp/simplesamlphp/releases/download/simplesamlphp-1.11.0/simplesamlphp-1.11.0.tar.gz
# tar xvf simplesamlphp-1.11.0.tar.gz
# mv simplesamlphp-1.11.0 simplesamlphp
# cd simplesamlphp
# cp -r metadata-templates/*.php metadata/
# cp -r config-templates/*.php config/
Configure SimpleSAMLphp web in Apache.
# cd /var/www/html
# ln -s /var/simplesamlphp/simplesamlphp/www simplesaml
Start Apache.
# apachectl start
Access the SimpleSAMLphp web app at the following location:
http://localhost/simplesaml
Set the SimpleSAMLphp administrator login configuration as follows:
# cd /var/simplesamlphp/simplesamlphp
# vi config/config.php
- Look for 'auth.adminpassword', replace the placeholder value from the template with a strong password of your own, and save the file. The administrator login gives access to the configuration and test pages, so do not leave the template value in place.
- Click 'Login as administrator' on the web page
http://localhost/simplesaml
Add a Service Provider to SimpleSAMLphp.
# cd /var/simplesamlphp/simplesamlphp
# vi config/authsources.php
Add the following section to the file and save.
'wso2-sp' => array(
    'saml:SP',

    // The entity ID of this SP.
    // Can be NULL/unset, in which case an entity ID is generated based on the metadata URL.
    'entityID' => 'simplesaml',

    // The entity ID of the IdP this SP should contact.
    // Can be NULL/unset, in which case the user will be shown a list of available IdPs.
    'idp' => 'https://localhost:9443/samlsso',

    // The URL to the discovery service.
    // Can be NULL/unset, in which case a builtin discovery service will be used.
    'discoURL' => NULL,
),
Here we assume WSO2 IS is running on localhost, port 9443.
Add the Identity Provider metadata.
# cd /var/simplesamlphp/simplesamlphp
# vi metadata/saml20-idp-remote.php
Add the following section to the file and save.
$metadata['https://localhost:9443/samlsso'] = array(
    'name' => array(
        'en' => 'WSO2 IS',
        'no' => 'WSO2 IS',
    ),
    'description' => 'Login with WSO2 IS SAML2 IdP.',
    'SingleSignOnService' => 'https://localhost:9443/samlsso',
    'SingleLogoutService' => 'https://localhost:9443/samlsso',
    'certFingerprint' => '6bf8e136eb36d4a56ea05c7ae4b9a45b63bf975d',
);
Note that the $metadata key, https://localhost:9443/samlsso, must match the 'idp' value set in config/authsources.php above. The value 6bf8e136eb36d4a56ea05c7ae4b9a45b63bf975d is the SHA-1 fingerprint of the default certificate that ships with WSO2 IS (alias wso2carbon in repository/resources/security/wso2carbon.jks). The SAML2 Response is signed with this certificate, and SimpleSAMLphp uses the fingerprint to reject responses signed by any other key. Because that default keystore is included in every WSO2 distribution, its private key is not secret: replace it before using this setup for anything beyond testing, and update certFingerprint to match the new certificate.
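The fingerprint is the one value in this configuration that ties the SP to the IdP's signing key, and a mismatch (wrong digest algorithm, upper-case or colon-separated output pasted as-is, or a stale value after a keystore change) surfaces only as a signature-validation failure at login time. The following script, an added example for this guide rather than SimpleSAMLphp or WSO2 code, derives the certFingerprint value from a PEM file, raw DER bytes, or the IdP's SAML metadata, checks a configured value against a certificate, and renders the saml20-idp-remote.php entry. The metadata document in it is constructed, and its certificate element holds a stand-in byte string rather than a real DER certificate; everything else follows the SAML 2.0 metadata schema.

```python
"""Derive and check the certFingerprint value used in saml20-idp-remote.php.

Added example for this guide; it is not SimpleSAMLphp or WSO2 code. It assumes
the IdP signing certificate is available as a PEM file, as raw DER bytes, or
embedded in SAML 2.0 IdP metadata (md:KeyDescriptor/ds:KeyInfo/ds:X509Data/
ds:X509Certificate). SimpleSAMLphp compares the SHA-1 digest of the DER
encoding, written as 40 lower-case hex characters without separators.
"""
import base64
import hashlib
import re
import xml.etree.ElementTree as ET
from typing import List

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def normalize_fingerprint(fp: str) -> str:
    """Convert keytool/openssl output ("SHA1 Fingerprint=6B:F8:...") to the
    form SimpleSAMLphp expects. Rejects MD5/SHA-256 digests, which would
    otherwise never match and show up only as a signature-validation failure."""
    token = re.split(r"[=\s]+", fp.strip())[-1]
    digest = token.replace(":", "").lower()
    if not re.fullmatch(r"[0-9a-f]{40}", digest):
        raise ValueError(f"not a SHA-1 fingerprint: {fp!r}")
    return digest


def sha1_fingerprint(der: bytes) -> str:
    """SHA-1 over the DER-encoded certificate, the value SimpleSAMLphp matches."""
    return hashlib.sha1(der).hexdigest()


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and decode the base64 body to DER."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    return base64.b64decode("".join(body.split()))


def extract_idp_signing_certs(metadata_xml: str) -> List[bytes]:
    """Return every signing certificate published in IdP metadata, as DER.
    A KeyDescriptor without a 'use' attribute is valid for signing too;
    encryption-only keys are skipped because they never sign a Response."""
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            certs.append(base64.b64decode("".join(cert.text.split())))
    return certs


def fingerprint_matches(der: bytes, configured: str) -> bool:
    """True when the configured certFingerprint pins this certificate."""
    return sha1_fingerprint(der) == normalize_fingerprint(configured)


def idp_remote_entry(entity_id: str, sso_url: str, der: bytes) -> str:
    """Render the saml20-idp-remote.php entry for this IdP certificate."""
    return (
        f"$metadata['{entity_id}'] = array(\n"
        f"    'SingleSignOnService' => '{sso_url}',\n"
        f"    'SingleLogoutService' => '{sso_url}',\n"
        f"    'certFingerprint' => '{sha1_fingerprint(der)}',\n"
        ");"
    )


# Constructed sample input: a stand-in for the DER certificate bytes, embedded
# in minimal IdP metadata the way a real X509Certificate element would be.
SAMPLE_DER = b"abc"
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://localhost:9443/samlsso">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{base64.b64encode(SAMPLE_DER).decode()}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{base64.b64encode(b'enc').decode()}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://localhost:9443/samlsso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    for der in extract_idp_signing_certs(SAMPLE_METADATA):
        print(idp_remote_entry("https://localhost:9443/samlsso",
                               "https://localhost:9443/samlsso", der))
        # The fingerprint quoted in this guide belongs to a different certificate.
        print("matches guide value:",
              fingerprint_matches(der, "6bf8e136eb36d4a56ea05c7ae4b9a45b63bf975d"))
```

To run it against a real WSO2 IS certificate, export it from the default keystore with `keytool -export -rfc -alias wso2carbon -keystore repository/resources/security/wso2carbon.jks -storepass wso2carbon -file wso2carbon.pem` (default alias and password; they change when the keystore is replaced) and feed the file through pem_to_der and sha1_fingerprint. `openssl x509 -in wso2carbon.pem -noout -sha1 -fingerprint` prints the same digest in the colon-separated upper-case form that normalize_fingerprint converts.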
Download and install WSO2 Identity Server.
Start WSO2 Identity Server and add a Service Provider under SAML SSO with the following values:
Issuer: simplesaml (this must equal the 'entityID' set in authsources.php; the Response is addressed to that entity)
Assertion Consumer URL: http://localhost/simplesaml/module.php/saml/sp/saml2-acs.php/wso2-sp
Enable Assertion Signing: True
Enable Single Logout: True
Logout URL: http://localhost/simplesaml/module.php/saml/sp/saml2-logout.php/wso2-sp
Keep the defaults for the rest. Both URLs go through the /simplesaml alias created by the Apache symlink, and they must match the SP's own URLs exactly, since the IdP will only post responses to the registered endpoints. Plain http on localhost is fine for this test; in a real deployment the SP must be served over HTTPS, because the signed Response and the SP session cookie travel over these URLs.
In the Main menu of the management console, click List under Identity Providers, then click Resident Identity Provider.
- On the page that appears, open the SAML2 Web SSO Configuration section under Inbound Authentication Configuration.
- The Identity Provider Entity ID must be the SAML endpoint of the Identity Server:
https://{yourhost}:{port}/samlsso
This is the value WSO2 IS places in the Issuer of its Responses, and SimpleSAMLphp looks the issuer up in saml20-idp-remote.php, so it must equal the $metadata key and the 'idp' value configured earlier (https://localhost:9443/samlsso in this example); otherwise the Response is rejected as coming from an unknown IdP.
Test SimpleSAMLphp:
- Go to http://localhost/simplesaml, open the "Authentication" tab and click "Test configured authentication sources".
- Pick "wso2-sp". You are redirected to the WSO2 IS SAML2 IdP for login; after a successful login SimpleSAMLphp displays the attributes received in the assertion. If the login instead fails with a signature-validation error, recheck the certFingerprint in saml20-idp-remote.php against the certificate WSO2 IS actually signs with.