
Installation and configuration of test saml idp

jseraf edited this page Sep 12, 2023 · 23 revisions

To use a Docker container SAML IDP locally for testing and development, install some method of running Docker on your machine. We used Docker Desktop for Mac.

Set up and install the SSO SAML Test Environment using the following tutorial:

https://medium.com/disney-streaming/setup-a-single-sign-on-saml-test-environment-with-docker-and-nodejs-c53fc1a984c9

The post above uses the following Docker image. Installation details are on its Docker Hub page:

https://hub.docker.com/r/kristophjunge/test-saml-idp

INSTRUCTIONS

  1. Pull the Docker container
     $ docker pull kristophjunge/test-saml-idp
  2. Run the Docker container.

    Note: Our command was slightly different from the tutorial's. It would not take the name argument, so we skipped it.

    $ docker run \
    -p 8080:8080 \
    -p 8443:8443 \
    -e SIMPLESAMLPHP_SP_ENTITY_ID=http://localhost:3000 \
    -e SIMPLESAMLPHP_SP_ASSERTION_CONSUMER_SERVICE=http://localhost:3000/users/saml/auth \
    -e SIMPLESAMLPHP_SP_SINGLE_LOGOUT_SERVICE=http://localhost:3000 \
    -d kristophjunge/test-saml-idp
    

    Note the values entered above. The following three environment variables are used again later:

    • If you are using devise_saml_authenticatable, the SIMPLESAMLPHP_SP_ASSERTION_CONSUMER_SERVICE will likely be the same as below.
    • The SIMPLESAMLPHP_SP_ENTITY_ID can be whatever you want but you will need to set this inside your application configurations.
    • The SIMPLESAMLPHP_SP_SINGLE_LOGOUT_SERVICE is where you want the IDP to send the SAMLResponse and the user once the IDP has processed the logout SAMLRequest.

    Confirm that the container is running. This can be done one of three ways.

  3. Test logging in with the default users. The application comes with two default users. Test at least one of them with the following:

    Users
    UID | Username | Password  | Group  | Email
    ==================================================================
    1   | user1    | user1pass | group1 | user1@example.com
    2   | user2    | user2pass | group2 | user2@example.com
    

    Note: These default users do not have sufficient information to use in Competitions. Follow the next steps to complete the process if you want to use these accounts.

    To test login, log in as the administrator:

    • Click the "Authentication" tab
    • Click the "Login as administrator" link
    • Log in as admin:secret
  4. Add your users with their necessary attributes to the IDP

    • Open a CLI window for the container. This can be done via one of the following:

      1. A button or tab in Docker Desktop in the Containers/Apps list view; or
      2. Run the following command, replacing <YOUR_DOCKER_PROCESS> with your local Docker container process.
      $ docker exec -it <YOUR_DOCKER_PROCESS> /bin/sh
      
    • Edit the following file to add your users:

      /var/www/simplesamlphp/config/authsources.php

      The attribute names here should be the left-hand keys of your application's attribute_map (found in the SP application's /config/competitions_config.yml file). Add your entries to the 'example-userpass' array.

      For example:

      'abc123:secret' => array(
         'uid' => array('abc123@example.edu'),
         'eduPersonAffiliation' => array('anything'),
         'email' => 'a-cee@example.edu',
         'firstname' => 'Anthony',
         'lastname' => 'Cee',
      ),
      'def456:secret' => array(
         'uid' => array('def456@example.edu'),
         'eduPersonAffiliation' => array('anything_else'),
         'email' => 'd-frank@example.edu',
         'firstname' => 'David',
         'lastname' => 'Frank',
      ),
      

      If you want to use the default user accounts, you'll need to add firstname and lastname attributes to those entries.

      Note: We don't use eduPersonAffiliation, but you may use it to differentiate user types as needed.

      Find a list of our development users at the end of this file.
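      As an added example (not code from this wiki or the Competitions project), the Ruby below mirrors the SP's attribute_map so you can see, before restarting anything, which authsources.php entries would arrive at the SP missing a required field. The user hashes are constructed to mirror the PHP arrays on this page; the required-field list and the "take the first value" rule are assumptions about how the SP consumes the attributes, not documented project behaviour.

```ruby
# Added example, not code from this wiki or the Competitions project.
# Simulate the SP side of the attribute map to find authsources.php entries
# that would arrive at the SP without a required field.

# The SP's attribute_map from competitions_config.yml: SAML attribute => model field.
ATTRIBUTE_MAP = {
  'email'     => 'email',
  'firstname' => 'first_name',
  'lastname'  => 'last_name',
  'uid'       => 'uid',
}.freeze

# Fields the SP cannot do without (assumption, taken from the note that the
# default users need firstname and lastname added before they are usable).
REQUIRED_SP_FIELDS = %w[email first_name last_name].freeze

# Constructed users: the container's default user1 (as listed on this page)
# and one of the page's example entries, written as Ruby hashes instead of PHP.
AUTHSOURCES_USERS = {
  'user1:user1pass' => {
    'uid' => ['1'], 'eduPersonAffiliation' => ['group1'], 'email' => ['user1@example.com'],
  },
  'abc123:secret' => {
    'uid' => ['abc123@example.edu'], 'eduPersonAffiliation' => ['anything'],
    'email' => 'a-cee@example.edu', 'firstname' => 'Anthony', 'lastname' => 'Cee',
  },
}.freeze

# SimpleSAMLphp treats a scalar value and a one-element array the same way;
# normalise both to an array of strings so the map logic sees one shape.
def normalize(value)
  Array(value).map(&:to_s)
end

# Apply the attribute_map: each SAML attribute on the left becomes the model
# field on the right. Assumption: a multi-valued attribute contributes its first value.
def map_saml_attributes(saml_attrs, attribute_map = ATTRIBUTE_MAP)
  attribute_map.each_with_object({}) do |(saml_name, model_field), out|
    values = normalize(saml_attrs[saml_name])
    out[model_field] = values.first unless values.empty?
  end
end

# Required SP fields that this user's SAML attributes would leave empty.
def missing_sp_fields(saml_attrs, attribute_map = ATTRIBUTE_MAP, required = REQUIRED_SP_FIELDS)
  mapped = map_saml_attributes(saml_attrs, attribute_map)
  required.reject { |field| mapped.key?(field) && !mapped[field].strip.empty? }
end

# Audit every entry; returns { 'login:password' => [missing fields] } for incomplete ones only.
def audit_authsources(users = AUTHSOURCES_USERS)
  users.each_with_object({}) do |(login, attrs), report|
    missing = missing_sp_fields(attrs)
    report[login] = missing unless missing.empty?
  end
end

if __FILE__ == $PROGRAM_NAME
  report = audit_authsources
  puts 'all entries carry every required field' if report.empty?
  report.each { |login, missing| puts "#{login}: missing #{missing.join(', ')}" }
end
```

      Running it as a script reports user1 as missing first_name and last_name, which is the situation the note above describes; any entry you add to authsources.php can be dropped into AUTHSOURCES_USERS in the same shape to check it the same way.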

CONGRATULATIONS: You now have an IDP running in a Docker container.

You can now skip the SP section of the tutorial and do the following in your existing Rails application, which uses the devise_saml_authenticatable gem.

  1. Open a browser to the following URL to get the values you need to copy from the IDP: http://localhost:8080/simplesaml/saml2/idp/metadata.php

  2. You will need to make changes to the following config settings for devise_saml_authenticatable, wherever you've decided to keep them. For example, here is where they are stored in ARIG's Competitions application.

    /config/secrets.yml

      idp_cert: <VALUE FOUND IN SIMPLE SAML METADATA AT X509Certificate of the above metadata URL>
    

    /config/competitions_config.yml (example from ARIG's Competitions application):

       idp_entity_id: <SIMPLESAMLPHP_SP_ENTITY_ID from step 2 above>
       idp_entity_name: 'NetID'
       default_user_key: 'email'
       attribute_map:  { 'email': 'email',
                         'firstname': 'first_name',
                         'lastname': 'last_name',
                         'uid': 'uid'
                       }
       sign_out_url: "http://localhost:3000"
       assertion_consumer_service_url: 'http://localhost:3000/users/saml/auth'
       assertion_consumer_service_binding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect' # found in the above URL (SingleLogoutService Binding)
       name_identifier_format: "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"  # found in the above URL (NameIDFormat)
       issuer: <SIMPLESAMLPHP_SP_ENTITY_ID from step 2 above>
       authn_context: ''
       idp_slo_target_url: 'http://localhost:8080/simplesaml/saml2/idp/SingleLogoutService.php' # found in the above URL (SingleLogoutService:Location)
       idp_sso_target_url: 'http://localhost:8080/simplesaml/saml2/idp/SSOService.php' #  found in the above URL (SingleSignOnService:Location)
    
  3. Restart the Docker container IDP through Docker Desktop with the restart button.

  4. Restart the server for your SP.

    Stop the running server with Ctrl+C, then start it again:

    $ rails s
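    As an added example (not code from this wiki or the Competitions project), the Ruby below reads an IdP metadata document of the kind step 1 points at and pulls out the four values the config above copies by hand (idp_cert, idp_sso_target_url, idp_slo_target_url, name_identifier_format), then checks that the SP-side settings (issuer, assertion_consumer_service_url, sign_out_url) agree with the SIMPLESAMLPHP_SP_* variables the container was started with. SAMPLE_IDP_METADATA and both certificate bodies are constructed placeholders, not output from a real container; the function names are mine.

```ruby
require 'rexml/document'

# Added example, not code from this wiki or the Competitions project.
# Derive the devise_saml_authenticatable settings from IdP metadata and check
# the SP side against the container's SIMPLESAMLPHP_SP_* environment.

MD = 'urn:oasis:names:tc:SAML:2.0:metadata'
DS = 'http://www.w3.org/2000/09/xmldsig#'
NS = { 'md' => MD, 'ds' => DS }.freeze

# Constructed stand-in for http://localhost:8080/simplesaml/saml2/idp/metadata.php.
# Element names follow the SAML 2.0 metadata schema; the certificate bodies are
# base64 placeholders ("PLACEHOLDER", "ENCRYPT"), not real keys.
SAMPLE_IDP_METADATA = <<~XML
  <?xml version="1.0"?>
  <md:EntityDescriptor xmlns:md="#{MD}" xmlns:ds="#{DS}"
      entityID="http://localhost:8080/simplesaml/saml2/idp/metadata.php">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing">
        <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
          UExBQ0VI
          T0xERVI=
        </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
      </md:KeyDescriptor>
      <md:KeyDescriptor use="encryption">
        <ds:KeyInfo><ds:X509Data><ds:X509Certificate>RU5DUllQVA==</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
      </md:KeyDescriptor>
      <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="http://localhost:8080/simplesaml/saml2/idp/SingleLogoutService.php"/>
      <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="http://localhost:8080/simplesaml/saml2/idp/SSOService.php"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
XML

# Return the config values this page tells you to copy out of the metadata.
def idp_settings_from_metadata(xml)
  doc = REXML::Document.new(xml)
  idp = REXML::XPath.first(doc.root, 'md:IDPSSODescriptor', NS)
  raise 'metadata has no IDPSSODescriptor' unless idp

  # Only the signing certificate verifies SAMLResponse signatures; skip the encryption one.
  cert = REXML::XPath.first(idp, "md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
  sso  = REXML::XPath.first(idp, 'md:SingleSignOnService', NS)
  slo  = REXML::XPath.first(idp, 'md:SingleLogoutService', NS)
  fmt  = REXML::XPath.first(idp, 'md:NameIDFormat', NS)
  raise 'metadata is missing the signing certificate or a service endpoint' unless cert && sso && slo && fmt

  # The metadata wraps the base64 across lines; idp_cert wants one unbroken string.
  cert_b64 = cert.text.gsub(/\s+/, '')
  cert_b64.unpack1('m0') # strict base64 decode: raises ArgumentError on a garbled copy

  {
    'idp_cert'               => cert_b64,
    'idp_sso_target_url'     => sso.attributes['Location'],
    'idp_slo_target_url'     => slo.attributes['Location'],
    'name_identifier_format' => fmt.text.strip,
  }
end

# The SP-side values from the docker run command on this page (constructed copy).
CONTAINER_ENV = {
  'SIMPLESAMLPHP_SP_ENTITY_ID'                  => 'http://localhost:3000',
  'SIMPLESAMLPHP_SP_ASSERTION_CONSUMER_SERVICE' => 'http://localhost:3000/users/saml/auth',
  'SIMPLESAMLPHP_SP_SINGLE_LOGOUT_SERVICE'      => 'http://localhost:3000',
}.freeze

# Which SP config key must agree with which container variable. A mismatch means
# the IdP does not recognise the SP or sends the response to a URL the SP never serves.
SP_TO_ENV = {
  'issuer'                         => 'SIMPLESAMLPHP_SP_ENTITY_ID',
  'assertion_consumer_service_url' => 'SIMPLESAMLPHP_SP_ASSERTION_CONSUMER_SERVICE',
  'sign_out_url'                   => 'SIMPLESAMLPHP_SP_SINGLE_LOGOUT_SERVICE',
}.freeze

# Returns one "key: sp value != ENV=value" line per disagreement; empty when all agree.
def sp_config_mismatches(sp_config, env = CONTAINER_ENV)
  SP_TO_ENV.filter_map do |sp_key, env_key|
    sp_val, env_val = sp_config[sp_key], env[env_key]
    "#{sp_key}: #{sp_val.inspect} != #{env_key}=#{env_val.inspect}" unless sp_val == env_val
  end
end

if __FILE__ == $PROGRAM_NAME
  idp_settings_from_metadata(SAMPLE_IDP_METADATA).each { |k, v| puts "#{k}: #{v}" }
  sp = { 'issuer' => 'http://localhost:3000',
         'assertion_consumer_service_url' => 'http://localhost:3000/users/saml/auth',
         'sign_out_url' => 'http://localhost:3000' }
  problems = sp_config_mismatches(sp)
  puts(problems.empty? ? 'SP config matches the container environment' : problems)
end
```

    To use it against the live container, replace SAMPLE_IDP_METADATA with the body of the metadata URL from step 1 and fill CONTAINER_ENV from your actual docker run command. The mismatch check catches the usual cause of a failed login after a restart: the SP now announces one assertion_consumer_service_url while the container was started with another.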
    

CONGRATULATIONS: YOUR SP IS CONFIGURED.

You should now be able to log in using the users you created.


APPENDIX OF USERS

        'jd1:secret' => array(
            'uid' => array('jd1@x.edu'),
            'eduPersonAffiliation' => array('X'),
            'email' => 'j-doe@x.edu',
            'firstname' => 'John',
            'lastname' => 'Doe',
        ),

        'bz1:secret' => array(
            'uid' => array('bz1@x.edu'),
            'eduPersonAffiliation' => array('X'),
            'email' => 'b-zoom@x.edu',
            'firstname' => 'Billy',
            'lastname' => 'Zoom',
        ),

        'db1:secret' => array(
            'uid' => array('db1@x.edu'),
            'eduPersonAffiliation' => array('X'),
            'email' => 'd-bonebrake@x.edu',
            'firstname' => 'D.J.',
            'lastname' => 'Bonebrake',
        ),

        'ec1:secret' => array(
            'uid' => array('ec1@x.edu'),
            'eduPersonAffiliation' => array('X'),
            'email' => 'd-bonebrake@x.edu',
            'firstname' => 'D.J.',
            'lastname' => 'Bonebrake',
        ),

        'dy1:secret' => array(
            'uid' => array('dy1@velourunderground.org'),
            'eduPersonAffiliation' => array('vu'),
            'email' => 'd-yule@velourunderground.org',
            'firstname' => 'Doug',
            'lastname' => 'Yule',
        ),

        'jc1:secret' => array(
            'uid' => array('jc1@velourunderground.org'),
            'eduPersonAffiliation' => array('vu'),
            'email' => 'j-cale@velourunderground.org',
            'firstname' => 'John',
            'lastname' => 'Cale',
        ),

        'lr1:secret' => array(
            'uid' => array('lr1@velourunderground.org'),
            'eduPersonAffiliation' => array('vu'),
            'email' => 'l-reed@velourunderground.org',
            'firstname' => 'Lou',
            'lastname' => 'Reed',
        ),

        'mt1:secret' => array(
            'uid' => array('mt1@velourunderground.org'),
            'eduPersonAffiliation' => array('vu'),
            'email' => 'm-tucker@velourunderground.org',
            'firstname' => 'Moe',
            'lastname' => 'Tucker',
        ),

        'sm1:secret' => array(
            'uid' => array('sm1@velourunderground.org'),
            'eduPersonAffiliation' => array('vu'),
            'email' => 's-morrison@velourunderground.org',
            'firstname' => 'Sterling',
            'lastname' => 'Morrison',
        ),