Updating Valghalla and setting up SSO
Updating Valghalla to latest tag.
Instructions can be found here.
Installing SimpleSAMLPHP
Download the latest available version from here:
wget -O /var/simplesamlphp.tar.gz https://simplesamlphp.org/download?latest
Extract the archive, delete it, and move into it:
cd /var
tar -zxvf simplesamlphp.tar.gz
rm simplesamlphp.tar.gz
cd simplesamlphp
config.php configuration
vim config/config.php
- baseurlpath:
  'baseurlpath' => 'simplesaml/',
- technicalcontact_email:
  'technicalcontact_email' => 'sysadmin@bellcom.dk',
- timezone:
  'timezone' => 'Europe/Copenhagen',
- secretsalt: make sure you generate one with this command:
  LC_CTYPE=C tr -c -d '0123456789abcdefghijklmnopqrstuvwxyz' </dev/urandom | dd bs=32 count=1 2>/dev/null;echo
  Example:
  'secretsalt' => 'q6p9xdc0le2pjfvc2ad155woufulaiii',
- auth.adminpassword: make sure you generate a hash with this command. Also remember to save this password somewhere safe:
  bin/pwgen.php
  Example:
  'auth.adminpassword' => '$2y$10$XS3HmEQ9nMjW0S0k3CKuueCx/rpqXattdl5fx7vtV6Rs5PYmNYhTO',
- logging.level:
  'logging.level' => SimpleSAML\Logger::DEBUG,
- store.type:
  'store.type' => 'memcache',
Apache config
SetEnv SIMPLESAMLPHP_CONFIG_DIR /var/simplesamlphp/config
Alias /simplesaml /var/simplesamlphp/www
<Directory /var/simplesamlphp/www>
    <IfModule !mod_authz_core.c>
        # For Apache 2.2:
        Order allow,deny
        Allow from all
    </IfModule>
    <IfModule mod_authz_core.c>
        # For Apache 2.4:
        Require all granted
    </IfModule>
</Directory>
php_admin_value open_basedir /var/www/website.com:/usr/share/php:/var/simplesamlphp
Remember to change according to your site, then run this command:
systemctl restart apache2
Metadata
We'll generate this in [url]/simplesaml/admin/metadata-converter.php
Check the metadata titles. The IdP would usually be saml20-idp-remote, and if you don't have a hosted SP, then that would be something like saml20-sp-remote. The files you're looking for are in metadata/, called saml20-idp-remote.php and saml20-sp-remote.php.
Paste the $metadata arrays into those files.
Authsources
We need to define authentication sources now.
vim config/authsources.php
If we have a remote SP and IdP, get the entity-id of the IdP and paste it at 'idp' => null.
Example:
'idp' => 'https://serviceprovider.remote.com/thingie',
If we have our own SP, find the SP profile you created earlier and put the IdP in (example above).
To find the entity-id of the SP, go here: [website]/simplesaml/module.php/core/frontpage_federation.php and find your SP. That will be the entity id to paste into your entity-id in your SP.
Example:
https://website.com/simplesaml/module.php/saml/sp/metadata.php/custom-sp
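A complete SP entry for config/authsources.php, as an added example that is not from the original page or the Valghalla project. It assumes the SP is called custom-sp on https://website.com, that its key pair lives in cert/, and that the IdP entity ID shown is a placeholder to be replaced with the one from metadata/saml20-idp-remote.php.

```php
<?php
// config/authsources.php (added example, not the page's own file).
$config = [
    // Login for /simplesaml/admin, checked against auth.adminpassword in config.php.
    'admin' => [
        'core:AdminPassword',
    ],

    // Name of this source must match "Authentication source for this SP"
    // in the Drupal simplesamlphp_auth settings.
    'custom-sp' => [
        'saml:SP',

        // Entity ID of this SP; this is the value listed on
        // module.php/core/frontpage_federation.php for the SP.
        'entityID' => 'https://website.com/simplesaml/module.php/saml/sp/metadata.php/custom-sp',

        // Entity ID of the IdP as it appears in metadata/saml20-idp-remote.php.
        // Placeholder value (assumption): replace with the real IdP entity ID.
        'idp' => 'https://idp.example.org/saml2/idp/metadata.php',

        // No discovery service: users are always sent to the single IdP above.
        'discoURL' => null,

        // Key pair (relative to cert/) used to sign AuthnRequests and to decrypt
        // assertions the IdP encrypts for this SP. File names are assumptions.
        'privatekey' => 'custom-sp.pem',
        'certificate' => 'custom-sp.crt',
        'sign.authnrequest' => true,
    ],
];
```

After saving, the SP's metadata for the IdP operator is served from the entityID URL above, and the frontpage_federation page should list custom-sp with that exact entity ID.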
Drupal configuration
First, we need to install and enable the simplesaml module:
drush en simplesamlphp_auth # This might be wrong, maybe use composer?
Then go to [website]/admin/config/people/simplesamlphp_auth
- Check "Activate authentication via SimpleSAMLphp"
- Check "Force https for login links"
- Make sure "Authentication source for this SP (default: default-sp)" points to the right SP
- "Which attribute from simpleSAMLphp should be used as user's name *":
- "Which attribute from simpleSAMLphp should be used as unique identifier for the user *":
- "Which attribute from simpleSAMLphp should be used as user mail address":
- Check "Register users (i.e., auto-provisioning)" (under User Provisioning)
- Check "Allow SAML users to set Drupal passwords." (under Drupal Authentication)
- Check "Allow authentication with local Drupal accounts"
- "Which ROLES should be allowed to login with local accounts?": choose roles
- "Which users should be allowed to login with local accounts?": 1
- "Optionally, specify a URL for users to go to after logging out": usually just the frontpage or login.
- Save settings
And you're done!