Plugins/Auth/Saml: Difference between revisions
From Mahara Wiki
< Plugins | Auth
(Created page with "Authentication plugin for SAML 2.0 based SSO integration. This uses the excellent [http://rnd.feide.no/simplesamlphp SimpleSAMLPHP] software as a Service Provider. The plugin is…") |
No edit summary |
||
(10 intermediate revisions by 3 users not shown) | |||
Line 1: | Line 1: | ||
Authentication plugin for SAML 2.0 based SSO integration. This uses the excellent [ | Authentication plugin for SAML 2.0 based SSO integration. This uses the excellent [https://simplesamlphp.org/ SimpleSAMLPHP] software as a Service Provider. | ||
The plugin is | The plugin is shipped as part of core Mahara. | ||
To use / test the plugin you will need to do the following: | |||
===Have a memcached server running=== | |||
And know what the IP address / port number you can use to connect on. | |||
To install one locally (on linux) go | |||
sudo apt-get install memcached | |||
This should set you up with one running on port 11211 - to test that this is correct you can go | |||
telnet 127.0.0.1 11211 | |||
and you should get a connection | |||
===Have the php-memcached module installed=== | |||
To install it go | |||
sudo apt-get install php-memcached | |||
sudo phpenmod memcached | |||
sudo service apache2 restart | |||
===Update your config.php file so that it knows to use memcached for SAML sessions=== | |||
Add the following settings | |||
$cfg->ssphpsessionhandler = 'memcached'; | |||
$cfg->memcacheservers = '127.0.0.1:11211'; // change if your memcached server is on different IP/port | |||
===Ensure the correct SSPHP files are present=== | |||
If you are installing/using Mahara via git you will need to install the ssphp module via running the command in the parent to the htdocs directory (where the Makefile file lives) | |||
make cleanssphp && make ssphp | |||
This should remove any older version and install the latest version, via composer, for the Mahara version you are using | |||
===Ensure the plugin is active in Mahara=== | |||
Under Administration menu (wrench icon) -> Extensions -> Plugin administration. | |||
See [https://manual.mahara.org/en/18.10/administration/extensions.html#authentication-saml Manual - SAML config] for more information | |||
Click on the configuration for auth SAML (cog) icon to check that the plugin is set up correctly. | |||
Follow the 'View metadata' link to fetch the Service Provider (SP) metadata that you will need to provide to the IdPs that you wish to authenticate against. | |||
===Now we need to perform the institution level configuration=== | |||
Within each institution, add the SAML 2.0 Identity Provider: | |||
See [https://manual.mahara.org/en/18.10/administration/institutions.html#saml-authentication Manual - SAML institution config] for more information | |||
===To customise your SAML IdP Metadata=== | |||
If you site has more than one Identity Provider being used then when a user tries logging into the site via the SSO button they are taken to a 'Identity Provider discovery' page to choose which IdP they should login with. | |||
If the metadata supplied by the IdP is containing the values for | |||
* OrganizationName | |||
* OrganizationDisplayName | |||
* Logo | |||
then these will be used on the discovery page. | |||
If your IdP's metadata doesn't supply them - please ask if they can update things at their end and supply updated metadata.xml file. This will be the best option especially if you are using the metadata refresh url! | |||
If they can't (or won't) then you can add in the changes manually. To do this | |||
1) Log in as site admin and edit an institution that is using the SAML metadata | |||
2) Edit the SAML auth instance | |||
In | 3) In the 'Institution Identity Provider SAML metadata' field make the following changes | ||
a) If you want a logo image | |||
Inside the metadata.xml file: | |||
Place just before </IDPSSODescriptor> line | |||
*[[ | |||
<Extensions> | |||
<mdui:UIInfo xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"> | |||
<mdui:Logo width="120" height="30" xml:lang="en">[URL to logo]</mdui:Logo> | |||
</mdui:UIInfo> | |||
</Extensions> | |||
And update the [URL to logo] to point to a logo for the IdP reachable via the Internet, eg https://mahara.org/theme/mahara-org/images/site-logo.svg | |||
and alter height / width values if needed - a 120 x 30px png / svg image works best | |||
b) To set the provider details | |||
Place just after </IDPSSODescriptor> line | |||
<Organization> | |||
<OrganizationName xml:lang="en">[Provider name]</OrganizationName> | |||
<OrganizationDisplayName xml:lang="en">[Identity provider name]</OrganizationDisplayName> | |||
</Organization> | |||
- Change [Provider name] to the name of the organization the IdP belongs to, eg Mahara.org | |||
- Change [Identity Provider name] to the name of the IdP system, eg Mahara Single Sign On | |||
'''Note''' Depending on the way your IdP structures it's metadata you may need to prefix the new Extensions and Organization* lines with same prefix as in the </IDPSSODescriptor> line, eg if that line looks like </md:IDPSSODescriptor> then you will need to add 'md:' to the lines that don't start it | |||
==Dealing with backups to a staging server== | |||
If you have a testing/staging server that is using it's own setup of SAML for testing purposes then you will want to avoid killing it when making a backup of the site from the production instance. For example, you have this scenario: | |||
Production Mahara site with SAML ===========> Identity provider production endpoint | |||
connects to | |||
Staging / Testing Mahara site ===========> Identity provider testing endpoint | |||
or Identity provider production endpoint | |||
Then when you make your backup you want to avoid the SAML not working on the staging / testing site. To do this you will need to do the following: | |||
===Before making backup=== | |||
1) Begin with the staging / testing site working correctly - make sure you can login correctly to the Identity Provider endpoint as expected. Then make a backup of the certificate .crt and .pem files found in your dataroot directory so they won't be overwritten or deleted via an rsync, eg: | |||
cp /path/to/dataroot/certificate/server.crt /path/to/dataroot/certificate/server.crt.staging | |||
cp /path/to/dataroot/certificate/server.pem /path/to/dataroot/certificate/server.pem.staging | |||
1a) If your staging / testing site connects to a different Identity Provider than the production site then you should also backup the metadata dataroot directory /path/to/dataroot/metadata/ to put backk after the backup | |||
1b) And we need to find and save the database value for the SP Identity. It can be found via: | |||
SELECT value FROM auth_config WHERE field ='spentityid'; | |||
===After making backup=== | |||
2) When production site gets backed up to staging the best option is to get rsync to ignore the /path/to/dataroot/certificate/ and /path/to/dataroot/metadata/ directories. But if you can't do that then we need to copy the backed up files back into place, eg: | |||
cp /path/to/dataroot/certificate/server.crt.staging /path/to/dataroot/certificate/server.crt | |||
cp /path/to/dataroot/certificate/server.pem.staging /path/to/dataroot/certificate/server.pem | |||
2a) Put back the backed up staging / testing metadata if needed | |||
2b) And then we need to update the database so we have the right SP identity again. The my_SP_value will be what you got from (1b), eg: | |||
UPDATE auth_config SET value = 'my_SP_value' WHERE field ='spentityid'; | |||
That should get the SAML working again. | |||
If you hadn't made backups of those files / db information then you will need to generate the SAML certificate in the staging / testing site again via the Admin -> Extensions -> SAML configuration (admin/extensions/pluginconfig.php?plugintype=auth&pluginname=saml) and give the information at 'View metadata' to your Identity Provider again. | |||
[[Category:plugins]][[Category:Authentication Plugins]] |
Latest revision as of 09:31, 24 November 2021
Authentication plugin for SAML 2.0 based SSO integration. This uses the excellent SimpleSAMLPHP software as a Service Provider.
The plugin is shipped as part of core Mahara.
To use / test the plugin you will need to do the following:
Have a memcached server running
And know what the IP address / port number you can use to connect on.
To install one locally (on linux) go
sudo apt-get install memcached
This should set you up with one running on port 11211 - to test that this is correct you can go
telnet 127.0.0.1 11211
and you should get a connection
Have the php-memcached module installed
To install it go
sudo apt-get install php-memcached sudo phpenmod memcached sudo service apache2 restart
Update your config.php file so that it knows to use memcached for SAML sessions
Add the following settings
$cfg->ssphpsessionhandler = 'memcached'; $cfg->memcacheservers = '127.0.0.1:11211'; // change if your memcached server is on different IP/port
Ensure the correct SSPHP files are present
If you are installing/using Mahara via git you will need to install the ssphp module via running the command in the parent to the htdocs directory (where the Makefile file lives)
make cleanssphp && make ssphp
This should remove any older version and install the latest version, via composer, for the Mahara version you are using
Ensure the plugin is active in Mahara
Under Administration menu (wrench icon) -> Extensions -> Plugin administration. See Manual - SAML config for more information
Click on the configuration for auth SAML (cog) icon to check that the plugin is set up correctly.
Follow the 'View metadata' link to fetch the Service Provider (SP) metadata that you will need to provide to the IdPs that you wish to authenticate against.
Now we need to perform the institution level configuration
Within each institution, add the SAML 2.0 Identity Provider:
See Manual - SAML institution config for more information
To customise your SAML IdP Metadata
If you site has more than one Identity Provider being used then when a user tries logging into the site via the SSO button they are taken to a 'Identity Provider discovery' page to choose which IdP they should login with.
If the metadata supplied by the IdP is containing the values for
- OrganizationName
- OrganizationDisplayName
- Logo
then these will be used on the discovery page.
If your IdP's metadata doesn't supply them - please ask if they can update things at their end and supply updated metadata.xml file. This will be the best option especially if you are using the metadata refresh url!
If they can't (or won't) then you can add in the changes manually. To do this
1) Log in as site admin and edit an institution that is using the SAML metadata
2) Edit the SAML auth instance
3) In the 'Institution Identity Provider SAML metadata' field make the following changes
a) If you want a logo image Inside the metadata.xml file:
Place just before </IDPSSODescriptor> line
<Extensions> <mdui:UIInfo xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"> <mdui:Logo width="120" height="30" xml:lang="en">[URL to logo]</mdui:Logo> </mdui:UIInfo> </Extensions>
And update the [URL to logo] to point to a logo for the IdP reachable via the Internet, eg https://mahara.org/theme/mahara-org/images/site-logo.svg and alter height / width values if needed - a 120 x 30px png / svg image works best
b) To set the provider details
Place just after </IDPSSODescriptor> line
<Organization> <OrganizationName xml:lang="en">[Provider name]</OrganizationName> <OrganizationDisplayName xml:lang="en">[Identity provider name]</OrganizationDisplayName> </Organization>
- Change [Provider name] to the name of the organization the IdP belongs to, eg Mahara.org
- Change [Identity Provider name] to the name of the IdP system, eg Mahara Single Sign On
Note Depending on the way your IdP structures it's metadata you may need to prefix the new Extensions and Organization* lines with same prefix as in the </IDPSSODescriptor> line, eg if that line looks like </md:IDPSSODescriptor> then you will need to add 'md:' to the lines that don't start it
Dealing with backups to a staging server
If you have a testing/staging server that is using it's own setup of SAML for testing purposes then you will want to avoid killing it when making a backup of the site from the production instance. For example, you have this scenario:
Production Mahara site with SAML ===========> Identity provider production endpoint connects to Staging / Testing Mahara site ===========> Identity provider testing endpoint or Identity provider production endpoint
Then when you make your backup you want to avoid the SAML not working on the staging / testing site. To do this you will need to do the following:
Before making backup
1) Begin with the staging / testing site working correctly - make sure you can login correctly to the Identity Provider endpoint as expected. Then make a backup of the certificate .crt and .pem files found in your dataroot directory so they won't be overwritten or deleted via an rsync, eg:
cp /path/to/dataroot/certificate/server.crt /path/to/dataroot/certificate/server.crt.staging cp /path/to/dataroot/certificate/server.pem /path/to/dataroot/certificate/server.pem.staging
1a) If your staging / testing site connects to a different Identity Provider than the production site then you should also backup the metadata dataroot directory /path/to/dataroot/metadata/ to put backk after the backup
1b) And we need to find and save the database value for the SP Identity. It can be found via:
SELECT value FROM auth_config WHERE field ='spentityid';
After making backup
2) When production site gets backed up to staging the best option is to get rsync to ignore the /path/to/dataroot/certificate/ and /path/to/dataroot/metadata/ directories. But if you can't do that then we need to copy the backed up files back into place, eg:
cp /path/to/dataroot/certificate/server.crt.staging /path/to/dataroot/certificate/server.crt cp /path/to/dataroot/certificate/server.pem.staging /path/to/dataroot/certificate/server.pem
2a) Put back the backed up staging / testing metadata if needed
2b) And then we need to update the database so we have the right SP identity again. The my_SP_value will be what you got from (1b), eg:
UPDATE auth_config SET value = 'my_SP_value' WHERE field ='spentityid';
That should get the SAML working again.
If you hadn't made backups of those files / db information then you will need to generate the SAML certificate in the staging / testing site again via the Admin -> Extensions -> SAML configuration (admin/extensions/pluginconfig.php?plugintype=auth&pluginname=saml) and give the information at 'View metadata' to your Identity Provider again.