...
In this tutorial, we will set up a simple Service Provider, written in PHP, and connect it to the SURFconext infrastructure, using the SimpleSAMLphp product.
The tutorial assumes you are using a Linux environment; however, there is no reason to assume that this approach won't work on different operating systems that support PHP.
...
- The resulting private key (saml.key) and certificate (saml.crt) need to be placed in the cert/ subdirectory in the SimpleSAMLphp root (/var/simplesaml).
The configuration thus becomes:
```php
<?php
$config = [
    // This is an authentication source which handles SimpleSAMLphp admin authentication.
    'admin' => [
        'core:AdminPassword',
    ],
    // An authentication source which can authenticate against SURFconext
    'default-sp' => [
        'saml:SP',
        'privatekey' => 'saml.key',
        'certificate' => 'saml.crt',
        'idp' => 'https://engine.test.surfconext.nl/authentication/idp/metadata',
        // The entries below are all OPTIONAL but RECOMMENDED to tell SURFconext
        // some details about your service.
        'name' => [
            'en' => 'Name of the Service',
            'nl' => 'Naam van de Dienst',
        ],
        'description' => [
            'en' => 'Description of the Service',
            'nl' => 'Omschrijving van de dienst',
        ],
    ],
];
```
Be aware of the environment your IdP lives in. In the example above, the test environment of SURFconext is used. A common mistake is to try to connect to the test environment of SURFconext while using the production environment's link. You can find the right entityID inside the metadata for each environment:
...
```php
<?php
$metadata['https://engine.test.surfconext.nl/authentication/idp/metadata'] = [
    'name' => [
        'en' => 'SURFconext test',
        'nl' => 'SURFconext test',
    ],
    'SingleSignOnService' => 'https://engine.test.surfconext.nl/authentication/idp/single-sign-on/key:20190208',
    'certificate' => 'engineblock.test.surfconext.nl.20190208.pem',
    // Convert OID-formatted attributes from the SAML assertion to LDAP-style names,
    // so they will be available as 'mail' and 'displayName'.
    'authproc' => [
        50 => [
            'class' => 'core:AttributeMap',
            'oid2name',
        ],
    ],
];
```
The .pem file is placed under the cert/ directory and contains the SAML signing certificate of the IdP; you can download it from https://metadata.test.surfconext.nl/ under "Assertion signing certificate".
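As an added check that is not part of this tutorial or of SimpleSAMLphp, the script below loads the SP authsource and the IdP remote metadata shown above and reports the mismatches that typically break the login, including the environment mix-up described in the note. It assumes the standard SimpleSAMLphp layout under /var/simplesaml (config/authsources.php and metadata/saml20-idp-remote.php), which this page only names in part.

```php
<?php
// Added consistency check, not part of the SURFconext tutorial or SimpleSAMLphp.
// Assumes the standard SimpleSAMLphp layout under /var/simplesaml.
declare(strict_types=1);

/** Return the problems found; an empty array means authsource and IdP metadata agree. */
function checkSurfconextSetup(array $authsources, array $idpMetadata, string $certDir): array
{
    $problems = [];
    $sp = $authsources['default-sp'] ?? null;
    if ($sp === null || ($sp[0] ?? '') !== 'saml:SP') {
        return ['authsources.php has no saml:SP source named default-sp'];
    }
    // SP key and certificate must exist in cert/, where the tutorial puts them.
    foreach (['privatekey', 'certificate'] as $key) {
        $file = $certDir . '/' . ($sp[$key] ?? '');
        if (empty($sp[$key]) || !is_file($file)) {
            $problems[] = "SP $key '$file' is missing";
        }
    }
    // The 'idp' entityID must be a key in saml20-idp-remote.php, or SimpleSAMLphp
    // has no SingleSignOnService endpoint and no signing certificate for it.
    $idp = $sp['idp'] ?? '';
    if (!isset($idpMetadata[$idp])) {
        $problems[] = "IdP '$idp' is not listed in saml20-idp-remote.php";
        return $problems;
    }
    $meta = $idpMetadata[$idp];
    // Catch the environment mix-up from the note above: the SSO endpoint must be on
    // the same host as the entityID (test with test, production with production).
    $entityHost = parse_url($idp, PHP_URL_HOST);
    $ssoHost = parse_url((string) ($meta['SingleSignOnService'] ?? ''), PHP_URL_HOST);
    if ($entityHost !== $ssoHost) {
        $problems[] = "SingleSignOnService host '$ssoHost' differs from entityID host '$entityHost'";
    }
    // The IdP signing certificate referenced by 'certificate' must be in cert/ too.
    $pem = $certDir . '/' . ($meta['certificate'] ?? '');
    if (empty($meta['certificate']) || !is_file($pem)) {
        $problems[] = "IdP signing certificate '$pem' is missing";
    }
    return $problems;
}

require '/var/simplesaml/config/authsources.php';         // defines $config
require '/var/simplesaml/metadata/saml20-idp-remote.php'; // defines $metadata
foreach (checkSurfconextSetup($config, $metadata, '/var/simplesaml/cert') as $problem) {
    echo "PROBLEM: $problem\n";
}
```

Run it from the SimpleSAMLphp host before registering the SP; no output means the two files reference each other consistently and every certificate file is in place.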
...
Next, we need to add the SP to SURFconext. SURFnet doesn't allow just anyone to connect directly to its production platform. To register, put the metadata URL (https://mfsp.example.org/simplesaml/module.php/saml/sp/metadata.php/default-sp) in the SP Dashboard form, fill it out and publish the entity to TEST.
If not using the SP dashboard, send an email to support@surfconext.nl.
...
When visiting this script, you will now be required to log on via SURFconext.
Further configuration
We recommend you consider Securing your simpleSAMLphp setup.
That's all folks!
Please direct any questions or comments about this document to support@surfconext.nl.