
SimpleSAMLphp Implementation Notes

Greg Clapp edited this page Jul 9, 2018 · 7 revisions

Implementation Notes

NOTE: As of 7/5/2018, this has not been merged into master and exists only in branch POWR-238b for proof of concept purposes. http://powr-238c-portlandor.pantheonsite.io/simplesaml

The SimpleSAMLphp admin password is stored as a Terminus secret and may be retrieved using the Terminus Secrets plugin. Use the command "terminus secrets:show portlandor.powr-238c simplesaml_adminpassword". The Terminus Secrets plugin must be installed locally and a machine token installed. Additionally, the Secrets plugin requires port 2222, which is currently blocked on the Rose network. It is necessary to use the Guest wireless network or other network to retrieve this secret.

Installation

There are two components in this implementation, the SimpleSAMLphp application and the simplesamlphp_auth module for D8.

The SimpleSAMLphp app is installed and managed using Composer in the /vendor directory (composer require simplesamlphp/simplesamlphp). A symlink has been created at /web/simplesaml and added to the repo to provide web access to the app.

web/simplesaml -> ../vendor/simplesamlphp/simplesamlphp/www

The simplesamlphp_auth module is installed using Composer. NOTE: the module is not currently enabled by default, due to some issues that may occur if the admin password and secret salt values have not been added using the Terminus Secrets plugin in the environment.

Configuration

SimpleSAMLphp

The SimpleSAMLphp config files are located at /web/private/simplesamlphp/config, not directly in /vendor/simplesaml/simplesaml. A post-install script in composer.json is used to create a symlink to the private config file directory.

There are two configuration files in use: config.php and authsources.php.

/web/private/simplesamlphp/config/config.php

This is the main config file for the app. It is also referenced by the simplesamlphp_auth module. The custom entries in this file were derived from this Pantheon installation guide: https://pantheon.io/docs/shibboleth-sso/.

There are a number of customizations at the top of the file. They are noted in the PHP comments. There is also a function _get_simplesaml_secrets, which retrieves the secrets stored by the Terminus Secrets plugin at /web/private/secrets.json and stores them in the array $secrets. This is done so that secrets are not stored in a config file in the repo.

The secrets required by SimpleSAMLphp are:

  • simplesaml_adminpassword
  • simplesaml_secretsalt

To retrieve the values of the secrets from the command line, use the command "terminus secrets:show portlandor.powr-238b simplesaml_adminpassword". In this example, portlandor.powr-238b is the environment (could be portlandor.test). The Terminus Secrets plugin must be installed locally to access the secrets commands.

The following additional config settings are prescribed by Pantheon:

'baseurlpath' => 'https://'. $host .':443/simplesaml/', // SAML should always connect via 443
'certdir' => 'cert/',
'loggingdir' => $_ENV['HOME'] . '/files/private/log/',
'datadir' => 'data/',
'tempdir' => $_ENV['HOME'] . '/tmp/simplesaml',
// Your $config array continues for a while...
// until we get to the "store.type" value, where we put in DB config...
'store.type' => 'sql',
'store.sql.dsn' => 'mysql:host='. $db['host'] .';port='. $db['port'] .';dbname='. $db['database'],
'store.sql.username' => $db['username'],
'store.sql.password' => $db['password'],

NOTE: For the "baseurlpath" value, Pantheon says that port 443 must be used in the path, but that will break in our environments.

In addition, the following settings are used: the first two retrieve their values from the $secrets array, and the last two keep the SimpleSAMLphp admin pages protected by password:

'secretsalt' => $secrets['simplesaml_secretsalt'],
'auth.adminpassword' => $secrets['simplesaml_adminpassword'],
'admin.protectindexpage' => true,
'admin.protectmetadata' => true,
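A worked version of the secrets-loading pattern described above (the _get_simplesaml_secrets function and the secret-dependent config entries), written here as an added example and not the project's own config.php. It assumes secrets.json is a flat JSON object keyed by secret name at /web/private/secrets.json, and it fails closed so the app never starts with an empty admin password or secret salt.

```php
<?php
// Added example (not the project's code). Assumed layout: a flat JSON
// object keyed by secret name, as the page describes for secrets.json.

/**
 * Read the Terminus secrets file and return only the keys SimpleSAMLphp
 * needs. Throws if the file is unreadable, is not valid JSON, or any
 * required secret is missing or empty, so a misconfigured environment
 * fails loudly instead of running with a blank password or salt.
 */
function _get_simplesaml_secrets(string $path = '/web/private/secrets.json'): array {
    $required = ['simplesaml_adminpassword', 'simplesaml_secretsalt'];

    if (!is_readable($path)) {
        throw new RuntimeException("Secrets file not readable: $path");
    }
    $decoded = json_decode((string) file_get_contents($path), true);
    if (!is_array($decoded)) {
        throw new RuntimeException('Secrets file is not a JSON object: ' . json_last_error_msg());
    }

    $secrets = [];
    foreach ($required as $name) {
        // Reject missing, non-string, or empty values: admin.protectindexpage
        // and admin.protectmetadata only help if the admin password is set,
        // and everything SimpleSAMLphp derives from secretsalt depends on it.
        if (!isset($decoded[$name]) || !is_string($decoded[$name]) || $decoded[$name] === '') {
            throw new RuntimeException(
                "Required secret '$name' is missing or empty; add it with the Terminus Secrets plugin."
            );
        }
        $secrets[$name] = $decoded[$name];
    }
    return $secrets;
}

$secrets = _get_simplesaml_secrets();

// The secret-dependent part of $config, matching the entries shown above.
$config = [
    'secretsalt' => $secrets['simplesaml_secretsalt'],
    'auth.adminpassword' => $secrets['simplesaml_adminpassword'],
    'admin.protectindexpage' => true,
    'admin.protectmetadata' => true,
];
```

Because the exception is thrown at config load time, a deployment whose secrets were never set fails at the first SimpleSAMLphp request rather than exposing an unprotected admin page.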

/web/private/simplesamlphp/config/authsources.php

No customizations have currently been made to this file. Even though it uses all default values, it must be included, or the app will break. Further configuration may be necessary here.

App Configuration

The app has not yet been configured to work with ADFS.

simplesamlphp_auth Module

The module is configurable through the Drupal 8 admin UI. No configuration has been done yet here.