Document by K. Sharp
Make sure the web server has a valid SSL certificate. See https://uit.stanford.edu/service/ssl for more information. If you are setting this up on your development machine, make sure that the machine is registered to Stanford.
    SetEnv SIMPLESAMLPHP_CONFIG_DIR /Users/irinaz/Sites/siepr/simplesamlphp/config
    Alias /simplesaml /Users/irinaz/Sites/siepr/simplesamlphp/www
    <Directory /Users/irinaz/Sites/siepr/simplesamlphp/www>
        <IfModule !mod_authz_core.c>
            Order allow,deny
            Allow from all
        </IfModule>
    </Directory>
and add the following to the bottom of the file:
    $metadata['https://idp.stanford.edu/'] = array(
        'name' => array(
            'en' => 'Stanford University WebLogin',
        ),
        'description' => 'Stanford University WebAuth',
        'SingleSignOnService' => 'https://login.stanford.edu/idp/profile/SAML2/Redirect/SSO',
        'certFingerprint' => '2b:41:a2:66:6a:4e:3F:40:c6:30:55:6a:1f:ec:c3:e3:0b:ce:ee:8f',
    );
Newer configurations should use certData instead of certFingerprint.
In the "default-sp" section, change
    'idp' => null,
to
    'idp' => 'https://idp.stanford.edu/',
and add the following:
    'privatekey' => 'saml.pem',
    'certificate' => 'saml.crt',
    'authproc' => array(
        20 => 'saml:NameIDAttribute',
    ),
7a. Make sure the following config options are set:
    'baseurlpath' => 'https://<YOUR WEB SERVER HOSTNAME>.stanford.edu/simplesaml/',
    'certdir' => '/<YOUR SIMPLESAMLPHP LOCATION>/simplesamlphp/cert/',
    'metadatadir' => '/<YOUR SIMPLESAMLPHP LOCATION>/simplesamlphp/metadata/',
    'attributenamemapdir' => '/<YOUR SIMPLESAMLPHP LOCATION>/simplesamlphp/attributemap/',
    'loggingdir' => '/<YOUR SIMPLESAMLPHP LOCATION>/simplesamlphp/log/',
    'datadir' => '/<YOUR SIMPLESAMLPHP LOCATION>/simplesamlphp/data/',
7b. Change auth.adminpassword to something better than the default "123".
7c. Change secretsalt from its default value by following the instructions in config.php.
7d. Change technicalcontact_name and technicalcontact_email to your name and email address.
7e. Change timezone to 'America/Los_Angeles'.
7f. Change "enable.saml20-idp" to true
7g. Replace the "authproc.sp" section with the following:
    'authproc.sp' => array(
        10 => array(
            'class' => 'core:AttributeMap',
            'removeurnprefix',
            'oid2name',
        ),
        20 => array(
            'class' => 'authorize:Authorize',
            // Use a regular expression to define which workgroup members can log in.
            // This example lets in anyone from earthsci:web-authors or earthsci:web-developers;
            // make sure that you use the correct workgroup here.
            'eduPersonEntitlement' => array(
                '/earthsci:(web-authors|web-developers)/',
            ),
        ),
        // Adopts language from attribute to use in UI
        90 => 'core:LanguageAdaptor',
    ),
7h. It is recommended that you do not use "store.type" => "phpsession".
If PHP on your server includes memcache, change "store.type" => "memcache" and (other memcache configuration TBD).
Otherwise, change
"store.type" => "sql",
and set store.sql.dsn, store.sql.username, and store.sql.password to access your Drupal database.
11. For Drupal 7.x, install the simplesamlphp_auth module. For integration with SPDB, use the stanford_ssp module.
For Drupal 8.x, install the simplesamlphp_auth and externalauth modules.
12. Configure simplesamlphp_auth
Check "Activate".
Leave default-sp as the authentication source.
Change the login text to "Stanford WebLogin".
Check "Register Users (auto provisioning)".
Uncheck "Allow SAML users to set Drupal passwords" under Local Authentication.
Check "Allow authentication with local Drupal accounts" and restrict it to the administrator role and/or user 1.
Optionally, set the URL to go to after logging out.
Under "User Info and Syncing":
Use "displayName" as the attribute for the user's name.
Use "urn:mace:dir:attribute-def:uid" as the attribute for the user's unique identifier (SUNet ID).
Use "mail" for the user's mail address.
Check "synchronize user name on every login".
Check "synchronize user email on every login".
Set automatic role population like: "web_author:eduPersonEntitlement,=,earthsci:web-authors|web_developer:eduPersonEntitlement,=,earths:web-developer"
Check "reevaluate roles every time user logs in".
Uncheck "Automatically enable SAML authentication for existing users".
Additional feature: mapping roles to groups
In the Stanford SSP module, uncheck the button.
User Info and Syncing Tab for SimpleSAMLPHP Auth Settings:
Automatic role population field:
subsite_editor:eduPersonEntitlement,=,earthsci:webdev|staff:suAffiliation,=,stanford:staff|faculty:suAffiliation,=,stanford:faculty|postdoc:suAffiliation,=,stanford:student:postdoc|student:suAffiliation,=,stanford:student
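To dry-run that rule string against a user's SAML attributes before switching it on, the following Python re-implementation of the exact-match ("=") evaluation is added here as an example; it is not the simplesamlphp_auth module's own code. It models only the rule syntax shown on this page (rules separated by "|", each "role:attribute,=,value"), not the module's other operators or multi-condition rules, and the two attribute sets are constructed, not real accounts.

```python
from typing import Dict, List, Set, Tuple

# Rule string exactly as entered in the "Automatic role population" field above.
ROLE_RULES = (
    "subsite_editor:eduPersonEntitlement,=,earthsci:webdev"
    "|staff:suAffiliation,=,stanford:staff"
    "|faculty:suAffiliation,=,stanford:faculty"
    "|postdoc:suAffiliation,=,stanford:student:postdoc"
    "|student:suAffiliation,=,stanford:student"
)

# Constructed attribute sets (multi-valued, as SimpleSAMLphp delivers them). Not real accounts.
STAFF_EDITOR = {
    "uid": ["jdoe"],
    "eduPersonEntitlement": ["earthsci:webdev", "earthsci:web-authors"],
    "suAffiliation": ["stanford:staff"],
}
POSTDOC = {
    "uid": ["asmith"],
    "eduPersonEntitlement": ["earthsci:web-authors"],
    "suAffiliation": ["stanford:student:postdoc", "stanford:student"],
}

Rule = Tuple[str, str, str, str]  # (drupal_role, saml_attribute, operator, value)


def parse_rules(rules: str) -> List[Rule]:
    """Split 'role:attr,=,value|role:attr,=,value' into tuples.

    The value may itself contain ':' (e.g. stanford:student:postdoc), so the role is
    split off at the first ':' only and the expression at its first two ','.
    """
    parsed = []
    for raw in filter(None, rules.split("|")):
        role, _, expression = raw.partition(":")
        attr, op, value = expression.split(",", 2)
        if op != "=":  # only the exact-match operator on this page is modelled
            raise ValueError(f"unsupported operator {op!r} in rule {raw!r}")
        parsed.append((role.strip(), attr.strip(), op, value.strip()))
    return parsed


def roles_for(attributes: Dict[str, List[str]], rules: str) -> Set[str]:
    """Drupal roles the user receives: '=' matches when ANY value of the attribute equals the rule value."""
    return {role for role, attr, _, value in parse_rules(rules)
            if value in attributes.get(attr, [])}


def unmatched_roles(attributes: Dict[str, List[str]], rules: str) -> List[str]:
    """Roles whose rule matched nothing for this user, in rule order (a mistyped workgroup shows up here)."""
    granted = roles_for(attributes, rules)
    return [role for role, *_ in parse_rules(rules) if role not in granted]


if __name__ == "__main__":
    for name, attrs in (("staff editor", STAFF_EDITOR), ("postdoc", POSTDOC)):
        print(name, sorted(roles_for(attrs, ROLE_RULES)), "unmatched:", unmatched_roles(attrs, ROLE_RULES))
```

Note that "stanford:student" only matches a user whose suAffiliation carries that exact value; a user with only "stanford:student:postdoc" would not receive the student role under "=".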
The following files are used in configuration: