
SimpleSAMLphp 1.4 SP Installation on Linux

Installation
Download SimpleSAMLphp from Google Code, then extract the file 'simplesamlphp_1_4.zip':
unzip simplesamlphp_1_4.zip -d /opt/
Go to the /opt directory and change the owner of the simplesamlphp_1_4 directory to www-data:www-data (or whatever account your Apache web server runs under):
cd /opt
chown www-data:www-data -R simplesamlphp_1_4
Create an Alias in Apache. Open the Apache configuration file for your website (e.g. /etc/apache2/sites-available/default-ssl) and add the following before the </VirtualHost> line for port 443:
Alias /simplesaml /opt/simplesamlphp_1_4/www
and restart Apache, e.g.:
/etc/init.d/apache2 restart
Configuration
Go to the /opt/simplesamlphp_1_4 directory and copy the template configuration files as follows:
cp -p config-templates/config.php config/config.php
cp -p metadata-templates/saml20-sp-hosted.php metadata/saml20-sp-hosted.php
cp -p metadata-templates/saml20-idp-remote.php  metadata/saml20-idp-remote.php
Go to the config folder and open config.php:
find the text 'auth.adminpassword' and set a new password;
find the text 'enable.saml20-sp' and check that the value is set to 'true'.
The file saml20-sp-hosted.php is used to generate the metadata that describes your SP to other IdPs.
Go to /opt/simplesamlphp_1_4/metadata and open saml20-sp-hosted.php, which by default generates metadata automatically on the fly. The file initially looks like this:
<?php
$metadata = array(
        '__DYNAMIC:1__' => array(
                'host'  => '__DEFAULT__'
        )
);
?>
Change it to static values, and don't forget to replace YOUR_HOST and YOUR_HOST_SHORT with your correct values.
For example, if you work on moodle.heanet.ie, the value of YOUR_HOST will be moodle.heanet.ie and YOUR_HOST_SHORT will be moodle.
<?php
$metadata = array(
        'https://YOUR_HOST/simplesaml' => array(
                'host'  => 'YOUR_HOST',
                // File names relative to /opt/simplesamlphp_1_4/cert/
                'certificate' => 'YOUR_HOST.crt',
                'privatekey'  => 'YOUR_HOST.key',
                // PHP booleans, not the string 'TRUE'
                'redirect.sign' => true,
                'redirect.validate' => true,
                // Passphrase protecting YOUR_HOST.key
                'privatekey_pass' => 'MySSLCertKeyPassword',
        )
);
?>
As you can see from the above, a certificate and key are needed to sign and validate the messages sent between your SP and other IdPs.
HEAnet's Server Certificate Service (SCS) can be used to obtain a signed certificate for this purpose. You will find instructions on how to generate a Certificate Signing Request (CSR) on the SCS website.
Once you have obtained a certificate, save the certificate (and its associated key) into the directory /opt/simplesamlphp_1_4/cert/ and edit saml20-sp-hosted.php, replacing YOUR_HOST.crt and YOUR_HOST.key with the correct file names.
You must define an entityID for your SP; this is the name by which other IdPs will refer to your SP. By convention, the entityID should be a URL that resolves to your metadata, e.g. https://YOUR_HOST/simplesaml/sp/saml2/metadata.php
Metadata
Register your SP's metadata within the Edugate federation. If you are registering from an institution that operates an IdP within the federation, go to the Edugate Resource Registry and log in. If you find that you are not an approved resource admin, the Resource Registry Administrator for your organisation will be notified after your attempted login and will either approve you as a Resource Administrator or request your SP's metadata and register your SP on your behalf (your metadata should be available at https://YOUR_HOST/simplesaml/sp/saml2/metadata.php).
If you are authorised to register your metadata, you will need to complete all fields in the Resource Registry (follow the 'Add a new resource description' link). You must declare which attributes from the Edugate schema you Require and Desire, so that other IdPs can decide what attributes to release to your service.
If your service is not owned by an organisation that is an identity provider in the Edugate federation, you will need to register as a federation partner; an existing identity provider within the Edugate federation can sponsor you as a federation partner and add your metadata to the federation on your behalf.
Once you have registered within the Resource Registry, you can configure your SP to accept federated logins from IdPs in the Edugate federation. You will need to add the federation metadata as a trusted source of IdPs in simpleSAMLphp. The Edugate federation metadata is available at https://edugate-pilot.heanet.ie. Use this URL when following the automated-metadata instructions.
Attributes
You do not need to configure attribute filters in simpleSAMLphp, as the automated metadata management (described above) will control your attribute requirements through the Edugate Resource Registry.

Who is Edugate for?

Edugate provides a single access mechanism that can enable access to online resources supporting alliances, research collaboration, consortia and shared services. Now users can use the credentials issued by their institution to access Edugate enabled web-sites and benefit from a personalised and persistent experience, with privacy features that put the user in control.

Enable users to use the campus directory credential to access Edugate enabled web sites beyond the campus boundary from anywhere, whilst protecting the campus directory from unnecessary searches and the user credentials from use on web sites beyond your control.

Your patrons are individuals, not IP Addresses!
Enable publishers to provide users with a consistent and personalised experience regardless of their location or the device they are using.
Improve the end-user experience by providing Single-Sign-On and reducing the frequency of prompts for campus credentials.
Connect your patrons to your subscribed resources, regardless of where the user performs their search.

Restrict access to your club or society web-site to valid campus users without needing the campus IT department to provide you with access to the entire campus user database.
For student unions, Edugate enables online elections that can authenticate all students currently enrolled without needing to expose campus credentials or personal information.

Example: UL Students Union

Provide your suppliers with a means to interact with all campus members. Whether it's parking management, physical access management, catering or sports facilities, Edugate can provide a secure means to validate staff and student status. Access cards or tokens can be issued online in a self-service manner, removing some, if not all, of the paperwork.

Example: Apcoa Parking Management

When establishing any online service that will be used by multiple institutions, Edugate will provide a means to authorise access to the service by user, role or institution without having to issue usernames/passwords or other credentials to the users of the service.
Most research projects are collaborations and when it comes to hosting collaborative tools or sharing documents and data, Edugate enables the hosting partner to seamlessly grant access to the project content.

Example: NDLR Repository
Example: HEAR and DARE

Campus IT managers and IT security officers are increasingly reluctant to synchronise user credentials or open up campus directory services to applications that are hosted in the cloud. Even locally hosted managed applications that require the campus credential to be processed by the application present a security risk. Edugate is built on the open SAML federated access standard that is used in financial services, aerospace and government eID, and provides Single-Sign-On without the risks.

e-Government
Whether it's a central or local government service that needs to validate that a student is a current student, Edugate can open up the potential for numerous e-Government services for students (e.g. Grants and Tax Credits).

e-Commerce
When offering a student discount online, relying on a campus email address leaves the offer open to abuse since many institutions offer 'email for life'. Edugate will allow you to know if a customer is a current student and which institution the customer is affiliated to.