How To Configure SSO in Apache using SimpleSAMLphp, AD FS on CentOS, RHEL8

This tutorial will show you how to configure single sign-on (SSO) in Apache using Active Directory Federation Service (AD FS) and SimpleSAMLphp on CentOS, RHEL 8 Linux.
 
Single sign-on (SSO) is a property of access control of multiple related, yet independent, software systems. With this property, a user logs in with a single ID and password to gain access to a connected system or systems without using different usernames or passwords, or in some configurations seamlessly sign on at each system. 
 
Apache is the most widely-used web server in the world. It provides many powerful features including dynamically loadable modules, robust media support, and extensive integration with other popular software. 
 
SimpleSAMLphp is an award-winning application written in native PHP that deals with authentication. It authenticates the user against a SAML 2.0 IdP, and grants access to resources depending on attributes received from the identity provider (IdP). 
 
Active Directory Federation Services (AD FS) is a software component developed by Microsoft that can be installed on Windows Server operating systems to provide users with single sign-on access to systems and applications located across organizational boundaries. 
 
The following information will be used throughout this tutorial:
FQDN			IP Address	Purpose		        OS
idp.techsupportpk.com	192.168.105.70	AD DS, AD FS		Windows 2019
sp.techsupportpk.com	192.168.105.72	Apache, SimpleSAMLphp	CentOS 8
 
These instructions can also be applied if you are running Oracle Linux on your system.
 

Prerequisites

To follow this tutorial along, you will need one (physical or virtual) machine installed with CentOS, or RHEL 8. This guide assume that you already have Active Directory Federation Service (AD FS) in place.

Make sure you have proper DNS entries for your Linux and AD FS FQDN:

Make sure you have proper FQDN entries in /etc/hosts file on your Linux system:
 
Make sure your Linux and AD FS machines are reachable to each-other using their FQDN:

Ping your AD FS FQDN from your Linux machine like below:

When you have all the prerequisites in place, you can proceed with below steps.

Video Tutorial

If you wish, you can watch below quick video tutorial to configure single-sign-on in Apache:

 
 

Install Required Packages

Log in to your Linux system using non-root sudo privileges and install the required packages like below:
sudo dnf -y install epel-release
sudo dnf -y install https://rpms.remirepo.net/enterprise/remi-release-8.rpm
sudo dnf -y install http://mirror.centos.org/centos/7/os/x86_64/Packages/ntpdate-4.2.6p5-29.el7.centos.2.x86_64.rpm
sudo dnf -y install httpd mod_ssl openssl php71 php71-php php71-php-fpm php71-php-gd php71-php-mysqlnd php71-php-mcrypt php71-php-mbstring php71-php-common php71-php-curl php71-php-pecl-redis php71-php-pecl-memcache php71-php-xml php71-php-ldap php71-php-cli php71-php-json php71-php-pdo git wget nano tar 
 

Configure PHP

sudo ln -s /usr/bin/php71 /usr/bin/php
sudo nano /etc/opt/remi/php71/php.ini
 
Update following parameter with your correct timezone:
date.timezone = Asia/Karachi
 
Start PHP to make changes effect:
sudo systemctl start php71-php-fpm
sudo systemctl enable php71-php-fpm
 

Download SimpleSAMLphp

At the time of writing this article, the latest stable release of SimpleSAMLphp is ( 1.18.8). You can check latest stable release at GitHub page before download.
 
You can download stable release on your Linux system from GitHub repository like below:
cd ~
wget https://github.com/simplesamlphp/simplesamlphp/releases/download/v1.18.8/simplesamlphp-1.18.8.tar.gz
sudo tar -xf simplesamlphp-1.18.8.tar.gz -C /var/
sudo mv /var/simplesamlphp-1.18.8/ /var/simplesamlphp
sudo chmod -R 755 /var/simplesamlphp/
 

Create Self-signed SSL Certificate

Type below command to generate a self-signed SSL certificate for your Apache:
sudo openssl req -newkey rsa:3072 -new -x509 -days 3652 -nodes -out /var/simplesamlphp/cert/sp.crt -keyout /var/simplesamlphp/cert/sp.pem
 
Enter the following information accordingly:
Country Name (2 letter code) [XX]:PK
State or Province Name (full name) []:Sindh
Locality Name (eg, city) [Default City]:Karachi
Organization Name (eg, company) [Default Company Ltd]:Tech Support
Organizational Unit Name (eg, section) []:IT Support
Common Name (eg, your name or your server's hostname) []:sp.techsupportpk.com
Email Address []:support@techsupportpk.com
 
Type below command to generate a self-signed SSL certificate for your identity provider: 
sudo openssl req -newkey rsa:3072 -new -x509 -days 3652 -nodes -out /var/simplesamlphp/cert/idp.crt -keyout /var/simplesamlphp/cert/idp.pem
 
Enter the following information accordingly:
Country Name (2 letter code) [XX]:PK
State or Province Name (full name) []:Sindh
Locality Name (eg, city) [Default City]:Karachi
Organization Name (eg, company) [Default Company Ltd]:Tech Support
Organizational Unit Name (eg, section) []:IT Support
Common Name (eg, your name or your server's hostname) []:idp.techsupportpk.com
Email Address []:support@techsupportpk.com 
 

Configure SimpleSAMLphp

Type below command to generated a random string to be used as secretsalt:
sudo tr -c -d '0123456789abcdefghijklmnopqrstuvwxyz' </dev/urandom | dd bs=32 count=1 2>/dev/null;echo
 
Copy the generated string, save it in a text file, we will use it in a while:
 
You will need to log in with administrator account to access some of the secure pages of SimpleSAMLphp from its web interface. Type below command to generate hashed password for administrator account:
php /var/simplesamlphp/bin/pwgen.php
Copy the generated hashed password, save it in a text file, we will use it in a while:
 
Edit config.php with any of your preferred text editor:
sudo nano /var/simplesamlphp/config/config.php
 
Locate the following parameters, and replace their values with yours:
'technicalcontact_name' => 'Support',
'technicalcontact_email' => 'support@techsupportpk.com',

Replace timezone value with yours:
'timezone' => 'Asia/Karachi',

Replace secretsalt value with the one you generated earlier:
'secretsalt' => 'defaultsecretsalt',

Replace auth.adminpassword with the one you generated earlier:
'auth.adminpassword' => '123',
Save and close the editor when you are finished. 
 
 

Configure Apache

Create a simplesamlphp.conf file like below:
sudo nano /etc/httpd/conf.d/simplesamlphp.conf
 
Add following parameters in it:
Alias /simplesaml /var/simplesamlphp/www

<Directory /var/simplesamlphp/www>
    <IfModule mod_authz_core.c>
       Require all granted
    </IfModule>
</Directory>
Save and close the editor when you are finished. 
 
Create a VirtualHost configuration file like an example below:
sudo nano /etc/httpd/conf.d/sp.techsupportpk.conf
 
Add following parameters in it, replace highlighted text with yours:
<VirtualHost *:80>
   ServerName sp.techsupportpk.com
   Redirect / https://sp.techsupportpk.com/
</VirtualHost>

<VirtualHost _default_:443>
   ServerName sp.techsupportpk.com
   DocumentRoot /var/www/sp.techsupportpk.com
   SSLEngine On
   SSLCertificateFile /var/simplesamlphp/cert/sp.crt
   SSLCertificateKeyFile /var/simplesamlphp/cert/sp.pem
</VirtualHost>
Create a directory that serve your web contents like an example below:
sudo mkdir -p /var/www/sp.techsupportpk.com
 
Test Apache configuration with below command:
sudo apachectl configtest
 
If everything configured correctly, you will see the output like below:
Syntax OK
If you see any configuration error, fix them first, then proceed to next.
 
Type below command to start Apache:
sudo systemctl start httpd
sudo systemctl enable httpd
sudo systemctl status httpd
 
Synchronize your Linux system clock with your AD FS like below:
sudo ntpdate idp.techsupportpk.com
 
You will see output like below:
3 Mar 14:16:43 ntpdate[10657]: step time server 192.168.105.70 offset -0.614219 sec
 
Open up web browser, type https://sp.techsupportpk.com/simplesaml in the address bar, ignore browser SSL warning:
 

You will see SimpleSAMLphp dashboard like below.
 
Click Login as administrator 
 
 
 
Enter your password you created with pwgen.php command and click Login:


Once you logged in, click Configuration tab to verify your PHP installation, you can safely ignore optional warnings as we don't need it.
 

Navigate to Federation tab, click XML to SimpleSAMLphp metadata converter

Click Choose File to upload your AD FS metadata xml file, click Parse

This will return two sets of data:
 
The first: saml20-sp-remote can be ignored as we do not need it.

Scroll down to saml20-idp-remote section and copy the contents of this field to the clipboard.



Go back to your Linux terminal, edit saml20-idp-remote.php file like below:
sudo nano /var/simplesamlphp/metadata/saml20-idp-remote.php
 
Paste copied contents in it:

Save and close the editor when you are finished.

Edit authsources.php with any of your preferred text editor:
sudo nano /var/simplesamlphp/config/authsources.php
 
Add your AD FS as an identity provider in authsource.php like below:
'techsupportpk-sp' => array(
    'saml:SP',
    'entityID' => null,
    'idp' => 'http://idp.techsupportpk.com/adfs/services/trust',
    'discoURL' => null,
    'sign.logout' => TRUE,
    'SignLogoutRequest' => TRUE,
    'SignLogoutResponse' => TRUE,
    'redirect.sign' => TRUE,
    'assertion.encryption' => TRUE,
    'privatekey' => 'idp.pem',
    'certificate' => 'idp.crt',
    'signature.algorithm' => 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'
),
Save and close the editor when you are finished.

After modification, authsources.php will look similar to like below:
 
Go back to your browser, refresh https://sp.techsupportpk.com/simplesaml page, navigate to Federation tab, and you will see your recently added SP metadata like below:

 
You will need this SP metadata url to configure your AD FS Relying Party Trust in the next step.

 

Configure AD FS Relying Party Trust

Log in to your AD FS machine, access SP metadata url with any of your preferred web browser, save metadata file anywhere on your AD FS machine. Once you have SP metadata file downloaded, rename it like techsupportpk-sp.xml
 
Open up AD FS Management console, Right-click Relying Party Trust, Click Add Relying Party Trust 
 
Keep default Claims aware, click Start

Click Import data about the replying party from a file, click Browse, select your SP metadata xml file, click Next

 
 
You can safely ignore this warning popup, Click OK

Enter the display name, click Next
 
Keep the Permit everyone access polity, Click Next
 
Click Next
 
Click Close
 
Right-click on your Relying Party Trust entity, click Edit Claim Issuance Policy
 
Click Add Rule
 
Select Send LDAP Attributes as Claim, click Next
 
Configure claim rule like below:
 
Click Finish when you are done.
 
Add another rule, select Transform an Incoming Claim, click Next
 
Configure rule like below:
 
Click Finish when you are done.
 
Click Apply, OK

At this stage, your AD FS Relying Party Trust configuration is ready to serve the purpose.
 
 

Verify AD FS Relying Party Trust Configuration

From a web browser, access your https://sp.techsupportpk.com/simplesaml and navigate to Authentication tab, click Test configured authentication sources

 
Click on a authentication source you added for AD FS like (techsupportpk-sp) in our case.


If everything configured correctly, you will be taken to your AD FS login page:


Enter your valid username and password like below to sign-in:
 
 
Upon successful login, you’ll be bounced back to SimpleSAMLphp with information of your authentication claims as you can see in screenshot below:
 
 
If you face any issue, double-check everything you configured and then check the logs for hints as to what could have gone wrong.

Verify Apache SSO

To test Apache single-sign-on (SSO) functionality we configured, lets create a simple index.php page in /var/www/sp.techsupportpk.com/ like an example below:
cd /var/www/sp.techsupportpk.com
sudo nano index.php
 
Add following code in it:
<html>
<head>
<title>Testing without authentication</title>
</head>
<body>
<?php echo '<h2>This page is accessible to everyone without authentication!<h2>';
    echo '<a href="login.php">Login</a>';
?>
</body>
</html>
Save and close the editor when you are finished.
 
Create a simple login.php page to test SSO functionality:
sudo nano login.php

Add following code in it: 
<?php
require_once ('/var/simplesamlphp/lib/_autoload.php');
$as = new SimpleSAML_Auth_Simple('techsupportpk-sp');
$as->requireAuth();

$attributes = $as->getAttributes();
?>
<html>
<head>
<title>Index Page</title>
</head>
<body>
<?php echo '<h2>This simple login page is accessible to only authenticated users!<h2>';
?>

<?php
echo '<pre>';
print_r($attributes);
echo '</pre>';

echo '<a href="logout.php">Logout</a>';

?>
</body>
</html>
Save and close the editor when you are finished.

Create a simple logout.php page to test SSO logout function.
<?php
require_once ('/var/simplesamlphp/lib/_autoload.php');
$as = new SimpleSAML_Auth_Simple('techsupportpk-sp');

$as->logout(array(
'ReturnTo' => '/logged_out.php',
'ReturnStateParam' => 'LogoutState',
'ReturnStateStage' => 'MyLogoutState',
));
?>
Save and close the editor when you are finished.
 
Create a simple logged_out.php page: 
sudo nano logged_out.php
 
Add following code in it"
<?php

require_once ('/var/simplesamlphp/lib/_autoload.php');

try {
if ($_REQUEST['LogoutState']) {
$state = SimpleSAML_Auth_State::loadState((string)$_REQUEST['LogoutState'], 'MyLogoutState');
}
else {
echo "Were you logged in?";
exit;
}
}
catch (Exception $e) {
echo 'Caught exception: ', $e->getMessage(), "\n";
exit;
}
$ls = $state['saml:sp:LogoutStatus']; // Only works for SAML SP
if ($ls['Code'] === 'urn:oasis:names:tc:SAML:2.0:status:Success' && !isset($ls['SubCode'])) {
// Successful logout.
echo("You have been logged out.");
} else {
// Logout failed. Tell the user to close the browser.
echo("We were unable to log you out of all your sessions. To be completely sure that you are logged out, you need to close your web browser.");
}
?>
Save and close the editor when you are finished.
 
Open up web browser, enter https://sp.techsupportpk.com/ in the address bar, you will see your simple index.php page as shown in screenshot below:
 

When you click on Login, you will be taken to your AD FS login page as shown in screenshot below:
 

Once signed-in with valid credentials, you will be redirected to your simple login.php page as shown in screenshot below:
 
 
Click logout to test logout functionality.

Conclusion

Now that you have successfully configured SSO in Apache using SimpleSAMLphp and Active Directory Federation Service, you can start deploying your applications with SSO functionality.

No comments:

Comments with links will not be published.

Powered by Blogger.