SAML Authentication plugin for limesurvey (based on simpleSAMLphp)
The limesurvey-saml-0.1 works with limesurvey 2.0.5
This plugin allow you enable different workflows:
-
SAML ONLY
Allow to only let saml authentication login.
When the user access to the login page, he will be redirected to the IdP. After authenticate:
a) If is the first time, the user account will be created (stored in the file)
b) If the account already exists, the user account will be updated (stored in the file)
HOW get that mode?
Easy, check the param 'force_saml_login' of the plugin configuration
-
INTERNAL AUTH BACKEND + SAML
Enable SAML as an extra authentication backend. (Keep 'force_saml_login' disabled)
Author: Sixto Martin Garcia [email protected]
http://es.linkedin.com/in/sixtomartin/en
GPL2 http://www.gnu.org/licenses/gpl.html
- How install and configure simpleSAMLphp as SP
- How install and enable the SAML plugin
First of all install the simpleSAMLphp library dependences:
CentOS --> yum install php5 php-ldap php-mcrypt php-mbstring php-xml mod_ssl openssl
Debian --> apt-get install php5 php5-mcrypt php5-mhash php5-mysql openssl
Now we can download the latest version of simpleSAMLphp, now is the 1.11: ::
Directly --> http://simplesamlphp.googlecode.com/files/simplesamlphp-1.11.0.tar.gz From subversion repository --> svn co http://simplesamlphp.googlecode.com/svn/tags/simplesamlphp-1.11.0
Put the simplesamlphp directory at /var/www/simplesamlphp
simpleSAMLphp requires a SSL cert. We can buy one or create it.
Create a self-signed cert .........................
In order to generate a self-signed cert you need openssl:
Centos --> yum install openssl
Debian --> apt-get install openssl
Using OpenSSL we will generate a self-signed certificate in 3 steps.
-
Generate private key:
openssl genrsa -out server.pem 1024
-
Generate CSR: (In the "Common Name" set the domain of your instance)
openssl req -new -key server.pem -out server.csr
-
Generate Self Signed Key:
openssl x509 -req -days 365 -in server.csr -signkey server.pem -out server.crt
Override the certs of the /var/www/simplesamlphp/cert
folder with the generated certs.
Copy the default config file from the template directory:
cp /var/www/simplesamlphp/config-templates/config.php /var/www/simplesamlphp/config/config.php
And configure some values:
'auth.adminpassword' => 'secret' # Set a new password for admin web interface
'enable.saml20-idp' => true, # Enable ssp as IdP
'secretsalt' => 'secret', # Set a Salt, in the config file there is documentation to generate it
'technicalcontact_name' => 'Admin name', # Set admin data
'technicalcontact_email' => '[email protected]',
'session.cookie.domain' => '.example.com', # Set the global domain, to share cookie with the rest of componnets
In production environment set also those values:
'admin.protectindexpage' => true, # To protect the index page of simpleSAMLphp
'debug' => FALSE,
'showerrors' => FALSE, # To hide error-trace
Change the permission for some directories, execute the following command at the simpleSAMLphp folder:
chown -R apache:apache cert log data metadata
Copy the default authsource file from the template directory:
cp /var/www/simplesamlphp/config-templates/authsources.php /var/www/simplesamlphp/config/authsources.php
And set admin and an sp source. Something like:
<?php
$config = array(
'admin' => array(
'core:AdminPassword',
),
'limesurvey' => array(
'saml:SP',
'entityID' => 'https://sp.example.com/simplesaml/module.php/saml/sp/metadata.php/limesurvey',
'idp' => 'https://idp.example.com/simplesaml/saml2/idp/metadata.php', # Set the entityID of the IdP you gonna use
'privatekey' => 'server.pem',
'certificate' => 'server.crt',
),
);
?>
And now paste the metadata of your IdP in simpleSAMLphp format at /var/www/simplesamlphp/metadata/saml20-idp-remote.php
The apache configuration may look like this:
<VirtualHost *:80> ServerName sp.example.com DocumentRoot /var/www/simplesamlphp/www
Alias /simplesaml /var/simplesamlphp/www
<VirtualHost *:443> ServerName sp.example.com DocumentRoot /var/www/simplesamlphp/www
Alias /simplesaml /var/simplesamlphp/www
SSLEngine on
SSLCertificateFile /var/www/simplesamlphp/cert/server.crt
SSLCertificateKeyFile /var/www/simplesamlphp/cert/server.pem
Make sure that your IdP server runs HTTPS (SSL)
To get Saml2 run correctly we need have sure that all machine's clock are synced.
Install ntp:
Centos --> yum install ntp
Debian --> apt-get install ntp
Configure the ntp service /etc/ntp.conf
:
server 0.uk.pool.ntp.org
server 1.uk.pool.ntp.org
server 2.uk.pool.ntp.org
server 3.uk.pool.ntp.org
Check the
ntp server list and use the server that is near from your server.
Enable the server and put it on the system boot
Centos --> service ntpd start
chkconfig ntpd on
Debian -> /etc/init.d/ntp start
update-rc.d ntp defaults
More info at http://simplesamlphp.org/docs/stable/simplesamlphp-sp
This plugin requires a simpleSAMLphp instance configured as an SP
If your SP is ready, you will be able to enable your SAML plugin in order to add SAML support to your Limesurvey instance.
Copy the AuthSAML folder inside the folder plugins
Access to the Limesurvey platform, enable the SAML plugin and configure the following parameters:
-
simplesamlphp_path: Path to the SimpleSAMLphp folder (Ex. /var/www/simplesamlphp )
-
saml_authsource: SAML authentication source. (Review what value you set in your simpleSAMLphp SP instance (config/authsource.php)
-
saml_uid_mapping: SAML attributed used as username
-
saml_mail_mapping: SAML attributed used as email
-
saml_name_mapping: SAML attributed used as name
-
authtype_base: Authtype base. Use 'Authdb' if you do not know what value use.
-
storage_base: Storage base, Use 'DbStorage' if you do not know what value use.
-
auto_create_users: Let the SAML auth plugin create new users on limesurvey.
-
auto_update_users: Let the SAML auth plugin update users on limesurvey.
-
force_saml_login: Enable it when you want to only allow SAML authentication on limesurvey (no login form will be showed)