SSO Integration via SAML with Developer Portal for Private Cloud


Hello all,

Here are the steps for setting up SSO on the OPDK version of the developer portal. These steps have been adapted from @gkoli@apigee.com.

  1. Download the latest version of the SimpleSAMLphp library from https://simplesamlphp.org/download.
  2. Extract the archive to /opt/apigee/apigee-drupal/wwwroot/private/simplesamlphp
  3. Create a symlink from /opt/apigee/apigee-drupal/wwwroot
    1. ln -s ./private/simplesamlphp/www ./simplesaml
  4. Download and extract the https://www.drupal.org/project/simplesamlphp_auth module to /opt/apigee/apigee-drupal/wwwroot/sites/all/modules/contrib/simplesamlphp_auth
  5. Download and extract the simplesaml_support custom module to /opt/apigee/apigee-drupal/wwwroot/sites/all/modules/custom/simplesaml_support
  6. Create an alias in Nginx for simplesaml by adding the following snippet inside the Nginx template for the developer portal, located at /opt/apigee/apigee-drupal-devportal/source/conf/apigee-drupal-devportal-nginx.conf
    location ^~ /simplesaml {
      index index.php index.html index.htm;
      alias /opt/apigee/apigee-drupal/wwwroot/private/simplesamlphp/www;
      location ~ ^(?<prefix>/simplesaml)(?<phpfile>.+?\.php)(?<pathinfo>/.*)?$ {
        include /opt/nginx/conf/fastcgi_params;
        fastcgi_pass 127.0.0.1:8888;
        fastcgi_param SCRIPT_FILENAME $document_root$phpfile;
        fastcgi_param PATH_INFO $pathinfo if_not_empty;
      }
    }

  7. Indicate the installation directory for simplesaml by adding the following snippet inside the settings.php template for the developer portal, located at /opt/apigee/apigee-drupal-devportal/source/conf/settings.php
    if (php_sapi_name() == 'cli') {
      // Avoid drush and simplesamlphp conflicts.
      $conf['simplesamlphp_auth_activate'] = FALSE;
    }
    $conf['simplesamlphp_auth_installdir'] = '/opt/apigee/apigee-drupal/wwwroot/private/simplesamlphp';

  8. Edit /opt/apigee/apigee-drupal/wwwroot/private/simplesamlphp/config/config.php.
    1. Add the following snippet to the top of the file.
    include '/opt/apigee/apigee-drupal/wwwroot/sites/default/settings.php';
    $host = $_SERVER['HTTP_HOST'];
    $db = $databases['default']['default'];

  9. Change the 'auth.adminpassword' value to a different value.
  10. Change the 'baseurlpath':
    'baseurlpath' => 'https://' . $host . '/simplesaml/',

  11. Set the value of 'tempdir' to a directory where the simplesamlphp library can write temporary files to.
  12. Set 'store.type' to sql.
  13. Set the value of 'store.sql.dsn'. NOTE: You'll want to set the port you've configured for PostgreSQL here:
    'store.sql.dsn' => 'pgsql:host=' . $db['host'] . ';port=5432;dbname=' . $db['database'],

  14. Set the value of 'store.sql.username' and 'store.sql.password':
    'store.sql.username' => $db['username'],
    'store.sql.password' => $db['password'],

  15. Edit /opt/apigee/apigee-drupal/wwwroot/private/simplesamlphp/config/authsources.php
    1. Set the value of 'entityID' under default-sp. This is the unique ID of the SP, for example 'entityID' => 'developer.client-portal.com'; use something unique to your portal, e.g. developer.apigee.com. This is the entity ID that you need to provide when defining the SP in your SSO provider.
  16. Restart the developer portal.
    1. /opt/apigee/apigee-service/bin/apigee-service apigee-drupal-devportal restart
  17. Log into the developer portal with an administrative account and navigate to /admin/modules. Enable the simplesamlphp_auth and simplesamlphp_support modules.
  18. Navigate to /admin/config/development/performance in the developer portal and click "Clear all caches".
  19. Give the identity provider the entity ID above and the metadata URL, i.e. https://developer.client-portal.com/simplesaml/module.php/saml/sp/metadata.php/default-sp. Ask the identity provider for its metadata XML and for the names of the attributes that carry the email, first name, last name, user name and unique identifier.
    1. Alternatively, navigate to /simplesaml in the developer portal and you will see the simplesamlphp library's UI.
    2. Click the "Federation" tab and click "Show metadata".
    3. Provide this to the identity provider.
  20. Once you receive the metadata from the identity provider navigate to /simplesaml in the developer portal and you will see the simplesamlphp library's UI.
  21. Click on the "Federation" tab and under the tools section click the "XML to simpleSAMLphp metadata converter" link and paste the XML metadata from the IDP in the form. Then click parse.
  22. This will convert the metadata from XML to a PHP array. It will also provide you the names of the files that need to be modified under the /opt/apigee/apigee-drupal/wwwroot/private/simplesamlphp/metadata/ directory.
    1. If it says saml20-idp-remote on the top of the page, copy the metadata in PHP format and paste it in /opt/apigee/apigee-drupal/wwwroot/private/simplesamlphp/metadata/saml20-idp-remote.php
    2. There might be additional config files under the metadata folder that may need to be updated. Please confirm by scrolling through the metadata generator page.
    3. The key of the metadata array (e.g. $metadata['https://openidp.feide.no']), in this case "https://openidp.feide.no", is the entity ID of the identity provider.
    4. Copy the key and paste it as the value of the 'idp' key in /opt/apigee/apigee-drupal/wwwroot/private/simplesamlphp/config/authsources.php under default-sp, e.g. 'idp' => "https://openidp.feide.no"
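The converter in steps 21 and 22 does nothing magic: it reads the IdP's EntityDescriptor and rewrites the pieces SimpleSAMLphp needs (entity ID, SSO/SLO endpoints, NameID formats and the IdP signing certificate) as a PHP array. The following is an added example, not code from the original post or from SimpleSAMLphp, that performs the same conversion for a constructed sample IdP metadata document; the IdP entity ID, endpoint URLs and the certificate string are placeholders. It refuses metadata that carries no signing certificate, because an entry without certData would leave the SP unable to verify the IdP's response signatures, and it prints the entity ID that goes into the 'idp' key of authsources.php.

```python
# Added example (not part of the original post or SimpleSAMLphp): a minimal
# version of the "XML to simpleSAMLphp metadata converter". It reads an IdP
# EntityDescriptor and emits the PHP array entry for metadata/saml20-idp-remote.php.
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample IdP metadata: placeholder entity ID, URLs and certificate.
SAMPLE_IDP_METADATA = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.test/saml2/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>
          MIIC-PLACEHOLDER-CERT-BASE64
        </ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml2/sso"/>
    <md:SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml2/slo"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def _endpoints(descriptor, tag):
    """Collect Binding/Location pairs for one endpoint element type."""
    return [
        {"Binding": e.attrib["Binding"], "Location": e.attrib["Location"]}
        for e in descriptor.findall("md:" + tag, NS)
    ]


def parse_idp_metadata(xml_text):
    """Extract the fields a saml20-idp-remote entry needs.

    Raises ValueError if the document is not IdP metadata or carries no
    signing certificate: without one the SP cannot verify IdP signatures.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("expected an md:EntityDescriptor document")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")

    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without 'use' is valid for both signing and encryption.
        if kd.attrib.get("use", "signing") != "signing":
            continue
        for c in kd.findall(".//ds:X509Certificate", NS):
            certs.append("".join((c.text or "").split()))  # drop line breaks
    if not certs:
        raise ValueError("IdP metadata carries no signing certificate")

    return {
        "entityid": root.attrib["entityID"],
        "SingleSignOnService": _endpoints(idp, "SingleSignOnService"),
        "SingleLogoutService": _endpoints(idp, "SingleLogoutService"),
        "NameIDFormat": [n.text.strip() for n in idp.findall("md:NameIDFormat", NS)],
        "certData": certs[0],  # first signing cert; further certs belong under 'keys'
    }


def _php(value, indent=4):
    """Render a str/list/dict as PHP array literal source."""
    pad = " " * indent
    close = " " * (indent - 4) + ")"
    if isinstance(value, str):
        return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"
    if isinstance(value, list):
        if not value:
            return "array()"
        return "array(\n" + ",\n".join(pad + _php(v, indent + 4) for v in value) + ",\n" + close
    if isinstance(value, dict):
        if not value:
            return "array()"
        items = [pad + _php(k) + " => " + _php(v, indent + 4) for k, v in value.items()]
        return "array(\n" + ",\n".join(items) + ",\n" + close
    raise TypeError(type(value))


def to_saml20_idp_remote(meta):
    """Build the $metadata[...] statement to paste into saml20-idp-remote.php."""
    return "$metadata[%s] = %s;\n" % (_php(meta["entityid"]), _php(meta))


if __name__ == "__main__":
    parsed = parse_idp_metadata(SAMPLE_IDP_METADATA)
    print(to_saml20_idp_remote(parsed))
    print("Value for 'idp' in authsources.php: " + parsed["entityid"])
```

Run it with `python3 convert_idp_metadata.py` (file name assumed) and compare the printed array with what the built-in converter shows for your real IdP metadata; the array key is exactly the string to use for 'idp' in step 22.4.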
  23. Navigate to /admin/config/people/simplesamlphp_auth in the developer portal and configure the settings as follows:
    1. Check "Activate authentication via SimpleSAMLphp".
    2. Verify the "Installation Directory" is already correctly set to the simplesamlphp library directory.
    3. Set authentication source for this SP (default: default-sp) as default-sp.
    4. Select force https for login links if you have https enabled for your developer portal.
    5. Under User Info and Syncing enter the names of the respective attributes received from the identity provider.
    6. Under User provisioning, select "Register Users" if you would like users to be registered in the developer portal when the account does not exist.
    7. Under Drupal Authentication, select the roles that should be allowed to log in using Drupal credentials. It is always good to allow the administrator role to log in using Drupal credentials.
  24. The setup is now complete and you will have to test it.
  25. Ensure you are logged out of the developer portal and navigate to /saml_login; you will be immediately redirected to the SSO login page of the IDP if everything was set up correctly.
  26. Once you enter your login credentials and log in, you will be redirected back to the developer portal and will be logged in if everything worked.
Comments
karlscheirer
Participant V

A couple of notes after following this excellent doc:

  • You'll need the Drupal 7 version of simplesamlphp_auth module (currently 7.x-2.0-alpha2)
  • When adding files to the codebase, make sure they are owned by the `apigee` user and group, and that files permissions match (usually 644 or 755)
  • Watch your http vs https
  • And most important, do the steps in order!
Not applicable

Thanks for the share Karl, Appreciate it

pbhattiproluit
Participant I

Hi,

We are configuring simple saml with nginx and followed the steps mentioned until 18. When trying to perform step#19.1, we are getting an error.

Error: SimpleSAML\Error\NotFound: The requested page 'http://ip:8079/simplesaml/module.php/core/frontpage_welcome.php' could not be found. The module 'le.php' was either not found, or wasn't enabled.

module.php,index.php location: /apps/apigee/apigee-drupal/wwwroot/private/simplesamlphp/www

frontpage_welcome.php location: /apps/apigee/apigee-drupal/wwwroot/private/simplesamlphp/modules/core/www

"<saml_root>/config/config.php" : 'baseurlpath' => 'http://<ip>:8079/simplesaml/'

Please let me know if you need any more details.

Thanks.

SunilMax
Participant I

@kengilbert, @Karl Scheirer, I have followed the document step-by-step, but got stuck at step no. 20, where the simplesaml UI page needs to be accessed.

Whenever I try to access the page https://portalhost:port/simplesaml

it redirects to: https://portalhost:port/simplesaml/module.php/core/frontpage_welcome.php

and gives the below error:

SimpleSAML\Error\Error: UNHANDLEDEXCEPTION

Backtrace:
1 www/_include.php:17 (SimpleSAML_exception_handler)
0 [builtin] (N/A)
Caused by: PDOException: SQLSTATE[42704]: Undefined object: 7 ERROR: type "simplesamlphp_kvstore_expire" does not exist
LINE 1: ALTER TABLE SimpleSAMLphp_kvstore ADD INDEX SimpleSAMLphp_kv...

And on refreshing the page, it keeps giving a constant but different error:

SimpleSAML\Error\Error: UNHANDLEDEXCEPTION

Backtrace:
1 www/_include.php:17 (SimpleSAML_exception_handler)
0 [builtin] (N/A)
Caused by: PDOException: SQLSTATE[42P07]: Duplicate table: 7 ERROR: relation "simplesamlphp_kvstore" already exists
Backtrace:


When I check the backend postgres database (devportal), the below tables related to simplesaml exist:

public | simplesamlphp_kvstore | table | drupaladmin

public | simplesamlphp_tableversion | table | drupaladmin



karlscheirer
Participant V

Hi @Sunil Mewada

I haven't seen this error before, but it seems like a problem with creating tables/indexes in pgsql. Can you verify that the user specified by store.sql.username is able to add an index to a table?

SunilMax
Participant I

@Karl Scheirer, the issue got resolved when I used the older version of SimpleSAMLphp, i.e. SimpleSAMLphp 1.16.1.

Also, I had to use version 7.x-2.0-alpha2 instead of the latest version 7.x-3.x-dev of the simplesamlphp_auth module for Drupal 7.

Now users can authenticate with SSO, but I am not able to automate the role population.

Even though I am passing the correct details.

2:memberOf,~=,<My IDP Administrator Group>

SunilMax
Participant I

The above issue got fixed when I used 2:memberOf,=,<My IDP Administrator Group> and in my IDP config I added a SAML attribute memberOf mapped to AD/LDAP CN extraction (multi value output).
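The role population rules discussed in the two comments above follow the simplesamlphp_auth module's `<role id>:<attribute>,<operator>,<value>` syntax, with several rules joined by `|`. The block below is an added example, not part of this thread or of the module, that evaluates such rules against SAML attribute sets the way Drupal receives them (every attribute is a list of values). The operator semantics are my reading of the module's documentation: `=` exact match, `@=` match on the domain part of an email-style value, `~=` substring match; the role IDs, attribute names and group names are constructed samples. The point it makes is a least-privilege one: a substring rule on a group name also matches any group whose name merely contains the admin group's name, so an exact match is the safer choice for role grants.

```python
# Added example (not part of the original thread or the simplesamlphp_auth
# module): evaluate role population rules against multi-valued SAML attributes.
# Operator semantics ("=", "@=", "~=") are assumed from the module's documentation.

OPERATORS = ("=", "@=", "~=")


def parse_rules(rules):
    """Parse 'rid:attr,op,value|rid:attr,op,value' into (rid, attr, op, value) tuples."""
    parsed = []
    for rule in filter(None, (r.strip() for r in rules.split("|"))):
        rid, sep, cond = rule.partition(":")
        parts = [p.strip() for p in cond.split(",", 2)]
        if not sep or len(parts) != 3:
            raise ValueError("malformed rule %r" % rule)
        attr, op, value = parts
        if op not in OPERATORS:
            raise ValueError("unknown operator %r in rule %r" % (op, rule))
        parsed.append((rid, attr, op, value))
    return parsed


def _matches(op, attr_value, wanted):
    """Apply one operator to one attribute value."""
    if op == "=":
        return attr_value == wanted
    if op == "@=":
        return "@" in attr_value and attr_value.rsplit("@", 1)[1] == wanted
    return wanted in attr_value  # "~=": substring match


def roles_for(attributes, rules):
    """Return the set of role IDs granted by the attributes under the rules.

    SAML attributes are multi-valued, so every value of the named attribute
    is checked; one matching value is enough to grant the role.
    """
    granted = set()
    for rid, attr, op, wanted in parse_rules(rules):
        for value in attributes.get(attr, []):
            if _matches(op, value, wanted):
                granted.add(rid)
                break
    return granted


# Constructed sample attribute sets, shaped like the array SimpleSAMLphp hands
# to Drupal (each attribute is a list of strings). Names are placeholders.
ADMIN_USER = {"mail": ["alice@corp.example"], "memberOf": ["Portal-Admins", "Staff"]}
READONLY_USER = {"mail": ["bob@corp.example"], "memberOf": ["Portal-Admins-ReadOnly"]}
PARTNER_USER = {"mail": ["eve@partner.example"], "memberOf": ["Partners"]}

# Role 2 = administrator, role 3 = staff (constructed IDs).
EXACT_RULES = "2:memberOf,=,Portal-Admins|3:mail,@=,corp.example"
SUBSTRING_RULES = "2:memberOf,~=,Portal-Admins|3:mail,@=,corp.example"


if __name__ == "__main__":
    for name, user in (("admin", ADMIN_USER), ("readonly", READONLY_USER), ("partner", PARTNER_USER)):
        print(name, "exact:", sorted(roles_for(user, EXACT_RULES)),
              "substring:", sorted(roles_for(user, SUBSTRING_RULES)))
```

Running it shows the read-only user receiving the administrator role under the substring rule but not under the exact rule, which is the reason to prefer `=` for group-based role grants and to check the IdP sends the group attribute as separate values rather than one concatenated string.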

b2d5
Explorer

where is the certificate for saml signature verification stored?

Version history
Last update: 09-06-2018 11:09 AM