.net saml
SimpleSAMLphp is an open-source PHP authentication application that provides support for SAML 2.0 as a Service Provider (SP) or Identity Provider (IdP).
SAML (Security Assertion Markup Language) is a secure XML-based communication mechanism for exchanging authentication and authorization data between organizations and applications. It’s often used to implement Web SSO (Single Sign On). This eliminates the need to maintain multiple authentication credentials across multiple organizations. Simply put, you can use one identity, like a username and password, to access multiple applications.
An instance of SimpleSAMLphp connects to an authentication source, which is an identity provider like LDAP or a database of users. It authenticates users against this authentication source before granting access to resources made available from linked Service Providers.
In this tutorial you’ll install SimpleSAMLphp and configure it to use a MySQL database as an authentication source. You’ll store users and encrypted passwords in the MySQL database and test that you can use those users to log in.
One Ubuntu 18.04 server set up by following the Ubuntu 18.04 initial server setup guide, including a sudo non-root user and a firewall.
Apache, MySQL, and PHP installed on the server by following How To Install Linux, Apache, MySQL, PHP (LAMP stack) on Ubuntu 18.04.
A domain name configured to point to your server. You can learn how to point domains to DigitalOcean Droplets by following the How To Point to DigitalOcean Nameservers From Common Domain Registrars tutorial.
A Virtual Host configured for the domain using the ServerName directive. Follow How To Set Up Apache Virtual Hosts on Ubuntu 18.04 to set one up for your domain name.
A Let’s Encrypt certificate set up for the domain you’ve configured by following the How To Secure Apache with Let’s Encrypt on Ubuntu 18.04 guide.
Installing SimpleSAMLphp involves a couple of steps. We have to download the software itself as well as a few additional components and prerequisites. We’ll also need to make some changes to our Virtual Host configuration.
Log in to your server if you’re not logged in already.
Download SimpleSAMLphp from the project’s website. SimpleSAMLphp always links the latest stable version of their software to the same URL. This means we can get the latest version by typing this:
This will download a compressed file called download?latest which contains SimpleSAMLphp. Extract the contents with the tar command:
The files will be extracted to a new directory labeled simplesamlphp-1.x.y, where x.y is the current version number. Use the ls command to identify the directory:
You’ll see the filename displayed:
Output
simplesamlphp-1.18.5
Now, copy the contents of the directory to /var/simplesamlphp using the cp command. Be sure to replace the version number with the version you have:
sudo cp -a simplesamlphp-1.x.y/. /var/simplesamlphp/
The -a switch ensures that file permissions and ownership are preserved when the files and folders are copied. The dot at the end of the source path ensures that everything in the source directory, including hidden files, gets copied to the destination directory.
Note: If you need to install the files in a different location, you’ll need to update several files. Refer to SimpleSAMLphp’s official installation documentation for specifics.
There are a few additional software packages SimpleSAMLphp needs, including PHP extensions to work with XML, multi-byte strings, curl, and LDAP. It also requires memcached. Install these using your package manager.
First, update your package list:
Then install the packages:
Once the installation completes, restart Apache to activate the new PHP extensions:
Now that SimpleSAMLphp is installed, let’s configure Apache to serve the files.
You’ve already configured a domain and pointed it at this server, and you’ve set up a Virtual Host that serves HTTPS by securing Apache with Let’s Encrypt. Let’s use that Virtual Host to serve SimpleSAMLphp.
The only SimpleSAMLphp directory that needs to be visible to the web is /var/simplesamlphp/www. To expose it to the web, edit the Virtual Host SSL Apache configuration file for your domain.
If your Virtual Host config file is named your_domain.conf, Let’s Encrypt created a new config file called your_domain-le-ssl.conf that handles HTTPS requests for your domain. Open the SSL config file with the following command to edit it. Be sure to replace your_domain with the actual name of the file:
sudo nano /etc/apache2/sites-available/your_domain-le-ssl.conf
The file should look like the following, although the actual file may have more descriptive comments:
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName your_domain
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLCertificateFile /etc/letsencrypt/live/your_domain/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/your_domain/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>
The ServerName directive here defines the base domain that should match for this virtual host definition. This should be the domain name you set up an SSL certificate for in the Prerequisites section. Let’s add an Alias directive that gives control to SimpleSAMLphp for all URLs matching https://your_domain/simplesaml/*. Do that by adding the following line to the config file:
...
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
Alias /simplesaml /var/simplesamlphp/www
...
This means all URLs matching domain_name/simplesaml/* will be directed to the /var/simplesamlphp/www directory, giving SimpleSAMLphp control of them.
Next, we’ll grant access to the /var/simplesamlphp/www directory by specifying a Require all granted access control for it. This will make the SimpleSAMLphp service accessible over the Web. Do that by adding the following to the config file:
...
Alias /simplesaml /var/simplesamlphp/www
<Directory /var/simplesamlphp/www/>
Require all granted
</Directory>
...
Save and close the file. Restart Apache for the changes to take effect:
Now that Apache is configured to serve the application files, let’s configure SimpleSAMLphp.
Next, we need to make several changes to the core SimpleSAMLphp configuration located at /var/simplesamlphp/config/config.php. Open the file in your editor:
Set the administrator password by locating the 'auth.adminpassword' line and replacing the default value of 123 with a more secure password. This password lets you access some of the pages in your SimpleSAMLphp installation web interface:
. . .
'auth.adminpassword' => 'your_admin_password',
. . .
Next, set a secret salt, which should be a randomly-generated string of characters. Some parts of SimpleSAMLphp use this salt to create cryptographically secure hashes. You’ll get errors if the salt isn’t changed from the default value.
You can use the OpenSSL rand command to generate a random string to use as your secret salt. Open a new terminal, connect to your server again, and run the following command to generate this string:
The -base64 32 option ensures a Base64 encoded string that is 32 characters long.
Then, in the configuration file, locate the 'secretsalt' entry and replace defaultsecretsalt with the string you generated:
. . .
'secretsalt' => 'your_generated_salt',
. . .
Then set the technical contact information. This information will be available in the generated metadata, and SimpleSAMLphp will send automatically-generated error reports to the email address you specify. Locate the following section:
. . .
'technicalcontact_name' => 'Administrator',
'technicalcontact_email' => 'na@example.org',
. . .
Replace Administrator and na@example.org with appropriate values.
Then set the timezone you would like to use. Locate this section:
. . .
'timezone' => null,
. . .
Replace null with a preferred time zone from the list of supported timezones for PHP. Be sure to enclose the value in quotes:
. . .
'timezone' => 'America/New_York',
. . .
Save and close the file. You should now be able to access the site in your browser by visiting https://your_domain/simplesaml. You’ll see the following screen in your browser:
To make sure your PHP installation meets all requirements for SimpleSAMLphp to run smoothly, select the Configuration tab and click on the Login as administrator link. Then use the administrator password you set in the configuration file in Step 3.
Once logged in, you’ll see a list of required and optional PHP extensions used by SimpleSAMLphp. Check that you have installed every extension except predis/predis:
If there are any required components missing, review this tutorial and install the missing components before you move on.
You’ll also see a link that says Sanity check of your SimpleSAMLphp setup. Click this link to get a list of checks applied to your setup to see whether they are successful.
Let’s move on to configuring an authentication source for SimpleSAMLphp.
Now that we have SimpleSAMLphp installed and set up, let’s configure an authentication source so we can authenticate users. We will use a MySQL database to store a list of usernames and passwords to authenticate against.
To get started, log in to the MySQL root account:
You will be prompted for the MySQL root account password. Provide it to proceed.
Next, create a database that will act as the authentication source. We’ll call it auth. Feel free to name yours differently:
CREATE DATABASE auth DEFAULT CHARACTER SET utf8 COLLATE utf8_unicode_ci;
Now let’s create a separate MySQL user to exclusively operate on our auth database. From a management and security standpoint, it is good practice to create single-purpose databases and accounts. We will name our user authuser. Execute the following command to create the user, set a password, and grant it access to our auth database. Remember to provide a strong password here for your new database user.
GRANT ALL ON auth.* TO 'authuser'@'localhost' IDENTIFIED BY 'your_mysql_auth_user_password';
Now create a users table, which will be made up of two fields: username and password. For some additional security, we are going to use the MySQL AES_ENCRYPT() function to encrypt the password string so we don’t store the passwords in plain text. This function encrypts a string and returns a binary string.
Then insert three users into the newly created table. This is where we’ll use the AES_ENCRYPT() function to encrypt the values for the password field. You need to provide a string that’s used as an encryption key. Make sure to replace this with your own string, which can be any string you’d like, as long as it’s complex.
INSERT INTO users (username, password) VALUES
('user1', AES_ENCRYPT('user1pass','your_secret_key')),
('user2', AES_ENCRYPT('user2pass','your_secret_key')),
('user3', AES_ENCRYPT('user3pass','your_secret_key'));
Use the same key for each user, and be sure to remember the key so you can use it again to create additional users in the future. You’ll also use this secret key in the SimpleSAMLphp configuration so you can decrypt the passwords and compare them with the ones users enter.
We need to flush the privileges so that the current instance of MySQL knows about the recent privilege changes we’ve made:
Exit out of the MySQL prompt by typing:
To enable the identity provider functionality in SimpleSAMLphp, we need to edit the /var/simplesamlphp/config/config.php file. There are several options available, but since this guide focuses on SAML 2.0 support, we want to enable the enable.saml20-idp option. To do that, open /var/simplesamlphp/config/config.php and enable SAML 2.0 support:
Locate this section of the file and replace false with true:
...
'enable.saml20-idp' => true,
...
Then save the file and exit the editor.
Now that we have the identity provider functionality enabled, we need to indicate the authentication module to be used. Since we have a users table on a MySQL database, we are going to use the SQL Authentication Module. Open the authsources configuration file:
Locate the following block, which is commented out:
...
/*
'example-sql' => array(
'sqlauth:SQL',
'dsn' => 'pgsql:host=sql.example.org;port=5432;dbname=simplesaml',
'username' => 'simplesaml',
'password' => 'secretpassword',
'query' => 'SELECT uid, givenName, email, eduPersonPrincipalName FROM users WHERE uid = :username AND password = SHA2(CONCAT((SELECT salt FROM users WHERE uid = :username), :password),256);',
),
*/
...
This code defines a database connection and a query that SimpleSAMLphp can use to look up a user in a database table called users. We need to uncomment it and change the query to look up a user from our table using MySQL’s AES_DECRYPT() function. In the query, we’ll need to provide the AES_DECRYPT() function the same key we used to encrypt the passwords.
Modify the section of the file to specify the database connection details and the query. The DSN uses MySQL’s default port, 3306; the commented-out example pointed at PostgreSQL’s 5432. With host=localhost the MySQL PDO driver connects over the local socket and ignores the port, but stating the correct one avoids surprises if you later move the database to another host:
...
'example-sql' => array(
'sqlauth:SQL',
'dsn' => 'mysql:host=localhost;port=3306;dbname=auth',
'username' => 'authuser',
'password' => 'your_mysql_auth_user_password',
'query' => 'SELECT username FROM users WHERE username = :username AND AES_DECRYPT(password,"your_secret_key") = :password',
),
...
Be sure to put the secret key you specified earlier in place of your_secret_key.
Save and close the file. Let’s test our identity provider.
You can test the MySQL authentication source you just set up by navigating to the Authentication tab and clicking on the Test configured authentication sources link. You will be presented with a list of authentication sources already configured.
Click example-sql, as this is the provider you configured in the previous step. A prompt to enter a username and password will appear. Enter any of the three test user and password combinations you inserted in the MySQL users table. Try user1 with the password user1pass.
With a successful attempt, you will be presented with the SAML 2.0 SP Demo Example page:
If you’re unable to log in and you know the password is correct, ensure that you used the same key with both the AES_ENCRYPT() function when you created the user and the AES_DECRYPT() function when you looked up the user.
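The users table, the AES_ENCRYPT() inserts from the MySQL setup and the lookup that the sqlauth:SQL module runs from authsources.php, gathered into one script as an added example (not part of the original tutorial and not SimpleSAMLphp’s own code). It also reproduces the failure described in the troubleshooting note above: a correct password checked with a key other than the one used at insert time. The CREATE TABLE column types are an assumption, since the tutorial does not show its CREATE TABLE statement; the user names, passwords and the key 'your_secret_key' are the tutorial's own placeholders, and 'a_different_key' is a constructed wrong key.

```sql
-- Added example: schema, AES_ENCRYPT() inserts and the sqlauth:SQL lookup
-- in one script. Run it as authuser against the auth database, for instance:
--   mysql -u authuser -p auth < users.sql
-- Column types are assumed; the tutorial does not show its CREATE TABLE.
CREATE TABLE IF NOT EXISTS users (
    username VARCHAR(64)    NOT NULL PRIMARY KEY,
    -- AES_ENCRYPT() returns a binary string, so the column must be binary.
    -- Output is 16 bytes per started 16-byte block of plaintext; 255 is ample.
    password VARBINARY(255) NOT NULL
) ENGINE=InnoDB DEFAULT CHARSET=utf8;

-- Constructed users and key, identical to the tutorial's placeholders.
INSERT INTO users (username, password) VALUES
    ('user1', AES_ENCRYPT('user1pass', 'your_secret_key')),
    ('user2', AES_ENCRYPT('user2pass', 'your_secret_key')),
    ('user3', AES_ENCRYPT('user3pass', 'your_secret_key'));

-- 1. The authsources.php query with :username and :password filled in.
--    sqlauth:SQL treats at least one returned row as a successful login.
SELECT username
  FROM users
 WHERE username = 'user1'
   AND AES_DECRYPT(password, 'your_secret_key') = 'user1pass';

-- 2. Same user, wrong password: the decrypted value does not match, no row
--    comes back, and sqlauth:SQL rejects the login.
SELECT username
  FROM users
 WHERE username = 'user1'
   AND AES_DECRYPT(password, 'your_secret_key') = 'wrongpass';

-- 3. The troubleshooting case: right password, but the key written into
--    authsources.php differs from the one used at insert time. AES_DECRYPT()
--    returns NULL when the padding check fails (or, rarely, unrelated bytes),
--    so the comparison never matches and every login fails. key_mismatch is
--    1 for the stored row when the keys differ.
SELECT username,
       AES_DECRYPT(password, 'a_different_key') IS NULL AS key_mismatch
  FROM users
 WHERE username = 'user1';

-- 4. Sanity check to run after touching the key or the table: how many stored
--    passwords still decrypt with the configured key. decryptable should
--    equal users_total; a shortfall means some rows were inserted with
--    another key.
SELECT COUNT(*) AS users_total,
       SUM(AES_DECRYPT(password, 'your_secret_key') IS NOT NULL) AS decryptable
  FROM users;
```

Two points worth keeping in mind with this design. The key passed to AES_DECRYPT() is part of the query text in authsources.php, so anyone who can read that file can read the key, and the query (key included) appears in the MySQL general query log if that log is enabled; keep the file's permissions tight. And because AES_ENCRYPT() is reversible, whoever holds the key can recover every password, which the hashed scheme in the commented-out example-sql block (SHA2 over a per-user salt) avoids.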
You can now integrate SimpleSAMLphp with your own applications by following the SimpleSAMLphp API documentation.
You now have the SimpleSAMLphp application appropriately installed and configured on your Ubuntu 18.04 VPS. SimpleSAMLphp also allows for extensive user interface customization through theming. You can refer to their theming docs for more on that.