# SAML integration as an SSO (Single Sign-On) when logging in to LIBSAFE

More and more companies are turning to SAML, a complete solution for federated identity management, to implement Single Sign-On (SSO): one authentication process that serves all of their applications at once. The individual components of SAML, such as a central user database and six different protocols, provide every function needed to describe and transfer security attributes.

SAML (Security Assertion Markup Language) is an open standard based on XML that allows authentication and authorisation data to be exchanged between two parties: an identity provider (IdP) and a service provider (SP).

LIBSAFE can be configured as an **SP**, so it supports authenticating users this way whenever the environment it runs in can reach the **IdP**. Setting this up requires that the person configuring LIBSAFE has enough information and credentials to establish the relationship between the two entities.

For the end user, authentication via SAML is very convenient: once the functionality is available, logging in only involves pressing a button, after which the application queries the identity data and grants access with the profile and permissions defined for that user in LIBSAFE.

![](/files/-MkmijMIkFYtvdqOf_3o)

The **SP** (Service Provider) functionality in LIBSAFE must be configured manually in the simpleSAML application that supports it. This configuration consists of defining the relationship by URL and the characteristics to be validated when information is exchanged between the platforms.

To configure simpleSAML in LIBSAFE as an **SP**, you need to know the parameters that each company defines in its **IdP**; every configuration is completely different from the next and may require changes in one or more places that this manual does not describe. For this reason, whoever configures this functionality should consult the [simpleSAMLphp website](https://simplesamlphp.org/) for the features that best suit their infrastructure.

Once the **SP** is configured correctly, a trust relationship exists between LIBSAFE and the **IdP** that allows a user who is not yet logged in to the **IdP** to do so:

![](/files/-MkmipGhpKvLfeFbAqL2)

Establishing the trust relationship between the platforms requires understanding some technical concepts, which are described below:

**Configuration characteristics of the service provider**

Each **IdP** server has a specific configuration defined by the customer, who builds the infrastructure to run in their organization in their own way. Consequently, each configuration process can be completely different from another. What is common to all cases is that, to interact with the identity server, you must know its access URL and hold its security certificate, which secures the communication between **IdP** and **SP** (the **SP** uses it to verify that the assertions it receives were really issued by that **IdP**).

**IIS structure to put SAML into service**

Within IIS, the SAML project must be configured both as an application and as a virtual directory. The server must also have PHP version 7 or higher installed beforehand, for the exclusive use of the SAML project.

In addition to configuring simpleSAML, some parameters stored in LIBSAFE's configuration variables must be set:

![](/files/-Mkmj-dI6gAHkuRHpCSX)

**Configuring SAML project on IIS**

For the SAML project to work properly, the following conditions must be met:

1. It is configured as an Application
2. PHP version 7 or higher is set as its interpreter language
3. The SAML folder is configured as a virtual directory

The SAML project is installed by default in the **tools** folder of the LIBSAFE project; the following image shows the location of the folder:

![](/files/-Mkmj4DsA3FFolZ2ATIT)

As shown in the previous image, the **www** subfolder of the SAML project must be configured as an application; right-click the folder and choose that option. Within the application configuration you must define the credentials with which the system accesses the folder; for the purposes of this guide these are the administrator's credentials (in production, a dedicated account holding only the permissions the application needs is preferable):

![](/files/-Mkmj9QMs_RFH6cD3Cyt)

![](/files/-MkmjDyWIeRgBqK9a5zu)

Besides being an application, this new application must have PHP version 7 or higher associated with it; this is configured from the icon shown in the following image:

![](/files/-MkmjISGgxOar8CtVIWz)

![](/files/-MkmjLK__eD2axIFyiTa)

If the server does not have *PHP version 7 or higher* installed, use the **Web Platform Installer** or install a compatible version manually. Once it is installed on the server, use the “Register new PHP version” link and select it.

After being configured as an application, the folder must also be defined as a virtual directory so that it is reachable from the server and follows the routing rules. To do this, select the web interface site in IIS; the auxiliary panel then shows the link **View Virtual Directories**:

![](/files/-MkmjQnxw8LuQ6Zi_50I)

![](/files/-MkmjZBUMKZpzXbORAfp)

![](/files/-MkmjbKf46R2JxGRCT2M)

![](/files/-MkmjgchhdgAxVtR0Hb_)

**SAML configuration**

The SAML standard and the simpleSAML project used for this implementation must be configured beforehand so that the interaction between **Service Provider** and **Identity Provider** succeeds. To this end, the information stored in several configuration files must be adjusted.

The SAML project configuration files are stored in the folder *tools/saml/config*, which contains the following files:

![](/files/-Mkmjmjx0RJhtYdVV-NH)

To set up a test environment against an **IdP**, the following file must be modified:

* *authsources.php*: file in which the IP address of the server acting as **IdP** is defined. Replace the text IPSERVER with the corresponding IP address.

![](/files/-Mkmjs0L4-Sr14G9NJbZ)

In the same way, a file in another folder must be edited to indicate the IP address of the server acting as **IdP**. The file is located at:

*tools/saml/metadata/saml20-idp-remote.php*

In this file, simply replace the IPSERVER tag with the IP address of the server acting as **IdP**.

![](/files/-MkmjwpSRAlb0YWG7qdb)

The purpose of this pre-configuration is to confirm that the SAML project works normally as an **SP** before configuring it against the real **IdP**, adjusting the necessary information to the technical requirements that have been established.

**Technical configuration aspects of the SP in LIBSAFE**

Specific values of the *simpleSAML* **SP** must be modified so that the initial configuration does not produce basic configuration failures. These changes are made in the file *config.php* of the **SP** configuration, within the web interface folder structure *tools/saml/config*:

* The system base URL: 'baseurlpath'
* The technical contact data of the system, name and e-mail:
  * technicalcontact\_name
  * technicalcontact\_email
* The timezone of the **SP**: 'timezone'
* The secret that simpleSAML uses to generate secure values and protect data: 'secretsalt' (replace the value shipped with the template by a random one)
* The administrator password for accessing the system: 'auth.adminpassword' (likewise, replace the shipped default with a strong password)

With these changes the **SP** will run without failures and is ready to send requests to the **IdP**. It is recommended that the **SP** be reachable at a URL that can be accessed directly, so that the system's authentication process can be confirmed to work and LIBSAFE can be verified to behave as expected based on the user's authentication status at the time of access.
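As an added pre-flight check (not part of LIBSAFE or simpleSAML), the following Python snippet reads the config.php values listed above and the files in which the IPSERVER tag must be replaced, and reports anything still left at a template default or placeholder. The template default values it compares against are an assumption to confirm against your installed copy, and the sample file contents are constructed.

```python
import re

# Keys the manual says to set in tools/saml/config/config.php, and the values the
# SimpleSAMLphp template ships for some of them (assumption: check your installed copy).
REQUIRED_KEYS = ("baseurlpath", "technicalcontact_name", "technicalcontact_email",
                 "timezone", "secretsalt", "auth.adminpassword")
TEMPLATE_VALUES = {"secretsalt": "defaultsecretsalt", "auth.adminpassword": "123",
                   "technicalcontact_email": "na@example.org"}
PLACEHOLDER = "IPSERVER"  # tag the manual says to replace with the IdP address
_PAIR = re.compile(r"""'([\w.]+)'\s*=>\s*(?:'([^']*)'|"([^"]*)"|(null))""")

def parse_php_scalars(text):
    """Collect 'key' => scalar pairs from a PHP config array, skipping comment lines."""
    values = {}
    for line in text.splitlines():
        if line.strip().startswith(("//", "#", "*")):
            continue
        for key, single, double, null in _PAIR.findall(line):
            values[key] = None if null else (single or double)
    return values

def check_sp_config(config_php, placeholder_files):
    """Return the list of findings; an empty list means the SP pre-flight passes."""
    findings = []
    values = parse_php_scalars(config_php)
    for key in REQUIRED_KEYS:
        if values.get(key) in (None, ""):
            findings.append(f"config.php: '{key}' is not set")
        elif TEMPLATE_VALUES.get(key) == values[key]:
            findings.append(f"config.php: '{key}' still holds the template default")
    if 0 < len(values.get("secretsalt") or "") < 32:
        findings.append("config.php: 'secretsalt' is shorter than 32 characters")
    for name, text in placeholder_files.items():  # authsources.php, saml20-idp-remote.php
        if PLACEHOLDER in text:
            findings.append(f"{name}: '{PLACEHOLDER}' placeholder was not replaced")
    return findings

# Constructed samples: the files as shipped, then after the edits the manual asks for.
UNEDITED_CONFIG = """$config = [
    'baseurlpath' => 'simplesaml/',
    'technicalcontact_name' => 'Administrator',
    'technicalcontact_email' => 'na@example.org',
    'timezone' => null,
    'secretsalt' => 'defaultsecretsalt',
    'auth.adminpassword' => '123',
];"""
UNEDITED_AUTHSOURCES = "'idp' => 'https://IPSERVER/simplesaml/saml2/idp/metadata.php',"
EDITED_CONFIG = (UNEDITED_CONFIG.replace("null", "'Europe/Madrid'").replace("'123'", "'<admin pw>'")
                 .replace("'defaultsecretsalt'", "'" + "x" * 40 + "'").replace("na@example.org", "it@example.com"))
EDITED_AUTHSOURCES = UNEDITED_AUTHSOURCES.replace("IPSERVER", "idp.example.com")  # made-up host
```

Run `check_sp_config` on the real file contents before pointing the SP at the production IdP; the unedited sample above yields six findings and the edited one none.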

**Important technical aspects of the simpleSAML configuration (configuration required on the IdP)**

Because the **SP** and the **IdP** must have a pre-established trust relationship before exchanging data, the **SP** metadata has to be obtained and inserted in the corresponding section of the **IdP** so that the latter can supply data to the **SP**. Obtain the **SP** metadata for the 'default-sp' authentication source from the Federation section and copy it into the *saml20-sp-remote.php* file hosted in the **IdP** metadata directory. This instruction applies when the **IdP** also runs SimpleSAML, which uses the same file layout for **SP** and **IdP**; if another **IdP** product is used, you need to know where it stores the metadata of trusted (federated) **SP**s. The test **IdP** file contains an example of the data array structure.
