SAML integration as SSO (Single Sign-On) when logging in to LIBSAFE

More and more companies are turning to SAML, a complete solution for federated identity management, to integrate Single Sign-On (SSO), a unified authentication process shared by all of their applications. The individual components of SAML, such as a central user database and six different protocols, provide all the functions needed to describe and transfer security attributes.

SAML (Security Assertion Markup Language) is an open standard based on XML that allows authentication and authorisation data to be exchanged between two parties: an identity provider (“idP”) and a service provider (“sp”).

LIBSAFE supports user authentication through SAML, since it can be configured as an SP, provided that the environment in which it operates has network access to the idP. This requires the person configuring LIBSAFE to have sufficient information and credentials to establish the relationship between the two entities.

For the end user of the system, authentication via SAML is very practical: once the functionality is available, logging in only involves pressing a button, after which the application queries the identity data and grants access to the user with the profile and permissions defined for them in LIBSAFE.

The sp (Service Provider) functionality in LIBSAFE must be configured manually in the simpleSAML application that supports it. This configuration consists of defining the relationship by URL and the characteristics to be validated in the exchange of information between the platforms.

To configure simpleSAML in LIBSAFE as an sp, it is necessary to know the parameters that each company defines in its idP; every configuration is different from the next and may require changes in one or more places that are not described in this manual. For this reason, whoever configures this functionality should consult the simpleSAML website [https://simplesamlphp.org/] for the options that best suit their infrastructure.

Once the sp is configured correctly, a trust relationship exists between LIBSAFE and the idP that lets a user who is not yet logged in to the idP do so:

To establish the trust relationship between the platforms, it is necessary to understand some technical concepts, which are described below:

Configuration characteristics of the service provider

Each idP server has a specific configuration defined by the customer, who builds the infrastructure in their own way to make it operational in their organisation. Because of this, each configuration process can be completely different from another; what is common to all cases is that, to interact with the identity server, you must know its access URL and you must have the security certificate that protects the communication channel between the IdP and the SP.

IIS structure to put SAML into service

Within IIS it must be possible to configure the SAML project both as an application and as a virtual directory. In addition, PHP version 7 or higher must already be installed on the server for the specific use of the SAML project.

In addition to the simpleSAML configuration, some parameters must be provided to LIBSAFE; these are stored in its configuration variables:

Configuring SAML project on IIS

For the SAML project to work properly, the following conditions must be met:

  1. It is configured as an Application

  2. PHP version 7 or higher is defined as its interpreter

  3. The SAML folder is configured as a virtual directory

The SAML project is installed by default in the tools folder of the LIBSAFE project; the following image shows the location of the folder:

As shown in the previous image, the www subfolder of the SAML project must be configured as an application; this is done by right-clicking the folder and choosing that option. Within the application configuration, the credentials with which the system will access it must be defined; for the purposes of this guide these are the administrator credentials:

Besides being an application, this new application must have PHP version 7 or higher associated with it; this is configured from the icon shown in the following image:

If the server does not have PHP version 7 or higher installed, use the Web Platform Installer or install a compatible version manually. Once it is installed on the server, use the “Register new PHP version” link and select it.

After being configured as an application, it must also be defined as a virtual directory so that it is reachable from the server and satisfies the routing rules. In the IIS window, selecting the web interface site shows the “View Virtual Directories” link in the auxiliary panel:

SAML configuring

The SAML standard and the simpleSAML project used for this implementation must be configured beforehand so that the interaction between the Service Provider and the Identity Provider succeeds. For this purpose, the information stored in some configuration files must be set.

The path to the folder where the SAML project configuration files are stored is: tools/saml/config. In this path there is the following list of files:

In order to configure a test framework against an idP, it is necessary to modify the file:

  • authsources.php: the file in which the IP of the server acting as idP is defined. Replace the text IPSERVER with the corresponding IP.

Likewise, another file in which the IP of the server acting as idP is indicated must be configured. The path of this file is:

tools/saml/metadata/saml20-idp-remote.php

In this file, simply replace the IPSERVER tag with the IP of the server that acts as idP.
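As an added example (not LIBSAFE's or simpleSAML's own files), here are the two entries that the IPSERVER replacement above produces, written as one PHP listing with a comment marking which file each part belongs to. It assumes the test idP is reachable at the documentation address 192.0.2.10 and that the SP keeps the default authsource name 'default-sp'; the idP's signing certificate placeholder must be replaced with the real certificate so that assertion signatures are checked.

```php
<?php
// ---- tools/saml/config/authsources.php ----
// Constructed example: IPSERVER replaced by 192.0.2.10 (an assumption for this guide).
$config = [
    // Protects the simpleSAML admin pages; the password lives in config.php.
    'admin' => ['core:AdminPassword'],

    // The SP used by LIBSAFE. 'idp' must match the $metadata key below exactly,
    // otherwise simpleSAML reports that the idP is unknown.
    'default-sp' => [
        'saml:SP',
        'entityID' => null,   // null: derived from 'baseurlpath' in config.php
        'idp'      => 'https://192.0.2.10/simplesaml/saml2/idp/metadata.php',
        'discoURL' => null,   // a single idP, so no discovery service is needed
    ],
];

// ---- tools/saml/metadata/saml20-idp-remote.php ----
// Same replacement for the idP endpoints. The key is the idP entityID.
$metadata['https://192.0.2.10/simplesaml/saml2/idp/metadata.php'] = [
    'name'                => ['en' => 'Test idP'],
    'SingleSignOnService' => 'https://192.0.2.10/simplesaml/saml2/idp/SSOService.php',
    'SingleLogoutService' => 'https://192.0.2.10/simplesaml/saml2/idp/SingleLogoutService.php',
    // Base64 body of the idP signing certificate, without the BEGIN/END lines.
    // Without it the SP cannot verify the signature on the assertions it receives,
    // so do not leave this out or accept an unsigned test setup in production.
    'certData'            => 'IDP_SIGNING_CERT_BASE64_PLACEHOLDER',
    'NameIDFormat'        => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
];
```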

The purpose of this pre-configuration is to verify that the SAML project works normally as an SP before configuring it against the real idP, adjusting the necessary information according to the technical requirements that have been established.

Technical configuration aspects from the SP in LIBSAFE

Specific values of the simpleSAML SP must be modified so that the initial configuration does not fail with basic configuration errors. These changes are made in the file config.php of the SP configuration, within the web interface folder structure tools/saml/config, and are the following:

  • Set the system base URL - 'baseurlpath'

  • Change the technical data of contact in the system: name and e-mail

    • technicalcontact_name

    • technicalcontact_email

  • The timezone of the SP - 'timezone'

  • A secret salt used by simpleSAML to derive hashes and protect session data - 'secretsalt'

  • The system administrator password to access - 'auth.adminpassword'

With all these changes, the SP will start without errors and is ready to send requests to the idP. It is recommended that the SP has a URL that can be accessed directly, so that the authentication process can be checked and it can be verified that LIBSAFE behaves as expected according to the user's authentication status at the time of access.
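The following config.php fragment is an added example (not the project's own file) that sets the keys listed above, with each shipped default noted beside the replacement value; the base URL, contact details, timezone and the hashed-password and salt placeholders are assumptions for this guide, and the last three keys go beyond the list as extra hardening for a production SP.

```php
<?php
// tools/saml/config/config.php (constructed example; only the relevant keys shown)
$config = [
    // default 'simplesaml/': must be the path under which tools/saml/www is
    // published on IIS (assumed here: https://libsafe.example.com/saml/). Every
    // SP endpoint sent to the idP is built from this value.
    'baseurlpath' => 'https://libsafe.example.com/saml/',

    // defaults 'Administrator' / 'na@example.org': shown on error pages and
    // included in the SP metadata handed to the idP operator
    'technicalcontact_name'  => 'LIBSAFE SAML operator',
    'technicalcontact_email' => 'saml-admin@libsafe.example.com',

    // default null (falls back to PHP's date.timezone); set the server's zone so
    // that log timestamps are consistent. 'Europe/Madrid' is an assumption.
    'timezone' => 'Europe/Madrid',

    // default 'defaultsecretsalt': simpleSAML refuses to start with it. Generate a
    // random value once and keep it secret; the simpleSAML documentation suggests:
    //   tr -c -d '0123456789abcdefghijklmnopqrstuvwxyz' </dev/urandom | dd bs=32 count=1
    'secretsalt' => 'REPLACE_WITH_32_RANDOM_CHARACTERS',

    // default '123'. Prefer a hashed value generated with bin/pwgen.php so the
    // clear-text password is not stored in the file.
    'auth.adminpassword' => '{SSHA256}HASH_PLACEHOLDER',

    // Not in the list above, but worth enabling on a production SP:
    'admin.protectmetadata'  => true,  // metadata only visible after admin login
    'admin.protectindexpage' => true,  // hides the simpleSAML front page
    'session.cookie.secure'  => true,  // session cookies only over HTTPS
];
```

A quick check after saving: open the simpleSAML front page at the configured baseurlpath and confirm it no longer shows the "secretsalt" or "adminpassword" configuration warnings.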

Important technical aspects of the simpleSAML configuration (configuration needed on the idP)

Since the SP and the idP must have a pre-established trust relationship in order to exchange data, the SP metadata must be obtained and inserted in the corresponding section of the idP so that the idP can supply data to the SP. To do this, obtain the SP metadata for the exchange account 'default-sp' in the Federation section and copy it into the saml20-sp-remote.php file hosted in the idP metadata directory. This instruction applies when the idP also runs on SimpleSAML, which uses the same file layout for SP and idP; if another idP product is used, the location where it stores the metadata of trusted or federated SPs must be known. The testing idP file contains an example of the data array structure.
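As an added illustration of the idP side (not the project's own file), this is the shape of the saml20-sp-remote.php entry that registers the LIBSAFE SP on a simpleSAML idP. It assumes the SP is published at https://libsafe.example.com/saml/ with the 'default-sp' authsource and that the idP user store exposes a 'uid' attribute; in practice, paste the array shown on the SP's Federation page for 'default-sp' rather than typing it.

```php
<?php
// metadata/saml20-sp-remote.php on the idP (constructed example)
// The key is the SP entityID, which simpleSAML derives from the SP's baseurlpath.
$metadata['https://libsafe.example.com/saml/module.php/saml/sp/metadata.php/default-sp'] = [
    // Where the idP posts the SAML response after login
    'AssertionConsumerService' => 'https://libsafe.example.com/saml/module.php/saml/sp/saml2-acs.php/default-sp',
    // Where the idP sends logout requests/responses
    'SingleLogoutService'      => 'https://libsafe.example.com/saml/module.php/saml/sp/saml2-logout.php/default-sp',

    // The idP addresses its assertions (Audience, Recipient) to these values, so
    // they must match the SP's baseurlpath character for character; a mismatch
    // makes the SP reject the response with an audience or destination error.
    'NameIDFormat'               => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
    'simplesaml.nameidattribute' => 'uid',   // assumption: attribute used as the NameID source
];
```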
