Google Apps for Education and SimpleSAMLPHP with Active Directory

2011-04-09

A work in progress...

• Example domain: myschool.org
• Linux: Ubuntu Maverick
• SimpleSAMLPHP version: 1.8.0
• SimpleSAMLPHP documentation: http://simplesamlphp.org/docs/1.8/
  • More specifically: http://simplesamlphp.org/docs/1.8/simplesamlphp-googleapps

1. Create DNS record for your SSO server (e.g., sso.myschool.org)
2. TODO: Install some packages...
3. TODO: Set up nptdate
4. Download simplesamlphp
   • Linked from http://simplesamlphp.org/download
   • Direct link: http://simplesamlphp.googlecode.com/files/simplesamlphp-1.8.0.tar.gz
   • Or run this command on your server:
     wget http://simplesamlphp.googlecode.com/files/simplesamlphp-1.8.0.tar.gz
5. Un-tar and place in /var/simplesamlphp
   • tar xzvf simplesamlphp-1.8.0.tar.gz
   • sudo mv simplesamlphp-1.8.0 /var/simplesamlphp
6. Buy an SSL certificate for your server. (I use go-daddy.com.)
   • Summary: Buy the certificate credit at go-daddy, generate the Certificate Signing Request (CSR) on your server, paste the CSR into go-daddy's cert management page, wait for an email from go-daddy with a link to your signed certificate, then download that.
   • Go-daddy has good instructions on how to generate the CSR at http://community.godaddy.com/help/5269, but here's what I do:
     • sudo openssl genrsa -out /etc/apache2/ssl/sso.myschool.org.key 4096
     • sudo openssl req -new -key /etc/apache2/ssl/sso.myschool.org.key -out sso.myschool.org.csr

                                           You are about to be asked to enter information that will be incorporated
                                           into your certificate request.
                                           What you are about to enter is what is called a Distinguished Name or a DN.
                                           There are quite a few fields but you can leave some blank
                                           For some fields there will be a default value,
                                           If you enter '.', the field will be left blank.
                                           -----
                                           Country Name (2 letter code) [AU]:US
                                           State or Province Name (full name) [Some-State]:NH
                                           Locality Name (eg, city) []:My Town
                                           Organization Name (eg, company) [Internet Widgits Pty Ltd]:SAU123
                                           Organizational Unit Name (eg, section) []:
                                           Common Name (eg, YOUR name) []:sso.myschool.org
                                           Email Address []:admin@myschool.org
       
                                           Please enter the following 'extra' attributes
                                           to be sent with your certificate request
                                           A challenge password []:
                                           An optional company name []:
                                       

     • sudo openssl rsa -in /etc/apache2/ssl/sso.myschool.org.key -out sso.myschool.org.pem
     • sudo openssl x509 -req -days 9999 -in sso.myschool.org.csr -signkey /etc/apache2/ssl/sso.myschool.org.key -out selfsigned-for-google-sso.myschool.org.crt
7. TODO: copy key and cert into place for apache (the above commands may take care of this)
8. Add an Apache virtual host:
   • sudo nano /etc/apache2/sites-available/sso.myschool.org

                                 <VirtualHost *:80>
                                     # Send all http traffic to the https host
                                     ServerName sso.myschool.org
                                     RewriteEngine On
                                     RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI}
                                 </VirtualHost>
     
                                 # Replace 192.168.0.1 with the IP address of YOUR server.
                                 <VirtualHost 192.168.0.1:443>
                                     SSLEngine on
                                     SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
                                     SSLCertificateFile /etc/apache2/ssl/sso.myschool.org.crt
                                     SSLCertificateKeyFile /etc/apache2/ssl/sso.myschool.org.key
                                     SSLCertificateChainFile /etc/apache2/ssl/gd_bundle.crt
     
                                     ServerName sso.myschool.org
                                     DocumentRoot /var/simplesamlphp/www
                                     Alias /simplesaml /var/simplesamlphp/www
     
                                     # Optional:
                                     # Don't allow ANY connections other than to the scripts needed for the type of SSO we're doing here.
                                     RewriteEngine On
                                     # Uncomment these two lines for debugging:
                                     #RewriteLog "/tmp/debug.log"
                                     #RewriteLogLevel 9
                                     RewriteCond %{SCRIPT_FILENAME} !.*SSOService.php$
                                     RewriteCond %{SCRIPT_FILENAME} !.*logout.php$
                                     RewriteCond %{SCRIPT_FILENAME} !.*loginuserpass.php$
                                     RewriteCond %{SCRIPT_FILENAME} !.*initSLO.php$
                                     RewriteCond %{SCRIPT_FILENAME} !.*SingleLogoutService.php$
                                     # Let yourself into the SimpleSAMLPHP admin interface if you want, by putting your IP here:
                                     #RewriteCond %{REMOTE_ADDR} !173.13.101.253
                                     # This should name one of your Google Apps pages:
                                     #RewriteRule .* http://mail.google.com/a/myschool.org
                                     RewriteRule .* http://mail.myschool.org
                                 </VirtualHost>
                             

   • Enable your Apache virtual host:
     • sudo a2ensite sso.myschool.org
     • sudo /etc/init.d/apache2 reload
     • Test! Go to https://sso.myschool.org
9. Configure Google Apps to use your new SSO server:
   • Enable Single Sign-on
   • Sign-in page URL: https://sso.myschool.org/simplesaml/saml2/idp/SSOService.php
   • Sign-out page URL: https://sso.myschool.org/simplesaml/saml2/idp/initSLO.php?RelayState=/simplesaml/logout.php
   • Upload your selfsigned-for-google-sso.myschool.org.crt certificate to google.
10. Change SimpleSAMLPHP core config:
    sudo nano /var/simplesamlphp/config/config.php
    1. Set auth.adminpassword to something better than '123':
       'auth.adminpassword' => 'b1e18aaf91d9343226d331fa036f1e68',
    2. Set secretsalt to something yummy. They have good directions right there on how to generate a good salt by using /dev/urandom:
       tr -c -d '0123456789abcdefghijklmnopqrstuvwxyz' </dev/urandom | dd bs=32 count=1 2>/dev/null;echo
       After you do that, set secretsalt to the output. Here's an example:
       'secretsalt' => '69yx3hmvt2eijunoiqkz6f5se9jjyciz',
    3. Set technicalcontact_name and technicalcontact_email as you like.
    4. You're setting up SimpleSAMLPHP as an Identity Provider (IDP), so find 'enable.saml20-idp' and set it to true. The line should look like this when you're done:

        'enable.saml20-idp'             => true, 

11. Enable SimpleSAMLPHP's LDAP auth:
    • See http://simplesamlphp.org/docs/1.8/ldap:ldap
    • sudo nano /var/simplesamlphp/config/authsources.php
      CONFIGURE LDAP HERE
12. Move your simplesamlphp key and self-signed cert into palce, and tell SimpleSAMLPHP about the self-signed cert you'll upload to Google:
    • sudo mv sso.myschool.org.pem /var/simplesamlphp/cert/
    • sudo mv selfsigned-for-google-sso.myschool.org.crt /var/simplesamlphp/cert/
    • sudo nano /var/simplesamlphp/metadata/saml20-idp-hosted.php
      The following lines should look basically like this when you're done:
      • 'privatekey' => 'sso.myschool.org.pem',
      • 'certificate' => 'selfsigned-for-google-sso.myschool.org.crt',
      • 'auth' => 'myschool-ldap',
13. Tell SimpleSAMLPHP about which servers will be contacting it for SSO (i.e., google servers):
    • sudo nano /var/simplesamlphp/metadata/saml20-sp-remote.php
      These two lines should be changed to be as follows:
      • 'AssertionConsumerService' => 'https://www.google.com/a/myschool.org/acs',
      • 'simplesaml.nameidattribute' => 'sAMAccountName',
14. Update some strings and thematic elements as you like for your site. Here are some examples:
    • sudo nano /var/simplesamlphp/dictionaries/login.definition.json
      • "help_text": { "en": "Please contact your tech coordinator for assistance in resetting your password." },