From 4d7edc50b4faaad3890543bb166a6e17ee32a119 Mon Sep 17 00:00:00 2001 From: Tom Chapman Date: Thu, 18 Dec 2014 09:24:49 +0000 Subject: [PATCH] Initial Commit --- README.md | 123 ++++++++ composer.json | 6 + composer.lock | 272 ++++++++++++++++++ frog-federation/config/authsources.php | 19 ++ .../metadata/saml20-idp-remote.php | 27 ++ setup.sh | 23 ++ www/index.php | 21 ++ 7 files changed, 491 insertions(+) create mode 100644 README.md create mode 100644 composer.json create mode 100644 composer.lock create mode 100644 frog-federation/config/authsources.php create mode 100644 frog-federation/metadata/saml20-idp-remote.php create mode 100755 setup.sh create mode 100644 www/index.php diff --git a/README.md b/README.md new file mode 100644 index 0000000..c295d86 --- /dev/null +++ b/README.md 
@@ -0,0 +1,123 @@ +Example 3rd Party App Authentication +------------------------------------ + +This is an example PHP application authenticated using a FrogLearn user. + +You can obtain the latest version of this code either using: +a) git: `git clone https://github.com/frogeducation/example-3rd-party-app-authentication.git` +b) download the code from here: [https://github.com/frogeducation/example-3rd-party-app-authentication/archive/master.zip][1] and extract + +[1]: https://github.com/frogeducation/example-3rd-party-app-authentication/archive/master.zip + +Reqirements +=========== +PHP >= 5.3.3 + +PHP Extensions: +\- curl +\- dom +\- gmp +\- mcrypt +\- openssl + +Automatic Setup +=============== +Run the provided setup.sh: +`./setup.sh` +This is a shell script intended to be run on a Unix Box, which will automatically run all steps in the "Composer Setup" section. + +Composer Setup +============== +To install using composer you need to do the following: + +1. [Install Composer][2] by following the instructions [here][2] +2. Run `composer install` to download SimpleSAMLPHP and it's dependencies +3. Run the following commands: + `cd vendor/simplesamlphp/simplesamlphp/` + `mkdir {config,metadata}` + `cp config-templates/{config,authsources}.php config/` + `cp metadata-templates/saml20-idp-remote.php metadata/` + `cd ../../../www` + `ln -s ../vendor/simplesamlphp/simplesamlphp/www .` + +[2]: https://getcomposer.org/ + +Manual Setup +============ +1. Download SimpleSAMLPHP from [here][3] and extract at the root directory. + Arrange these packages so you have the following directory structure: + `/frog-federation` + `/simplesamlphp` + `/www` +2. Create a symbolic link from simplesamlphp/www to www/saml e.g. + `cd www && ln -s ../simplesamlphp/www saml` +3. 
Update index.php to use the following: + `require_once '../simplesaml/lib/_autoload.php';` + rather than: + `require_once '../vendor/autoload.php';` + +[3]: https://simplesamlphp.org/download + +Getting Up & Running +==================== +After the above, you need to create a virtual host in your webserver to point to `/www`. + +The next step is to configure SimpleSAMLPHP. We have provided example configuration files in the `frog-federation/config` and `frog-federation/metadata` folders. The least you should do is to secure your deployment by altering the following properties in `simplesamlphp/config/config.php`: +\- `'baseurlpath'`: should be set to `'saml/'` in-line with the symbolic link created during the setup stage +\- `'auth.adminpassword'`: should be changed as this is your admin authentication password +\- `'admin.protectindexpage'`: should be set to true +\- `'admin.protectmetadata'`: should be set to true +\- `'secretsalt'`: should be changed from the default value +\- `'technicalcontact_name'`: The name of the individual to contact upon issues +\- `'technicalcontact_email'`: The e-mail address of the individual to contact upon issues +Further documentation on the SimpleSAMLPHP config file can be found [here][4] + +The two other files you need are `simplesamlphp/config/authsources.php` and `simplesamlphp/metadata/saml20-idp-remote.php`. +The examples provided under `frog-federation/config/authsources.php` and `frog-federation/metadata/saml20-sp-remote.php` will work with the development federation provided by frog (mentioned later). +To use these simply run the following: +`cp frog-federation/config/authsources.php simplesamlphp/config/authsources.php` +`cp frog-federation/metadata/saml20-sp-remote.php simplesamlphp/metadata/saml20-idp-remote.php` + +***Please Note***: The authsources.php and saml20-idp-remote.php provided are for development against the frog **development** federation. 
When configuring your application against the production federation these will require changes. Please contact the Partners support team at FrogEducation to acquire these and setup your application against the production federation. + +So that your app will work with the Frog Development Federation you will need to provided us with your metadata. To do this you need to do the following: + +1. Go to the saml instance via your browser and login with the `'auth.adminpassword'` you setup earlier. This should be under https://your-domain.com/saml/ +2. Go to https://your-domain.com/saml/module.php/saml/sp/metadata.php/FrogFederation?output=xhtml +3. Copy the code in the entry corresponding to “In simpleSAMLphp flat file format” +4. Send this code to the Partners support team at FrogEducation. + +[4]: https://simplesamlphp.org/docs/1.13/simplesamlphp-install + +Testing The App +=============== +We have three boxes setup for you to develop against: + +Development Frog Federation: [https://federation-misc.frogosdev.co.uk/][5] +Example Secondary School: [https://secondaryexternal-misc.frogosdev.co.uk/][6] +Example Primary School: [https://primaryexternal-misc.frogosdev.co.uk/][7] + +In your browser go to: https://your-domain.com/ +Provided a correct server software setup this should run the provided index.php and re-direct you to a selection page on [https://federation-misc.frogosdev.co.uk/][5] which will look like the following: + +![](https://openmerchantaccount.com/img/frogeducation-simplesaml-development-discovery.png) + +Select the type of FrogLearn instance you'd like to test login with, and you'll be transferred to the correct instance for authentication: + +![](https://openmerchantaccount.com/img/frogeducation-simplesaml-development-froglearn.png) + +We have provided 10 users for authentication with these boxes: +These follow the pattern of: + +usernames: other1, other2, etc. +password: other1pass, other2pass, etc. 
+ +With the users other1 to other 10 being enabled for your testing purposes. + +If you authenticate correctly you'll be redirected back to your test application with the user attributes provided: + +![](https://openmerchantaccount.com/img/frogeducation-simplesaml-development-user-attributes.png) + +[5]: https://federation-misc.frogosdev.co.uk/ +[6]: https://secondaryexternal-misc.frogosdev.co.uk/ +[7]: https://primaryexternal-misc.frogosdev.co.uk/ diff --git a/composer.json b/composer.json new file mode 100644 index 0000000..358e2c8 --- /dev/null +++ b/composer.json @@ -0,0 +1,6 @@ +{ + "require": { + "simplesamlphp/simplesamlphp": "1.*", + "openid/php-openid": "dev-master#ee669c6a9d4d95b58ecd9b6945627276807694fb as 2.2.2" + } +} diff --git a/composer.lock b/composer.lock new file mode 100644 index 0000000..5cf8c7f --- /dev/null +++ b/composer.lock 
@@ -0,0 +1,272 @@ +{ + "_readme": [ + "This file locks the dependencies of your project to a known state", + "Read more about it at http://getcomposer.org/doc/01-basic-usage.md#composer-lock-the-lock-file", + "This file is @generated automatically" + ], + "hash": "78507b9b62d38ea500b856e1f63332a2", + "packages": [ + { + "name": "openid/php-openid", + "version": "dev-master", + "source": { + "type": "git", + "url": "https://github.com/openid/php-openid.git", + "reference": "ee669c6a9d4d95b58ecd9b6945627276807694fb" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/openid/php-openid/zipball/fff9217fb1acda132702730b66b10981ea9d4cac", + "reference": "ee669c6a9d4d95b58ecd9b6945627276807694fb", + "shasum": "" + }, + "require": { + "ext-curl": "*", + "ext-dom": "*", + "ext-gmp": "*", + "php": ">=4.3" + }, + "type": "library", + "autoload": { + "classmap": [ + "Auth" + ] + }, + "notification-url": "https://packagist.org/downloads/", + "include-path": [ + "." + ], + "license": [ + "Apache-2.0" + ], + "authors": [ + { + "name": "JanRain Inc.", + "homepage": "http://www.openidenabled.com" + } + ], + "description": "OpenID library for PHP5", + "homepage": "http://github.com/openid/php-openid", + "keywords": [ + "Authentication", + "OpenId", + "auth", + "yadis" + ], + "time": "2013-10-03 21:21:20" + }, + { + "name": "psr/log", + "version": "1.0.0", + "source": { + "type": "git", + "url": "https://github.com/php-fig/log.git", + "reference": "fe0936ee26643249e916849d48e3a51d5f5e278b" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/php-fig/log/zipball/fe0936ee26643249e916849d48e3a51d5f5e278b", + "reference": "fe0936ee26643249e916849d48e3a51d5f5e278b", + "shasum": "" + }, + "type": "library", + "autoload": { + "psr-0": { + "Psr\\Log\\": "" + } + }, + "notification-url": "https://packagist.org/downloads/", + "license": [ + "MIT" + ], + "authors": [ + { + "name": "PHP-FIG", + "homepage": "http://www.php-fig.org/" + } + ], + 
"description": "Common interface for logging libraries", + "keywords": [ + "log", + "psr", + "psr-3" + ], + "time": "2012-12-21 11:40:51" + }, + { + "name": "simplesamlphp/saml2", + "version": "v0.6.1", + "source": { + "type": "git", + "url": "https://github.com/simplesamlphp/saml2.git", + "reference": "64826f28255dcc065e638b172e157da3e88640d9" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/simplesamlphp/saml2/zipball/64826f28255dcc065e638b172e157da3e88640d9", + "reference": "64826f28255dcc065e638b172e157da3e88640d9", + "shasum": "" + }, + "require": { + "ext-dom": "*", + "ext-mcrypt": "*", + "ext-openssl": "*", + "php": ">=5.3.3", + "psr/log": "~1.0", + "simplesamlphp/xmlseclibs": "~1.3.1" + }, + "require-dev": { + "mockery/mockery": "~0.9", + "phpmd/phpmd": "~1.5", + "phpunit/phpunit": "~3.7", + "satooshi/php-coveralls": "~0.6.1", + "sebastian/phpcpd": "~1.4", + "sensiolabs/security-checker": "~1.1", + "squizlabs/php_codesniffer": "~1.4" + }, + "type": "library", + "autoload": { + "psr-0": { + "SAML2_": "src/" + } + }, + "notification-url": "https://packagist.org/downloads/", + "license": [ + "LGPL-2.1" + ], + "authors": [ + { + "name": "Andreas Åkre Solberg", + "email": "andreas.solberg@uninett.no" + } + ], + "description": "SAML2 PHP library from SimpleSAMLphp", + "time": "2014-12-04 13:30:27" + }, + { + "name": "simplesamlphp/simplesamlphp", + "version": "v1.13.2", + "source": { + "type": "git", + "url": "https://github.com/simplesamlphp/simplesamlphp.git", + "reference": "d7867692130c052f8c73f531f5e8ad17f925da0a" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/simplesamlphp/simplesamlphp/zipball/d7867692130c052f8c73f531f5e8ad17f925da0a", + "reference": "d7867692130c052f8c73f531f5e8ad17f925da0a", + "shasum": "" + }, + "require": { + "openid/php-openid": "dev-master#ee669c6a9d4d95b58ecd9b6945627276807694fb as 2.2.2", + "php": "~5.3", + "simplesamlphp/saml2": "~0.3", + "simplesamlphp/xmlseclibs": "~1.3.2" + }, + 
"type": "project", + "autoload": { + "psr-0": { + "SimpleSAML_": "lib/" + }, + "files": [ + "lib/_autoload_modules.php" + ] + }, + "notification-url": "https://packagist.org/downloads/", + "license": [ + "LGPL-2.1" + ], + "authors": [ + { + "name": "Olav Morken", + "email": "olav.morken@uninett.no" + }, + { + "name": "Andreas Åkre Solberg", + "email": "andreas.solberg@uninett.no" + } + ], + "description": "A PHP implementation of SAML 2.0 service provider and identity provider functionality. And is also compatible with Shibboleth 1.3 and 2.0.", + "homepage": "http://simplesamlphp.org", + "keywords": [ + "OpenId", + "SAML2", + "aselect", + "idp", + "oauth", + "shibboleth", + "sp", + "ws-federation" + ], + "time": "2014-11-05 16:45:18" + }, + { + "name": "simplesamlphp/xmlseclibs", + "version": "v1.3.2", + "source": { + "type": "git", + "url": "https://github.com/simplesamlphp/xmlseclibs.git", + "reference": "734e80899ade295b979de08553161cad63c2dd98" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/simplesamlphp/xmlseclibs/zipball/734e80899ade295b979de08553161cad63c2dd98", + "reference": "734e80899ade295b979de08553161cad63c2dd98", + "shasum": "" + }, + "replace": { + "cdatazone/xmlseclibs": "self.version", + "fr3d/xmlseclibs": "self.version", + "robrichards/xmlseclibs": "self.version" + }, + "suggest": { + "ext/mcrypt": "", + "ext/openssl": "" + }, + "type": "library", + "autoload": { + "files": [ + "xmlseclibs.php" + ] + }, + "notification-url": "https://packagist.org/downloads/", + "license": [ + "BSD-3-Clause" + ], + "authors": [ + { + "name": "Rob Richards" + } + ], + "description": "A PHP library for XML Security", + "homepage": "http://code.google.com/p/xmlseclibs/", + "keywords": [ + "certificate", + "security", + "signature", + "signing", + "x.509", + "xml", + "xmlsec" + ], + "time": "2013-06-19 00:00:00" + } + ], + "packages-dev": [], + "aliases": [ + { + "alias": "2.2.2", + "alias_normalized": "2.2.2.0", + "version": "9999999-dev", + 
"package": "openid/php-openid" + } + ], + "minimum-stability": "stable", + "stability-flags": { + "openid/php-openid": 20 + }, + "prefer-stable": false, + "prefer-lowest": false, + "platform": [], + "platform-dev": [] +} diff --git a/frog-federation/config/authsources.php b/frog-federation/config/authsources.php new file mode 100644 index 0000000..03a9b37 --- /dev/null +++ b/frog-federation/config/authsources.php @@ -0,0 +1,19 @@ + array( + 'saml:SP', + + // The entity ID of this SP. + // Can be NULL/unset, in which case an entity ID is generated based on the metadata URL. + 'entityID' => null, + + // The entity ID of the IdP this should SP should contact. + // Can be NULL/unset, in which case the user will be shown a list of available IdPs. + 'idp' => 'https://federation-misc.frogosdev.co.uk/saml2/idp/metadata.php', + + // The URL to the discovery service. + // Can be NULL/unset, in which case a builtin discovery service will be used. + 'discoURL' => null, + ), +); diff --git a/frog-federation/metadata/saml20-idp-remote.php b/frog-federation/metadata/saml20-idp-remote.php new file mode 100644 index 0000000..121538a --- /dev/null +++ b/frog-federation/metadata/saml20-idp-remote.php @@ -0,0 +1,27 @@ + 'saml20-idp-remote', + 'entityid' => 'https://federation-misc.frogosdev.co.uk/saml2/idp/metadata.php', + 'SingleSignOnService' => array( + 0 => array( + 'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect', + 'Location' => 'https://federation-misc.frogosdev.co.uk/saml2/idp/SSOService.php', + ), + ), + 'SingleLogoutService' => array( + 0 => array( + 'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect', + 'Location' => 'https://federation-misc.frogosdev.co.uk/saml2/idp/SingleLogoutService.php', + ), + ), + 'certData' => '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', + 'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient', +); diff --git a/setup.sh b/setup.sh new file mode 100755 index 0000000..3a79473 --- /dev/null 
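Review bot: `'entityID' => null` leaves this SP's entity ID derived from the metadata URL, as the comment above it states, so the identity the federation registers changes whenever the host name or `baseurlpath` changes, and the metadata sent under the README's "provide us with your metadata" step then no longer matches this deployment. A comment making that consequence explicit would help, e.g. `// NOTE: with a null entityID the SP identity follows the metadata URL; a later change of domain or baseurlpath changes it and invalidates the metadata registered with the federation - set it explicitly before registering.` The file's opening `<?php` / `$config = array(` lines are not visible in this view.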
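Review bot: The README that ships in this commit refers to this file as `frog-federation/metadata/saml20-sp-remote.php`, both in the description and in the `cp` command, but the file created here is `frog-federation/metadata/saml20-idp-remote.php`, so the documented copy step fails as written; the README line should read `cp frog-federation/metadata/saml20-idp-remote.php simplesamlphp/metadata/saml20-idp-remote.php`. The `certData` entry is the certificate the SP validates this IdP's signatures against, so a comment recording which certificate it is and when it expires (e.g. `// certData: <FEDERATION-IDP-CERT-SUBJECT>, valid until <NOT-AFTER>; replace before expiry and when moving to the production federation`) would make rotation visible rather than discovered through failed logins; the value itself is elided in this view. The file's opening `<?php $metadata[...] = array(` line is not visible here either.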
+++ b/setup.sh
@@ -0,0 +1,23 @@
+#!/bin/sh
+
+test_error()
+{
+ if [[ $? != "0" ]]; then
+ echo $1
+ exit 1
+ fi
+}
+
+curl -sS https://getcomposer.org/installer | php
+test_error "Couldn't Download Composer"
+php composer.phar install
+test_error "Composer Install Failed"
+rm -f composer.phar
+
+cd vendor/simplesamlphp/simplesamlphp/
+mkdir {config,metadata}
+cp config-templates/{config,authsources}.php config/
+cp metadata-templates/saml20-idp-remote.php metadata/
+cd ../../../www
+ln -s ../vendor/simplesamlphp/simplesamlphp/www .
+
diff --git a/www/index.php b/www/index.php
new file mode 100644
index 0000000..5d83b22
--- /dev/null
+++ b/www/index.php
@@ -0,0 +1,21 @@
+requireAuth();
+
+$attributes = $as->getAttributes();
+
+?>
+ + + + Probably the simplest Service Provider in PHP + + +
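Review bot: The `#!/bin/sh` shebang does not match the script body: `[[ $? != "0" ]]` in test_error and the brace expansions in `mkdir {config,metadata}` and `cp config-templates/{config,authsources}.php` are bash features, so under a POSIX sh such as dash the `[[` line fails with "not found" (its non-zero status makes the `if` false, so the error check is silently skipped) and `mkdir` creates a single directory literally named `{config,metadata}`, after which the `cp` into `config/` fails. The Composer installer is also fetched with `curl … | php` and executed with no integrity check, even though Composer publishes a SHA-384 of the installer for exactly this comparison; for a script that bootstraps the SAML SP's whole dependency tree that check is worth the extra lines. A `set -eu` at the top replaces test_error and additionally catches the unchecked `cd` calls, which currently let the later `cp`/`ln` run in whatever directory the shell is left in. The rewrite below keeps `/bin/sh` and uses only POSIX constructs.
```sh
#!/bin/sh
set -eu   # abort on the first failing command or unset variable

# Download the installer and the SHA-384 Composer publishes for it;
# refuse to execute the installer if they disagree.
curl -sS -o composer-setup.php https://getcomposer.org/installer
expected="$(curl -sS https://composer.github.io/installer.sig)"
actual="$(php -r "echo hash_file('sha384', 'composer-setup.php');")"
if [ "$expected" != "$actual" ]; then
    echo "Composer installer checksum mismatch; aborting" >&2
    rm -f composer-setup.php
    exit 1
fi
php composer-setup.php
rm -f composer-setup.php
php composer.phar install
rm -f composer.phar

cd vendor/simplesamlphp/simplesamlphp/
# Spelled out: brace expansion is not POSIX sh.
mkdir config metadata
cp config-templates/config.php config-templates/authsources.php config/
# … unchanged: metadata template copy, cd to www, symlink creation …
```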

Example Web App

+

Your attributes:

+
+ logout + +
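Review bot: The values in `$attributes` originate outside the application (they are the attributes the IdP's assertion delivers after `requireAuth()`), yet they are rendered into the page further down; the PHP tags and HTML markup have been stripped in this view, so the exact echo/print_r line is not visible, but whatever emits them should escape first, e.g. `<?php echo htmlspecialchars(print_r($attributes, true), ENT_QUOTES, 'UTF-8'); ?>`, so an attribute value containing markup cannot be injected into the page. The same applies to the logout link's href if it is echoed from `$as->getLogoutURL()`. The file's opening `<?php`, `require_once` and `new SimpleSAML_Auth_Simple(...)` lines are likewise not visible here.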