Also check the Microsoft documentation for SAML: https://docs.microsoft.com/en-us/azure/active-directory/develop/single-sign-on-saml-protocol
First, create an Enterprise Application in Azure AD.
Then create the docker container:
docker run --name=testsamlidp_idp \
-p 80:80 \
-p 443:443 \
-e SIMPLESAMLPHP_SP_ENTITY_ID=http://site123.com \
-e SIMPLESAMLPHP_SP_ASSERTION_CONSUMER_SERVICE="COPY URL FROM App Federation Metadata Url" \
-e SIMPLESAMLPHP_SP_SINGLE_LOGOUT_SERVICE="COPY URL FROM Logout URL" \
-d kristophjunge/test-saml-idp
Open the ports in the Linux host firewall (firewalld):
sudo firewall-cmd --zone=public --add-port=80/tcp --permanent
sudo firewall-cmd --zone=public --add-port=443/tcp --permanent
After the container is running, check it:
docker ps
...
56f6309b2e16 kristophjunge/test-saml-idp "docker-php-entrypoi…" 7 days ago Up 45 minutes 0.0.0.0:80->80/tcp, 80/tcp, 0.0.0.0:443->443/tcp testsamlidp_idp
...
Open http://site123.com/simplesaml, go to the Federation tab, then Tools > XML to SimpleSAMLphp metadata converter.
Paste the Azure AD metadata XML. You can download it from Federation Metadata XML, or open the App Federation Metadata Url in a browser and copy it from there.
Click Parse.
Copy the parsed metadata to the file saml20-idp-remote.php.
You will need to log into the container:
docker exec -it 56f6309b2e16 bash
Update the package lists in the container and install vim:
apt-get update
apt-get install vim
root@56f6309b2e16:/var/www/simplesamlphp/metadata# pwd
/var/www/simplesamlphp/metadata
root@56f6309b2e16:/var/www/simplesamlphp/metadata# ls -las
total 44
0 drwxr-xr-x. 1 root root 34 Feb 4 2018 .
0 drwxr-xr-x. 1 root root 18 Feb 4 2018 ..
4 -rw-r--r--. 1 root root 296 Jan 31 2018 adfs-idp-hosted.php
4 -rw-r--r--. 1 root root 268 Jan 31 2018 adfs-sp-remote.php
4 -rw-r--r--. 1 root root 2374 Jan 31 2018 saml20-idp-hosted.php
4 -rw-r--r--. 1 root root 216 Jan 31 2018 saml20-idp-remote.php
4 -rw-r--r--. 1 root root 376 Feb 4 2018 saml20-sp-remote.php
4 -rw-r--r--. 1 root root 620 Jan 31 2018 shib13-idp-hosted.php
4 -rw-r--r--. 1 root root 385 Jan 31 2018 shib13-idp-remote.php
4 -rw-r--r--. 1 root root 232 Jan 31 2018 shib13-sp-hosted.php
4 -rw-r--r--. 1 root root 418 Jan 31 2018 shib13-sp-remote.php
4 -rw-r--r--. 1 root root 225 Jan 31 2018 wsfed-idp-remote.php
4 -rw-r--r--. 1 root root 167 Jan 31 2018 wsfed-sp-hosted.php
root@56f6309b2e16:/var/www/simplesamlphp/metadata# cp saml20-idp-remote.php saml20-idp-remote.php.bak
vi saml20-idp-remote.php
Paste the parsed metadata into the file.
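The converter step above, done offline, as an added example that is not part of the original post or of SimpleSAMLphp: a Python script that reads an Azure AD federation-metadata document, pulls out the fields saml20-idp-remote.php needs (entityID, HTTP-Redirect SSO and logout endpoints, NameID format, signing certificates), checks them, and renders the entry in the array() style the container uses. The metadata document is a constructed sample in the shape Azure AD serves at the App Federation Metadata Url; the tenant id and certificate body are placeholders, and every function name is the example's own.

```python
"""Added example (not the post's or SimpleSAMLphp's code): Azure AD
federation metadata -> saml20-idp-remote.php entry, with sanity checks."""
import re
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample in the shape Azure AD serves. Tenant id and certificate
# body are placeholders, not real values.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="https://sts.windows.net/TENANT-ID-PLACEHOLDER/">
 <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
   <X509Data><X509Certificate>
     MIIC0PLACEHOLDERCERTIFICATEBASE64
   </X509Certificate></X509Data></KeyInfo></KeyDescriptor>
  <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
   Location="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"/>
  <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
  <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
   Location="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"/>
  <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
   Location="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"/>
 </IDPSSODescriptor>
</EntityDescriptor>"""


def parse_idp_metadata(xml_text):
    """Extract what saml20-idp-remote.php needs. The document normally comes
    from the IdP over TLS; for untrusted input use defusedxml instead."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")

    def location(tag):  # first endpoint of that kind using HTTP-Redirect
        for svc in idp.findall("md:" + tag, NS):
            if svc.get("Binding") == HTTP_REDIRECT:
                return svc.get("Location")
        return None

    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue  # encryption-only keys never verify assertions
        for c in kd.findall(".//ds:X509Certificate", NS):
            certs.append(re.sub(r"\s+", "", c.text or ""))  # strip PEM whitespace
    fmt = idp.find("md:NameIDFormat", NS)
    return {
        "entityid": root.get("entityID"),
        "sso": location("SingleSignOnService"),
        "slo": location("SingleLogoutService"),
        "nameidformat": fmt.text.strip() if fmt is not None else None,
        "certs": certs,
    }


def check_idp_metadata(meta):
    """Return problems that would make the entry unusable or unsafe."""
    problems = []
    if not meta["entityid"] or not meta["entityid"].startswith("https://"):
        problems.append("entityID missing or not https")
    if not meta["sso"]:
        problems.append("no HTTP-Redirect SingleSignOnService")
    if not meta["certs"]:
        problems.append("no signing certificate: assertions could not be verified")
    if len(meta["certs"]) > 1:
        problems.append("multiple signing certs (rollover in progress): keep all")
    return problems


def php_quote(value):
    """Quote a string as a single-quoted PHP literal."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def render_php_entry(meta):
    """Render the saml20-idp-remote.php entry (array() style, as in the post)."""
    keys = ",\n".join(
        "        array('encryption' => false, 'signing' => true,\n"
        "              'type' => 'X509Certificate', 'X509Certificate' => %s)"
        % php_quote(c) for c in meta["certs"])
    lines = [
        "$metadata[%s] = array(" % php_quote(meta["entityid"]),
        "    'entityid' => %s," % php_quote(meta["entityid"]),
        "    'SingleSignOnService' => array(array('Binding' => %s, 'Location' => %s),),"
        % (php_quote(HTTP_REDIRECT), php_quote(meta["sso"])),
    ]
    if meta["slo"]:
        lines.append("    'SingleLogoutService' => array(array('Binding' => %s, 'Location' => %s),),"
                     % (php_quote(HTTP_REDIRECT), php_quote(meta["slo"])))
    if meta["nameidformat"]:
        lines.append("    'NameIDFormat' => %s," % php_quote(meta["nameidformat"]))
    lines.append("    'keys' => array(\n%s\n    )," % keys)
    lines.append(");")
    return "\n".join(lines)


if __name__ == "__main__":
    meta = parse_idp_metadata(SAMPLE_METADATA)
    for p in check_idp_metadata(meta):
        print("WARNING:", p)
    print(render_php_entry(meta))
```

Run it against the downloaded Federation Metadata XML instead of SAMPLE_METADATA to get the entry to paste. The printed $metadata key is the exact string the 'idp' value in authsources.php has to match, and every signing certificate is kept in the 'keys' array, so a certificate rollover on the Azure AD side does not silently break signature verification.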
Go to the config directory:
root@56f6309b2e16:/var/www/simplesamlphp/config# pwd
/var/www/simplesamlphp/config
root@56f6309b2e16:/var/www/simplesamlphp/config# ls -las
total 44
0 drwxr-xr-x. 1 root root 29 Feb 4 2018 .
0 drwxr-xr-x. 1 root root 22 Feb 4 2018 ..
4 -rw-r--r--. 1 root root 1577 Jan 31 2018 acl.php
4 -rw-r--r--. 1 root root 2143 Jan 31 2018 authmemcookie.php
4 -rw-r--r--. 1 root root 519 Feb 4 2018 authsources.php
32 -rw-r--r--. 1 root root 30170 Feb 4 2018 config.php
Back up authsources.php:
root@56f6309b2e16:/var/www/simplesamlphp/config# cp authsources.php authsources.php.bak
Add the following to authsources.php (the 'idp' value must be exactly the Azure AD Identifier, which is also the $metadata key in saml20-idp-remote.php):
'default-sp' => array(
    'saml:SP',
    'entityID' => 'https://site123.com',
    'idp' => '"COPY URL FROM Azure AD Identifier"/',
    'discoURL' => null,
    'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
    'simplesaml.nameidattribute' => 'eduPersonTargetedID',
),
In Azure AD go to App registrations and add the redirect URI.
Test your SSO by going to https://site123.com/simplesaml:
Go to the Authentication tab.
Select default-sp.
The Microsoft login screen appears.
Log in.