- Requirements Hardware
- Requirements Software
- Software that will be installed
- Installation
- Configuration
- Configure SSL on Apache2
- Configure SimpleSAMLphp
- Configure the Identity Provider
- Configure Metadata
- Configure Attribute Release Policies
- Configure SAML Metadata Credentials
- Configure the authentication source
- Configure automatic download of Federation Metadata
- Add translations of the new 'schacHomeOrganizationType' attribute
- Enable UTF-8 on IdP metadata (to avoid encoding problems with accents)
- Download IdP Metadata
- Register IdP on IDEM Entity Registry
- Appendix A - How to manage sessions with Memcache
- Appendix B - How to collect useful statistics
- Utility
- Authors
- CPU: 2 Core
- RAM: 4 GB
- HDD: 20 GB
- PHP >= 7.2.5
- OS: Debian 11 (Buster)
- ca-certificates
- ntp
- vim
- apache2 (>= 2.4)
- php zip unzip
- composer
- memcached (optional)
- openssl
- cron
- curl
- build-essential
- fail2ban
- logrotate
The software installation provided by this guide is intended to run by ROOT user:
sudo su -
-
Change the default mirror with the GARR ones:
sed -i 's/deb.debian.org/debian.mirror.garr.it/g' /etc/apt/sources.listapt update && apt upgrade
-
Install the required packages:
apt install ca-certificates vim openssl
-
Modify your
/etc/hosts:-
vim /etc/hosts127.0.1.1 ssp-idp.example.org ssp-idp
(Replace
ssp-idp.example.orgwith your IDP Full Qualified Domain Name) -
-
Be sure that your firewall doesn't block traffic on port 443 (or you can't access to your IdP)
-
Import SSL credentials:
- Import SSL Certificate into:
/etc/ssl/certs/ssp-idp.example.org.crt - Import SSL Key into:
/etc/ssl/private/ssp-idp.example.org.key - Import SSL CA:
/usr/local/share/ca-certificates/ssl-ca.crt - Run the command:
update-ca-certificates
- Import SSL Certificate into:
NOTE
To update Composer use: composer self-update
-
Become ROOT:
sudo su
-
Prepare the environment:
-
apt install apache2 ntp php curl cron build-essential zip unzip fail2ban rsyslog logrotate --no-install-recommends
-
-
Download Composer setup:
wget "https://getcomposer.org/installer" -O /usr/local/src/composer-setup.php
-
Install Composer:
php /usr/local/src/composer-setup.php --install-dir=/usr/local/bin --filename=composer
-
Become ROOT:
sudo su
-
Create the required directories:
mkdir -p /var/simplesamlphp/cert /var/simplesamlphp/log /var/simplesamlphp/data
-
Install SimpleSAMLphp:
cd /var/simplesamlphpcomposer require --prefer-stable simplesamlphp/simplesamlphp- To the question "Do you trust "simplesamlphp/composer-module-installer" to execute code and wish to enable it now? (writes "allow-plugins" to composer.json) [y,n,d,?]" answer
y
-
Create
configandmetadatadirectories into/var/simplesamlphpby:cp -r /var/simplesamlphp/vendor/simplesamlphp/simplesamlphp/config-templates /var/simplesamlphp/configcp -r /var/simplesamlphp/vendor/simplesamlphp/simplesamlphp/metadata-templates /var/simplesamlphp/metadata
-
Create a new directory for IdP:
mkdir /var/www/html/ssp-idp.example.orgsudo chown -R www-data: /var/www/html/ssp-idp.example.org
-
Create a new Virtualhost file as follows:
-
vim /etc/apache2/sites-available/ssp-idp.example.org-ssl.conf# Configure Apache2 to redirect all HTTP traffic to HTTPS <VirtualHost *:80> ServerName "ssp-idp.example.org" Redirect permanent "/" "https://ssp-idp.example.org/" </VirtualHost> <IfModule mod_ssl.c> SSLStaplingCache shmcb:/var/run/ocsp(128000) <VirtualHost _default_:443> ServerName ssp-idp.example.org ServerAdmin admin@example.org DocumentRoot /var/www/html/ssp-idp.example.org #LogLevel info ssl:warn ErrorLog ${APACHE_LOG_DIR}/error.log CustomLog ${APACHE_LOG_DIR}/access.log combined SSLEngine On SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 SSLCipherSuite "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH" SSLHonorCipherOrder on # Disable SSL Compression SSLCompression Off # OCSP Stapling, only in httpd/apache >= 2.3.3 SSLUseStapling on SSLStaplingResponderTimeout 5 SSLStaplingReturnResponderErrors off # Enable HTTP Strict Transport Security with a 2 year duration Header always set Strict-Transport-Security "max-age=63072000;includeSubDomains;preload" SSLCertificateFile /etc/ssl/certs/ssp-idp.example.org.crt SSLCertificateKeyFile /etc/ssl/private/ssp-idp.example.org.key SSLCACertificateFile /etc/ssl/certs/ca-certificates.crt # Enable and Redirect to SimpleSamlPhp - Apache 2.4 configuration SetEnv SIMPLESAMLPHP_CONFIG_DIR /var/simplesamlphp/config Alias /simplesaml /var/simplesamlphp/vendor/simplesamlphp/simplesamlphp/www RedirectMatch ^/$ /simplesaml <Directory /var/simplesamlphp/vendor/simplesamlphp/simplesamlphp/www> <IfModule mod_authz_core.c> Require all granted </IfModule> </Directory> </VirtualHost> </IfModule>
-
-
Enable the following Apache2 modules:
a2enmod ssl- To support SSL protocola2enmod headers- To control of HTTP request and response headers.a2enmod alias- To manipulation and control of URLs as requests arrive at the server.a2enmod include- To process files before they are sent to the client.a2enmod negotiation- Essential Apache modulea2ensite ssp-idp.example.org-ssl.conf- Enable SSP IdP Sitea2dissite 000-default.conf- Disable HTTP default sitesystemctl restart apache2.service
-
Verify the strength of your IdP's machine on:
-
OPTIONAL STEPS: If you want to host your IdP's Information/Privacy pages on the IdP itself, follow the next steps:
-
Create all needed files with:
-
vim /var/www/html/ssp-idp.example.org/info_page.html<html> <head><title>Information Page</title></head> <body> <h1>Put here IdP Information page content</h1> </body> </html>
-
vim /var/www/html/ssp-idp.example.org/privacy_page.html<html> <head><title>Privacy Page</title></head> <body> <h1>Put here IdP Privacy page content</h1> </body> </html>
-
touch /var/www/html/ssp-idp.example.org/logo.png(80x60 px or bigger with the same aspect-ratio) -
touch /var/www/html/ssp-idp.example.org/favicon.png(16x16 px or bigger with the same aspect-ratio)
-
-
Replace them with the correct content.
-
-
Assign the ownership of the SimpleSAMLphp logs to Apache user:
chown www-data /var/simplesamlphp/log
-
Generate some useful opaque strings:
-
User Admin Password (
auth.adminpassword):php /var/simplesamlphp/bin/pwgen.php
-
Secret Salt (
secretsalt):tr -c -d '0123456789abcdefghijklmnopqrstuvwxyz' </dev/urandom | dd bs=32 count=1 2>/dev/null ; echo
-
-
Change SimpleSAMLphp configuration:
-
vim /var/simplesamlphp/config/config.php'baseurlpath' => 'simplesaml/', /* ...other things... */ 'certdir' => '/var/simplesamlphp/cert/', 'loggingdir' => '/var/simplesamlphp/log/', 'datadir' => '/var/simplesamlphp/data/', 'tempdir' => '/tmp/simplesaml', /* ...other things... */ 'technicalcontact_name' => 'Technical Contact', 'technicalcontact_email' => 'service.support@example.com', /* ...other things... */ 'secretsalt' => '#_YOUR_SECRET_SALT_HERE_#', /* ...other things... */ 'auth.adminpassword' => '#_YOUR_USER_ADMIN_PASSWORD_#', /* ...other things... */ 'admin.protectindexpage' => true, /* ...other things... */ 'logging.level' => 'SimpleSAML\Logger::NOTICE', 'logging.handler' => 'syslog', /* ...other things... */ 'enable.saml20-idp' => true, /* ...other things... */ 'metadatadir' => '/var/simplesamlphp/metadata', /* ...other things ... */ 'theme.header' = '#_YOUR_ORGANIZATION_NAME_#', /* ...other things... */ // Comment out line "50 => 'core:AttributeLimit'," into "authproc.idp" section // because we will use core:AttributeLimit into the "authproc" section on "metadata/saml20-idp-hosted.php" /* ...other things... */ 'store.type' => 'phpsession',
-
vim /etc/rsyslog.d/22-ssp-log.conf# SimpleSAMLphp logging local5.* /var/log/simplesamlphp.log # Notice level is reserved for statistics only... local5.=notice /var/log/simplesamlphp.stat
-
sudo systemctl restart rsyslog.service
-
-
Enable Log rotation for Statistics logs:
-
sudo vim /etc/logrotate.d/simplesamlphp/var/log/simplesamlphp.stat { monthly missingok rotate 12 compress dateext dateformat .%Y-%m postrotate systemctl reload rsyslog endscript } -
sudo systemctl restart logrotate.service
-
-
Check Login on the SSP appliance and retrieve the IdP "Entity ID" from "Fedearation" tab:
https://ssp-idp.example.org/
-
Configure a SMTP server to send mail only (Example):
-
apt install mailutils postfix --no-install-recommends(Internet Site => Insert your IdP FQDN) -
vim /etc/postfix/main.cf/* ...other things... */ inet_interfaces = localhost /* ...other things... */
-
systemctl restart postfix.service
-
-
if MDX IDEM is not used, set PHP
memory_limitto '1024M' or more to allow the download of huge metadata files (like eduGAIN):-
vim /etc/php/7.4/mods-available/ssp.ini; configuration for SSP ; priority=20 memory_limit = 1024M
-
sudo phpenmod ssp -
systemctl restart apache2.service
-
-
vim /var/simplesamlphp/metadata/saml20-idp-hosted.php$metadata['__DYNAMIC:1__'] = [ 'host' => '__DEFAULT__', 'privatekey' => 'ssp-idp.key', 'certificate' => 'ssp-idp.crt', 'scope' => ['<INSERT-HERE-IDP-SCOPE>'], // Usually the scope is the domain name 'userid.attribute' => 'uid', //deprecated, but needed by Consent module. It takes the same value of the persistent NameID source attribute 'UIInfo' => [ 'DisplayName' => [ 'en' => '<INSERT-HERE-THE-ENGLISH-IDP-DISPLAY-NAME>', 'it' => '<INSERT-HERE-THE-ITALIAN-IDP-DISPLAY-NAME>', ], 'Description' => [ 'en' => '<INSERT-HERE-THE-ENGLISH-IDP-DESCRIPTION>', 'it' => '<INSERT-HERE-THE-ITALIAN-IDP-DESCRIPTION>', ], 'InformationURL' => [ 'en' => '<INSERT-HERE-THE-ENGLISH-INFORMATION-PAGE-URL>', 'it' => '<INSERT-HERE-THE-ITALIAN-INFORMATION-PAGE-URL>', ], 'PrivacyStatementURL' => [ 'en' => '<INSERT-HERE-THE-ENGLISH-PRIVACY-POLICY-PAGE-URL>', 'it' => '<INSERT-HERE-THE-ITALIAN-PRIVACY-POLICY-PAGE-URL>', ], 'Logo' => [ [ 'url' => '<INSERT-HERE-THE-80X60-LOGO-URL>', 'height' => 60, 'width' => 80, ], [ 'url' => '<INSERT-HERE-THE-16X16-LOGO-URL>', 'height' => 16, 'width' => 16, ], ], ], 'OrganizationName' => [ 'en' => '<INSERT-HERE-THE-ENGLISH-ORGANIZATION-NAME>', 'it' => '<INSERT-HERE-THE-ITALIAN-ORGANIZATION-NAME>', ], 'OrganizationDisplayName' => [ 'en' => '<INSERT-HERE-THE-ENGLISH-ORGANIZATION-DISPLAY-NAME>', 'it' => '<INSERT-HERE-THE-ITALIAN-ORGANIZATION-DISPLAY-NAME>', ], 'OrganizationURL' => [ 'en' => '<INSERT-HERE-THE-ENGLISH-ORGANIZATION-PAGE-URL>', 'it' => '<INSERT-HERE-THE-ENGLISH-ORGANIZATION-PAGE-URL>', ], /*Uncomment the following to use the uri NameFormat on attributes.*/ 'attributes.NameFormat' => 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri', /* eduPersonTargetedID with oid NameFormat is a raw XML value */ 'attributeencodings' => ['urn:oid:1.3.6.1.4.1.5923.1.1.1.10' => 'raw'], /* The <LogoutResponse> message MUST be signed if the HTTP POST or Redirect binding is used */ 'sign.logout' => true, 'NameIDFormat' => [ 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient', 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent' ], 'authproc' => [ // Generate the transient NameID. 1 => [ 'class' => 'saml:TransientNameID', ], // Generate the persistent NameID 2 => [ 'class' => 'saml:PersistentNameID', 'attribute' => 'uid', //the source attribute needed by the NameID generation ], // Add schacHomeOrganization for domain of entity 10 => [ 'class' => 'core:AttributeAdd', 'schacHomeOrganization' => '<INSERT-HERE-YOUR-DOMAIN-NAME>', 'schacHomeOrganizationType' => 'urn:schac:homeOrganizationType:eu:higherEducationalInstitution', ], // Add eduPersonPrincipalName 11 => [ 'class' => 'core:ScopeAttribute', 'scopeAttribute' => 'schacHomeOrganization', 'sourceAttribute' => 'uid', 'targetAttribute' => 'eduPersonPrincipalName', ], // Add eduPersonScopedAffiliation 12 => [ 'class' => 'core:ScopeAttribute', 'scopeAttribute' => 'eduPersonPrincipalName', 'sourceAttribute' => 'eduPersonAffiliation', 'targetAttribute' => 'eduPersonScopedAffiliation', ], // Enable this authproc filter to automatically generated eduPersonTargetedID/persistent nameID 20 => [ 'class' => 'saml:PersistentNameID2TargetedID', 'attribute' => 'eduPersonTargetedID', 'nameId' => true, ], // Adopts language from attribute to use in UI 30 => 'core:LanguageAdaptor', // The Attribute Limit will be use to release all possibile values supported by IdP to SPs // Remember to comment out the line "50 => 'core:AttributeLimit'," into the "config/config.php" file // or no attribute will be released. 50 => [ 'class' => 'core:AttributeLimit', 'uid','givenName','sn','cn','mail','displayName','mobile', 'title','preferredLanguage','telephoneNumber', 'schacMotherTongue','schacPersonalTitle','schacHomeOrganization', 'schacHomeOrganizationType','schacUserPresenceID','schacPersonalPosition', 'schacPersonalUniqueCode','schacPersonalUniqueID', 'eduPersonPrincipalName','eduPersonEntitlement', 'eduPersonTargetedID','eduPersonOrcid','eduPersonOrgDN','eduPersonOrgUnitDN', 'eduPersonScopedAffiliation', 'regex' => true, '/^student@.*/', '/^staff@.*/', '/^library-walk-in@.*/', '/^affiliate@.*/', '/^member@.*/', '/^alum@.*/', '/^employee@.*/', // NO IDEM '/^faculty@.*/', // NO IDEM 'eduPersonAffiliation' => [ 'student', 'staff', 'member', 'alum', 'affiliate', 'library-walk-in', 'faculty', // NO IDEM 'employee', // NO IDEM ], ], // IDEM Attribute Filter: // IDEM SPs + Entity Category SPs + Custom SPs 60 =>[ 'class' => 'core:PHP', 'code' => ' $config_dir = apache_getenv("SIMPLESAMLPHP_CONFIG_DIR"); include($config_dir."/idem-attribute-filter.php"); ' ], // Consent module is enabled(with no permanent storage, using cookies) 90 => [ 'class' => 'consent:Consent', 'store' => 'consent:Cookie', 'focus' => 'yes', 'checked' => false 'attributes.exclude' => ['uid'], ], 91 => [ 'class' => 'core:PHP', 'code' => 'unset($attributes["uid"]);' ], // If language is set in Consent module it will be added as 'preferredLanguage' attribute 99 => 'core:LanguageAdaptor', // Convert LDAP names to oids needed to send attributes to the SP 100 => ['class' => 'core:AttributeMap', 'name2oid'], ], ];
NOTE: Remember to Comment out the line "50 => 'core:AttributeLimit'," into "authproc.idp" section because we will use
core:AttributeLimitinto the "authproc" section onmetadata/saml20-idp-hosted.phpto limit the attributes released. If you keep the line no attributes will be released.
⚠️ These rules have been tested on a Test Federation: Be careful to use without having understood them before!
The following rules are set with the
idem-attribute-filter.phpfile used by thesaml20-idp-hosted.phpfile.IDEM + Entity Category + Custom SPs Attribute Release Policies:
- Release "
eduPersonTargetedID" ONLY IF the preferred "<md:NameIDFormat>" of the SP IS NOT the "persistent" ones.- Release the "
eduPersonScopedAffiliation" to all IDEM SPs- Release all required (
isRequired="true") attributes to all IDEM SPs- Release all required (
isRequired="true") attributes to all CoCo SP (if the EC is supported)- Release all R&S subset attributes:
givenName,sn,displayName,eduPersonScopedAffiliation,eduPersonPrincipalName,eduPersonTargetedID- Release attributes to those SPs that do not requrest attributes by their metadata, or that has needed to receive a specific value for one or more attributes
-
Download IDEM ARP into SimpleSAMLphp
configdirectory:cd /var/simplesamlphp/configsudo wget https://registry.idem.garr.it/idem-conf/simplesamlphp/SSP1/idem-attribute-filter.php
-
Change the
requireline intoidem-attribute-filter.phpby setting the correct path of theattributemap.phpfile
-
vim /var/simplesamlphp/cert/ssp-idp-credentials.cnf:(Replace
ssp-idp.example.orgwith your IDP Full Qualified Domain Name)[req] default_bits=4096 default_md=sha256 encrypt_key=no distinguished_name=dn # PrintableStrings only string_mask=MASK:0002 prompt=no x509_extensions=ext # customize the "default_keyfile,", "CN" and "subjectAltName" lines below default_keyfile=ssp-idp.key [dn] CN=ssp-idp.example.org [ext] subjectAltName=DNS:ssp-idp.example.org, \ URI:https://ssp-idp.example.org/idp/simplesaml/saml2/idp/metadata.php subjectKeyIdentifier=hash
-
cd /var/simplesamlphp/cert -
openssl req -new -x509 -config ssp-idp-credentials.cnf -text -out ssp-idp.crt -days 3650 -
chown -R www-data: /var/simplesamlphp/cert -
chmod 400 /var/simplesamlphp/cert/ssp-idp.key
-
Enable LDAP PHP module:
apt install php-ldapsystemctl restart apache2.service
-
Enable
ldap:LDAPAuthentication Source:-
vim /var/simplesamlphp/config/authsources.php<?php $config = [ // This is a authentication source which handles admin authentication. 'admin' => [ 'core:AdminPassword', ], // LDAP authentication source. 'ldap' => [ 'ldap:LDAP', 'hostname' => 'ldap.example.org', 'enable_tls' => true, 'debug' => false, 'timeout' => 0, 'port' => 389, 'referrals' => true, 'attributes' => null, 'dnpattern' => 'uid=%username%,ou=people,dc=example,dc=org', 'search.base' => 'ou=people,dc=example,dc=org', 'search.attributes' => ['uid'], 'search.username' => '<LDAP_USER_DN_USED_FOR_QUERIES>', 'search.password' => '<LDAP_USER_PASSWORD>', ], ];
-
-
Connect LDAP to the IdP:
-
vim /var/simplesamlphp/metadata/saml20-idp-hosted.php/* ...other things before end of file...*/ 'auth' => 'ldap', ];
-
-
Try the LDAP Authentication Source on:
-
https://ssp-idp.example.org/simplesaml/module.php/core/authenticate.php(Replace
ssp-idp.example.orgwith your IDP Full Qualified Domain Name)
-
-
IDEM MDX (recommended): https://mdx.idem.garr.it/
-
IDEM MDS (legacy):
-
Load CRON module:
cd /var/simplesamlphpcp vendor/simplesamlphp/simplesamlphp/modules/cron/config-templates/module_cron.php config/
-
Load METAREFRESH module:
cd /var/simplesamlphpcp vendor/simplesamlphp/simplesamlphp/modules/metarefresh/config-templates/config-metarefresh.php config/
-
Enable CRON & METAREFRESH modules:
-
vim /var/simplesamlphp/config/config.php/* ...other things... */ 'module.enable' => [ 'cron' => true, 'metarefresh' => true, 'consent' => true, ], /* ...other things... */
-
-
Test it:
cd /var/simplesamlphp/vendor/simplesamlphp/simplesamlphp/modules/metarefresh/bin./metarefresh.php -s http://md.idem.garr.it/metadata/idem-test-metadata-sha256.xml > metarefresh-test.txt
-
Generate the CRON
<SECRET>:tr -c -d '0123456789abcdefghijklmnopqrstuvwxyz' </dev/urandom | dd bs=32 count=1 2>/dev/null ; echo
-
Change the CRON configuration file:
-
vim /var/simplesamlphp/config/module_cron.php<?php /* * Configuration for the Cron module. */ $config = [ 'key' => '<SECRET>', 'allowed_tags' => ['hourly'], 'debug_message' => TRUE, 'sendemail' => TRUE, ]; ?>
-
-
Insert the following Cron job to the crontab file (
crontab -e):(Replace
ssp-idp.example.orgwith your IDP Full Qualified Domain Name)# Run cron: [hourly] 01 * * * * root curl --silent "https://ssp-idp.example.org/simplesaml/module.php/cron/cron.php?key=<SECRET>&tag=hourly" > /dev/null 2>&1
-
Configure METAREFRESH:
-
vim /var/simplesamlphp/config/config-metarefresh.php<?php $config = [ /* * Global blacklist: entityIDs that should be excluded from ALL sets. */ #'blacklist' = array( # 'http://my.own.uni/idp' #), /* * Conditional GET requests * Efficient downloading so polling can be done more frequently. * Works for sources that send 'Last-Modified' or 'Etag' headers. * Note that the 'data' directory needs to be writable for this to work. */ #'conditionalGET' => TRUE, 'sets' => [ 'idem' => [ 'cron' => ['hourly'], 'sources' => [ [ 'src' => 'http://md.idem.garr.it/metadata/idem-test-metadata-sha256.xml', 'certificates' => [ '/var/simplesamlphp/cert/federation-cert.pem', ], 'template' => [ 'tags' => ['idem'], 'authproc' => [ 51 => ['class' => 'core:AttributeMap', 'oid2name'], ], ], /* * The sets of entities to load, any combination of: * - 'saml20-idp-remote' * - 'saml20-sp-remote' * - 'shib13-idp-remote' * - 'shib13-sp-remote' * - 'attributeauthority-remote' * * All of them will be used by default. */ 'types' => ['saml20-sp-remote'], // Load only SAML v2.0 SP from metadata ], ], 'expireAfter' => 864000, // Maximum 10 days cache time (3600*24*10) 'outputDir' => '/var/simplesamlphp/metadata/', /* * Which output format the metadata should be saved as. * Can be 'flatfile' or 'serialize'. 'flatfile' is the default. */ 'outputFormat' => 'flatfile', ], ], ];
-
-
Remove not needed files from:
cd /var/simplesamlphp/metadata ; rm !(saml20-idp-hosted.php)
-
Download the Federation signing certificate:
-
wget https://md.idem.garr.it/certs/idem-signer-20241118.pem -O /var/simplesamlphp/cert/federation-cert.pem
-
-
Check the validity of the signing certificate:
-
cd /var/simplesamlphp/cert -
openssl x509 -in federation-cert.pem -fingerprint -sha1 -noout(sha1: 0E:21:81:8E:06:02:D1:D9:D1:CF:3D:4C:41:ED:5F:F3:43:70:16:79)
-
openssl x509 -in federation-cert.pem -fingerprint -md5 -noout(md5: 73:B7:29:FA:7C:AE:5C:E7:58:1F:10:0B:FC:EE:DA:A9)
-
-
Go to
https://ssp-idp.example.org/simplesaml/module.php/core/frontpage_federation.phpand forcing download of the Federation metadata by pressing onMetarefresh: fetch metadataor wait 1 day(Replace
ssp-idp.example.orgwith your IDP Full Qualified Domain Name)
-
-
vim /var/simplesamlphp/vendor/simplesamlphp/simplesamlphp/dictionaries/attributes.definition.json/* ...other things... */ "attribute_schachomeorganization":{ "en": "Home organization domain name" }, "attribute_schachomeorganizationtype":{ "en": "Home organization type" }, /* ...other things... */
(Pay attention also to "commas"!)
-
vim /var/simplesamlphp/vendor/simplesamlphp/simplesamlphp/dictionaries/attributes.translation.json/* ...other things before the end of file... */ "attribute_schachomeorganizationtype":{ "it": "Tipo di Organizzazione" } }
(Pay attention also to "commas"!)
-
vim /var/simplesamlphp/vendor/simplesamlphp/saml2/src/SAML2/DOMDocumentFactory.php/* ...other things... */ public static function create() : DOMDocument { return new DOMDocument('1.0','utf-8'); } }
-
https://ssp-idp.example.org/simplesaml/saml2/idp/metadata.php(Replace
ssp-idp.example.orgwith your IDP Full Qualified Domain Name)
Go to https://registry.idem.garr.it and follow "Insert a New Identity Provider into the IDEM Test Federation" (your entity has to be approved by an IDEM Federation Operator before become part of IDEM Test Federation)
-
Install needed packages:
sudo apt install memcached php-memcached
-
Enable PHP memcached module:
sudo phpenmod memcached
-
Restart Apache:
sudo systemctl restart apache2.service
-
Enable memcache on simplesamlphp:
-
vim /var/simplesamlphp/config/config.php/* ...other things... */ 'store.type' => 'memcache', /* ...other things... */
-
Follow SimpleSAMLphp statistics module documentation
- The Mozilla Observatory: The Mozilla Observatory has helped over 240,000 websites by teaching developers, system administrators, and security professionals how to configure their sites safely and securely.
- Marco Malavolti (marco.malavolti@garr.it)