This repository contains the simplified code of samlidp.io. It is focused on what NRENs need, so now it is easy to host a SAML Identity Provider as a Service for the institutes of your NREN.
Using this service is free, but donations are welcome and will go towards further development of this project. Use the wallet addresses below to donate.
Thank you for your support and generosity!
- VM with docker hosting environment
- relational database service
- logging service
- smtp service
- some persistent storage
- a dedicated domain for your service
- a wildcard certificate for your chosen domain (`$SAMLIDP_HOSTNAME`) for this service (the main domain will host your service, the third-level domains will host the IdPs)
- ports 80/443 open for incoming traffic, and outgoing traffic allowed, on your firewall
- Clone this repository
- Grab your wildcard certificate from your CA and name the files `wildcard_certificate.key` / `wildcard_certificate.crt`.
- Encrypt the key: `openssl aes256 -md sha256 -a -salt -k $VAULT_PASS -in wildcard_certificate.key -out wildcard_certificate.key.enc`, then put the certificate and the encrypted key into the `conf/credentials` folder. You will need this `$VAULT_PASS` for starting the app, so save it. Depending on your CA, you may have to merge the certificate chain into
- Configure the storage service in `app/app/config/config.yml` and the logging service in `app/app/config/config_prod.yml`. There are lots of Monolog handlers you can use directly.
- Generate a self-signed certificate for the attribute release checking service, which will be deployed to
  `cd conf/credentials && openssl req -new -newkey rsa:2048 -x509 -days 3652 -nodes -out attributes.$SAMLIDP_HOSTNAME.crt -keyout attributes.$SAMLIDP_HOSTNAME.key`. Important: value of `$SAMLIDP_HOSTNAME`. In case the attribute release checking service page fails to open and you get the error `Unable to load private key from file "/app/vendor/simplesamlphp/simplesamlphp/cert/attributes.$SAMLIDP_HOSTNAME`, make sure the key file has appropriate read permissions and build the image again.
- Build the image: `docker build -t samli/nren .`
- In `docker-compose.yml`, fill in the values of the environment variables (see details below).
- Start the service:
- Connect to your samlidp service on your chosen domain via your browser
- Register an `admin` user, then run in the container: `app/bin/console fos:user:promote admin ROLE_SUPER_ADMIN`. After logging out and in again, this user will be able to edit all the registered IdPs and users.
- Test the app: register an IdP, add users, test against an SP, etc.
- You can find the templates at `app/app/src/AppBundle/Resources/views/default` and the English texts used at `app/app/Resources/AppBundle/translations`. You can make other translations easily without modifying the original templates.
- Additionally you should customize the text of the mails (`app/app/src/AppBundle/Resources/views/IdPUser/*.txt`) and the login theme of the IdP.
- While you are doing this customization, you should attach these folders as volumes to your container, so you can see the changes on the fly. When you are ready, rebuild and restart the image.
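The credential preparation from the steps above as a checked shell script; this is an added example, not code from the samlidp.io repository. It encrypts the wildcard key with the README's cipher settings but reads `$VAULT_PASS` from the environment instead of the command line, verifies that the saved passphrase decrypts it, checks that the certificate matches the key, and generates the `attributes.$SAMLIDP_HOSTNAME` pair non-interactively. Assumed: `-subj` with CN `attributes.$SAMLIDP_HOSTNAME` stands in for the interactive prompts, and a throwaway self-signed pair stands in for the CA-issued wildcard certificate.

```shell
#!/usr/bin/env sh
# Added example, not code from the samlidp.io repository: prepare and check the
# conf/credentials files from the steps above. Constructed defaults allow a dry run;
# in a real deployment export your own SAMLIDP_HOSTNAME and VAULT_PASS instead.
set -eu
: "${SAMLIDP_HOSTNAME:=samlidp.example.test}"
: "${VAULT_PASS:=constructed-demo-passphrase-change-me}"
export SAMLIDP_HOSTNAME VAULT_PASS

# Same cipher settings as the README command (`openssl aes256` is the aes-256-cbc
# alias), but the passphrase comes from the environment (-pass env:VAULT_PASS)
# rather than -k "$VAULT_PASS", so it is not exposed in `ps` output or shell history.
encrypt_key() {  # $1 plaintext key, $2 output .enc
  openssl enc -aes-256-cbc -md sha256 -a -salt -pass env:VAULT_PASS -in "$1" -out "$2"
}

# Decrypt and compare with the original: proves the saved VAULT_PASS opens the .enc.
verify_roundtrip() {  # $1 plaintext key, $2 .enc; returns 1 on bad pass or mismatch
  tmp=$(mktemp); rc=1
  if openssl enc -d -aes-256-cbc -md sha256 -a -pass env:VAULT_PASS -in "$2" -out "$tmp" 2>/dev/null \
     && cmp -s "$1" "$tmp"; then rc=0; fi
  rm -f "$tmp"; return $rc
}

# A cert whose public key differs from its key file cannot serve TLS: compare them.
cert_matches_key() {  # $1 cert, $2 key
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}
# Attribute-release self-signed pair from the README step; -subj (assumed CN) makes it non-interactive.
make_attributes_cert() {  # $1 credentials directory
  openssl req -new -newkey rsa:2048 -x509 -days 3652 -nodes \
    -subj "/CN=attributes.$SAMLIDP_HOSTNAME" -out "$1/attributes.$SAMLIDP_HOSTNAME.crt" \
    -keyout "$1/attributes.$SAMLIDP_HOSTNAME.key" 2>/dev/null
}
cert_cn() {  # $1 cert; prints its CN so the hostname can be confirmed
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/.*CN=//'
}
# Dry run: a throwaway self-signed "wildcard" pair (constructed) stands in for the CA-issued one.
demo() {  # prints the temp dir that holds the results
  d=$(mktemp -d)
  openssl req -new -newkey rsa:2048 -x509 -days 1 -nodes -subj "/CN=*.$SAMLIDP_HOSTNAME" \
    -out "$d/wildcard_certificate.crt" -keyout "$d/wildcard_certificate.key" 2>/dev/null
  encrypt_key "$d/wildcard_certificate.key" "$d/wildcard_certificate.key.enc"
  verify_roundtrip "$d/wildcard_certificate.key" "$d/wildcard_certificate.key.enc"
  cert_matches_key "$d/wildcard_certificate.crt" "$d/wildcard_certificate.key"
  make_attributes_cert "$d"
  echo "$d"
}
demo
```

Point the functions at your real `conf/credentials` files once the dry run passes; the `.enc` written by `encrypt_key` is in the same format the README command produces.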
| Variable | Description | Required |
|---|---|---|
| | FQDN for your samlidp instance. | Required |
| | Encryption key for samlidp secret variables. At the moment used to encrypt/decrypt the key of the wildcard certificate. | Required |
| | The database server IP address. | Required |
| | The database server port (3306 for MySQL, 5432 for PostgreSQL). | Required |
| | The database type. Tested with: | |
| | The database version. | Required |
| | The database name. | Required |
| | The database user. | Required |
| | The database password. | Required |
| | SMTP server host. | Required |
| | SMTP server port. | Required |
| | SMTP encryption (tls, ssl). | Required |
| | SMTP username. | Required |
| | SMTP password. | Required |
| | From address for mails sent by the app. | Required |
| | Access token for rollbar.com, if you would like to examine the potential exceptions. | Optional |
| | S3 access key. Needed if you use the S3 backend for storing logos. | Optional |
| | S3 secret key. | Optional |
| | S3 region. | Optional |
| | S3 bucket. | Optional |