4
votes

I have a CakePHP application which needs users to be authenticated via SAML single sign-on. For this, I have followed the link "https://github.com/zl4bv/CakePHP-simpleSAMLphp-Plugin".

According to its documentation, I have downloaded fresh copies of CakePHP and simpleSAMLphp. Now, I have a cakephp folder and a simpleSAMLphp folder in my workspace. I have installed simpleSAMLphp as described in the link "https://simplesamlphp.org/docs/stable/". I followed these steps: (1) I configured simpleSAML in the Apache configuration as below:

<VirtualHost *>
    ServerName service.local-saml.com
    DocumentRoot /var/www/simplesamlphp/www/

    <Directory "/var/www/simplesamlphp/www/">
        Order allow,deny
        Allow from all
        Require all granted
    </Directory>
</VirtualHost>

(2) Now, in simplesamlphp application folder, I changed values for 'auth.adminpassword', 'secretsalt', 'technicalcontact_name', 'technicalcontact_email' in /config/config.php file.

(3) I used SAML:sp module which is by default enabled.

(4) First, I started with SAML as an Identity Provider.

(5) I enabled 'enable.saml20-idp' => true, in /config/config.php file.

(6) Created a self-signed SSL certificate by using this command on the terminal:

sudo openssl req -new -x509 -days 3652 -nodes -out /etc/ssl/certs/simplesamlphp.crt -keyout /etc/ssl/certs/simplesamlphp.pem

(7) Moved the above certificates to simplesamlphp/cert.

(8) Added the private key and certificate to config/authsources.php:

'default-sp' => array(
    'saml:SP',
    'privatekey' => 'simplesamlphp.pem',
    'certificate' => 'simplesamlphp.crt',
),

(9) Added the private key and certificates to the "metadata/saml20-idp-hosted.php" file also.

(10) Changed the metadata in "metadata/saml20-sp-remote.php"

$metadata['http://service.local-saml.com'] = array(
    'AssertionConsumerService' => 'http://service.local-saml.com/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp',
    'SingleLogoutService' => 'http://service.local-saml.com/simplesaml/module.php/saml/sp/saml2-logout.php/default-sp',
);

(11) I added the metadata on link "https://openidp.feide.no/simplesaml/module.php/core/loginuserpass.php?AuthState=_36266db92ac88d2d66ae8ede39dd1264a39243f08e%3Ahttps%3A%2F%2Fopenidp.feide.no%2Fsimplesaml%2Fmodule.php%2Fcore%2Fas_login.php%3FAuthId%3Dopenidp-ldap%26ReturnTo%3Dhttps%253A%252F%252Fopenidp.feide.no%252Fsimplesaml%252Fmodule.php%252Fmetaedit%252Findex.php".

(12) I typed the URL "http://service.local-saml.com/simplesaml" in the browser and it is working correctly. I tried to log in with the default-sp option and it is working correctly.

Now, I want to use this simpleSAMLphp with my CakePHP application. (13) For this, as mentioned in "https://github.com/zl4bv/CakePHP-simpleSAMLphp-Plugin", I put the saml folder in the /app/plugin folder of CakePHP.

(14) I added lines on core.php and bootstrap.php files.

(15) I made a usersController and made it the same as given in the example files of the link.

(16) I added the following

'sp1' => array(
    'saml:SP',
    'privatekey' => 'simplesamlphp.pem',
    'certificate' => 'simplesamlphp.crt',
    'entityID' => 'http://localhost/cakephp1',
),

in config/authsources.php of simplesamlphp.

(17) I added metadata in metadata/saml20-sp-remote.php

$metadata['http://localhost/cakephp'] = array(
    'AssertionConsumerService' => 'http://localhost/cakephp',
    'SingleLogoutService' => 'http://localhost/cakephp',
);

When I typed localhost/cakephp in the browser, the link redirected to "https://openidp.feide.no/simplesaml/module.php/core/loginuserpass.php"; the user enters his username and password, but a "State information lost" error is displayed at "http://service.local-saml.com/simplesaml/module.php/saml/sp/saml2-acs.php/sp1" and the user is not returned to "localhost/cakephp". I want the user to be returned to the CakePHP URL after entering login credentials.

Please help me find where I am wrong and what I have missed.


3 Answers

2
votes

It seems that CakePHP and simpleSAMLphp have session conflicts. One possible solution is to install memcache and use memcache as the session handler for simpleSAMLphp. https://simplesamlphp.org/docs/stable/simplesamlphp-maintenance#section_2_1

But there are more ways, check: https://simplesamlphp.org/docs/development/simplesamlphp-nostate

1
votes

Did you also set the cookie domain in php.ini?

session.cookie_domain = ".feide.no"

NB! If you use PHP sessions, you will also have to make sure that your application uses the same domain when it sets the cookie. Read this source for more information. Good luck.
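The two answers above point at the same underlying problem: SimpleSAMLphp's default store is the PHP session, which the CakePHP app also owns, and the cookie carrying that session must be valid on every host in the login round trip. The following config fragment is an added example, not code from either answer or from the SimpleSAMLphp project; it shows the default settings beside the memcache store the first answer suggests, plus the cookie settings the second answer is about, expressed in SimpleSAMLphp's own config/config.php instead of php.ini. The memcached hostname and the cookie domain are assumed values.

```php
<?php
// Session-handling part of simplesamlphp/config/config.php (added example).
// Only the keys relevant to the "State information lost" problem are shown;
// everything else in the array stays as shipped.
$config = array(

    // --- Default: state lives in the native PHP session. ---
    // CakePHP uses that same PHP session, so when it starts, regenerates or
    // reconfigures the session during the redirect chain, the AuthState that
    // SimpleSAMLphp saved before sending the browser to the IdP is gone by
    // the time saml2-acs.php tries to look it up.
    // 'store.type' => 'phpsession',
    // 'session.phpsession.cookiename' => 'SimpleSAML',

    // --- First answer: a store that CakePHP never touches. ---
    'store.type' => 'memcache',
    'memcache_store.servers' => array(
        array(
            array('hostname' => 'localhost'),   // assumed: memcached on the same host
        ),
    ),
    'memcache_store.prefix'  => 'ssp',           // keeps SSP keys apart from other memcache users
    'memcache_store.expires' => 36 * (60 * 60),  // seconds before a stored session is dropped

    // With a non-phpsession store SimpleSAMLphp sets its own cookie, so it
    // no longer shares a cookie (and a session id) with the CakePHP app.
    'session.cookie.name' => 'SimpleSAMLSessionID',

    // --- Second answer: the cookie must be valid on the host that wrote the
    // state AND on the host where saml2-acs.php reads it. ---
    // A common parent domain for those hosts is assumed here; if they share
    // none, no cookie domain setting can make the state visible to both.
    'session.cookie.domain' => '.local-saml.com',
    'session.cookie.path'   => '/',
    // Set to true as soon as the SP and the app are served over HTTPS, so the
    // session cookie is never sent over plain HTTP.
    'session.cookie.secure' => false,
);
```

After changing the store, clear any existing SimpleSAML and CakePHP cookies in the browser before retesting, so a stale session id from the old store is not reused.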

0
votes

There is an easy way to include simpleSAMLphp in CakePHP without this plugin.

1 - Add your configured and working simpleSAMLphp to the app/Lib folder.
2 - In your controller, make your custom method; in my case I made auth():

    // Custom CakePHP controller action acting as the IdP SSOService endpoint;
    // it mirrors what simplesamlphp/www/saml2/idp/SSOService.php does.
    function auth()
    {
        // Stop CakePHP from rendering a layout or view: SimpleSAMLphp writes the response itself.
        $this->layout = 'ajax';
        $this->autoRender = false;

        // Bootstrap SimpleSAMLphp (autoloader and configuration) from app/Lib.
        require_once(APP . 'Lib/simplesamlphp/www/_include.php');

        SimpleSAML_Logger::info('SAML2.0 - IdP.SSOService: Accessing SAML 2.0 IdP endpoint SSOService');

        // Resolve the hosted IdP entity and hand the incoming AuthnRequest to it.
        $metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
        $idpEntityId = $metadata->getMetaDataCurrentEntityID('saml20-idp-hosted');
        $idp = SimpleSAML_IdP::getById('saml2:' . $idpEntityId);
        sspmod_saml_IdP_SAML2::receiveAuthnRequest($idp);

        // receiveAuthnRequest() never returns normally (it redirects or throws),
        // so reaching this line indicates a bug.
        assert('FALSE');
    }

Instead of hitting the URL of simpleSAMLphp like this: http://yoursimplesamlphpurl.com/saml2/idp/SSOService.php?spentityid=spname

use this URL of your CakePHP application: http://your-cakeappurl.com/CakeControllername/auth?spentityid=spname