This tutorial will show you how to configure Single-Sign-On (SSO) in Apache using Active Directory Federation Service (AD FS) as an identity provider and SimpleSAMLphp as a service provider on CentOS, RHEL Linux.

Single sign-on (SSO) is a property of access control of multiple related, yet independent, software systems. With this property, a user logs in with a single ID and password to gain access to a connected system or systems without using different usernames or passwords, or in some configurations seamlessly sign on at each system.

Apache is the most widely-used web server in the world. It provides many powerful features including dynamically loadable modules, robust media support, and extensive integration with other popular software.

SimpleSAMLphp is an award-winning application written in native PHP that deals with authentication. It authenticates the user against a SAML 2.0 IdP, and grants access to resources depending on attributes received from the identity provider (IdP).

Active Directory Federation Services (AD FS) is a software component developed by Microsoft that can be installed on Windows Server operating systems to provide users with single sign-on access to systems and applications located across organizational boundaries.

The following information will be used throughout this tutorial:

FQDN			IP Address	Purpose		        OS
idp.techsupportpk.com	192.168.105.70	AD FS			Windows 2019
sp.techsupportpk.com	192.168.105.69	Apache, SimpleSAMLphp	CentOS 7

These instructions can also be applied if you are running RHEL, or Oracle Linux on your system.

Prerequisites

To follow this tutorial along, you will need one (physical or virtual) machine installed with CentOS, or RHEL Linux. This guide assume that you already have Active Directory Federation Service (AD FS) in place.

Make sure you have proper DNS entries for your Linux and AD FS FQDN:

Make sure you have proper FQDN entries in /etc/hosts file on your Linux system:

Make sure your Linux and AD FS machines are reachable to each-other using their FQDN:

Ping your AD FS FQDN from your Linux machine like below:

When you have all prerequisites in place, you can proceed with below steps.

Install Required Packages

sudo yum install -y epel-release
sudo yum install -y https://rpms.remirepo.net/enterprise/remi-release-7.rpm
sudo yum install -y httpd mod_ssl openssl php71 php71-php php71-php-fpm php71-php-gd php71-php-mysqlnd php71-php-mcrypt php71-php-mbstring php71-php-common php71-php-curl php71-php-pecl-redis php71-php-pecl-memcache php71-php-xml php71-php-ldap php71-php-cli php71-php-json php71-php-pdo git wget nano ntpdate mariadb-server

Secure MariaDB

Start MariaDB with below command:

sudo systemctl start mariadb
sudo systemctl enable mariadb
sudo systemctl status mariadb

Execute below script, and follow on screen instruction to secure you MariaDB installation:

sudo /usr/bin/mysql_secure_installation

Configure PHP

sudo nano /etc/opt/remi/php71/php.ini

Update following parameter with your correct timezone:

date.timezone = Asia/Karachi

Start PHP to make changes effect:

sudo systemctl start php71-php-fpm
sudo systemctl enable php71-php-fpm

Download SimpleSAMLphp

At the time of writing this article, the latest stable release of SimpleSAMLphp is ( 1.18.8). You can check latest stable release at https://github.com/simplesamlphp/simplesamlphp/releases

You can download stable release on your Linux system from GitHub repository like below:

cd ~
wget https://github.com/simplesamlphp/simplesamlphp/releases/download/v1.18.8/simplesamlphp-1.18.8.tar.gz
sudo tar -xf simplesamlphp-1.18.8.tar.gz -C /var/
sudo mv /var/simplesamlphp-1.18.8/ /var/simplesamlphp

Create Self-signed SSL Certificate

Type below command to generate a self-signed SSL certificate for your Apache:

sudo openssl req -newkey rsa:3072 -new -x509 -days 3652 -nodes -out /var/simplesamlphp/cert/sp.crt -keyout /var/simplesamlphp/cert/sp.pem

Enter the following information accordingly:

Generating a 3072 bit RSA private key
.....................................++
........++
writing new private key to '/var/simplesamlphp/cert/sp.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:PK
State or Province Name (full name) []:Sindh
Locality Name (eg, city) [Default City]:Karachi
Organization Name (eg, company) [Default Company Ltd]:Tech Support
Organizational Unit Name (eg, section) []:IT Support
Common Name (eg, your name or your server's hostname) []:sp.techsupportpk.com
Email Address []:support@techsupportpk.com

Type below command to generate a self-signed SSL certificate for your identity provider:

sudo openssl req -newkey rsa:3072 -new -x509 -days 3652 -nodes -out /var/simplesamlphp/cert/idp.crt -keyout /var/simplesamlphp/cert/idp.pem

Enter the following information accordingly:

Generating a 3072 bit RSA private key
.....................................++
........++
writing new private key to '/var/simplesamlphp/cert/idp.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:PK
State or Province Name (full name) []:Sindh
Locality Name (eg, city) [Default City]:Karachi
Organization Name (eg, company) [Default Company Ltd]:Tech Support
Organizational Unit Name (eg, section) []:IT Support
Common Name (eg, your name or your server's hostname) []:idp.techsupportpk.com
Email Address []:support@techsupportpk.com

Combine sp.crt, and sp.pem into sp.pfx format with below command:

sudo openssl pkcs12 -inkey /var/simplesamlphp/cert/sp.pem -in /var/simplesamlphp/cert/sp.crt -export -out /var/simplesamlphp/cert/sp.pfx

Configure SimpleSAMLphp

Type below command to generated a random string to be used as secret salt:

sudo tr -c -d '0123456789abcdefghijklmnopqrstuvwxyz'</dev/urandom | dd bs=32 count=1 2>/dev/null;echo

Copy the generated string, save it in a text file, we will use it in a while:

Type below command to generate hashed password for SimpleSAMLphp administrator account:

php71 /var/simplesamlphp/bin/pwgen.php

You will need to log in with administrator account of SimpleSAMLphp to access some of the secure pages from web interface. Copy the generated hashed password, save it in a text file, we will use it in a while:

Edit config.php with any of your preferred text editor:

sudo nano /var/simplesamlphp/config/config.php

Locate the following parameters, and replace their values with yours:

'technicalcontact_name' => 'Support',
'technicalcontact_email' => 'support@techsupportpk.com',

Replace timezone value with yours:

'timezone' => 'Asia/Karachi',

Replace secretsalt value with the one your generated earlier:

'secretsalt' => 'defaultsecretsalt',

Replace auth.adminpassword with the one you generated earlier:

'auth.adminpassword' => '123',

Save and close the editor when you are finished.

Configure Apache

Create a simplesamlphp.conf file like below:

sudo nano /etc/httpd/conf.d/simplesamlphp.conf

Add following parameters in it:

Alias /simplesaml /var/simplesamlphp/www

<Directory /var/simplesamlphp/www>
<IfModule mod_authz_core.c>
       Require all granted
</IfModule>
</Directory>

Save and close the editor when you are finished.

Create a directory for your web content like an example below:

sudo mkdir -p /var/www/sp.techsupportpk.com

Create a VirtualHost configuration file like an example below:

sudo nano /etc/httpd/conf.d/sp.techsupportpk.conf

Add following parameters in it, replace highlighted text with yours:

<VirtualHost *:80>
   ServerName sp.techsupportpk.com
   Redirect / https://sp.techsupportpk.com/
</VirtualHost>

<VirtualHost _default_:443>
   ServerName sp.techsupportpk.com
   DocumentRoot /var/www/sp.techsupportpk.com
   SSLEngine On
   SSLCertificateFile /var/simplesamlphp/cert/sp.crt
   SSLCertificateKeyFile /var/simplesamlphp/cert/sp.pem
</VirtualHost>

Test Apache configuration with below command:

sudo apachectl configtest

If everything configured correctly, you will see the output like below:

Syntax OK

If you see any configuration error, fix them first, then proceed to next.

Type below command to start Apache:

sudo systemctl start httpd
sudo systemctl enable httpd
sudo systemctl status httpd

Synchronize your Linux system clock with your AD FS like below:

sudo ntpdate -u idp.techsupportpk.com

You will see output like below:

1 Mar 11:55:14 ntpdate[14847]: adjust time server 192.168.105.70 offset -0.321102 sec

Open up web browser, type https://sp.techsupportpk.com/simplesaml in the address bar, Click Advanced to ignore browser SSL warning:

You will see SimpleSAMLphp dashboard like below.

Click Login as administrator

If you remember, this administrator password you generated with pwgen.php command, and configured it in config.php file.

Enter your password, and click Login:

Once logged in, click Configuration tab to verify your PHP installation, you can safely ignore optional predis warning as we don't need it.

Navigate to Federation tab, click XML to SimpleSAMLphp metadata converter sd

Click Choose File to upload your AD FS metadata file, click Parse

The will return two sets of data. The first: saml20-sp-remote can be ignored since we are not using SimpleSAMLphp as an identity provider.

Scroll to saml20-idp-remote and copy the contents of this field to the clipboard.

Go back to your Linux terminal, edit saml20-idp-remote.php file like below:

sudo nano /var/simplesamlphp/metadata/saml20-idp-remote.php

Paste copied contents in it:

Save and close the editor when you are finished.

Edit authsources.php with any of your preferred text editor:

sudo nano /var/simplesamlphp/config/authsources.php

Add your AD FS as an identity provider in authsource.php like below:

'techsupportpk-sp' => array(
'saml:SP',
'entityID' => null,
'idp' => 'http://idp.techsupportpk.com/adfs/services/trust',
'discoURL' => null,
'sign.logout' => TRUE,
'SignLogoutRequest' => TRUE,
'SignLogoutResponse' => TRUE,
'redirect.sign' => TRUE,
'assertion.encryption' => TRUE,
'privatekey' => 'idp.pem',
'certificate' => 'idp.crt',
'signature.algorithm' => 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'
),

Save and close the editor when you are finished.

After modification, authsources.php will look similar to like below:

Go back to your browser, refresh https://sp.techsupportpk.com/simplesaml page, navigate to Federation tab, and you will see your recently added SP metadata like below:

You will need this metadata url to configure your AD FS Relying Party Trust in the next step.

At this stage, you need to transfer /var/simplesamlphp/cert/sp.pfx SSL certificate file from your Linux system to your AD FS machine using WinSCP or whatever tool you would like to use.

When you have your sp.pfx file on your AD FS machine, install it like below:

Click Local Machine, click Next

Click Next

We did not set any password, so we will leave it blank, click Next

Click Place all certificate in the following store, click Browse

Select Trusted Root Certification Authorities, click OK

Click Next

Click Finish

Configure AD FS Relying Party Trust

Log in to your AD FS machine, open up AD FS Management console, Right-click Relying Party Trust, Click Add Relying Party Trust

Keep default Claims aware, click Start

Enter your SP metadata url like below, click Next

You can safely ignore this warning, Click OK

Click Next

Click Next

Click Close

Right-click on your Relying Party Trust entity, click Edit Claim Issuance Policy

Click Add Rule

Select Send LDAP Attributes as Claim, click Next

Configure claim rule like below:

Click Finish when you are done.

Add another rule, select Transform an Incoming Claim, click Next

Configure rule like below:

Click Finish when you are done.

Click Apply, OK

At this stage, your AD FS Relying Party Trust configuration is ready to serve the purpose.

Verify SimpleSAMLphp AD FS Integration

From a web browser, access your https://sp.techsupportpk.com/simplesaml and navigate to Authentication tab, click Test configured authentication sources

Click on a authentication source your added for AD FS.

If everything configured correctly, you will be taken to your AD FS login page:

Enter your valid usernameand password like below to sign-in:

Once signed in, you’ll be bounced back to SimpleSAMLphp and shown your claims as you can see in screenshot below:

If you face any issue, double-check everything your configured and then check the logs for hints as to what could have gone wrong.

Verify Apache SSO

We will create a simple index.php page in /var/www/sp.techsupportpk.com/ to test Apache SSO functionality.

cd /var/www/sp.techsupportpk.com
sudo nano index.php

Add following code in it, replace highlighted text with yours:

<?php
require_once ('/var/simplesamlphp/lib/_autoload.php');
$as = new SimpleSAML_Auth_Simple('techsupportpk-sp');
$as->requireAuth();

$attributes = $as->getAttributes();

?>
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Index Page</title>
</head>
<body>
<h3>Welcome <strong>Authenticated User</strong>!</h3>
<h4>Claim list:</h4>
<?php
echo '<pre>';
print_r($attributes);
echo '</pre>';

echo '<a href="logout.php">Logout</a>';

?>
</body>
</html>

Create a simple logout.php page like below:

<?php
require_once ('/var/simplesamlphp/lib/_autoload.php');
$as = new SimpleSAML_Auth_Simple('techsupportpk-sp');

$as->logout(array(
'ReturnTo' => '/logged_out.php',
'ReturnStateParam' => 'LogoutState',
'ReturnStateStage' => 'MyLogoutState',
));
?>

Create a simple logged_out.php page like below:

<?php
require_once ('/var/simplesamlphp/lib/_autoload.php');

try {
        if ($_REQUEST['LogoutState']) {
                $state = SimpleSAML_Auth_State::loadState((string)$_REQUEST['LogoutState'], 'MyLogoutState');
        }
        else {
                echo "Were you logged in?";
                exit;
        }
}
catch (Exception $e) {
        echo 'Caught exception: ',  $e->getMessage(), "\n";
        exit;
}
$ls = $state['saml:sp:LogoutStatus']; // Only works for SAML SP
if ($ls['Code'] === 'urn:oasis:names:tc:SAML:2.0:status:Success'&& !isset($ls['SubCode'])) {
    // Successful logout.
    echo("You have been logged out.");
    echo "<script>window.close();</script>";
} else {
    // Logout failed. Tell the user to close the browser.
   // echo("We were unable to log you out of all your sessions. To be completely sure that you are logged out, you need to
 close your web browser.");
}
?>

Open up web browser, enter https://sp.techsupportpk.com in the address bar, you will be taken to your AD FS login page.

Once signed-in with valid credentials, you will be redirected to your simple index.php page as shown in screenshot below:

Click logout to test your logout functionality.

Conclusion

Now that you have successfully configured SSO in Apache using SimpleSAMLphp and Active Directory Federation Service, you can start testing your applications SSO functionality.

Configure SSO in Apache using SimpleSAMLphp and ADFS on CentOS, RHEL Linux

Prerequisites

Install Required Packages

Secure MariaDB

Configure PHP

Download SimpleSAMLphp

Create Self-signed SSL Certificate

Configure SimpleSAMLphp

Configure Apache

Configure AD FS Relying Party Trust

Verify SimpleSAMLphp AD FS Integration

Verify Apache SSO

Conclusion

Trending Articles

Practice Sheet of Right form of verbs for HSC Students

Download: FK ft Shenky – Nakuyewa ”Prod by: Shenky”

How to win at Markstrat (Markstrat Tips and Tricks) – Vodites

Ominde Commission Report and Recommendations – Ominde Report of 1964

Bureau of Internal Revenue: Regional Offices (Directory)

GO 53 on Enhancement of Ex-gratia upto 5 Lakhs Toddy Tappers in Telangana

Cakewalk CA-2A Leveling Amplifier v2.0.1.97 WiN, v2.0.1.96 OSX Incl Keygen

Mp3 Download: Mdu - Kunjenjenjena

How the kill the job , when DTP request running for long hours.

Microsoft Intune から展開しているアプリのアップデートについて

18-year-old girl was beaten for half an hour by two Northampton men in 'an...

Car crash in Dunton Bassett leaves driver in critical condition

Macky 2, Two Others In Road Accident

Application log 00000000000000089514: Could not convert queue DLVST90CLNT

Detroit mafia: D’Anna Brothers agree to plea deal

Delivery block field greyed out using VA02

Muloraki Au

【個人撮影】スマホのプライベート映像♪「中に出さないで///」カラオケ屋での生ハメ撮りが流出ｗ【リベンジポルノ】＠PornHub

BREAKING NEWS: Diamond Platnumz Is Reported Dead After Ghastly Car Accident

FIAT 500 B0111 B0112