SimpleSamlPHP auth plugin
Overview
Hi, as I discussed on Matrix, as part of my bachelor thesis I needed to develop a SimpleSamlPHP auth plugin because it was easier to set up and configure than the existing Shibboleth. I thought I would share what I have created. The plugin is functional, though there may be some mistakes since I created it by reverse-engineering other plugins. As I was told on Matrix, there is no documentation available for creating these kinds of plugins.
Plugin description
The plugin works similarly to the Shibboleth plugin. It requires SimpleSamlPHP to be installed and configured in its default directory (this can be changed in the plugin's code). To support SingleLogout, the public/logout.php file had to be modified; these changes copy the same logic from the CAS auth plugin.
Additionally, if the username_attribute configuration variable is not set, the plugin uses the SAML NameID as the username.
Prerequisites
- SimpleSamlPHP installed on the machine in its default directory (can be changed in the plugin code)
- SimpleSamlPHP configured to use a session store other than php_session, since sharing the PHP session would interfere with the Stud.IP session
Files
- StudipAuthSimpleSamlPHP.class.php - contains the plugin
- logout.php - modified public/logout.php with SingleLogout support
- config_defaults.inc.php - configuration examples (same as for other auth plugins)
Configuration
The following configuration options differ from those of the other auth plugins.
- reverse_proxy_url - URL under which Stud.IP is served (optional)
- sp_name - name of the service provider in the SimpleSamlPHP configuration
- username_attribute - the SAML attribute that holds the username (if left empty, the NameID is used instead)
- getUserData - the callback used in the user_data_mapping entries
MockSAML config
Example configuration for the MockSAML IdP (https://mocksaml.com/). MockSAML releases the attributes email, firstName and lastName; Vorname (first name) is mapped to firstName and Nachname (last name) to lastName.

$STUDIP_AUTH_CONFIG_SIMPLESAMLPHP = array(
    "reverse_proxy_url" => '',
    "sp_name" => 'default-sp',
    "user_data_mapping" => array(
        "auth_user_md5.Email"    => array("callback" => "getUserData", "map_args" => "email"),
        "auth_user_md5.Vorname"  => array("callback" => "getUserData", "map_args" => "firstName"),
        "auth_user_md5.Nachname" => array("callback" => "getUserData", "map_args" => "lastName")
    )
);
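To make the username_attribute / NameID fallback and the user_data_mapping entries concrete, here is an added, stand-alone PHP illustration. It is not the plugin's code: the function names (resolveUsername, applyUserDataMapping, extractSamlIdentity), the callback signature of getUserData, and the sample attribute set are assumptions; only the SimpleSAMLphp calls (\SimpleSAML\Auth\Simple, requireAuth, getAttributes, getAuthData) are real API.

```php
<?php
// Added example (not part of the plugin). Shows how a config of the shape
// above can be resolved against a SAML attribute set: username comes from
// username_attribute when it is set, otherwise from the NameID, and each
// user_data_mapping entry is filled through its named callback.

// Stand-in for the plugin's getUserData callback (signature assumed):
// SimpleSAMLphp attributes are always arrays of values, so take the first.
function getUserData(array $attributes, string $key): ?string
{
    return isset($attributes[$key][0]) ? (string) $attributes[$key][0] : null;
}

function resolveUsername(array $attributes, ?string $nameId, string $usernameAttribute = ''): ?string
{
    if ($usernameAttribute !== '') {
        return getUserData($attributes, $usernameAttribute);
    }
    // username_attribute empty: fall back to the SAML NameID
    return ($nameId !== null && $nameId !== '') ? $nameId : null;
}

function applyUserDataMapping(array $attributes, array $mapping): array
{
    $result = [];
    foreach ($mapping as $target => $rule) {
        $callback = $rule['callback'];
        $value = $callback($attributes, $rule['map_args']);
        if ($value === null) {
            continue; // attribute not released by the IdP: leave the Stud.IP field untouched
        }
        $result[$target] = $value;
    }
    return $result;
}

// Fetching the same inputs from a live SimpleSAMLphp session. Older releases
// return the NameID as an array with a 'Value' key, newer ones as a NameID
// object with getValue(); both shapes are handled.
function extractSamlIdentity(string $spName): array
{
    $as = new \SimpleSAML\Auth\Simple($spName);
    $as->requireAuth();
    $nameIdData = $as->getAuthData('saml:sp:NameID');
    if (is_object($nameIdData) && method_exists($nameIdData, 'getValue')) {
        $nameId = $nameIdData->getValue();
    } elseif (is_array($nameIdData)) {
        $nameId = $nameIdData['Value'] ?? null;
    } else {
        $nameId = null;
    }
    return [$as->getAttributes(), $nameId];
}

// Constructed sample input, shaped like a MockSAML assertion
$attributes = [
    'email'     => ['jane.doe@example.com'],
    'firstName' => ['Jane'],
    'lastName'  => ['Doe'],
];
$nameId = 'jane.doe@example.com';

$mapping = [
    'auth_user_md5.Email'    => ['callback' => 'getUserData', 'map_args' => 'email'],
    'auth_user_md5.Vorname'  => ['callback' => 'getUserData', 'map_args' => 'firstName'],
    'auth_user_md5.Nachname' => ['callback' => 'getUserData', 'map_args' => 'lastName'],
];

var_dump(resolveUsername($attributes, $nameId));           // NameID, username_attribute is empty
var_dump(resolveUsername($attributes, $nameId, 'email'));  // value of the email attribute
var_dump(applyUserDataMapping($attributes, $mapping));
```

Run it with php on any host; the top-level calls use only the constructed sample, so no IdP is needed. extractSamlIdentity is the part that needs a configured SimpleSAMLphp install (its autoloader must be required first) and a valid session for the SP named in sp_name.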