simpleSAMLphp on IIS from scratch (with AD FS)

simpleSAMLphp - Basic Configuration

In this section, we’ll only look at the configuration file settings needed to get up and running. Note: every guide I found online on running simpleSAMLphp on IIS said a Virtual Directory had to be created. We’re not going to create one, and it works just fine.

  1. Edit config.php under C:\inetpub\wwwroot\simpleSAMLphp\config.
  2. Change the baseurlpath to simplesamlphp/www/. This is the path, relative to the site root, of the web application we created earlier, which is reachable at https://itdroplets.com/simpleSAMLphp.
    • If you save the file now and browse to that URL, it should load, though with a few warnings, since the configuration isn’t finished yet.
  3. Change the technicalcontact_name and technicalcontact_email to whatever you prefer.
  4. Change the timezone to what you need. The format used for this can be found here http://php.net/manual/en/timezones.php.
    • For example: ‘timezone’ => ‘America/Los_Angeles’,
  5. Change the secretsalt. As per the documentation it can be any valid string of any length; use a long, randomly generated one (I used 32 random characters) and keep it constant afterwards, as hashed values such as persistent identifiers are derived from it.
  6. Change auth.adminpassword. This is the administrator’s password for logging on to simpleSAMLphp at https://itdroplets.com/simpleSAMLphp; never leave the shipped default in place.
  7. Set admin.protectindexpage to true. This is what enables the password (what we set in the step above) to be requested.
    • Note, I want AD FS to be able to reach the SP’s XML I’ll configure later on in this guide, via a URL, which makes it easier for changes to apply at the AD FS end as well. If you don’t want that though, you can set admin.protectmetadata to true. Remember that when configuring the Relying Party Trust in AD FS, you’ll need to follow a different step and import the XML manually.
  8. Logging: I prefer to log to a local file, so my config looks like this:
    • 'logging.level' => SimpleSAML\Logger::NOTICE,
      'logging.handler' => 'file',
      'logging.format' => '%date{%b %d %H:%M:%S} %process %level %stat[%trackid] %msg',
    • The log file is written under C:\inetpub\wwwroot\simpleSAMLphp\log (the default loggingdir).
    • If the application pool runs as a non-admin account, that account needs Modify (write) permission on the log folder, and on that folder only.
    • Because the whole install sits under C:\inetpub\wwwroot, the log folder (like config, cert and metadata) is beneath the site’s physical root. Make sure IIS cannot serve those folders as static content, for example by adding them as hidden segments under Request Filtering.
  9. Save the file.
  10. Navigate to your [HTTPS] website’s address /www, for example https://itdroplets.com/simpleSAMLphp/www.
  11. You’ll be prompted for the password set earlier.
  12. When you log in, you’ll see a welcome page; the Configuration page shows whether any requirements are missing. This is how mine looks.
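To keep the settings from steps 2 to 8 in one view, here is the corresponding part of config.php as an added example (it is not the post’s own file, nor the simpleSAMLphp template). The contact e-mail, the salt value and the password placeholder are assumed values to replace with your own; the shipped defaults are noted so you can confirm nothing was left untouched.

```php
<?php
// Added example, not the original post's config.php: the entries from steps 2-8
// collected together. Contact e-mail, salt and password below are placeholders.
//
// Generate the salt ONCE and paste it in; it must stay constant across requests:
//   php -r "echo bin2hex(random_bytes(16)), PHP_EOL;"

$config = [
    // Step 2: path relative to the site root; no Virtual Directory needed.
    'baseurlpath' => 'simplesamlphp/www/',

    // Step 3: whoever should be contacted about this SP.
    'technicalcontact_name'  => 'IT Droplets',
    'technicalcontact_email' => 'admin@itdroplets.com', // assumed address

    // Step 4: a PHP timezone identifier.
    'timezone' => 'America/Los_Angeles',

    // Step 5: shipped default is 'defaultsecretsalt'. Use a long random string
    // and never change it afterwards (derived hashes would change with it).
    'secretsalt' => '8f5e1c2b9a3d4e6f7a0b1c2d3e4f5a6b', // placeholder, generate your own

    // Step 6: shipped default is '123'. Replace it with a long random password.
    'auth.adminpassword' => 'REPLACE-WITH-A-LONG-RANDOM-PASSWORD',

    // Step 7: require the admin password on the index page, but leave the
    // metadata reachable without it so AD FS can fetch the SP metadata URL.
    // Set protectmetadata to true if you prefer to import the XML manually.
    'admin.protectindexpage' => true,
    'admin.protectmetadata'  => false,

    // Step 8: log NOTICE and above to a file under log/ (relative to the install).
    // The app-pool identity needs Modify on that folder, and IIS must not serve it.
    'logging.level'   => SimpleSAML\Logger::NOTICE,
    'logging.handler' => 'file',
    'logging.format'  => '%date{%b %d %H:%M:%S} %process %level %stat[%trackid] %msg',
    'loggingdir'      => 'log/',
    'logging.logfile' => 'simplesamlphp.log',
];
```

Only these keys are shown; the rest of the template stays as shipped for this guide. The salt is the one value that must be generated out of band and then frozen, which is why the one-liner is a comment rather than a call inside the file.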

IT Droplets
