simpleSAMLphp on IIS from scratch (with AD FS)

Creating the Service Provider that we will use with our web app (which we haven't created yet)

In order for our web application (which we will build in a little bit) to use AD FS as its authentication mechanism, we first need to define a Service Provider (SP) in simpleSAMLphp. The SP is the identity that AD FS will see and trust; the web app later just asks simpleSAMLphp to authenticate against this SP by name.

  1. Edit authsources.php under C:\inetpub\wwwroot\simpleSAMLphp\config. This is where every service provider is defined (each one is an entry in the $config array). You will see a default-sp in there already; you can delete it, since nothing else on this setup uses it.
  2. Thanks to lewisroberts.com's post, we have everything we need to build an SP entry that interfaces correctly with AD FS:
    • 'MyPHPTest01-sp' => array(
          'saml:SP',

          // The entity ID of this SP.
          // Can be NULL/unset, in which case an entity ID is generated based on the metadata URL.
          'entityID' => null,

          // The entity ID of the IdP this SP should contact.
          // Can be NULL/unset, in which case the user will be shown a list of available IdPs.
          // This must match the entityID attribute in the AD FS Federation Metadata exactly.
          'idp' => 'http://myadfs.com/adfs/services/trust',

          // The URL to the discovery service.
          // Can be NULL/unset, in which case a builtin discovery service will be used.
          'discoURL' => null,

          // AD FS 2012 R2 rejects unsigned LogoutRequests, so sign the logout messages.
          'sign.logout' => TRUE,
          // Sign the authentication requests this SP sends with the HTTP-Redirect binding.
          'redirect.sign' => TRUE,
          // Require AD FS to encrypt the assertions it sends to this SP (uses the certificate below).
          'assertion.encryption' => TRUE,
          // Key and certificate, file names relative to the simpleSAMLphp cert directory.
          'privatekey' => 'simpleSAMLphp.key',
          'certificate' => 'simpleSAMLphp.pem',
          // Enforce the use of SHA-256 for signatures instead of the SHA-1 default.
          'signature.algorithm' => 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256',

          // Landing page when the user logs in directly from the AD FS portal (IdP-initiated).
          'RelayState' => 'https://itdroplets.com/simpleTest',
      ),
      
    • Note: RelayState is an addition of mine that is not in the original post. It is useful when RelayState is enabled on the AD FS side and the user logs in directly from the AD FS page, selecting your application (which we have not added to AD FS yet). Because an IdP-initiated login carries no return address from the SP, simpleSAMLphp needs this value to know where to send the authenticated session; with the value above, that is https://itdroplets.com/simpleTest.
    • The SP is called MyPHPTest01-sp. This is the name the web app will later pass to simpleSAMLphp, and it is also the name you will use when generating the SP metadata for AD FS.
    • 'idp' is the entity ID of the AD FS IdP. You find it as the entityID attribute of the EntityDescriptor element in the Federation Metadata XML you downloaded earlier. It will most likely start with http:// and not https://; that is expected, because it is only an identifier and not a URL that anything connects to. It has to match the metadata string exactly (including the scheme), otherwise simpleSAMLphp will not be able to find the IdP.
    • 'privatekey' and 'certificate' are the file names of the key and the certificate we created with OpenSSL and moved into the \Cert folder (simpleSAMLphp resolves these names relative to its cert directory). With 'assertion.encryption' => TRUE, this certificate is the one AD FS encrypts assertions to, so it must also be configured on the AD FS relying party trust later. Keep in mind that 'sign.logout' and 'redirect.sign' only control what this SP signs when sending; whether incoming redirect messages are required to carry a valid signature is a separate option ('redirect.validate').
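The points above about the IdP entity ID and the AD FS-specific settings can be checked mechanically before touching AD FS. The following is an added example (not code from the original post or from simpleSAMLphp) that reads a Federation Metadata XML, pulls out the entityID, the SSO/SLO endpoints and the signing certificate, and then compares the SP entry from authsources.php (mirrored as a Python dict) against it. The metadata document is a constructed, trimmed sample for the hypothetical farm myadfs.com with a placeholder certificate; it is not a real AD FS export, and the script does not verify the metadata signature (download the file over HTTPS and trust it on that basis).

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

# Constructed sample (assumption): a trimmed FederationMetadata.xml for the hypothetical
# AD FS farm myadfs.com. The X509Certificate body is a placeholder, not a real key.
SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<EntityDescriptor ID="_1" entityID="http://myadfs.com/adfs/services/trust"
    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>MIIC...placeholder...</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://myadfs.com/adfs/ls/"/>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://myadfs.com/adfs/ls/"/>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://myadfs.com/adfs/ls/"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://myadfs.com/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""

# Python mirror of the 'MyPHPTest01-sp' entry from authsources.php above.
SP_CONFIG = {
    "idp": "http://myadfs.com/adfs/services/trust",
    "sign.logout": True,
    "redirect.sign": True,
    "assertion.encryption": True,
    "privatekey": "simpleSAMLphp.key",
    "certificate": "simpleSAMLphp.pem",
    "signature.algorithm": RSA_SHA256,
}


def parse_idp_metadata(xml_text):
    """Extract what the SP needs from a SAML 2.0 IdP metadata document."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata describes no IdP role (no IDPSSODescriptor)")

    def endpoints(tag):
        # Map binding URN -> Location for every endpoint of that kind.
        return {e.get("Binding"): e.get("Location") for e in idp.findall("md:" + tag, NS)}

    certs = idp.findall(
        "md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    entity_id = root.get("entityID")
    return {
        "entity_id": entity_id,
        # The entity ID is an identifier, not an address: http:// is normal here.
        "entity_id_scheme": urlsplit(entity_id).scheme,
        "sso": endpoints("SingleSignOnService"),
        "slo": endpoints("SingleLogoutService"),
        "signing_certs": [c.text.strip() for c in certs if c.text],
    }


def check_sp_against_idp(sp, meta):
    """Return a list of problems; an empty list means the SP entry fits this IdP."""
    problems = []
    if sp.get("idp") != meta["entity_id"]:
        problems.append("'idp' must equal the metadata entityID %r exactly" % meta["entity_id"])
    if not sp.get("sign.logout"):
        problems.append("AD FS 2012 R2 rejects unsigned LogoutRequests: set 'sign.logout' => TRUE")
    if sp.get("assertion.encryption") and not (sp.get("privatekey") and sp.get("certificate")):
        problems.append("'assertion.encryption' needs 'privatekey' and 'certificate' on the SP")
    if sp.get("signature.algorithm", RSA_SHA1) == RSA_SHA1:
        problems.append("signature.algorithm is (or defaults to) rsa-sha1; set rsa-sha256")
    if not meta["signing_certs"]:
        problems.append("metadata carries no signing certificate; IdP responses cannot be verified")
    if REDIRECT not in meta["sso"]:
        problems.append("IdP exposes no HTTP-Redirect SingleSignOnService")
    return problems


if __name__ == "__main__":
    meta = parse_idp_metadata(SAMPLE_METADATA)
    print("idp entityID:", meta["entity_id"], "(scheme %s)" % meta["entity_id_scheme"])
    print("SSO redirect endpoint:", meta["sso"].get(REDIRECT))
    print("problems:", check_sp_against_idp(SP_CONFIG, meta) or "none")
```

Run it against the real FederationMetadata.xml by replacing SAMPLE_METADATA with the file contents; the typical mistake it catches is an 'idp' value typed as https:// or with a trailing slash, which AD FS accepts nowhere because the value is looked up as a literal string.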

IT Droplets