Integrating your application with the Moople Shibboleth IdP using SimpleSAMLphp is
simple. First follow the SimpleSAMLphp installation steps from the
SimpleSAMLphp Service Provider QuickStart.
The default Service Provider configuration is set in config/authsources.php and should
look like this:
$config = array(
    'default-sp' => array(
        'saml:SP',

        // The entity ID of this SP.
        // Can be NULL/unset, in which case an entity ID is generated based on the metadata URL.
        'entityID' => 'your-learning.net',

        // The entity ID of the IdP this SP should contact.
        // Can be NULL/unset, in which case the user will be shown a list of available IdPs.
        'idp' => 'https://shib.moople.net/idp/shibboleth',

        // The URL to the discovery service.
        // Can be NULL/unset, in which case a builtin discovery service will be used.
        'discoURL' => NULL,

        'NameIDPolicy' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified',
    ),
);
One more change is required in the config/config.php file of SimpleSAMLphp (inside the $config array):
'authproc.sp' => array(
    1 => array(
        // Copy the NameID from the assertion into a regular attribute.
        'class'     => 'saml:NameIDAttribute',
        'attribute' => 'moopleuser',
        'format'    => '%V',   // %V = the NameID value
    ),
),
This adds a filter to the SP configuration which creates a new attribute "moopleuser" and
sets its value to whatever the NameIDAttribute filter extracts from the NameID ('%V' is the NameID value).
The Moople IdP currently does not require an SSL certificate, so you do not need to reference one.
To complete the connection between your SP and the Moople IdP you will
also need to modify/generate the metadata file in the metadata/ directory of the SimpleSAMLphp installation root. The easiest way to do
this is to download the IdP-generated XML file from https://shib.moople.net/idp/profile//Metadata/SAML
and paste its contents into the SimpleSAMLphp metadata parser available under the "Federation"
tab in the "Tools" section. This page outputs code which you save as saml20-idp-remote.php in the metadata directory of the SimpleSAMLphp root.
We, on the other end, need to add your SP metadata to our IdP – just contact us at admin@your-learning.net for details.
After the metadata exchange you should be able to test SimpleSAMLphp by going to the "Authentication" tab and clicking the "Test authentication sources" link. Choose the "default-sp" provider and the Moople IdP login box should appear asking for a login and password. Use your Moople credentials to go through. Upon successful authentication you will be redirected back to the SimpleSAMLphp page with your attributes displayed as in the screenshot below.
The "moopleuser" attribute is now available to your application in $_SERVER['REMOTE_USER']
as a webserver variable, so you can use it to identify the user. In LimeSurvey this is done as follows:
the config variable $useWebserverAuth is checked first and, if set,
$_SERVER['PHP_AUTH_USER'] is given whatever value the webserver returned in
$_SERVER['REMOTE_USER']:
// Only trust REMOTE_USER when webserver auth is enabled and nothing else
// has already populated PHP_AUTH_USER.
if ($useWebserverAuth === true &&
    !isset($_SERVER['PHP_AUTH_USER']) &&
    isset($_SERVER['REMOTE_USER']))
{
    $_SERVER['PHP_AUTH_USER'] = $_SERVER['REMOTE_USER'];
}
In the next step LimeSurvey checks whether the given username is registered in its database.
If not, and $WebserverAuth_autocreateUser is set to true, it adds a new user
with the required fields such as email and username, filled with what the
auto-create user profile function returns:
if (isset($WebserverAuth_autocreateUser)
    && $WebserverAuth_autocreateUser === true
    && isset($WebserverAuth_autouserprofile))
{
    // Column list and values are elided here ("..."); they come from the
    // auto-create profile function. Values interpolated into the query string
    // must be escaped/quoted by the caller before they reach Execute().
    $uquery = "INSERT INTO {$dbprefix}users "
            . "(users_name, ... ) "
            . "VALUES ( ... )";
    $uresult = $connect->Execute($uquery); // Checked
    if ($uresult)
    {
        $isAuthenticated = true;
    }
}
Summarizing, to allow Moople users to authenticate with your application you need to:
- install SimpleSAMLphp correctly,
- trust webserver authentication by implementing a login hook,
- deal with auto-creation of new users from the Moople database,
- offer your existing users a choice of a standard authentication method so they will
still be able to log in.
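As an added example (not LimeSurvey's or SimpleSAMLphp's own code), here is a compact webserver-auth login hook that combines the two LimeSurvey steps shown above: it honours REMOTE_USER only when webserver authentication is enabled, validates the value, and auto-creates the local user with a prepared statement rather than an interpolated INSERT. It assumes a PDO connection, a "users" table with users_name and email columns, and a hypothetical $autouserprofile callback; the username pattern is an assumption to adjust to Moople's actual NameID format.

```php
<?php
// Added example: webserver-auth login hook. Returns the authenticated
// username, or null to fall back to the standard login form.
function webserverLogin(PDO $pdo, array $server, bool $useWebserverAuth,
                        bool $autocreate, ?callable $autouserprofile): ?string
{
    // Step 1: trust REMOTE_USER only when webserver auth is switched on and
    // no other mechanism has already populated PHP_AUTH_USER.
    if (!$useWebserverAuth
        || isset($server['PHP_AUTH_USER'])
        || !isset($server['REMOTE_USER'])) {
        return null;
    }
    $username = $server['REMOTE_USER'];

    // Step 2: reject values that do not look like a NameID-derived username
    // (assumed pattern; tighten it to the real NameID format).
    if ($username === '' || !preg_match('/^[A-Za-z0-9._@-]{1,64}$/', $username)) {
        return null;
    }

    // Step 3: an existing local user is authenticated directly.
    $stmt = $pdo->prepare('SELECT users_name FROM users WHERE users_name = :u');
    $stmt->execute([':u' => $username]);
    if ($stmt->fetchColumn() !== false) {
        return $username;
    }

    // Step 4: unknown user: auto-create only if allowed, with bound parameters
    // so profile values never end up inside the SQL string.
    if (!$autocreate || $autouserprofile === null) {
        return null;
    }
    $profile = $autouserprofile($username);   // e.g. ['email' => 'user@example.org']
    $ins = $pdo->prepare('INSERT INTO users (users_name, email) VALUES (:u, :e)');
    $ok  = $ins->execute([':u' => $username, ':e' => $profile['email'] ?? '']);
    return $ok ? $username : null;
}

// Constructed usage: wire the result into the variable LimeSurvey expects.
$user = webserverLogin($pdo, $_SERVER, $useWebserverAuth,
                       $WebserverAuth_autocreateUser ?? false,
                       $WebserverAuth_autouserprofile ?? null);
if ($user !== null) {
    $_SERVER['PHP_AUTH_USER'] = $user;
    $isAuthenticated = true;
}
```

Existing users who are not Moople users still reach the standard login form because the hook returns null instead of authenticating them.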
