KNF:OneLogin configureren als Service Provider/en: difference between revisions

From Kennisnet Developers Documentation
Current revision as of 18 Oct 2022, 11:21

Entree Federation: Implement OneLogin PHP as a Service Provider



This manual provides a guide on how to implement the OneLogin PHP library as a Service Provider.

Step 1: Installation

  1. Download the PHP toolkit at https://github.com/onelogin/php-saml.
  2. Unpack the zip and copy the directory php-saml-master to the right location on your webserver.
  3. Rename the demo1 directory to the preferred project name (for example entreefederation).
  4. Delete the file settings_example.php from the project directory.
  5. Copy the file settings_example.php from the main directory to the project directory.
  6. Rename this file to settings.php.
  7. Rename the file advanced_settings_example.php in the main directory to advanced_settings.php.

Step 2: Generating a certificate

The messages that are exchanged between the OneLogin application and Entree Federation during an authentication need to be signed. For this purpose a certificate has to be generated.

  1. In the main directory (php-saml-master) you will find the sub directory certs.
  2. Go to the certs directory.
  3. Execute the following command in order to generate the certificate:
    openssl req -newkey rsa:2048 -new -x509 -days 3652 -nodes -out sp.crt -keyout sp.key
    
  4. Follow the instructions and provide the correct information.

Step 3: Edit settings.php

The settings.php in the project directory needs to be edited in order to realise the connection with Entree Federation.
NOTE! The following example code consists of additions or changes. The php tags are not included.
The changes are described in the comments.

$settings = array (
    // NOTE: with 'strict' => false the toolkit skips several validations (for example it does
    // not reject unsigned Responses it expects to be signed); OneLogin recommends 'strict' => true
    // in production.
    'strict' => false,
    'debug' => false,
    // Provide the base URL of your application (for example: https://example.com)
    'baseurl' => '',
    // Information about the Service Provider application
    'sp' => array (
        // The entityID is the unique identifier of the application (for example: https://example.com/projectname)
        'entityId' => '',
        // Information about the endpoint Entree Federation will use to send its responses to
        'assertionConsumerService' => array (
            // The URL of the endpoint (for example: https://example.com/index.php?acs)
            'url' => '',
            // SAML protocol binding that will be used for sending the responses
            'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
        ),
        // Format of the identifier of the subject of the authentication
        // Entree Federation requires this to be 'unspecified'
        'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified',
        // Information about the certificate generated in step 2
        // (array elements must be separated by commas, otherwise PHP reports a parse error)
        'x509cert' => '...',
        'privateKey' => '...',
    ),
    // Information about the Entree Federation application
    // This information can be found in the metadata of Entree Federation
    // Metadata staging environment: https://hub-s.entree.kennisnet.nl/openaselect/profiles/saml/
    // Metadata production environment: https://hub.entree.kennisnet.nl/openaselect/profiles/saml/
    'idp' => array (
        // The unique identifier of Entree Federation
        'entityId' => 'https://engine.entree.kennisnet.nl/authentication/idp/metadata',
        //'entityId' => 'https://engine.entree-s.kennisnet.nl/authentication/idp/metadata',
        // Information about the endpoint of the Entree Federation to which the authentication requests will be sent
        'singleSignOnService' => array (
            // The URL of the endpoint
            'url' => 'https://engine.entree.kennisnet.nl/authentication/idp/single-sign-on',
            //'url' => 'https://engine.entree-s.kennisnet.nl/authentication/idp/single-sign-on',
            // SAML protocol binding that will be used for sending the requests
            'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
        ),
        // The public key in the metadata of Entree Federation, can be found in the metadata in the section IDPSSODescriptor.
        'x509cert' => '...',
    ),
);
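The settings above leave 'x509cert' and 'privateKey' as placeholders to be filled with the certificate from step 2. The following script is an added example, not code from this page or from the php-saml project: it reads certs/sp.crt and certs/sp.key, checks that the key is not world-readable, that the certificate is still valid and that the key belongs to it, injects both into the step 3 array, and then lets the toolkit's own Settings class validate the array and produce SP metadata that can be handed to Entree Federation. The loader path, the location of certs/ relative to the project directory and the function names are assumptions of this example.

```php
<?php
// Added example, not code from the Kennisnet page or the php-saml project.
// Assumed to run from the project directory (e.g. entreefederation/) inside
// php-saml-master; the loader path and the certs/ location are assumptions.
require_once __DIR__ . '/../_toolkit_loader.php';

use OneLogin\Saml2\Settings;
use OneLogin\Saml2\Error;

/**
 * Read the certificate and key generated in step 2 and check that they are
 * usable: the key is not readable by others, the certificate is inside its
 * validity period, and the key actually belongs to the certificate.
 * Returns array($certPem, $keyPem).
 */
function load_sp_keypair(string $certsDir): array
{
    $certPath = $certsDir . '/sp.crt';
    $keyPath  = $certsDir . '/sp.key';
    $cert = @file_get_contents($certPath);
    $key  = @file_get_contents($keyPath);
    if ($cert === false || $key === false) {
        throw new RuntimeException("sp.crt or sp.key missing in $certsDir; run step 2 first");
    }
    // 0044 = group-read | other-read: a signing key should be mode 0600.
    if ((fileperms($keyPath) & 0044) !== 0) {
        throw new RuntimeException("$keyPath is readable by group/others; chmod 600 it");
    }
    $parsed = openssl_x509_parse($cert);
    if ($parsed === false) {
        throw new RuntimeException("$certPath is not a parseable X.509 certificate");
    }
    $now = time();
    if ($now < $parsed['validFrom_time_t'] || $now > $parsed['validTo_time_t']) {
        throw new RuntimeException("$certPath is outside its validity period; regenerate it (step 2)");
    }
    if (!openssl_x509_check_private_key($cert, $key)) {
        throw new RuntimeException('sp.key does not match sp.crt');
    }
    return array($cert, $key);
}

/**
 * Fill the 'x509cert' / 'privateKey' placeholders of the step 3 array with the
 * PEM contents. The toolkit accepts PEM with or without the BEGIN/END lines.
 */
function settings_with_keypair(array $settings, string $certsDir): array
{
    list($cert, $key) = load_sp_keypair($certsDir);
    $settings['sp']['x509cert']   = $cert;
    $settings['sp']['privateKey'] = $key;
    return $settings;
}

/**
 * Let the toolkit validate the settings (its Settings constructor throws on a
 * missing or malformed key) and produce SP metadata for Entree Federation.
 */
function build_sp_metadata(array $settings): string
{
    try {
        $settingsObj = new Settings($settings);
    } catch (Error $e) {
        throw new RuntimeException('settings.php is invalid: ' . $e->getMessage());
    }
    $metadata = $settingsObj->getSPMetadata();
    $errors   = Settings::validateMetadata($metadata);
    if (!empty($errors)) {
        throw new RuntimeException('generated metadata is invalid: ' . implode(', ', $errors));
    }
    return $metadata;
}

// Usage: serve this file as metadata.php in the project directory.
require __DIR__ . '/settings.php';   // defines $settings (step 3)
header('Content-Type: text/xml');
echo build_sp_metadata(settings_with_keypair($settings, __DIR__ . '/../certs'));
```

Running the script once on the staging configuration surfaces a missing comma, a placeholder that was never replaced or an expired certificate before the first authentication attempt, rather than as an opaque failure in the IdP's error page.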

Step 4: Edit advanced_settings.php

Necessary changes in advanced_settings.php in the main directory.
NOTE! The following example code consists of additions or changes. The php tags are not included.
The changes are described in the comments.

$advancedSettings = array (   // the variable defined by the toolkit's advanced_settings_example.php
    // The signing options live in the 'security' sub-array of advanced_settings.php;
    // placed at the top level of the array they have no effect.
    'security' => array (
        // Every sent and received message needs to be signed
        // 'authnRequestsSigned' signs the outgoing AuthnRequests; whether signatures are
        // required on received messages is governed by 'wantMessagesSigned' and
        // 'wantAssertionsSigned' in this same 'security' array.
        'authnRequestsSigned' => true,
    ),

    // Contact information
    'contactPerson' => array (
        'technical' => array (
            'givenName' => '',
            'emailAddress' => ''
        ),
        'support' => array (
            'givenName' => '',
            'emailAddress' => ''
        ),
    ),
    // Organisational information
    'organization' => array (
        'nl-nl' => array(
            'name' => '',
            'displayname' => '',
            'url' => ''
        ),
    ),
);
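With settings.php (step 3) and advanced_settings.php (step 4) in place, the project still needs the two endpoints they refer to: one that starts the login and the AssertionConsumerService URL (index.php?acs) that receives the signed Response. The following index.php is an added example, not code from this page or from the php-saml project. It stores the ID of each AuthnRequest in the session so that the Response can be tied to it, treats the Response as untrusted until the toolkit reports no errors, and regenerates the session ID after authentication. The loader path, the session keys and the assumption that advanced_settings.php defines $advancedSettings (as the toolkit's example file does) are assumptions of this example.

```php
<?php
// Added example, not code from the Kennisnet page or the php-saml project:
// index.php for the project directory with the ?sso and ?acs endpoints.
// The loader path and the session keys are assumptions.
require_once __DIR__ . '/../_toolkit_loader.php';
require_once __DIR__ . '/settings.php';             // $settings (step 3)
require_once __DIR__ . '/../advanced_settings.php'; // $advancedSettings (step 4), assumed variable name

use OneLogin\Saml2\Auth;

session_start();

// When the toolkit receives its settings as an array it does not read
// advanced_settings.php itself, so the signing options from step 4 are merged in here.
$auth = new Auth(array_merge($settings, $advancedSettings));

/** Build the AuthnRequest, remember its ID, and redirect the browser to Entree Federation. */
function start_login(Auth $auth): void
{
    // $stay = true returns the redirect URL instead of sending the Location
    // header, so the request ID can be stored before the browser leaves.
    $ssoUrl = $auth->login(null, array(), false, false, true);
    $_SESSION['AuthNRequestID'] = $auth->getLastRequestID();
    header('Pragma: no-cache');
    header('Cache-Control: no-cache, must-revalidate');
    header('Location: ' . $ssoUrl);
    exit();
}

/**
 * AssertionConsumerService: validate the POSTed Response and return the
 * released attributes. Nothing is trusted until the toolkit reports no errors.
 */
function handle_acs(Auth $auth): array
{
    // Tie the Response to a request this session sent. With 'strict' => true the
    // toolkit rejects a Response whose InResponseTo does not match this ID; with
    // the page's 'strict' => false that check is skipped.
    $requestId = $_SESSION['AuthNRequestID'] ?? null;
    if ($requestId === null) {
        throw new RuntimeException('no login was started in this session');
    }
    $auth->processResponse($requestId);

    $errors = $auth->getErrors();
    if (!empty($errors)) {
        // The detailed reason names the failed signature/validation step: keep it
        // in the server log and return only the generic error code to the client.
        error_log('SAML Response rejected: ' . $auth->getLastErrorReason());
        throw new RuntimeException('authentication failed: ' . implode(', ', $errors));
    }
    if (!$auth->isAuthenticated()) {
        throw new RuntimeException('Response accepted but no authenticated subject');
    }

    unset($_SESSION['AuthNRequestID']);  // each request ID is answered exactly once
    session_regenerate_id(true);         // fresh session ID after authentication
    $_SESSION['samlNameId']       = $auth->getNameId();
    $_SESSION['samlSessionIndex'] = $auth->getSessionIndex();
    $_SESSION['samlUserdata']     = $auth->getAttributes();
    return $auth->getAttributes();
}

if (isset($_GET['sso'])) {
    start_login($auth);
} elseif (isset($_GET['acs'])) {
    try {
        $attributes = handle_acs($auth);
        // This page does not list which attributes Entree Federation releases; show
        // them to discover the names, and remove this once the application maps them.
        echo '<pre>' . htmlspecialchars(print_r($attributes, true)) . '</pre>';
    } catch (RuntimeException $e) {
        http_response_code(403);
        echo htmlspecialchars($e->getMessage());
    }
}
```

The ACS URL configured in step 3 (https://example.com/index.php?acs) must point at this file; the toolkit compares the Response's Destination against it when strict mode is on, so the value in settings.php and the real URL of the script have to be identical.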