Installing SimpleSAMLphp with Nginx

Setting up Single Sign-On (SSO) can seem daunting, but with tools like SimpleSAMLphp and a robust web server like Nginx, it’s more accessible than you might think. This guide will walk you through the process of installing and configuring SimpleSAMLphp with Nginx, allowing you to establish secure and efficient SSO for your applications.

What You’ll Need

Before we dive in, make sure you have the following:

  • A server with Nginx installed: This guide assumes you have a basic Nginx setup.
  • PHP and PHP-FPM: SimpleSAMLphp requires PHP. Ensure PHP-FPM is configured and running with Nginx.
  • Basic command-line familiarity: We’ll be using the terminal quite a bit.

Step 1: Download and Extract SimpleSAMLphp

First, get the SimpleSAMLphp package.

  1. Download the latest stable release from the SimpleSAMLphp website.
  2. Extract the downloaded archive (e.g., simplesamlphp-x.y.z.tar.gz) into your web server’s document root and rename the extracted directory to simplesamlphp. The rest of this guide assumes the Nginx root is /www/wwwroot/yourdomain.com/public/, so you’d place it like this:
sudo tar -xvzf simplesamlphp-x.y.z.tar.gz -C /www/wwwroot/yourdomain.com/public/
sudo mv /www/wwwroot/yourdomain.com/public/simplesamlphp-x.y.z /www/wwwroot/yourdomain.com/public/simplesamlphp

Step 2: Configure SimpleSAMLphp

Now, let’s configure SimpleSAMLphp. Most configurations are done within the config/ directory inside your SimpleSAMLphp installation.

  1. Go to the configuration directory:
cd /www/wwwroot/yourdomain.com/public/simplesamlphp/config
  2. Copy the configuration templates:
sudo cp config.php.dist config.php
sudo cp authsources.php.dist authsources.php
  3. Edit config.php:
    • Open config.php with your preferred text editor (nano, vim, etc.):
sudo nano config.php
      Make sure to adjust at least the following:
      • 'baseurlpath': This is crucial. It defines the base URL for SimpleSAMLphp. If you want SimpleSAMLphp accessible via https://yourdomain.com/simplesaml/, then set it to 'https://yourdomain.com/simplesaml/'.
      • 'technicalcontact_name' and 'technicalcontact_email': Provide contact information.
      • 'secretsalt': This is critical for security. Change this to a long, random string.
      • 'auth.adminpassword': Set a strong password for the SimpleSAMLphp administration interface.
  4. Edit authsources.php: This file defines your authentication sources (e.g., your Identity Provider (IdP) or Service Provider (SP) configurations). For now, you might just keep the default 'example-userpass' for initial testing, but you’ll modify this extensively later when you integrate with your actual IdP or SP.

Step 3: Configure Nginx

This is where we tell Nginx how to serve SimpleSAMLphp. We’ll add specific location blocks within your existing Nginx server configuration for yourdomain.com.

  1. Edit your Nginx configuration file: Your Nginx configuration file is typically located at /www/server/panel/vhost/nginx/yourdomain.com.conf. Open it with your preferred text editor:
sudo nano /www/server/panel/vhost/nginx/yourdomain.com.conf
  2. Add the SimpleSAMLphp location blocks: Insert the SimpleSAMLphp location blocks (the /simplesaml/ alias block with its PHP handler, plus the deny all; blocks) inside your existing server block. A good place for them is before your general location ~ \.php($|/) block, or just after the location ~ \.well-known block.
    • Important Notes on the Nginx configuration:
      • root vs. alias: Your existing root is /www/wwwroot/yourdomain.com/public. For SimpleSAMLphp, we use the alias directive within its specific location block. This tells Nginx to serve requests matching /simplesaml/ from the actual SimpleSAMLphp www directory at /www/wwwroot/yourdomain.com/public/simplesamlphp/www/.
      • fastcgi_pass unix:/tmp/php-cgi-82.sock;: This points to your PHP 8.2-FPM socket, as defined in your provided configuration.
      • fastcgi_param HTTPS on;: This is absolutely vital. Nginx terminates TLS (your listen 443 ssl http2 directive), but PHP-FPM only learns about that from the parameters Nginx passes along. Setting HTTPS explicitly ensures SimpleSAMLphp recognizes the connection as secure, so it generates https:// URLs and marks cookies as secure, which the SAML protocol flow depends on.
      • Security hardening: The deny all; blocks are essential to prevent direct web access to sensitive SimpleSAMLphp configuration and internal files, safeguarding your SSO setup.
  3. Test Nginx configuration and reload: After saving your changes, always test the Nginx configuration for syntax errors and only then reload it:
sudo nginx -t && sudo systemctl reload nginx

Here is my Nginx configuration file for your reference.

server
{
    listen 80;
    listen 443 ssl http2;
    server_name yourdomain.com;
    index index.php index.html index.htm default.php default.htm default.html;
    root /www/wwwroot/yourdomain.com/public;

    location ~ \.php($|/) {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/tmp/php-cgi-82.sock;
        fastcgi_index index.php;
        include fastcgi_params;

        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param SCRIPT_NAME     $fastcgi_script_name;
        fastcgi_param PATH_INFO       $fastcgi_path_info;
    }

    access_log  /www/wwwlogs/yourdomain.com.log;
    error_log  /www/wwwlogs/yourdomain.com.error.log;
}
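The SimpleSAMLphp location blocks that Step 3 describes, as an added example that is not part of the original post; they go inside the server block above. It assumes a SimpleSAMLphp 1.x layout (web root in www/), the baseurlpath 'https://yourdomain.com/simplesaml/' set in Step 2, the PHP 8.2-FPM socket /tmp/php-cgi-82.sock from the post, and that plain-HTTP requests to port 80 are redirected to 443.

```nginx
# Added example, not the original post's configuration.
# Serve the SimpleSAMLphp front end at /simplesaml/ from the www/ directory
# of the extracted tree. "^~" makes this prefix match win over the generic
# "location ~ \.php($|/)" regex block, so that block never touches it.
location ^~ /simplesaml {
    alias /www/wwwroot/yourdomain.com/public/simplesamlphp/www;

    # Route PHP scripts under the alias to PHP-FPM. The named captures strip
    # the /simplesaml prefix so SCRIPT_FILENAME resolves to a real file
    # ($document_root is the alias value here) and keep any trailing
    # PATH_INFO, e.g. /simplesaml/module.php/core/loginuserpass.php.
    location ~ ^(?<prefix>/simplesaml)(?<phpfile>.+?\.php)(?<pathinfo>/.*)?$ {
        include fastcgi_params;
        fastcgi_pass unix:/tmp/php-cgi-82.sock;
        fastcgi_param SCRIPT_FILENAME $document_root$phpfile;
        fastcgi_param SCRIPT_NAME     /simplesaml$phpfile;
        fastcgi_param PATH_INFO       $pathinfo if_not_empty;
        # PHP-FPM cannot see that Nginx terminated TLS; tell SimpleSAMLphp
        # explicitly. Assumes port 80 redirects to 443; if the block really
        # serves plain HTTP too, use "fastcgi_param HTTPS $https if_not_empty;".
        fastcgi_param HTTPS on;
    }
}

# Security hardening: the extracted tree sits inside the document root, so
# /simplesamlphp/config/config.php (secretsalt, admin password), cert/ and
# metadata/ would otherwise be reachable by URL. Everything the browser needs
# is already served through /simplesaml/ above, so deny the raw path outright.
location ^~ /simplesamlphp/ {
    deny all;
}
```

After reloading, a request to https://yourdomain.com/simplesamlphp/config/config.php should return 403, while https://yourdomain.com/simplesaml/ should show the installation page.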

Step 4: Verify SimpleSAMLphp Installation

Open your web browser and navigate to the SimpleSAMLphp administration interface. Based on our Nginx configuration and the baseurlpath you set, that is https://yourdomain.com/simplesaml/. You should see the SimpleSAMLphp installation page.
