Handling user authentication across multiple systems, networks, and applications is one of the most time-consuming IT tasks. Hybrid cloud environments make this more challenging as the complexity of cross-network security increases. Single sign-on (SSO) technologies provide a variety of solutions that aim to make user management and authentication simpler across all systems.

Deploying SAML SSO on Linux

Many SSO solutions have been developed over the years, from MIT Kerberos to Microsoft Active Directory. With web applications becoming more and more common, additional SSO solutions have become popular. For instance, any website that allows you to log in using your Facebook or Twitter account is using an SSO-based protocol solution, such as OAuth.

For enterprise applications, the industry has developed an XML-based open standard called Security Assertion Markup Language (SAML) to distribute authentication and authorization information to facilitate SSO. In this article, we will look at Shibboleth and SimpleSAMLphp, two SAML options available for adding SSO to your cloud-hosted web applications.

SAML and SSO Terms

There are a number of terms that need to be understood in order to get a firm grasp of SAML and SSO systems. The following terms are used by SAML specification and are needed to talk about deploying SSO solutions.

An Identity Provider (IdP) is a service that authenticates users and provides them with security tokens. The IdP stores a database of users and provides a secure authentication mechanism. This allows the IdP to check user credentials and assert its knowledge of successful authentication.

A Service Provider (SP) is a system providing a service to a user, such as email or a web server. The SP checks with the IdP to verify a user's security token.

A Principal is the thing that has been authenticated. Typically, the principal is a user.

How SAML Works

Before knowing what elements of SAML-based SSO you will need to deploy, you need to know what a typical SAML session looks like. The process below outlines what a typical web application looks like when using SAML SSO.

1. The user attempts to reach a web application at a service provider.
2. The service provider generates a SAML request and redirects the user to the IdP's SSO URL with the generated request.
3. The IdP authenticates the user and generates a SAML response.
4. The user is redirected back to the SP with the SAML response.
5. The SP verifies the SAML response.
6. The user is successfully logged in to the SP's web application.

Remember that the IdP can use any sort of backend as long as it provides a SAML response. This means that authentication information can be stored in LDAP, Active Directory, or an arbitrary database. This extensibility means that SAML SSO can be built on top of your existing enterprise authentication system.
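Step 5 above is where the SP decides whether to trust what the IdP sent. As an added example that is not code from this article, Shibboleth or SimpleSAMLphp, the function below performs the checks an SP applies to a SAML response after its XML signature has been verified (the signature check itself is left to a real SAML library): the response must be addressed to this SP's assertion consumer URL, answer the request this SP issued, report success, come from the expected IdP, be inside its validity window, and name this SP as the audience. The entity IDs, URLs and the sample response are constructed placeholders.

```python
# Added example, not code from the article: the checks a SAML service provider
# applies to an IdP response AFTER the XML signature has been verified (the
# signature check itself is left to a real library such as Shibboleth or
# SimpleSAMLphp). All URLs and IDs below are constructed placeholders.
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

def _utc(ts):  # SAML timestamps are ISO 8601 in UTC, e.g. 2024-01-01T00:00:00Z
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def validate_response(xml_text, idp_entity_id, sp_entity_id, acs_url, request_id, now):
    """Return (True, NameID) if the response may be trusted, else (False, reason)."""
    root = ET.fromstring(xml_text)
    if root.get("Destination") != acs_url:          # meant for another endpoint
        return False, "Destination mismatch"
    if root.get("InResponseTo") != request_id:      # must answer the request we issued
        return False, "InResponseTo mismatch"
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        return False, "IdP did not report success"
    a = root.find("saml:Assertion", NS)
    if a is None or a.findtext("saml:Issuer", namespaces=NS) != idp_entity_id:
        return False, "missing assertion or unexpected Issuer"
    cond = a.find("saml:Conditions", NS)
    if not (_utc(cond.get("NotBefore")) <= now < _utc(cond.get("NotOnOrAfter"))):
        return False, "assertion outside its validity window"
    audiences = [x.text for x in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:               # issued for a different SP
        return False, "Audience mismatch"
    return True, a.findtext("saml:Subject/saml:NameID", namespaces=NS)

# Constructed sample response (no real signature; every value is a placeholder).
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" InResponseTo="_req42"
 Destination="https://sp.example.com/Shibboleth.sso/SAML2/POST">
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="_a1"><saml:Issuer>https://idp.example.com/idp/shibboleth</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
   <saml:AudienceRestriction><saml:Audience>https://sp.example.com/shibboleth</saml:Audience>
   </saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>"""

def check_sample(minute=2, sp="https://sp.example.com/shibboleth"):
    now = datetime(2024, 1, 1, 0, minute, tzinfo=timezone.utc)  # clock at validation time
    return validate_response(SAMPLE, "https://idp.example.com/idp/shibboleth", sp,
                             "https://sp.example.com/Shibboleth.sso/SAML2/POST", "_req42", now)
```

Running `check_sample()` accepts the sample, while `check_sample(minute=10)` (expired) or a different `sp` entity ID is rejected; a replayed or re-targeted assertion fails the same way.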

Before We Start

If you don’t have a CenturyLink Cloud account yet, just head over to our website and activate an account. You’ll need it to access CenturyLink Cloud Compute servers.

Are You Deploying an IdP or an SP?

In a typical hybrid cloud configuration, the IdP resides on a private network in a secure segment, usually inside the enterprise. In this configuration, web applications in the cloud are service providers. However, there are times when you may want to deploy an IdP. For instance, if you are providing an SSO solution used by external clients or services outside your enterprise, it makes sense to deploy an IdP to a secure cloud host.

Shibboleth Service Provider

Shibboleth has both SP and IdP packages. The Shibboleth Service Provider integrates seamlessly with Apache HTTPD and works with all SAML implementations. A Shibboleth SP on a virtual server can integrate with a wide variety of applications and can be used to authenticate against a secure enterprise IdP.

Deploy a Shibboleth Service Provider

Our first step is to deploy a new CenturyLink Cloud virtual server. Follow the steps below:

1. Log in to the CenturyLink Cloud Control Portal.
2. On the Navigation Menu, click Infrastructure > Servers.
3. Select a region for your new server, then click create and then server.
4. Fill out the form for your new server. Make sure to select CentOS 7 | 64-bit for the operating system.
5. After your new server is provisioned, return to the server list from Step 2 and find your new server in the list.
6. Click the more menu and then click add public ip.
7. Check the boxes to open ports HTTP (8080) and SSH/SFTP (22).
8. Click add public ip address.

Installing the Service Provider Software

Navigate to your server in the Control Portal as in the previous section. Your server's public IP address will be noted on the screen.

1. From a shell on your local machine, connect to your new server with the following command. Replace "YOUR.VPS.IP" with your server's public IP address.

```
ssh root@YOUR.VPS.IP
```

2. Configure Yum to know about the Shibboleth software repository. With a text editor, create /etc/yum.repos.d/shibo.repo and edit it to look like this:

```
[security_shibboleth]
name=Shibboleth (CentOS_CentOS-7)
type=rpm-md
baseurl=http://download.opensuse.org/repositories/security:/shibboleth/CentOS_7/
gpgcheck=1
gpgkey=http://download.opensuse.org/repositories/security:/shibboleth/CentOS_7/repodata/repomd.xml.key
enabled=1
```

3. Now that yum has been configured, run the following commands to install and run the Shibboleth SP.

```
yum install -y httpd shibboleth
systemctl start shibd.service
systemctl enable shibd.service
```

In order to make your SP ready for production, you have to configure Apache HTTPD with additional information about your enterprise. These items are specific to your application configuration. So, while we can't give you additional steps, note the following:

Make sure that in your configuration you enable the UseCanonicalName option and set ServerName to the value given to you by your enterprise configuration.

It is important that your SP run over a secure connection. So, make sure that SSL is enabled, you have security certificates, and a configuration that matches your enterprise's requirements.

Check out the Shibboleth SP Apache configuration guide for more information.

Configuring Shibboleth SP

The Shibboleth SP configuration is located in /etc/shibboleth/shibboleth2.xml. Your enterprise provides you with configuration parameters for its IdP. Most of the changes you need to make will be located in the section labeled "ApplicationDefaults" of the configuration file.

Read more about adding a new Identity Provider in the Shibboleth Configuration Guide. Finally, when you are ready to add Shibboleth SP authentication, read about how to "Shibbolize" your application.

SimpleSAMLphp Service Provider

The SimpleSAMLphp library is a well-maintained, scalable SAML authentication platform that can be deployed quickly. Compared to Shibboleth, it might seem fairly simple and feature-light. It is a powerful and effective solution for integrating federated, enterprise-grade authentication into a PHP application.

Deploying SimpleSAMLphp as a Service Provider

Our first step is to deploy a new CenturyLink Cloud virtual server. Follow the steps below:

1. Log in to the Control Portal as above.
2. From the Navigation Menu, click Infrastructure > Servers.
3. Select a region for your new server, then click create and then server.
4. Fill out the form for your new server. Make sure to select CentOS 7 | 64-bit for the operating system.
5. After your new server is provisioned, return to the server list from Step 2 and find your new server in the list.
6. Click the more menu and then click add public ip.
7. Check the boxes to open ports HTTP (80) and SSH/SFTP (22).
8. Click add public ip address.

Installing the Service Provider Software

Navigate to your server in the Control Portal as in the previous section. Your server's public IP address will be noted on the screen.

1. From a shell on your local machine, connect to your new server with the following command. Replace "YOUR.VPS.IP" with your server's public IP address.

```
ssh root@YOUR.VPS.IP
```

2. Install the prerequisite software by running the following commands.

```
yum install -y php openssl pcre php-mcrypt
```

3. Download the latest stable version of SimpleSAMLphp from the download page and unpack the tarball.

```
wget https://github.com/simplesamlphp/simplesamlphp/releases/download/v1.14.8/simplesamlphp-1.14.8.tar.gz
tar xfz simplesamlphp-1.14.8.tar.gz
```

4. Move the extracted directory to your installation location. We will use the /var directory.

```
mv simplesamlphp-1.14.8 /var/simplesamlphp
```

Configuring Apache for SimpleSAMLphp

As with the Shibboleth SP configuration, this will vary widely based on your particular needs and environment. For details on particulars of Apache configuration, check the SimpleSAMLphp configuration guide. The following covers a very basic configuration.

1. With a text editor, create a file called /etc/httpd/conf.d/simplesamlphp.conf and edit it to look like this:

```
Alias /simplesaml /var/simplesamlphp/www

<Directory /var/simplesamlphp/www>
    <IfModule mod_authz_core.c>
        Require all granted
    </IfModule>
</Directory>
```

2. With a text editor, open /var/simplesamlphp/config/config.php. Look through this file and configure it to match your SAML SSO and enterprise requirements.

3. Start the webserver with the following command:

```
service httpd start
```

4. Test your SimpleSAMLphp configuration by going to the following URL in your web browser: http://YOUR.VPS.IP/simplesaml

As with the Shibboleth SP configuration, you have to make sure that you deploy SSL support for Apache HTTPD and double-check your configuration against your enterprise requirements. Read more about the specifics of SP configuration at the SimpleSAMLphp Service Provider QuickStart guide.

Next Steps

SAML SSO requires a lot of configuration to get running, but it is the most robust way to securely extend your enterprise into the cloud. In addition, deploying an SP allows you to integrate with third-party SSO providers, such as OneLogin. Understanding the way that SAML SSO integrates with applications gives you the ability to deploy services that use external enterprise IdPs to authenticate users and clients. For an example of how one Software-as-a-Service product is offering SAML SSO integration successfully, read about Slack's SAML support.
