Using SimpleSAMLphp with Shibboleth SSO

Using SimpleSAMLphp to configure a single sign-on system for your Drupal or WordPress site.


Start by following the SimpleSAMLphp's service provider quickstart instructions. This documentation contains only the necessary extra steps to get it working on Pantheon with Drupal or WordPress.

Install SimpleSAMLphp

  1. Download SimpleSAMLphp version 1.16.x and add it to your git repository as /private/simplesamlphp-1.16.x.

    wget https://simplesamlphp.org/download?latest -O simplesamlphp-latest.tar.gz
    mkdir private
    tar -zxvf simplesamlphp-latest.tar.gz -C private
    git add private
    git commit -am "Adding SimpleSAML"
    
  2. Add a symlink to your repository from /simplesaml to /private/simplesamlphp-1.16.x/www:

    ln -s ./private/simplesamlphp-1.16.x/www ./simplesaml
    git add simplesaml
    git commit -am "Adding SimpleSAML symlink"
    
  3. Generate or install certs as needed, and add them to the repository in private/simplesamlphp-1.16.x/cert.

When using Composer to manage the SimpleSAMLphp library, you'll need to store your config files outside of the vendor directory in order to prevent those from being overwritten when you apply updates. We can use a symlink to allow SimpleSAMLphp to utilize the config files stored in the non-standard location.

Commands below require a nested docroot structure and should all be run from the site root (not the nested docroot web directory).

  1. Add the SimpleSAMLphp library:

    composer require simplesamlphp/simplesamlphp
    
  2. Add a symlink from web/simplesaml to vendor/simplesamlphp/simplesamlphp/www:

    ln -s ../vendor/simplesamlphp/simplesamlphp/www ./web/simplesaml
    
  3. Create your site-specific config file:

    mkdir private
    cp vendor/simplesamlphp/simplesamlphp/config-templates/config.php private/simplesaml-config.php
    
  4. Follow the directions above to set up your config file (private/simplesaml-config.php).

  5. Add a symlink from SimpleSAMLphp's default config file over to your customized config, stored outside the vendor directory:

    ln -s ../../../../private/simplesaml-config.php ./vendor/simplesamlphp/simplesamlphp/config/config.php
    
  6. Add this symlink as a post-update script to composer.json. This allows the symlink to be recreated if we update or re-install SimpleSAMLphp using Composer:

    "scripts": {
       "post-install-cmd": [
           "ln -s ../../../../private/simplesaml-config.php ./vendor/simplesamlphp/simplesamlphp/config/config.php"
       ]
    },
    
  7. Commit and push these changes back to your Pantheon dev or multidev environment, where you should now be able to access the SimpleSAMLphp installation page at dev-yoursite.pantheonsite.io/simplesaml.

  8. Generate or install certs as needed, and add them to the project in vendor/simplesamlphp/simplesamlphp/cert.

Configure SimpleSAMLphp

Set up your SimpleSAMLphp config.php as follows:

  1. Enable local sessions to ensure that SimpleSAMLphp can keep a session when used in standalone mode:

    if (!ini_get('session.save_handler')) {
      ini_set('session.save_handler', 'file');
    }
    
  2. Load necessary environmental data. For a Drupal site, you can access $_SERVER['PRESSFLOW_SETTINGS']:

    $ps = json_decode($_SERVER['PRESSFLOW_SETTINGS'], TRUE);
    $host = $_SERVER['HTTP_HOST'];
    $db = $ps['databases']['default']['default'];
    

    For a WordPress site, you can access the Pantheon environment variables:

    $host = $_SERVER['HTTP_HOST'];
    $db = array(
      'host'      => $_ENV['DB_HOST'],
      'database'  => $_ENV['DB_NAME'],
      'username'  => $_ENV['DB_USER'],
      'password'  => $_ENV['DB_PASSWORD'],
      'port'      => $_ENV['DB_PORT'],
    );
    
  3. With the basic variables defined, set up base config:

    $config = array (
       'baseurlpath' => 'https://'. $host .':443/simplesaml/', // SAML should always connect via 443
       'certdir' => 'cert/',
       'loggingdir' => $_ENV['HOME'] . '/files/private/log/',
       'datadir' => 'data/',
       'tempdir' => $_ENV['HOME'] . '/tmp/simplesaml',
       Your $config array continues for a while...
       until we get to the "store.type" value, where we put in DB config...
       'store.type' => 'sql',
       'store.sql.dsn' => 'mysql:host='. $db['host'] .';port='. $db['port'] .';dbname='. $db['database'],
       'store.sql.username' => $db['username'],
       'store.sql.password' => $db['password'],
    
  4. With configuration completed, commit the changes to your SimpleSAMLphp files:

    git add private/simplesamlphp-1.15.x
    git commit -am "Adding SimpleSaml config files."
    

You can now visit the subdirectory /simplesaml on your development site and complete your metadata configuration.

Drupal Configuration

Add the following lines to settings.php so that the Drupal module can locate SimpleSAMLphp:

For Drupal 7 sites:

# Provide universal absolute path to the installation.
$conf['simplesamlphp_auth_installdir'] = $_ENV['HOME'] .'/code/private/simplesamlphp-1.15.x';

For Drupal 8 sites:

# Provide universal absolute path to the installation.
$settings['simplesamlphp_dir'] = $_ENV['HOME'] .'/code/private/simplesamlphp-1.15.x';

You can now enable and configure the module. If SAML authentication fails because of a configuration error, look at the watchdog log to see why.

WordPress Configuration

To use SimpleSAMLphp with WordPress, first install and activate the WP SAML Auth plugin.

Then, to configure the WP SAML Auth plugin to work with SimpleSAMLphp, add the following filter to your theme's functions.php file:

add_filter( 'wp_saml_auth_option', function( $value, $option ){
  if ( 'simplesamlphp_autoload' === $option ) {
    // Note: Your path may differ, if you've installed a later SimpleSAMLphp version
    $value = ABSPATH . '/private/simplesamlphp-1.15.x/lib/_autoload.php';
  }
  return $value;
}, 10, 2 );

For more details, including additional plugin configuration options, please see the README.

Troubleshooting

Varnish Not Working/Cookie Being Set for Anonymous Users

The current version of the SimpleSAMLphp Authentication module attempts to load a session on every page, as reported in https://drupal.org/node/2020009 in the official issue queue. There are two patches; at this time, https://drupal.org/node/2020009#comment-7845537 looks to be the best solution until the fix is accepted into an official project release.

WordPress Site Networks (multisite)

SimpleSAMLphp does not work with WordPress multisite networks because the simpleSAMLphp redirects get intercepted and rerouted to 404s by the CMS. Site Network users can utilize the OneLogin SAML PHP library that comes bundled with Pantheon's WP SAML Auth plugin.