Updates

Dockerfile

@@ -1,9 +1,8 @@
 FROM php:7.1-apache
-MAINTAINER Kristoph Junge <[email protected]>
 
 # Utilities
 RUN apt-get update && \
-    apt-get -y install apt-transport-https git curl vim --no-install-recommends && \
+    apt-get -y install apt-transport-https git curl vim libldap2-dev --no-install-recommends && \
     rm -r /var/lib/apt/lists/*
 
 # SimpleSAMLphp
@@ -16,21 +15,19 @@ RUN curl -s -L -o /tmp/simplesamlphp.tar.gz https://github.com/simplesamlphp/sim
 COPY config/simplesamlphp/config.php /var/www/simplesamlphp/config
 COPY config/simplesamlphp/authsources.php /var/www/simplesamlphp/config
 COPY config/simplesamlphp/saml20-sp-remote.php /var/www/simplesamlphp/metadata
+COPY config/simplesamlphp/saml20-idp-hosted.php /var/www/simplesamlphp/metadata
 COPY config/simplesamlphp/server.crt /var/www/simplesamlphp/cert/
 COPY config/simplesamlphp/server.pem /var/www/simplesamlphp/cert/
 
 # Apache
 COPY config/apache/ports.conf /etc/apache2
 COPY config/apache/simplesamlphp.conf /etc/apache2/sites-available
-COPY config/apache/cert.crt /etc/ssl/cert/cert.crt
-COPY config/apache/private.key /etc/ssl/private/private.key
 RUN echo "ServerName localhost" >> /etc/apache2/apache2.conf && \
-    a2enmod ssl && \
-    a2dissite 000-default.conf default-ssl.conf && \
+    a2dissite 000-default.conf && \
     a2ensite simplesamlphp.conf
 
 # Set work dir
 WORKDIR /var/www/simplesamlphp
 
 # General setup
-EXPOSE 8080 8443
+EXPOSE 8080

README.md

@@ -1,104 +1,8 @@
 # Docker Test SAML 2.0 Identity Provider (IdP)
 
-[![DockerHub Pulls](https://img.shields.io/docker/pulls/kristophjunge/test-saml-idp.svg)](https://hub.docker.com/r/kristophjunge/test-saml-idp/) [![DockerHub Stars](https://img.shields.io/docker/stars/kristophjunge/test-saml-idp.svg)](https://hub.docker.com/r/kristophjunge/test-saml-idp/) [![GitHub Stars](https://img.shields.io/github/stars/kristophjunge/docker-test-saml-idp.svg?label=github%20stars)](https://github.com/kristophjunge/docker-test-saml-idp) [![GitHub Forks](https://img.shields.io/github/forks/kristophjunge/docker-test-saml-idp.svg?label=github%20forks)](https://github.com/kristophjunge/docker-test-saml-idp) [![GitHub License](https://img.shields.io/github/license/kristophjunge/docker-test-saml-idp.svg)](https://github.com/kristophjunge/docker-test-saml-idp)
-
-![Seal of Approval](https://raw.githubusercontent.com/kristophjunge/docker-test-saml-idp/master/seal.jpg)
-
-Docker container with a plug and play SAML 2.0 Identity Provider (IdP) for development and testing.
-
-Built with [SimpleSAMLphp](https://simplesamlphp.org). Based on official PHP7 Apache [images](https://hub.docker.com/_/php/).
-
-**Warning!**: Do not use this container in production! The container is not configured for security and contains static user credentials and SSL keys.
-
-SimpleSAMLphp is logging to stdout on debug log level. Apache is logging error and access log to stdout.
-
-The contained version of SimpleSAMLphp is 1.15.2.
-
-
-## Supported Tags
-
-- `1.15` [(Dockerfile)](https://github.com/kristophjunge/docker-test-saml-idp/blob/1.15/Dockerfile)
-- `1.14` [(Dockerfile)](https://github.com/kristophjunge/docker-test-saml-idp/blob/1.14/Dockerfile)
-
-
-## Changelog
-
-See [CHANGELOG.md](https://github.com/kristophjunge/docker-test-saml-idp/blob/master/docs/CHANGELOG.md) for information about the latest changes.
-
-
-## Usage
-
-```
-docker run --name=testsamlidp_idp \
--p 8080:8080 \
--p 8443:8443 \
--e SIMPLESAMLPHP_SP_ENTITY_ID=http://app.example.com \
--e SIMPLESAMLPHP_SP_ASSERTION_CONSUMER_SERVICE=http://localhost/simplesaml/module.php/saml/sp/saml2-acs.php/test-sp \
--e SIMPLESAMLPHP_SP_SINGLE_LOGOUT_SERVICE=http://localhost/simplesaml/module.php/saml/sp/saml2-logout.php/test-sp \
--d kristophjunge/test-saml-idp
-```
-
-There are two static users configured in the IdP with the following data:
-
-| UID | Username | Password | Group | Email |
-|---|---|---|---|---|
-| 1 | user1 | user1pass | group1 | [email protected] |
-| 2 | user2 | user2pass | group2 | [email protected] |
-
-However you can define your own users by mounting a configuration file:
-
-```
--v /users.php:/var/www/simplesamlphp/config/authsources.php
-```
-
-You can access the SimpleSAMLphp web interface of the IdP under `http://localhost:8080/simplesaml`. The admin password is `secret`.
-
-
-## Test the Identity Provider (IdP)
-
-To ensure that the IdP works you can use SimpleSAMLphp as test SP.
-
-Download a fresh installation of [SimpleSAMLphp](https://simplesamlphp.org) and configure it for your favorite web server.
-
-For this test the following is assumed:
-- The entity id of the SP is `http://app.example.com`.
-- The local development URL of the SP is `http://localhost`.
-- The local development URL of the IdP is `http://localhost:8080`.
-
-The entity id is only the name of SP and the contained URL wont be used as part of the auth mechanism.
-
-Add the following entry to the `config/authsources.php` file of SimpleSAMLphp.
-```
-    'test-sp' => array(
-        'saml:SP',
-        'entityID' => 'http://app.example.com',
-        'idp' => 'http://localhost:8080/simplesaml/saml2/idp/metadata.php',
-    ),
-```
-
-Add the following entry to the `metadata/saml20-idp-remote.php` file of SimpleSAMLphp.
-```
-$metadata['http://localhost:8080/simplesaml/saml2/idp/metadata.php'] = array(
-    'name' => array(
-        'en' => 'Test IdP',
-    ),
-    'description' => 'Test IdP',
-    'SingleSignOnService' => 'http://localhost:8080/simplesaml/saml2/idp/SSOService.php',
-    'SingleLogoutService' => 'http://localhost:8080/simplesaml/saml2/idp/SingleLogoutService.php',
-    'certFingerprint' => '119b9e027959cdb7c662cfd075d9e2ef384e445f',
-);
-```
-
-Start the development IdP with the command above (usage) and initiate the login from the development SP under `http://localhost/simplesaml`.
-
-Click under `Authentication` > `Test configured authentication sources` > `test-sp` and login with one of the test credentials.
-
-
-## Contributing
-
-See [CONTRIBUTING.md](https://github.com/kristophjunge/docker-test-saml-idp/blob/master/docs/CONTRIBUTING.md) for information on how to contribute to the project.
-
-See [CONTRIBUTORS.md](https://github.com/kristophjunge/docker-test-saml-idp/blob/master/docs/CONTRIBUTORS.md) for the list of contributors.
+This is a dockerized mock SAML IdP. It's a fork of
+[docker-test-saml-idp](https://github.com/kristophjunge/docker-test-saml-idp)
+with some customizations.
 
 
 ## License

config/apache/ports.conf

@@ -1,9 +1,2 @@
 Listen 8080
 
-<IfModule ssl_module>
-	Listen 8443
-</IfModule>
-
-<IfModule mod_gnutls.c>
-	Listen 8443
-</IfModule>

config/apache/simplesamlphp.conf

@@ -8,16 +8,3 @@
         </IfModule>
     </Directory>
 </VirtualHost>
-<VirtualHost *:8443>
-    ServerName localhost
-    DocumentRoot /var/www/simplesamlphp
-    SSLEngine on
-    SSLCertificateFile /etc/ssl/cert/cert.crt
-    SSLCertificateKeyFile /etc/ssl/private/private.key
-    Alias /simplesaml /var/www/simplesamlphp/www
-    <Directory /var/www/simplesamlphp/www>
-        <IfModule !mod_authz_core.c>
-        Require all granted
-        </IfModule>
-    </Directory>
-</VirtualHost>

config/simplesamlphp/authsources.php

@@ -6,18 +6,12 @@
         'core:AdminPassword',
     ),
 
-    'example-userpass' => array(
-        'exampleauth:UserPass',
-        'user1:user1pass' => array(
-            'uid' => array('1'),
-            'eduPersonAffiliation' => array('group1'),
-            'email' => '[email protected]',
-        ),
-        'user2:user2pass' => array(
-            'uid' => array('2'),
-            'eduPersonAffiliation' => array('group2'),
-            'email' => '[email protected]',
-        ),
-    ),
+    'example-ldap' => [
+        'ldap:LDAP',
+        'hostname' => 'ldap://host.docker.internal:389',
+        'enable_tls' => false,
+        'attributes' => NULL,
+        'dnpattern' => 'uid=%username%,ou=users,dc=vagrant,dc=local'
+    ]
 
 );

config/simplesamlphp/config.php

@@ -260,7 +260,7 @@
      * In example when you are setting up a federation bridge.
      */
     'enable.saml20-idp' => true,
-    'enable.shib13-idp' => true,
+    'enable.shib13-idp' => false,
     'enable.adfs-idp' => false,
     'enable.wsfed-sp' => false,
     'enable.authmemcookie' => false,
@@ -289,7 +289,7 @@
      * This value is the duration of the session in seconds. Make sure that the time duration of
      * cookies both at the SP and the IdP exceeds this duration.
      */
-    'session.duration' => 8 * (60 * 60), // 8 hours.
+    'session.duration' => 5, // 5 seconds.
 
     /*
      * Sets the duration, in seconds, data should be stored in the datastore. As the datastore is used for

config/simplesamlphp/saml20-idp-hosted.php

@@ -0,0 +1,71 @@
+<?php
+/**
+ * SAML 2.0 IdP configuration for SimpleSAMLphp.
+ *
+ * See: https://simplesamlphp.org/docs/stable/simplesamlphp-reference-idp-hosted
+ */
+
+$metadata['__DYNAMIC:1__'] = array(
+	/*
+	 * The hostname of the server (VHOST) that will use this SAML entity.
+	 *
+	 * Can be '__DEFAULT__', to use this entry by default.
+	 */
+	'host' => '__DEFAULT__',
+
+	// X.509 key and certificate. Relative to the cert directory.
+	'privatekey' => 'server.pem',
+	'certificate' => 'server.crt',
+
+	/*
+	 * Authentication source to use. Must be one that is configured in
+	 * 'config/authsources.php'.
+	 */
+	'auth' => 'example-ldap',
+
+	/*
+	 * WARNING: SHA-1 is disallowed starting January the 1st, 2014.
+	 *
+	 * Uncomment the following option to start using SHA-256 for your signatures.
+	 * Currently, SimpleSAMLphp defaults to SHA-1, which has been deprecated since
+	 * 2011, and will be disallowed by NIST as of 2014. Please refer to the following
+	 * document for more information:
+	 * 
+	 * http://csrc.nist.gov/publications/nistpubs/800-131A/sp800-131A.pdf
+	 *
+	 * If you are uncertain about service providers supporting SHA-256 or other
+	 * algorithms of the SHA-2 family, you can configure it individually in the
+	 * SP-remote metadata set for those that support it. Once you are certain that
+	 * all your configured SPs support SHA-2, you can safely remove the configuration
+	 * options in the SP-remote metadata set and uncomment the following option.
+	 *
+	 * Please refer to the IdP hosted reference for more information.
+	 */
+	//'signature.algorithm' => 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256',
+
+	/* Uncomment the following to use the uri NameFormat on attributes. */
+	/*
+	'attributes.NameFormat' => 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri',
+	'authproc' => array(
+		// Convert LDAP names to oids.
+		100 => array('class' => 'core:AttributeMap', 'name2oid'),
+	),
+	*/
+
+	/*
+	 * Uncomment the following to specify the registration information in the
+	 * exported metadata. Refer to:
+     * http://docs.oasis-open.org/security/saml/Post2.0/saml-metadata-rpi/v1.0/cs01/saml-metadata-rpi-v1.0-cs01.html
+	 * for more information.
+	 */
+	/*
+	'RegistrationInfo' => array(
+		'authority' => 'urn:mace:example.org',
+		'instant' => '2008-01-17T11:28:03Z',
+		'policies' => array(
+			'en' => 'http://example.org/policy',
+			'es' => 'http://example.org/politica',
+		),
+	),
+	*/
+);

config/simplesamlphp/saml20-sp-remote.php

@@ -5,7 +5,9 @@
  * See: https://simplesamlphp.org/docs/stable/simplesamlphp-reference-sp-remote
  */
 
-$metadata[getenv('SIMPLESAMLPHP_SP_ENTITY_ID')] = array(
-    'AssertionConsumerService' => getenv('SIMPLESAMLPHP_SP_ASSERTION_CONSUMER_SERVICE'),
-    'SingleLogoutService' => getenv('SIMPLESAMLPHP_SP_SINGLE_LOGOUT_SERVICE'),
+$metadata['http://localhost:1511'] = array(
+    'AssertionConsumerService' => 'http://localhost:1511/authentication/check_login',
+    'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
+    'simplesaml.nameidattribute' => 'uid',
+    'simplesaml.attributes'      => true
 );