Commit c64b2c3d authored by Mario Hernandez

Adding Single_Sign-on_to_Azure_AD_using SimpleSAMLphp

parent f008de3a
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8"/>
<title></title>
<meta name="generator" content="LibreOffice 6.0.7.3 (Linux)"/>
<meta name="created" content="2020-10-29T19:24:19.179055936"/>
<meta name="changed" content="2020-10-29T19:27:17.005045978"/>
<style type="text/css">
@page { margin: 2cm }
p { margin-bottom: 0.25cm; line-height: 115% }
h1 { margin-bottom: 0.21cm }
h1.western { font-family: "Liberation Serif", serif }
h1.cjk { font-family: "Noto Sans CJK SC"; font-size: 24pt }
h1.ctl { font-family: "Lohit Devanagari"; font-size: 24pt }
td p { margin-bottom: 0cm }
h2.cjk { font-family: "Noto Sans CJK SC" }
h2.ctl { font-family: "Lohit Devanagari" }
a:link { so-language: zxx }
</style>
</head>
<body lang="es-MX" dir="ltr">
<h1 class="western">Single Sign-on to Azure AD using SimpleSAMLphp</h1>
<p>by <a href="https://www.lewisroberts.com/author/ljr/">Lewis</a> ·
Sat 5th September, 2015
</p>
<p>In my last mammoth post, I posted an update/re-write to an article
originally written on the Azure website that used some libraries
provided by Microsoft to enable custom PHP applications to sign on to
Azure AD using WS-Federation. In that post I described a method for
installing and configuring SimpleSAMLphp on IIS that enables it to be
used by any number of sites on the same server; all that’s required
is to add a simple Virtual Directory to each site. If you want to
configure SimpleSAMLphp on IIS, check that post out.</p>
<p>The intention with this post is to do away with Microsoft’s
libraries altogether and use only SimpleSAMLphp in a more integrated
way. The purpose is to avoid having to re-write a lot of
functionality already provided by SimpleSAMLphp that’s likely to be
missing from Microsoft’s libraries, and of course open up access to
SimpleSAMLphp’s documented API.</p>
<p>I will assume you have configured SimpleSAMLphp already using the
method documented in the last post. In order to proceed in this post,
you also need to have configured an application within Azure Active
Directory. Again, you can find instructions for that included in the
previous post.</p>
<p>The largest difference with this post is, as I mentioned, better
integration with SimpleSAMLphp – as such, there’s more
configuration to complete within SimpleSAMLphp than there was in the
previous post.</p>
<ul>
<li/>
<p style="margin-bottom: 0cm">We’ll import federation data
from our Azure application into SimpleSAMLphp.
</p>
<li/>
<p style="margin-bottom: 0cm">We’ll configure SimpleSAMLphp
as a Service Provider.
</p>
<li/>
<p>We’ll create a little code to get us authenticating.
</p>
</ul>
<h1 class="western"><a name="more-1489"></a>Pre-requisites</h1>
<ol>
<li/>
<p style="margin-bottom: 0cm">As mentioned, we need
SimpleSAMLphp set up on the server as per my previous post. In <em>this</em>
post, I’ve created a new website called <font face="Courier New"><font size="2" style="font-size: 10pt">sso.lewisroberts.com</font></font>
and configured the Virtual Directory. It’s all documented in the
previous post so you can use that to get to this stage.<br/>
<img src="Single_Sign_on_to_Azure_AD_using%20SimpleSAMLphp_html_2ec9382c7123ddfc.png" name="Imagen1" align="bottom" width="171" height="43" border="0"/>
</p>
<li/>
<p>We need an application configured in Azure Active Directory
just as per my previous post. In this post, I’ve created a new
application I’ve called <font face="Courier New"><font size="2" style="font-size: 10pt">sso.lewisroberts.com</font></font>.
There’s no special configuration required for the application.<br/>
<img src="Single_Sign_on_to_Azure_AD_using%20SimpleSAMLphp_html_ea03a6772a53a933.png" name="Imagen2" align="bottom" width="460" height="215" border="0"/>
</p>
</ol>
<h1 class="western">Import federation data from Azure application to
SimpleSAMLphp</h1>
<ol>
<li/>
<p style="margin-bottom: 0cm">Open the Windows Azure
Management portal and navigate to your application. Click <strong>View
Endpoints</strong> in the grey banner at the bottom.<br/>
<img src="Single_Sign_on_to_Azure_AD_using%20SimpleSAMLphp_html_fa96c9f678cdd14c.png" name="Imagen3" align="bottom" width="319" height="424" border="0"/>
</p>
<li/>
<p style="margin-bottom: 0cm">In the <strong>App Endpoints</strong>
window, copy the URL for the <strong>Federation Metadata Document</strong>.<br/>
<img src="Single_Sign_on_to_Azure_AD_using%20SimpleSAMLphp_html_de84545dbb5234a0.png" name="Imagen4" align="bottom" width="484" height="291" border="0"/>
</p>
<li/>
<p style="margin-bottom: 0cm">Using your favourite browser,
navigate to the location and save the metadata document. How you do
this doesn’t really matter, as long as it’s just the XML you
save.<br/>
<img src="Single_Sign_on_to_Azure_AD_using%20SimpleSAMLphp_html_fa6c9253e99f2bd6.png" name="Imagen5" align="bottom" width="727" height="303" border="0"/>
</p>
<li/>
<p style="margin-bottom: 0cm">Open the <font face="Courier New"><font size="2" style="font-size: 10pt">federationmetadata.xml</font></font>
file in a text editor, select the entire contents (Ctrl+A) and then
copy it to the clipboard.<br/>
<img src="Single_Sign_on_to_Azure_AD_using%20SimpleSAMLphp_html_48b1a6b055690be9.png" name="Imagen6" align="bottom" width="957" height="160" border="0"/>
</p>
<li/>
<p style="margin-bottom: 0cm">Open a browser and navigate to
<font face="Courier New"><font size="2" style="font-size: 10pt">https://sso.lewisroberts.com/simplesaml</font></font><br/>
<em>(Actually, you’ll obviously navigate to your own PHP application’s website,
not mine.)</em> Once there, click the <strong>Federation</strong>
tab.<br/>
<img src="Single_Sign_on_to_Azure_AD_using%20SimpleSAMLphp_html_d0272e256ebbf6dd.png" name="Imagen7" align="bottom" width="569" height="289" border="0"/>
</p>
<li/>
<p style="margin-bottom: 0cm">On the <strong>Federation</strong>
tab, look for <strong>Tools</strong> and then click <strong>XML to
simpleSAMLphp metadata converter</strong>.<br/>
<img src="Single_Sign_on_to_Azure_AD_using%20SimpleSAMLphp_html_714122b136f6ed85.png" name="Imagen8" align="bottom" width="398" height="112" border="0"/>
</p>
<li/>
<p style="margin-bottom: 0cm">Paste the entire
<font face="Courier New"><font size="2" style="font-size: 10pt">federationmetadata.xml</font></font>
file’s contents into the field and click the <strong>Parse</strong>
button.<br/>
<img src="Single_Sign_on_to_Azure_AD_using%20SimpleSAMLphp_html_bcd944b85469b967.png" name="Imagen9" align="bottom" width="703" height="345" border="0"/>
</p>
<li/>
<p style="margin-bottom: 0cm">The page should return almost
immediately with information similar to the following under the
Converted metadata section. Copy the contents of the
<strong>saml20-idp-remote</strong> field to your clipboard or to a
file; it’s your choice.<br/>
<img src="Single_Sign_on_to_Azure_AD_using%20SimpleSAMLphp_html_8ee2fef516c83c65.png" name="Imagen10" align="bottom" width="512" height="439" border="0"/>
</p>
<li/>
<p style="margin-bottom: 0cm">Navigate to your SimpleSAMLphp
installation folder and find the <font face="Courier New"><font size="2" style="font-size: 10pt">metadata</font></font>
folder.<br/>
<img src="Single_Sign_on_to_Azure_AD_using%20SimpleSAMLphp_html_7b4ebeb3791e9c31.png" name="Imagen11" align="bottom" width="352" height="314" border="0"/>
</p>
<li/>
<p style="margin-bottom: 0cm">Now open the
<font face="Courier New"><font size="2" style="font-size: 10pt">saml20-idp-remote.php</font></font>
file.<br/>
<em>Did you notice? The converted metadata returned from
SimpleSAMLphp had the field set to saml20-idp-remote – the same
name as the file we’re editing.</em><br/>
<img src="Single_Sign_on_to_Azure_AD_using%20SimpleSAMLphp_html_257bca8b6855a500.png" name="Imagen12" align="bottom" width="395" height="178" border="0"/>
</p>
<li/>
<p>Now paste the converted metadata into the file.
I’ve highlighted where it was pasted into my own version of the
file; note that the converted metadata extends beyond the bottom of
the visible screen shown here. It should be a simple matter of
pasting in the converted metadata. Save the file.<br/>
<img src="Single_Sign_on_to_Azure_AD_using%20SimpleSAMLphp_html_5fa2df932bd1db71.png" name="Imagen13" align="bottom" width="565" height="547" border="0"/>
</p>
</ol>
<h1 class="western">Configure SimpleSAMLphp as a service provider</h1>
<ol>
<li/>
<p style="margin-bottom: 0cm">Navigate to your SimpleSAMLphp
installation folder and open the <font face="Courier New"><font size="2" style="font-size: 10pt">config</font></font>
folder.<br/>
<img src="Single_Sign_on_to_Azure_AD_using%20SimpleSAMLphp_html_77d8ddc14fc33d42.png" name="Imagen14" align="bottom" width="228" height="150" border="0"/>
</p>
<li/>
<p style="margin-bottom: 0cm">Open <font face="Courier New"><font size="2" style="font-size: 10pt">authsources.php</font></font>
in your favourite text editor.<br/>
<img src="Single_Sign_on_to_Azure_AD_using%20SimpleSAMLphp_html_342275eab60a61d9.png" name="Imagen15" align="bottom" width="279" height="120" border="0"/>
</p>
<li/>
<p style="margin-bottom: 0cm">There are a number of
authentication sources preconfigured (but commented out); the
one we’re interested in (or rather, its general format) is
<font face="Courier New"><font size="2" style="font-size: 10pt">default-sp</font></font>.
I’ve shown this (actually, the interesting bits) in its default
state below.<br/>
<img src="Single_Sign_on_to_Azure_AD_using%20SimpleSAMLphp_html_4bf3deabaa316e6e.png" name="Imagen16" align="bottom" width="529" height="353" border="0"/>
</p>
<li/>
<p style="margin-bottom: 0cm">In order to achieve
compatibility with Azure AD, we need to make some small changes to
default-sp. We <em>could</em> just create another authsource with a
different name, but editing default-sp makes it easier to show what
it looks like before and after the edits. The next few steps show
where we make them.
</p>
<li/>
<p style="margin-bottom: 0cm">Firstly, change the <font face="Courier New"><font size="2" style="font-size: 10pt">entityID</font></font>
value to reflect the name or URL of your Azure application.<br/>
<img src="Single_Sign_on_to_Azure_AD_using%20SimpleSAMLphp_html_c9807be520d63cf4.png" name="Imagen17" align="bottom" width="680" height="269" border="0"/>
</p>
<li/>
<p style="margin-bottom: 0cm">Next, enter the <font face="Courier New"><font size="2" style="font-size: 10pt">idp</font></font>
value. Where did I get this from? The very first line of the
converted metadata actually gives you the IdP (Identity Provider) –
in this case, Azure AD.<br/>
<img src="Single_Sign_on_to_Azure_AD_using%20SimpleSAMLphp_html_e6ec21375e049871.png" name="Imagen18" align="bottom" width="668" height="263" border="0"/>
</p>
<li/>
<p style="margin-bottom: 0cm"><font face="Courier New"><font size="2" style="font-size: 10pt">discoURL</font></font>
stays as null.<br/>
<img src="Single_Sign_on_to_Azure_AD_using%20SimpleSAMLphp_html_29fba6ed476a169d.png" name="Imagen19" align="bottom" width="667" height="270" border="0"/>
</p>
<li/>
<p>Next we must add some additional information that is
required to communicate with Azure AD. Underneath discoURL, add the
following two lines.</p>
</ol>
<div id="crayon-5f9b6b2f0d3a1465768195" dir="ltr">
<table cellpadding="2" cellspacing="2">
<tr>
<td style="border: none; padding: 0cm">
<p><font size="2" style="font-size: 9pt">1</font></p>
<p><font size="2" style="font-size: 9pt">2</font></p>
</td>
<td style="border: none; padding: 0cm">
<div id="crayon-5f9b6b2f0d3a1465768195-1" dir="ltr">
<p>'NameIDFormat' =&gt; 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',</p>
</div>
<div id="crayon-5f9b6b2f0d3a1465768195-2" dir="ltr">
<p>'simplesaml.nameidattribute' =&gt; 'eduPersonTargetedID',</p>
</div>
</td>
</tr>
</table>
</div>
<ol start="8">
<p style="margin-bottom: 0cm"><br/>
<img src="Single_Sign_on_to_Azure_AD_using%20SimpleSAMLphp_html_3ac0656fd59443fa.png" name="Imagen20" align="bottom" width="657" height="292" border="0"/>
</p>
<li/>
<p>We’ve finished editing <font face="Courier New"><font size="2" style="font-size: 10pt">authsources.php</font></font>,
so save and close the file.
</p>
</ol>
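<p>Putting steps 5 to 8 together, this is what the finished
<font face="Courier New"><font size="2" style="font-size: 10pt">default-sp</font></font>
entry looks like in
<font face="Courier New"><font size="2" style="font-size: 10pt">authsources.php</font></font>.
This is an added example rather than the author’s own file: the
<font face="Courier New"><font size="2" style="font-size: 10pt">entityID</font></font>
and the tenant ID inside the
<font face="Courier New"><font size="2" style="font-size: 10pt">idp</font></font>
value are placeholders that you replace with your application’s name/URL and with the
first line of your own converted metadata.</p>

```php
<?php
/*
 * config/authsources.php (excerpt): the default-sp authsource after the edits in
 * this post. Added example, not the author's file. Replace the two placeholder
 * values with your own before use.
 */
$config = array(

    // The admin source is left as shipped; the SimpleSAMLphp web interface uses it.
    'admin' => array(
        'core:AdminPassword',
    ),

    'default-sp' => array(
        'saml:SP',

        // Step 5: the entity ID of this service provider. Azure AD checks the Issuer
        // of the authentication request against the identifiers registered for the
        // application, so this must match what the application was registered with.
        'entityID' => 'https://sso.lewisroberts.com',   // placeholder: your app's name/URL

        // Step 6: the IdP entity ID, copied from the first line of the converted
        // metadata. Fixing it here pins default-sp to this one IdP (and to the
        // matching entry in metadata/saml20-idp-remote.php); the tenant ID below is
        // a placeholder and the URL format should be confirmed against your metadata.
        'idp' => 'https://sts.windows.net/00000000-0000-0000-0000-000000000000/',

        // Step 7: no discovery service is needed because 'idp' is fixed above.
        'discoURL' => null,

        // Step 8: request a persistent NameID from Azure AD and expose that NameID to
        // the application as an attribute named eduPersonTargetedID.
        'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
        'simplesaml.nameidattribute' => 'eduPersonTargetedID',
    ),

);
```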
<h1 class="western">Testing authentication</h1>
<p>Now that configuration of SimpleSAMLphp is complete, we can use
SimpleSAMLphp to check that authentication works as expected without
writing any code; we’ll get to the code in a moment.</p>
<ol>
<li/>
<p style="margin-bottom: 0cm">Navigate to
<font face="Courier New"><font size="2" style="font-size: 10pt">https://sso.lewisroberts.com/simplesaml</font></font>
(remember, your own app, not mine; this is an example) and then
click the <strong>Authentication</strong> tab.<br/>
<img src="Single_Sign_on_to_Azure_AD_using%20SimpleSAMLphp_html_f59c405fedf73d44.png" name="Imagen21" align="bottom" width="465" height="338" border="0"/>
</p>
<li/>
<p style="margin-bottom: 0cm">Once there, click <strong>Test
configured authentication sources</strong><br/>
<img src="Single_Sign_on_to_Azure_AD_using%20SimpleSAMLphp_html_4534164b7c38c60d.png" name="Imagen22" align="bottom" width="352" height="227" border="0"/>
</p>
<li/>
<p style="margin-bottom: 0cm">We should see only two options, <font face="Courier New"><font size="2" style="font-size: 10pt">admin</font></font>
and <font face="Courier New"><font size="2" style="font-size: 10pt">default-sp</font></font>.
These were the only two authentication sources defined in
<font face="Courier New"><font size="2" style="font-size: 10pt">authsources.php</font></font>.
Click <strong>default-sp</strong>.<br/>
<img src="Single_Sign_on_to_Azure_AD_using%20SimpleSAMLphp_html_11041f933f74499f.png" name="Imagen23" align="bottom" width="312" height="266" border="0"/>
</p>
<li/>
<p style="margin-bottom: 0cm">You will likely receive an error
that looks as follows. This means that the <strong>Reply URL</strong>
sent by SimpleSAMLphp to Azure AD as part of the authentication
attempt isn’t one that is accepted by the application. So it’s
not very happy. To fix this, we need to quickly visit the Azure
Management portal and add this <strong>Reply URL</strong> to our
application.<br/>
<img src="Single_Sign_on_to_Azure_AD_using%20SimpleSAMLphp_html_6f7db804cde7734c.png" name="Imagen24" align="bottom" width="592" height="351" border="0"/>
</p>
<li/>
<p style="margin-bottom: 0cm">First, copy the URL from the
error. In this case, the URL is:
<font face="Courier New"><font size="2" style="font-size: 10pt">https://sso.lewisroberts.com/simplesaml/module.php/saml/sp/metadata.php/default-sp<br/>
<img src="Single_Sign_on_to_Azure_AD_using%20SimpleSAMLphp_html_d2eccaa06c787161.png" name="Imagen25" align="bottom" width="432" height="134" border="0"/>
</font></font>
</p>
<li/>
<p style="margin-bottom: 0cm">In the Azure Management portal,
find the application, scroll to <strong>Single Sign-On</strong> and
add it to the list of <strong>Reply URLs</strong>. Save the
configuration change but leave the management portal open in case
you must make any more edits.<br/>
<img src="Single_Sign_on_to_Azure_AD_using%20SimpleSAMLphp_html_acd4033a43ca7a47.png" name="Imagen26" align="bottom" width="731" height="211" border="0"/>
</p>
<li/>
<p style="margin-bottom: 0cm">Close the other browser showing
the error, open another and repeat steps 1 to 3.<br/>
After clicking
on <strong>default-sp</strong>, now that we have added the <strong>Reply
URL</strong> in the Windows Azure portal, we should be shown the
<strong>Sign in</strong> page.<br/>
<em>Notice the URL we’re sent
to. This is actually the </em><em><strong>SAML-P Sign On
Endpoint</strong></em><em> for the Azure application.</em><br/>
<img src="Single_Sign_on_to_Azure_AD_using%20SimpleSAMLphp_html_6cc6dada0eb3540c.png" name="Imagen27" align="bottom" width="604" height="315" border="0"/>
</p>
<li/>
<p style="margin-bottom: 0cm">Log in with a user account
that’s in your Azure Active Directory.<br/>
<img src="Single_Sign_on_to_Azure_AD_using%20SimpleSAMLphp_html_de91827c6dd84fd.png" name="Imagen28" align="bottom" width="281" height="196" border="0"/>
</p>
<li/>
<p style="margin-bottom: 0cm">We should now be able to sign in
without error and get redirected back to SimpleSAMLphp and shown a
list of the claims that were sent along with the authentication.<br/>
<img src="Single_Sign_on_to_Azure_AD_using%20SimpleSAMLphp_html_97381aa04f6183fb.png" name="Imagen29" align="bottom" width="735" height="614" border="0"/>
</p>
<li/>
<p>To test logging out, click <strong>Logout</strong>.<br/>
<img src="Single_Sign_on_to_Azure_AD_using%20SimpleSAMLphp_html_33ea71832ef47d66.png" name="Imagen30" align="bottom" width="497" height="269" border="0"/>
</p>
</ol>
<h1 class="western">Custom PHP application code</h1>
<p>So, all this configuration was just to get us to the point where
we can create our own application code that allows us to authenticate
with Azure AD. The reality is that our PHP “application” can be a
single page.</p>
<h2 class="western">index.php</h2>
<p>Generally, the application will require an <font face="Courier New"><font size="2" style="font-size: 10pt">index.php</font></font>
file – the code for which is below. I’ll give a very brief
breakdown of the first few lines, the rest is obvious.</p>
<div id="crayon-5f9b6b2f0d3aa656342966" dir="ltr">
<table cellpadding="2" cellspacing="2">
<tr>
<td style="border: none; padding: 0cm">
<p><font size="2" style="font-size: 9pt">1</font></p>
<p><font size="2" style="font-size: 9pt">2</font></p>
<p><font size="2" style="font-size: 9pt">3</font></p>
<p><font size="2" style="font-size: 9pt">4</font></p>
<p><font size="2" style="font-size: 9pt">5</font></p>
<p><font size="2" style="font-size: 9pt">6</font></p>
<p><font size="2" style="font-size: 9pt">7</font></p>
<p><font size="2" style="font-size: 9pt">8</font></p>
<p><font size="2" style="font-size: 9pt">9</font></p>
<p><font size="2" style="font-size: 9pt">10</font></p>
<p><font size="2" style="font-size: 9pt">11</font></p>
<p><font size="2" style="font-size: 9pt">12</font></p>
<p><font size="2" style="font-size: 9pt">13</font></p>
<p><font size="2" style="font-size: 9pt">14</font></p>
<p><font size="2" style="font-size: 9pt">15</font></p>
<p><font size="2" style="font-size: 9pt">16</font></p>
<p><font size="2" style="font-size: 9pt">17</font></p>
<p><font size="2" style="font-size: 9pt">18</font></p>
<p><font size="2" style="font-size: 9pt">19</font></p>
<p><font size="2" style="font-size: 9pt">20</font></p>
<p><font size="2" style="font-size: 9pt">21</font></p>
<p><font size="2" style="font-size: 9pt">22</font></p>
<p><font size="2" style="font-size: 9pt">23</font></p>
<p><font size="2" style="font-size: 9pt">24</font></p>
<p><font size="2" style="font-size: 9pt">25</font></p>
<p><font size="2" style="font-size: 9pt">26</font></p>
<p><font size="2" style="font-size: 9pt">27</font></p>
<p><font size="2" style="font-size: 9pt">28</font></p>
<p><font size="2" style="font-size: 9pt">29</font></p>
<p><font size="2" style="font-size: 9pt">30</font></p>
</td>
<td style="border: none; padding: 0cm">
<div id="crayon-5f9b6b2f0d3aa656342966-1" dir="ltr">
<p>&lt;?php</p>
</div>
<div id="crayon-5f9b6b2f0d3aa656342966-2" dir="ltr">
<p>require_once (dirname(__FILE__) .
'/../simplesamlphp/lib/_autoload.php');</p>
</div>
<div id="crayon-5f9b6b2f0d3aa656342966-3" dir="ltr">
<p>$as = new SimpleSAML_Auth_Simple('default-sp');</p>
</div>
<div id="crayon-5f9b6b2f0d3aa656342966-4" dir="ltr">
<p>$as-&gt;requireAuth();</p>
</div>
<div id="crayon-5f9b6b2f0d3aa656342966-5" dir="ltr">
<p>&nbsp;</p>
</div>
<div id="crayon-5f9b6b2f0d3aa656342966-6" dir="ltr">
<p>$attributes = $as-&gt;getAttributes();</p>
</div>
<div id="crayon-5f9b6b2f0d3aa656342966-7" dir="ltr">
<p>&nbsp;</p>
</div>
<div id="crayon-5f9b6b2f0d3aa656342966-8" dir="ltr">
<p>?&gt;</p>
</div>
<div id="crayon-5f9b6b2f0d3aa656342966-9" dir="ltr">
<p>&lt;!DOCTYPE html&gt;</p>
</div>
<div id="crayon-5f9b6b2f0d3aa656342966-10" dir="ltr">
<p>&lt;html&gt;</p>
</div>
<div id="crayon-5f9b6b2f0d3aa656342966-11" dir="ltr">
<p>&lt;head&gt;</p>
</div>
<div id="crayon-5f9b6b2f0d3aa656342966-12" dir="ltr">
<p>&nbsp;&nbsp;&nbsp;&nbsp;&lt;meta http-equiv=&quot;Content-Type&quot;
content=&quot;text/html; charset=ISO-8859-1&quot;&gt;</p>
</div>
<div id="crayon-5f9b6b2f0d3aa656342966-13" dir="ltr">
<p>&nbsp;&nbsp;&nbsp;&nbsp;&lt;title&gt;Index Page&lt;/title&gt;</p>
</div>
<div id="crayon-5f9b6b2f0d3aa656342966-14" dir="ltr">
<p>&lt;/head&gt;</p>
</div>
<div id="crayon-5f9b6b2f0d3aa656342966-15" dir="ltr">
<p>&lt;body&gt;</p>
</div>
<div id="crayon-5f9b6b2f0d3aa656342966-16" dir="ltr">
<p>&nbsp;&nbsp;&nbsp;&nbsp;&lt;h2&gt;Index Page&lt;/h2&gt;</p>
</div>
<div id="crayon-5f9b6b2f0d3aa656342966-17" dir="ltr">
<p>&nbsp;&nbsp;&nbsp;&nbsp;&lt;h3&gt;Welcome
&lt;strong&gt;Authenticated User&lt;/strong&gt;!&lt;/h3&gt;</p>
</div>
<div id="crayon-5f9b6b2f0d3aa656342966-18" dir="ltr">
<p>&nbsp;&nbsp;&nbsp;&nbsp;&lt;h4&gt;Claim list:&lt;/h4&gt;</p>
</div>
<div id="crayon-5f9b6b2f0d3aa656342966-19" dir="ltr">
<p>&lt;?php</p>
</div>
<div id="crayon-5f9b6b2f0d3aa656342966-20" dir="ltr">
<p>echo '&lt;pre&gt;';</p>
</div>
<div id="crayon-5f9b6b2f0d3aa656342966-21" dir="ltr">
<p>print_r($attributes);</p>
</div>
<div id="crayon-5f9b6b2f0d3aa656342966-22" dir="ltr">
<p>echo '&lt;/pre&gt;';</p>
</div>
<div id="crayon-5f9b6b2f0d3aa656342966-23" dir="ltr">
<p>&nbsp;</p>
</div>
<div id="crayon-5f9b6b2f0d3aa656342966-24" dir="ltr">
<p>// Get a logout URL</p>
</div>
<div id="crayon-5f9b6b2f0d3aa656342966-25" dir="ltr">
<p>$url = $as-&gt;getLogoutURL();</p>
</div>
<div id="crayon-5f9b6b2f0d3aa656342966-26" dir="ltr">
<p>echo '&lt;a href=&quot;' . htmlspecialchars($url) .
'&quot;&gt;Logout&lt;/a&gt;';</p>
</div>
<div id="crayon-5f9b6b2f0d3aa656342966-27" dir="ltr">
<p>&nbsp;</p>
</div>
<div id="crayon-5f9b6b2f0d3aa656342966-28" dir="ltr">
<p>?&gt;</p>
</div>
<div id="crayon-5f9b6b2f0d3aa656342966-29" dir="ltr">
<p>&lt;/body&gt;</p>
</div>
<div id="crayon-5f9b6b2f0d3aa656342966-30" dir="ltr">
<p>&lt;/html&gt;</p>
</div>
</td>
</tr>
</table>
</div>
<p>This file requires authentication, so on line 2 it loads
SimpleSAMLphp’s autoloader from the main installation of
SimpleSAMLphp.</p>
<p>On line 3, we create a new object from the SimpleSAML_Auth_Simple
class but notice here we specify the authsource <font face="Courier New"><font size="2" style="font-size: 10pt">default-sp</font></font>
– that’s correct, we’re associating this application with the
<font face="Courier New"><font size="2" style="font-size: 10pt">default-sp</font></font>
auth source we created.</p>
<p>On line 4, we use the object and tell it we require
authentication. If the user is already authenticated, the script
proceeds to the next line; if not, they begin the authentication
process and are redirected to Azure AD to sign in. Once signed in,
they are redirected back to this page.</p>
<p>On line 6, we pull the attributes from the SAML token and store
them in the $attributes array. These are then used later (line 21) to
show the user their claims.</p>
<p>On line 25 we get a logout URL from the <font face="Courier New"><font size="2" style="font-size: 10pt">$as</font></font>
object and send that back to the interface so the user can click a
link to log out.</p>
<ol>
<li/>
<p style="margin-bottom: 0cm">The user navigates to the web
application. Given they’re not logged in, they’re automatically
redirected to the Azure AD sign in page.<br/>
<img src="Single_Sign_on_to_Azure_AD_using%20SimpleSAMLphp_html_dec2608edd73bf73.png" name="Imagen31" align="bottom" width="257" height="40" border="0"/>
</p>
<li/>
<p style="margin-bottom: 0cm">The user lands at the Azure AD
sign in page.<br/>
<img src="Single_Sign_on_to_Azure_AD_using%20SimpleSAMLphp_html_50ae7bc4871617aa.png" name="Imagen32" align="bottom" width="486" height="231" border="0"/>
</p>
<li/>
<p style="margin-bottom: 0cm">The user logs in with a valid
Azure AD account.<br/>
<em>Notice as well that the page also says
</em><em><font face="Courier New"><font size="2" style="font-size: 10pt">sso.lewisroberts.com</font></font></em><em>
– a bit of free branding.</em><br/>
<img src="Single_Sign_on_to_Azure_AD_using%20SimpleSAMLphp_html_8d239220edda0706.png" name="Imagen33" align="bottom" width="370" height="207" border="0"/>
</p>
<li/>
<p style="margin-bottom: 0cm">After successfully
authenticating, the user is redirected back to the site where they
can see their claims and a logout link.<br/>
<img src="Single_Sign_on_to_Azure_AD_using%20SimpleSAMLphp_html_da7360d37776a6ea.png" name="Imagen34" align="bottom" width="444" height="585" border="0"/>
</p>
<li/>
<p>When clicking the <strong>Logout</strong> link, the user is
logged out of their account.<br/>
<img src="Single_Sign_on_to_Azure_AD_using%20SimpleSAMLphp_html_94ef2c7a676780d4.png" name="Imagen35" align="bottom" width="564" height="305" border="0"/>
</p>
</ol>
<h1 class="western">A little something extra?</h1>
<p>One thing I’ve wondered while doing all this was whether we
could get additional claims through rather than just those few that
are shown in the screenshots. Something like groups would be great.
As it turns out, that feature was introduced at the back end of 2014.
I’ll run through it very quickly in the context of our application
but for more details (and how to handle users who might be members of
more than 150 groups (in SAML)) you really should <a href="http://www.dushyantgill.com/blog/2014/12/10/authorization-cloud-applications-using-ad-groups/">visit
the blog of Dushyant Gill</a>.</p>
<ol>
<li/>
<p style="margin-bottom: 0cm">In the Windows Azure management
portal, navigate to your application and click <strong>Manage
Manifest</strong> then <strong>Download Manifest</strong>.<br/>
<img src="Single_Sign_on_to_Azure_AD_using%20SimpleSAMLphp_html_e68bdd707b6f9230.png" name="Imagen36" align="bottom" width="356" height="328" border="0"/>
</p>
<li/>
<p style="margin-bottom: 0cm">Download the manifest file and
save it to disk. Leave the portal open, you’ll need it shortly.<br/>
<img src="Single_Sign_on_to_Azure_AD_using%20SimpleSAMLphp_html_4abeaf105fb46806.png" name="Imagen37" align="bottom" width="480" height="167" border="0"/>
</p>
<li/>
<p style="margin-bottom: 0cm">Open the file in any decent text
editor. I’ve chosen to do it in Visual Studio Code. Locate the
<font face="Courier New"><font size="2" style="font-size: 10pt">groupMembershipClaims</font></font>
value.<br/>
<img src="Single_Sign_on_to_Azure_AD_using%20SimpleSAMLphp_html_531db411762659d4.png" name="Imagen38" align="bottom" width="449" height="272" border="0"/>
</p>
<li/>
<p style="margin-bottom: 0cm">Change this to one of
<font face="Courier New"><font size="2" style="font-size: 10pt">SecurityGroup</font></font>
or <font face="Courier New"><font size="2" style="font-size: 10pt">All</font></font>.</p>
<ul>
<li/>
<p style="margin-bottom: 0cm"><font face="Courier New"><font size="2" style="font-size: 10pt">SecurityGroup</font></font>
– The <font face="Courier New"><font size="2" style="font-size: 10pt">groups</font></font>
claim will contain the identifiers of all security groups that the
user is a member of.
</p>
<li/>
<p style="margin-bottom: 0cm"><font face="Courier New"><font size="2" style="font-size: 10pt">All</font></font>
– The <font face="Courier New"><font size="2" style="font-size: 10pt">groups</font></font>
claim will contain the identifiers of all security groups and
distribution lists that the user is a member of.
</p>
</ul>
<li/>
<p style="margin-bottom: 0cm">I’ve chosen to enable just the
<font face="Courier New"><font size="2" style="font-size: 10pt">SecurityGroup</font></font>
option in the screenshot below. Save the file.<br/>
<img src="Single_Sign_on_to_Azure_AD_using%20SimpleSAMLphp_html_8387e801d583df2.png" name="Imagen39" align="bottom" width="456" height="229" border="0"/>
</p>
<li/>
<p style="margin-bottom: 0cm">Back on the portal site, click <strong>Manage
Manifest</strong> and then <strong>Upload Manifest</strong>.<br/>
<img src="Single_Sign_on_to_Azure_AD_using%20SimpleSAMLphp_html_be9cfe1d2f1232ae.png" name="Imagen40" align="bottom" width="230" height="141" border="0"/>
</p>
<li/>
<p style="margin-bottom: 0cm">Browse for the saved file and
then click the tick icon to upload it.<br/>
<img src="Single_Sign_on_to_Azure_AD_using%20SimpleSAMLphp_html_21be36e8b30e9e8.png" name="Imagen41" align="bottom" width="333" height="225" border="0"/>
</p>
<li/>
<p style="margin-bottom: 0cm"><strong>Dushyant’s post goes
on to mention that you should grant additional permissions in the
application. This is only really required </strong><strong><em>if</em></strong><strong>
you are going to be dealing with “overage” scenarios which means
users who are members of more than 150 groups, since these can’t
be included in the SAML token. Read <a href="http://www.dushyantgill.com/blog/2014/12/10/authorization-cloud-applications-using-ad-groups/">his
blog post for more info</a>. For our demo app purposes, our user is
a member of only one group.</strong></p>
<li/>
<p style="margin-bottom: 0cm">So, I’ve created a group in my
Azure AD and added the user to it. Note the <strong>Object ID</strong>,
this is the value that will be shown in the claim.<br/>
<img src="Single_Sign_on_to_Azure_AD_using%20SimpleSAMLphp_html_56a106814b1e0105.png" name="Imagen42" align="bottom" width="475" height="379" border="0"/>
<br/>
Members<br/>
<img src="Single_Sign_on_to_Azure_AD_using%20SimpleSAMLphp_html_ff4a1a630e232295.png" name="Imagen43" align="bottom" width="495" height="149" border="0"/>
</p>
<li/>
<p>Now if we retry our authentication (without making any
code changes to our <font face="Courier New"><font size="2" style="font-size: 10pt">index.php</font></font>
file) we see that the <font face="Courier New"><font size="2" style="font-size: 10pt">groups</font></font>
claim is carried through into the application. Of course this means
you can use it for security trimming etc. within your custom
app.<br/>
<img src="Single_Sign_on_to_Azure_AD_using%20SimpleSAMLphp_html_fce8d54ca6e2ec46.png" name="Imagen44" align="bottom" width="498" height="696" border="0"/>
<br/>
<em><strong>Note</strong></em><em>:
I noticed that there was another group id in the claim – I’m
assuming this is related to this user’s status as a Global
Administrator since if I authenticate as a user who is purely a
member of the LocalAzureAD group, the only groups claim attribute is
the Object ID of the LocalAzureAD group.</em><br/>
<img src="Single_Sign_on_to_Azure_AD_using%20SimpleSAMLphp_html_ba038090900fb500.png" name="Imagen45" align="bottom" width="447" height="122" border="0"/>
</p>
</ol>
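<p>The “security trimming” just mentioned, as an added example that is not part of the
original post: a variant of the earlier
<font face="Courier New"><font size="2" style="font-size: 10pt">index.php</font></font>
that only admits members of one Azure AD group, identified by its Object ID, and treats a
missing
<font face="Courier New"><font size="2" style="font-size: 10pt">groups</font></font>
claim as a deny because Azure AD withholds the claim for users in more than 150 groups.
It assumes the same SimpleSAMLphp layout and
<font face="Courier New"><font size="2" style="font-size: 10pt">default-sp</font></font>
authsource as before; the attribute name in
<font face="Courier New"><font size="2" style="font-size: 10pt">GROUPS_CLAIM</font></font>
is assumed and should be checked against the claim list shown by the test page, and
<font face="Courier New"><font size="2" style="font-size: 10pt">ALLOWED_GROUP_ID</font></font>
is a placeholder for your group’s Object ID.</p>

```php
<?php
/*
 * index.php variant that authorizes on the Azure AD groups claim. Added example, not
 * code from the original post. Assumes SimpleSAMLphp is installed one directory above
 * the web root (as in the earlier index.php) and that 'default-sp' is configured as in
 * this post. GROUPS_CLAIM and ALLOWED_GROUP_ID are assumptions/placeholders.
 */
require_once(dirname(__FILE__) . '/../simplesamlphp/lib/_autoload.php');

// Attribute name under which the groups claim arrives (assumed; verify it against the
// claim list SimpleSAMLphp shows after a test login).
define('GROUPS_CLAIM', 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groups');

// Object ID of the group permitted to use this page (placeholder, not a real ID).
define('ALLOWED_GROUP_ID', '11111111-2222-3333-4444-555555555555');

/**
 * Return true only if the groups attribute is present and lists $allowedGroupId.
 *
 * A missing or empty groups claim is a deny, not an "unknown": Azure AD omits the claim
 * for users in more than 150 groups (the overage case the post mentions), so a token
 * without the claim carries no evidence of membership either way.
 */
function isMemberOf(array $attributes, $allowedGroupId, $claim = GROUPS_CLAIM)
{
    if (empty($attributes[$claim]) || !is_array($attributes[$claim])) {
        return false;
    }
    // SimpleSAMLphp exposes every attribute as a list of string values. Object IDs are
    // GUIDs, so compare case-insensitively and ignore stray whitespace.
    foreach ($attributes[$claim] as $groupId) {
        if (strcasecmp(trim($groupId), $allowedGroupId) === 0) {
            return true;
        }
    }
    return false;
}

// Plain-text reason shown on the 403 page; escaped by the caller before output.
function denialMessage(array $attributes, $claim = GROUPS_CLAIM)
{
    if (!isset($attributes[$claim])) {
        return 'No groups claim was received. If you belong to many groups the claim may '
             . 'have been withheld (group overage); contact the administrator.';
    }
    return 'Your account is not a member of the group required for this application.';
}

$as = new SimpleSAML_Auth_Simple('default-sp');
$as->requireAuth();                 // unauthenticated users are sent to Azure AD as before
$attributes = $as->getAttributes();

if (!isMemberOf($attributes, ALLOWED_GROUP_ID)) {
    // Authenticated but not authorized: answer 403, show nothing else, and offer logout
    // so the user can switch to another account.
    header('HTTP/1.1 403 Forbidden');
    echo '<h2>Access denied</h2>';
    echo '<p>' . htmlspecialchars(denialMessage($attributes)) . '</p>';
    echo '<a href="' . htmlspecialchars($as->getLogoutURL()) . '">Logout</a>';
    exit;
}
?>
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>Index Page</title>
</head>
<body>
<h2>Index Page</h2>
<h3>Welcome, group member!</h3>
<h4>Groups claimed for you:</h4>
<ul>
<?php foreach ($attributes[GROUPS_CLAIM] as $groupId): ?>
    <li><?php echo htmlspecialchars($groupId); ?></li>
<?php endforeach; ?>
</ul>
<a href="<?php echo htmlspecialchars($as->getLogoutURL()); ?>">Logout</a>
</body>
</html>
```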
<p>So, another not insignificant post ends and hopefully you’ve
learned a little something along the way. Seeing that it’s possible
to pull group claims through into the application opens a lot of
possibilities for developers of bespoke PHP applications and I’m
sure it’ll be very handy to know in the future.</p>
<p>I think I’ve got one more post in me about SimpleSAMLphp and
that is probably going to be integrating SimpleSAMLphp with ADFS
2012R2. That post will hopefully be shorter since we’ll be
repeating a lot of the activities we’ve done above. For example,
instead of importing the federation metadata from our Azure
Application, we’ll import from the ADFS server and set that up in
SimpleSAMLphp. We’ll configure our PHP “application” as a
Relying Party Trust and get all the necessary information
automatically from simpleSAMLphp and finally configure the ADFS
server as the IdP for the application.</p>
</body>
</html>