WIP: it works wahoo! and now for the cleanup

dist/identity-provider/authsources.php

@@ -1,21 +0,0 @@
-<?php
-
-declare(strict_types=1);
-$config = [
-    'admin' => [
-      'core:AdminPassword',
-    ],
-    'example-userpass' => [
-        'exampleauth:UserPass',
-        'users' => [
-            'user:user' => [
-                'uid' => ['user'],
-                'eduPersonAffiliation' => ['member', 'student'],
-            ],
-            'admin:admin' => [
-                'uid' => ['admin'],
-                'eduPersonAffiliation' => ['member', 'employee'],
-            ],
-        ],
-    ],
-];

dist/service-provider/authsources.php

@@ -11,7 +11,25 @@ $config = [
 
     'dev-sp' => [
       'saml:SP',
-      'entityID' => 'http://localhost:1080/simplesaml/',
-      'idp' => 'http://localhost:1080/simplesaml-idp/',
+      'entityID' => 'http://localhost:1080/simplesaml/sp',
+      'idp' => 'http://localhost:1080/simplesaml/idp',
+    ],
+
+    'example-userpass' => [
+        'exampleauth:UserPass',
+        'users' => [
+            'user:user' => [
+                'uid' => ['user'],
+                'eduPersonAffiliation' => ['member', 'student'],
+            ],
+            'admin:admin' => [
+                'uid' => ['admin'],
+                'eduPersonAffiliation' => ['member', 'employee'],
+            ],
+        ],
+    ],
+
+    'admin' => [
+      'core:AdminPassword',
     ],
 ];

dist/service-provider/config.php

@@ -190,7 +190,7 @@ $config = [
      * A possible way to generate a random salt is by running the following command from a unix shell:
      * LC_ALL=C tr -c -d '0123456789abcdefghijklmnopqrstuvwxyz' </dev/urandom | dd bs=32 count=1 2>/dev/null;echo
      */
-    'secretsalt' => $SAML_COOKIE_SALT,
+    'secretsalt' => 'supersecretandlongsaltvaluechangeit',
 
     /*
      * This password must be kept secret, and modified from the default value 123.
@@ -202,7 +202,7 @@ $config = [
      * ansible.builtin.password_hash(hashtype='blowfish', ident='2y', rounds=13)
      * to generate this hashed value.
      */
-    'auth.adminpassword' => $SAML_ADMIN_PASSWORD,
+    'auth.adminpassword' => '$argon2id$v=19$m=64,t=4,p=1$anU4QTExRXVDRzJNRkhqaw$VJ/LIKwUjH/9JJjdBbEQNXbTArli5Np9VkIlZx4A1aM',
 
     /*
      * Set this option to true if you want to require administrator password to access the metadata.
@@ -237,7 +237,7 @@ $config = [
      * Example:
      *   'trusted.url.domains' => ['sp.example.com', 'app.example.com'],
      */
-    'trusted.url.domains' => $SAML_TRUSTED_DOMAINS,
+    'trusted.url.domains' => [ 'localhost', 'localhost:1080' ],
 
     /*
      * Enable regular expression matching of trusted.url.domains.
@@ -338,7 +338,7 @@ $config = [
     'debug' => [
         'saml' => true,
         'backtraces' => true,
-        'validatexml' => false,
+        'validatexml' => true,
     ],
 
     /*
@@ -349,7 +349,7 @@ $config = [
      * the error to 'technicalcontact_email'.
      */
     'showerrors' => true,
-    'errorreporting' => false,
+    'errorreporting' => true,
 
     /*
      * When showerrors is true, this is an array of which errors
@@ -612,7 +612,7 @@ $config = [
      * one of the functionalities below, but in some cases you could run multiple functionalities.
      * In example when you are setting up a federation bridge.
      */
-    'enable.saml20-idp' => false,
+    'enable.saml20-idp' => true,
     'enable.adfs-idp' => false,
 
 
@@ -633,6 +633,7 @@ $config = [
      * ],
      */
     'module.enable' => [
+        'exampleauth' => true,
         'core' => true,
         'admin' => true,
         'saml' => true,
@@ -694,7 +695,7 @@ $config = [
      * Example:
      *  'session.cookie.domain' => '.example.org',
      */
-    'session.cookie.domain' => '',
+    // 'session.cookie.domain' => 'localhost',
 
     /*
      * Set the secure flag in the cookie.
@@ -705,7 +706,7 @@ $config = [
      *
      * If unset, SimpleSAMLphp will try to automatically determine the right value
      */
-    'session.cookie.secure' => $SAML_COOKIE_SECURE,
+    'session.cookie.secure' => false,
 
     /*
      * Set the SameSite attribute in the cookie.
@@ -724,14 +725,15 @@ $config = [
      * Example:
      *  'session.cookie.samesite' => 'None',
      */
-    'session.cookie.samesite' => $httpUtils->canSetSameSiteNone() ? 'None' : null,
+    // 'session.cookie.samesite' => $httpUtils->canSetSameSiteNone() ? 'None' : null,
+    'session.cookie.samesite' => 'Lax',
 
     /*
      * Options to override the default settings for php sessions.
      */
     'session.phpsession.cookiename' => 'SimpleSAML',
-    'session.phpsession.savepath' => null,
-    'session.phpsession.httponly' => true,
+    // 'session.phpsession.savepath' => '/home/h7x4/pvv/nettsiden/sessionstate',
+    'session.phpsession.httponly' => false,
 
     /*
      * Option to override the default settings for the auth token cookie
@@ -914,7 +916,7 @@ $config = [
     'language.cookie.name' => 'language',
     'language.cookie.domain' => '',
     'language.cookie.path' => '/',
-    'language.cookie.secure' => true,
+    'language.cookie.secure' => false,
     'language.cookie.httponly' => false,
     'language.cookie.lifetime' => (60 * 60 * 24 * 900),
     'language.cookie.samesite' => $httpUtils->canSetSameSiteNone() ? 'None' : null,
@@ -990,7 +992,7 @@ $config = [
      *
      * Defaults to true.
      */
-    'production' => true,
+    'production' => false,
 
     /*
      * SimpleSAMLphp modules can host static resources which are served through PHP.
@@ -1304,7 +1306,7 @@ $config = [
      *
      * The default datastore is 'phpsession'.
      */
-    'store.type'                    => 'phpsession',
+    'store.type'                    => 'sql',
 
     /*
      * The DSN the sql datastore should connect to.
@@ -1312,7 +1314,7 @@ $config = [
      * See http://www.php.net/manual/en/pdo.drivers.php for the various
      * syntaxes.
      */
-    'store.sql.dsn'                 => 'sqlite:/path/to/sqlitedatabase.sq3',
+    'store.sql.dsn'                 => 'sqlite:/home/h7x4/pvv/nettsiden/session.sqlite',
 
     /*
      * The username and password to use when connecting to the database.

dist/service-provider/saml20-idp-hosted.php

@@ -2,7 +2,7 @@
 
 declare(strict_types=1);
 
-$metadata['http://localhost:1080/simplesaml-idp/'] =  [
+$metadata['http://localhost:1080/simplesaml/idp'] =  [
     'host' => '__DEFAULT__',
     'privatekey' => 'localhost.pem',
     'certificate' => 'localhost.crt',

dist/service-provider/saml20-idp-remote.php

@@ -21,20 +21,30 @@ $metadata['https://idp.pvv.ntnu.no/'] =  [
     'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
 ];
 
-$metadata['http://localhost:1080/simplesaml-idp/'] =  [
+function getCertData(string $path): string
+{
+    $cert = file_get_contents($path);
+    $cert = str_replace("-----BEGIN CERTIFICATE-----", "", $cert);
+    $cert = str_replace("-----END CERTIFICATE-----", "", $cert);
+    $cert = str_replace(["\r", "\n"], "", $cert);
+    return $cert;
+}
+
+$metadata['http://localhost:1080/simplesaml/idp'] =  [
     'metadata-set' => 'saml20-idp-remote',
-    'entityid' => 'https://localhost:1080/',
+    'entityid' => 'https://localhost:1080/simplesaml/idp',
     'SingleSignOnService' => [
         0 => [
             'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
-            'Location' => 'http://localhost:1080/simplesaml-idp/simplesaml/saml2/idp/SSOService.php',
+            'Location' => 'http://localhost:1080/simplesaml/saml2/idp/SSOService.php',
         ],
     ],
     'SingleLogoutService' => [
         0 => [
             'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
-            'Location' => 'http://localhost:1080/simplesaml-idp/simplesaml/saml2/idp/SingleLogoutService.php',
+            'Location' => 'http://localhost:1080/simplesaml/saml2/idp/SingleLogoutService.php',
         ],
     ],
+    'certData' => getCertData(__DIR__ . '/../cert/localhost.crt'),
     'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
 ];

dist/service-provider/saml20-sp-remote.php

@@ -1,15 +1,15 @@
 <?php
 
-$metadata['http://localhost:1080/simplesaml/module.php/saml/sp/metadata.php/default-sp'] = [
+$metadata['http://localhost:1080/simplesaml/sp'] = [
     'AssertionConsumerService' => [
         [
-            'Location' => 'http://localhost:1080/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp',
+            'Location' => 'http://localhost:1080/simplesaml/module.php/saml/sp/saml2-acs.php/dev-sp',
             'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
         ],
     ],
     'SingleLogoutService' => [
         [
-            'Location' => 'http://localhost:1080/simplesaml/module.php/saml/sp/saml2-logout.php/default-sp',
+            'Location' => 'http://localhost:1080/simplesaml/module.php/saml/sp/saml2-logout.php/dev-sp',
             'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
         ],
     ],

nix/shell.nix

@@ -29,18 +29,20 @@ pkgs.mkShellNoCC {
       pushd "$PROJECT_ROOT"
       composer install || exit $?
 
-      cp -r vendor/simplesamlphp vendor/simplesamlphp-idp
+      # cp -r vendor/simplesamlphp vendor/simplesamlphp-idp
 
       # Set up SimpleSAMLphp service provider
-      install dist/service-provider/authsources.php vendor/simplesamlphp/simplesamlphp/config/authsources.php
-      install dist/service-provider/config.php vendor/simplesamlphp/simplesamlphp/config/config.php
-      install dist/service-provider/saml20-idp-remote.php vendor/simplesamlphp/simplesamlphp/metadata/saml20-idp-remote.php
+      install -m644 dist/service-provider/authsources.php -t vendor/simplesamlphp/simplesamlphp/config/
+      install -m644 dist/service-provider/config.php -t vendor/simplesamlphp/simplesamlphp/config/
+      install -m644 dist/service-provider/saml20-idp-remote.php -t vendor/simplesamlphp/simplesamlphp/metadata/
+      install -m644 dist/service-provider/saml20-idp-hosted.php -t vendor/simplesamlphp/simplesamlphp/metadata/
+      install -m644 dist/service-provider/saml20-sp-remote.php -t vendor/simplesamlphp/simplesamlphp/metadata/
 
       # Set up SimpleSAMLphp identity provider (for local testing)
-      install dist/identity-provider/authsources.php vendor/simplesamlphp-idp/simplesamlphp/config/authsources.php
-      install dist/identity-provider/config.php vendor/simplesamlphp-idp/simplesamlphp/config/config.php
-      install dist/identity-provider/saml20-idp-hosted.php vendor/simplesamlphp-idp/simplesamlphp/metadata/saml20-idp-hosted.php
-      install dist/identity-provider/saml20-sp-remote.php vendor/simplesamlphp-idp/simplesamlphp/metadata/saml20-sp-remote.php
+      # install -m644 dist/identity-provider/authsources.php -t vendor/simplesamlphp-idp/simplesamlphp/config/
+      # install -m644 dist/identity-provider/config.php -t vendor/simplesamlphp-idp/simplesamlphp/config/
+      # install -m644 dist/identity-provider/saml20-idp-hosted.php -t vendor/simplesamlphp-idp/simplesamlphp/metadata/
+      # install -m644 dist/identity-provider/saml20-sp-remote.php -t vendor/simplesamlphp-idp/simplesamlphp/metadata/
 
       openssl req \
         -newkey rsa:4096 \
@@ -48,14 +50,14 @@ pkgs.mkShellNoCC {
         -x509 \
         -days 3652 \
         -nodes \
-        -out vendor/simplesamlphp-idp/simplesamlphp/cert/localhost.crt \
-        -keyout vendor/simplesamlphp-idp/simplesamlphp/cert/localhost.pem \
+        -out vendor/simplesamlphp/simplesamlphp/cert/localhost.crt \
+        -keyout vendor/simplesamlphp/simplesamlphp/cert/localhost.pem \
         -subj "/C=NO/ST=Trondheim/L=Trondheim/O=Programvareverkstedet/CN=localhost"
 
       cp dist/config.local.php config.php
 
       ln -s ../vendor/simplesamlphp/simplesamlphp/public/ www/simplesaml
-      ln -s ../vendor/simplesamlphp-idp/simplesamlphp/public/ www/simplesaml-idp
+      # ln -s ../vendor/simplesamlphp-idp/simplesamlphp/public/ www/simplesaml-idp
       popd
     fi
   '';