This guide describes how to set up and configure NetScaler as saml service provider, protecting a very basic IIS hosted website. Requests get authenticated against a saml identity provider, here simplesamlphp. The guide further describes how to set up a basic CentOS installation via net install based on XenServer 6.0.2. Simplesamlphp will be installed and configured together with Apache and PHP and SSL.
The environment consists of two class c networks, 192.168.199.0/24 (dmz) and 192.168.200.0/24 (lab.local). In the dmz a NetScaler MPX resides which will be the SAML service provider in target configuration. Lab.local contains all internal services and the machine which will be set up throughout this guide.
This document is targeted towards a NetScaler and networking experienced audience. Hence some tools and basic knowledge may not be described here.
- Working and base configured NetScaler 10 MPX
- XenServer host with 8GB storage for virtual machine, 512MB of free RAM
- Network for guest vm with internet access
- CentOS install media (http://ftp.uni-bayreuth.de/linux/CentOS/6/isos/x86_64/CentOS-6.3-x86_64-netinstall.iso)
- Putty SSH client
- A certificate authority to sign the both certificates and it’s public key (“lab-ca.crt”, Base64 encoded)
- A certificate and private key for “centos.lab.local” (centos.lab.local.key / “centos.lab.local.cert”, Base64 encoded, no password for key)
- A certificate and private key for “aaa.lab.local” (“aaa.lab.local.key” / “aaa.lab.local.cert”, Base64 encoded, no password for key)
- DNS names of centos.lab.local (IdP), dclb.lab.local (protected LB VSERVER) and aaa.lab.local (AAA VSERVER) must be resolvable
Creation of XenServer guest
Log in to XenCenter and create a new guest vm with the given parameters
- 1 CPU
- 512 MB RAM
- 8 GB oh hdd
- 1 Network interface, connected to a network with internet access and DHCP (or configure the vm’s IP address manually later)
- DVD drive connected to the CentOS net install iso file
Installation of base system
After having completed the creation process XenServer will launch the newly created machine. When installation starts complete the steps with the following parameters
- Skip media test (as we are in lab)
- Language: English
- Installation Method: URL
- Configure TCP/IP: Enable IP v4 suport with DHCP only
- URL setup: http://mirror.centos.org/centos/6/os/x86_64
- Timezone settings: to fit your territory
- Root Password: chose one!
- Partitioning Type: replace existing Linux system
Once rebooted login using username root and the previously chosen password and find out the system’s ip address using the following command line.
[root@localhost ~]# ifconfig eth0
Now login using Putty, which makes it a lot easier to work with the system.
From now on all work can be done via Putty. Command line examples can be copied and pasted into Putty.
Configuration of base system
First install nano, an easy to use command line editor.
[root@localhost ~]# yum -y install nano
After having installed nano, some system parameters have to be changed. To save time a few tools need to be installed-
[root@localhost ~]# yum -y install system-config-network-tui system-config-firewall-base
Use system-config-network to update your network configuration.
[root@localhost ~]# system-config-network
Disable selinux, open selinux config and change line starting with
[root@localhost ~]# nano /etc/selinux/config (CTRL + X to save)
Stop and disable iptables.
[root@localhost ~]# /etc/init.d/iptables stop [root@localhost ~]# chkconfig iptables off
To restart the network interface with the newly configured parameters use the XenCenter console of your CentOS vm and enter the following lines.
[root@localhost ~]# ifdown eth0 [root@localhost ~]# ifup eth0
From now on connect to your CentOS vm using Putty and the new IP address.
Installation / Configuration of Apache, PHP, SSL
The system has been installed in a minimal configuration. No services more than basic things are running. As we will install a PHP script we first need a webserver equipped with scripting language support (PHP) and secure socket layer (SSL). To install apache and the addons the following commands need to be issued.
Install apache and php base:
[root@localhost ~]# yum -y install httpd mod_ssl php
Install needed php addons:
[root@localhost ~]# yum -y install php-xml php-ldap php-memcache
Try starting apache:
[root@localhost ~]# service httpd start
Now you can access the vm’s website using http://<configured ip>
<a href="/blogs/2012/08/24/174193098/bildschirmfoto-2012-08-16-um-18-08-30/" rel="attachment wp-att-174193126"><img class="alignnone size-medium wp-image-174193126" src="/blogs/wp-content/uploads/2012/08/Bildschirmfoto-2012-08-16-um-18.08.30-300x202.png" alt="" width="300" height="202" /></a>
To test the PHP installation create a new file called test.php in /var/www/html and fill it with the example below.
[root@localhost ~]# nano /var/www/html/test.php (CTRL + X to save)
<?php phpinfo(); ?>
PHP can be tested using a browser and the URL http://<configured ip>/test.php. The result should look like this.
Now the webserver is ready to be configured with a socket on port 443 tcp – obviously secured by ssl. To do this an ssl certificate is needed. This guide uses two seperate files, one containing the private key and another file containing the certificate. The certificate was made for the dns name “centos.lab.local”. As the files are relatively small they can be copied into the clipboard and pasted into the Putty session. To do this first change into the directory /etc/pki/tls/private and open a new file “centos.lab.local.key” with nano.
[root@localhost ~]# cd /etc/pki/tls/private/
[root@localhost private]# nano centos.lab.local.key
Paste the previously copied content of the private key into the Putty window by clicking the right mouse button and save the file with CTRL + X. Now change directory to /etc/pli/tls/certs and open a new file “centos.lab.local.cert” with nano.
[root@localhost certs]# nano centos.lab.local.cert
[root@localhost ~]# cd /etc/pki/tls/certs
To configure apache with the new certificate two values in the file /etc/httpd/conf.d/ssl.conf need to be changed using nano as follows.
After saving the file apache needs to be resarted using the following command line.
[root@localhost conf.d]# /etc/init.d/httpd restart
After apache has been restarted the default website is reachable on https, too.
Installation and configuration of Simplesamlphp
As the webserver is ready to host applications now the identity provider can be downloaded. To do this the easiest way to get the files to the CentOS machine is curl.
[root@localhost ~]# curl http://simplesamlphp.googlecode.com/files/simplesamlphp-1.9.1.tar.gz > /root/simplesamlphp.tar.gz
Tar needs to be used to unpack the downloaded archive.
[root@localhost ~]# tar -xvzf /root/simplesamlphp.tar.gz
To clean up things a bit the directories name needs to be changed to simplesamlphp.
[root@localhost ~]# mv simplesamlphp-1.9.1/ simplesamlphp
Now the whole directory needs to be copied to /var, because /root is a user folder.
[root@localhost ~]# mv simplesamlphp /var/
To make simplesamlphp’s webinterface visible to users apache needs to be configured with an alias. Open the file /etc/httpd/conf.d/ssl.conf with nano and scroll down to the end of the file. Locate the line “</VirtualHost>” and insert the following code on top of it.
Alias /simplesaml /var/simplesamlphp/www
[root@localhost ~]# /etc/init.d/httpd restart
Simlesamlphp is now accessible via https://<configured ip>/simplesaml. (Configure dns for the CentOS vm to get rid of certificate errors)
To be able to log in as administrator the file /var/simplesamlphp/config/config.php needs to be edited via nano. The following lines need to be changed.
Change “123” to a new and secure administrator password.
'auth.adminpassword' => '123',
Change “defaultsecretsalt” to some random string. E.g. “NetScalerRocks”.
'secretsalt' => 'defaultsecretsalt',
Change NULL to a PHP timezone (see http://php.net/manual/en/timezones.php)
'timezone' => NULL,
Change false to true.
'enable.saml20-idp' => false,
Save config.php with CTRL + X.
Enable the authentication via local test accounts.
[root@localhost ~]# mv /var/simplesamlphp/modules/exampleauth/default-disable /var/simplesamlphp/modules/exampleauth/default-enable
Now saml needs to be configured. First the IdP part needs some changes which need to be made in the file saml20-idp-hosted.php.
[root@localhost ~]# nano /var/simplesamlphp/metadata/saml20-idp-hosted.php
The following lines need to be added below the line
$metadata['__DYNAMIC:1__'] = array(
/* * Disable the message signing as the NetScaler does not understand this signature type */ 'saml20.sign.response' => FALSE, 'saml20.sign.assertion' => FALSE,
The following line needs to be configured with “example-userpass” for the local accounts to work.
'auth' => 'example-userpass',
Save the file and quit nano using CTRL+X. Now the IdP part is finished and the IdP needs to know how to deal with saml requests for certain service providers. This needs to be done in the file “saml20-sp-remote.php”.
[root@localhost ~]# nano /var/simplesamlphp/metadata/saml20-sp-remote.php
At the end of the file the following lines must be inserted. Quit nano using CTRL+X after insertion.
$metadata['dclb.lab.local'] = array( 'AssertionConsumerService' => 'http://dclb.lab.local/cgi/samlauth', );
As saml works with tickets and as tickets have a defined lifetime time synchronization between all systems is highly necessary. To have time on IdP in sync ntp needs to be installed. This can be done with the following commands.
[root@localhost ~]# yum -y install ntp [root@localhost ~]# chkconfig ntpd on [root@localhost ~]# ntpdate pool.ntp.org [root@localhost ~]# /etc/init.d/ntpd start
Now the system’s time gets synchronized with the NTP servers at pool.ntp.org.
In this example a default IIS page will be secured by a AAA VSERVER. To achieve this the following steps need to be performed.
- Copy lab-ca.crt, aaa.lab.local.key/.cert, centos.lab.local.cert onto NetScaler in direcory /nsconfig/ssl
- Install SSL certificates for CA, AAA VSERVER and IdP’s public key on NetScaler.
- Create AAA VSERVER with SAML authentication policy/server.
- Create a LB VSERVER with a backend SERVICE pointing to a Microsoft IIS server.
- Configure LB VSERVER with authentication.
Now the aaa.lab.local certificate needs to be linked to the LAB CA cert.
Now as the certificates are installed a AAA VSERVER listening on port 443 (ssl) can be added and configured with an authentication against the previously installed and configured saml IdP.
In NetScaler GUI switch to AAA-Application Traffic, Policies, Authentication, SAML create AAA authentication server and policy.
Create AAA VSERVER.
In NetScaler GUI switch to Load Balancing, Services and create a service pointing to an IIS server at the backend.
Switch to Virtual Servers and create LB VSERVER with authentication.
Now NetScaler is configured.
To test the environment point a browser to http://dclb.lab.local. NetScaler will mention there is no saml assertion in the request and will forward the browser to the configured redirect url (IdP). After logging in there the IdP will redirect the browser back to the originally requested resource.
Log in using student / studentpass.
IdP will check the login data and redirects to requested resource.
- Authorization with saml (affiliations)
- Authentication against ldap (Active Directory)