Update to SimpleSAMLphp 2

ansible/roles/service-simplesamlphp/files/config.php

@@ -4,18 +4,22 @@
 
 require "/var/simplesamlphp/config/secrets.php";
 
+$httpUtils = new \SimpleSAML\Utils\HTTP();
+
 $config = [
   "baseurlpath" => "https://foreningenbs.no/simplesaml/",
   "certdir" => "cert/",
   "loggingdir" => "/storage/log/",
   "datadir" => "/storage/data/",
   "tempdir" => "/tmp/simplesamlphp",
-  "debug" => true,
-  "showerrors" => true,
-  "errorreporting" => true,
-  "debug.validatexml" => false,
+  "debug" => [
+    "saml" => false,
+    "backtraces" => true,
+    "validatexml" => false,
+  ],
+  "showerrors" => false,
+  "errorreporting" => false,
   "auth.adminpassword" => $secret_auth_adminpass,
-  "admin.protectindexpage" => false,
   "admin.protectmetadata" => false,
   "secretsalt" => $secret_secretsalt,
   "technicalcontact_name" => "IT-gruppa",
@@ -29,10 +33,7 @@
   "logging.logfile" => "simplesamlphp.log",
   "statistics.out" => [],
   "enable.saml20-idp" => true,
-  "enable.shib13-idp" => false,
   "enable.adfs-idp" => false,
-  "enable.wsfed-sp" => false,
-  "enable.authmemcookie" => false,
   "session.duration" => 8 * (60 * 60), // 8 hours.
   "session.datastore.timeout" => (4 * 60 * 60), // 4 hours
   "session.state.timeout" => (60 * 60), // 1 hour
@@ -41,6 +42,7 @@
   "session.cookie.path" => "/",
   "session.cookie.domain" => null,
   "session.cookie.secure" => true,
+  "session.cookie.samesite" => $httpUtils->canSetSameSiteNone() ? "None" : null,
   "session.disable_fallback" => false,
   "enable.http_post" => false,
   "session.phpsession.cookiename" => null,
@@ -51,9 +53,9 @@
   "session.rememberme.checked" => true,
   "session.rememberme.lifetime" => (14 * 86400),
   "language.available" => [
-    "en", "no", "nn", "se", "da", "de", "sv", "fi", "es", "fr", "it", "nl", "lb", "cs",
-    "sl", "lt", "hr", "hu", "pl", "pt", "pt-br", "tr", "ja", "zh", "zh-tw", "ru", "et",
-    "he", "id", "sr", "lv", "ro", "eu"
+    "en", "no", "nn", "se", "da", "de", "sv", "fi", "es", "ca", "fr", "it", "nl", "lb",
+    "cs", "sk", "sl", "lt", "hr", "hu", "pl", "pt", "pt-br", "tr", "ja", "zh", "zh-tw",
+    "ru", "et", "he", "id", "sr", "lv", "ro", "eu", "el", "af", "zu", "xh", "st",
   ],
   "language.rtl" => ["ar", "dv", "fa", "ur", "he"],
   "language.default" => "no",
@@ -63,15 +65,13 @@
   "language.cookie.domain" => null,
   "language.cookie.path" => "/",
   "language.cookie.lifetime" => (60 * 60 * 24 * 900),
-  "attributes.extradictionary" => null,
+  "language.cookie.samesite" => $httpUtils->canSetSameSiteNone() ? "None" : null,
   "theme.use" => "fbs:bstheme",
-  "default-wsfed-idp" => "urn:federation:pingfederate:localhost",
   "idpdisco.enableremember" => true,
   "idpdisco.rememberchecked" => true,
   "idpdisco.validate" => true,
   "idpdisco.extDiscoveryStorage" => null,
   "idpdisco.layout" => "dropdown",
-  "shib13.signresponse" => true,
   "authproc.idp" => [
     10 => [
       "class" => "saml:TransientNameID",
@@ -84,6 +84,7 @@
   "authproc.sp" => [
     90 => "core:LanguageAdaptor",
   ],
+  "metadatadir" => "metadata",
   "metadata.sources" => [
     ["type" => "flatfile"],
   ],
@@ -97,7 +98,16 @@
   "metadata.sign.privatekey_pass" => null,
   "metadata.sign.certificate" => null,
   "proxy" => null,
-  "trusted.url.domains" => null,
+  "trusted.url.domains" => ["foreningenbs.no"],
+  "module.enable" => [
+    "admin" => true,
+    "authoauth2" => true,
+    "fbs" => true,
+    "multiauth" => true,
+  ],
+  'headers.security' => [
+    'Content-Security-Policy' => "default-src 'none'; frame-ancestors 'self'; object-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline' https://maxcdn.bootstrapcdn.com; font-src 'self' https://maxcdn.bootstrapcdn.com; connect-src 'self'; img-src 'self' data:; base-uri 'none'",
+  ],
 ];
 
 // For local development to override this config.

ansible/roles/service-simplesamlphp/files/saml20-idp-hosted.php

@@ -6,7 +6,10 @@
 
 require "/var/simplesamlphp/config/secrets.php";
 
-$metadata["__DYNAMIC:1__"] = [
+$httpUtils = new \SimpleSAML\Utils\HTTP();
+$prefix = $httpUtils->getBaseURL();
+
+$metadata[$prefix . "saml2/idp/metadata.php"] = [
   "host" => "__DEFAULT__",
   // Relative to cert directory.
   "privatekey" => "idp.foreningenbs.no.key",

services/simplesamlphp/Dockerfile

@@ -1,11 +1,5 @@
 FROM php:8.1-apache
 
-# Se latest at https://simplesamlphp.org/download/
-ENV SIMPLESAMLPHP_VERSION=1.19.6
-ENV SIMPLESAMLPHP_SHA256=834bb4a89d63d7498e77cceb49e01b919d1c0a6a3d38a992f905810dad424b7c
-
-ENV COMPOSER_VERSION=2.3.10
-
 RUN set -eux; \
     apt-get update; \
     apt-get install -y --no-install-recommends \
@@ -17,28 +11,29 @@ RUN set -eux; \
     ; \
     rm -rf /var/lib/apt/lists/*
 
-RUN set -eux; \
-    # Set up composer.
-    echo "$(wget -q -O- https://composer.github.io/installer.sig)  composer-setup.php" >composer-setup.php.sha384; \
-    wget -O composer-setup.php https://getcomposer.org/installer; \
-    sha384sum -c composer-setup.php.sha384; \
-    php composer-setup.php --install-dir=/usr/local/bin --filename=composer --quiet; \
-    rm composer-setup.php; \
-    rm composer-setup.php.sha384
+COPY --from=composer:2 /usr/bin/composer /usr/local/bin/composer
 
 RUN set -eux; \
     mkdir /var/simplesamlphp; \
     chown www-data:www-data /var/simplesamlphp /var/www
 
+# renovate: datasource=github-tags depName=https://github.com/simplesamlphp/simplesamlphp.git
+ENV SIMPLESAMLPHP_VERSION=2.2.1
+
+# renovate: datasource=git-refs depName=https://github.com/blindern/simplesamlphp-module-authoauth2.git tag=master
+ENV AUTHOAUTH2_COMMIT=cf49ce136d9f7829e967c5855896b7aee64c3c2c
+
+# renovate: datasource=git-refs depName=https://github.com/blindern/simplesamlphp-module-fbs.git tag=master
+ENV FBS_COMMIT=856a9e75bb026f2f0ddd9ec32785aa2ad4b99a00
+
 USER www-data
 
 RUN set -eux; \
     # Install SimpleSAMLphp.
     # See https://simplesamlphp.org/docs/stable/simplesamlphp-install
     cd /var/simplesamlphp; \
-    curl -fSL "https://github.com/simplesamlphp/simplesamlphp/releases/download/v$SIMPLESAMLPHP_VERSION/simplesamlphp-$SIMPLESAMLPHP_VERSION.tar.gz" \
+    curl -fSL "https://github.com/simplesamlphp/simplesamlphp/releases/download/v$SIMPLESAMLPHP_VERSION/simplesamlphp-$SIMPLESAMLPHP_VERSION-slim.tar.gz" \
       -o simplesamlphp.tar.gz; \
-    echo "$SIMPLESAMLPHP_SHA256 *simplesamlphp.tar.gz" | sha256sum -c -; \
     tar --strip-components=1 -zxf simplesamlphp.tar.gz; \
     rm simplesamlphp.tar.gz; \
     \
@@ -49,8 +44,8 @@ RUN set -eux; \
         {"type": "git", "url": "https://github.com/blindern/simplesamlphp-module-fbs"},\
         {"type": "git", "url": "https://github.com/blindern/simplesamlphp-module-authoauth2"}]' \
       >composer.json; \
-    composer require --ignore-platform-reqs cirrusidentity/simplesamlphp-module-authoauth2 "dev-master#21856d8"; \
-    composer require --ignore-platform-reqs blindern/simplesamlphp-module-fbs "dev-master#6eef140"; \
+    composer require --ignore-platform-reqs cirrusidentity/simplesamlphp-module-authoauth2 "dev-ssp2#${AUTHOAUTH2_COMMIT}"; \
+    composer require --ignore-platform-reqs blindern/simplesamlphp-module-fbs "dev-master#${FBS_COMMIT}"; \
     composer clear-cache
 
 COPY site.conf /etc/apache2/sites-enabled/000-default.conf

services/simplesamlphp/README.md

@@ -13,3 +13,15 @@ docker-compose exec simplesamlphp chown www-data:www-data /storage
 ```
 
 http://localhost:8888/simplesaml/
+
+## Testing full flow
+
+See https://github.com/blindern/intern
+
+Run `intern/backend` with the `DEV_SSO` env set.
+
+```bash
+DEV_SSO=true php artisan serve --port 8081
+```
+
+Trigger login flow at http://localhost:8081/intern/api/saml2/login

services/simplesamlphp/config-override.php

@@ -2,3 +2,5 @@
 
 $config["baseurlpath"] = "http://localhost:8888/simplesaml/";
 $config["session.cookie.secure"] = false;
+$config["session.cookie.samesite"] = "Lax";
+$config["language.cookie.samesite"] = "Lax";

services/simplesamlphp/site.conf

@@ -1,12 +1,12 @@
 <VirtualHost *:80>
   ServerAdmin webmaster@localhost
   DocumentRoot /var/www/html
-  Alias /simplesaml /var/simplesamlphp/www
+  Alias /simplesaml /var/simplesamlphp/public
 
   ErrorLog ${APACHE_LOG_DIR}/error.log
   CustomLog ${APACHE_LOG_DIR}/access.log combined
 
-  <Directory "/var/simplesamlphp/www">
+  <Directory "/var/simplesamlphp/public">
     Require all granted
   </Directory>
 </VirtualHost>