Version 1, last updated by maarten.koopmans at May 13, 2011 11:51 UTC

What

This page describes SAML working with Lift, simplesamlPHP, memcached and Apache 2.2 as reverse proxy, plus mod_perl to make it really multi-everything. Keep in mind that this road has been chosen because it is the easiest way to success in terms of turnaround time. This will give you a reverse proxied Lift setup that can hook into quite a lot of (federated) SSO systems!

Why these components?

First, Apache 2.2 was chosen because that one works best later on with simplesamlphp and mod_authmemcookie. Authmemcookie is simplesaml’s way of working with non-PHP applications. The Apache authmemcookie module is a pain to compile, so we use mod_perl and the CPAN module Apache::Auth::AuthMemCookie which works flawlessly. Simplesaml was chosen because it’s pretty simple and supports quite a few SSO systems (SAML, openid, OAuth, Facebook, LDAP, SQL…). Now that we’ve had the rationales, on to the “HOWTO”:

  • Install Apache 2.2 with mod_php and mod_perl. Make sure that mod_php meets the prerequisites of simplesaml (check the simplesamlphp install docs, they are excellent)
  • Set up and install simplesaml as SP (Service Provider) and use the test IdP to test your install. If you follow their docs you’ll get there quite fast.
  • Install and start memcached on the same machine as Apache to hold the authmem cookies: memcached -p 11211 -v
  • Install Apache::Auth::AuthMemCookie from CPAN. I ran “perl -MCPAN -e shell” and then typed “install Apache::Auth::AuthMemCookie” … done.

Now we need to set up Apache as reverse proxy, and protect a location (say “/static” from the basic project). I assume Lift runs on localhost:8080.

Assuming that you load mod_php and mod_perl in the main config, I’ve added a virtualhost that looks like this:

<VirtualHost *>
 ServerName yourhost
 DocumentRoot /path/to/root
 Alias /simplesaml /var/simplesaml/www
 AddType application/x-httpd-php .php

 ProxyPass /simplesaml !
 ProxyPass / http://localhost:8080/
 ProxyPassReverse / http://localhost:8080/
 ProxyPassReverseCookieDomain localhost:8080 yourhost

 PerlModule Apache::Auth::AuthMemCookie
 PerlAuthenHandler Apache::Auth::AuthMemCookie::authen_handler
 PerlSetVar AuthMemCookie "AuthMemCookie"
 PerlSetVar AuthMemServers "127.0.0.1:11211"
 # if you want to debug set to 1
 PerlSetVar AuthMemDebug 0
 # use headers instead of ENV vars
 PerlSetVar AuthMemAttrsInHeaders 1

 <Location /static>
   # get redirected here when not authorised
   ErrorDocument 401 "/simplesaml/authmemcookie.php"
   AuthType Cookie
   AuthName "My Login"
   Require valid-user
 </Location>
</VirtualHost>

<Directory /var/simplesaml>
 Options All
 Allow from all
</Directory>
<Directory /path/to/root>
 Options All
 Allow from all
</Directory>

What happens is not that complicated: we add a virtual host, and set up an alias for simplesaml (as per their docs). We then have a few Proxy instructions to get Apache running as reverse proxy, passing everything to Lift except the authmemcookie stuff from simplesaml (the “ProxyPass /simplesaml !” line excludes it from proxying).

Then there are a few lines setting up the Perl module that works with AuthMemCookie, as per the example code in Apache::Auth::AuthMemCookie. Most of these are self-explanatory.

Then the Location /static – that is the way to protect the /static part of your Lift app. When going there, simplesamlphp will be invoked, authenticate you at your IdP and redirect you back. All attributes will be stored in the memcookie record in memcached and passed on as header values, per the AuthMemAttrsInHeaders Perl directive above.

Finally, the Directory locations make everything very accessible – you want to tighten the Options in production!

This works like a charm – now you can fetch the user id from the header or memcached (use the value of the AuthMemCookie cookie as key) and use that to personalize after logging in for the first time.
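To show what the application behind the proxy actually has to do with that cookie, here is an added example (not code from the wiki page, from Lift or from simplesamlphp): it takes the AuthMemCookie value out of the request’s Cookie header, uses it as the memcached key, and parses the stored record into attributes. It assumes the record is a set of “Name=Value” lines separated by CRLF (the mod_auth_memcookie layout; check the authmemcookie.php of your simplesamlphp version for the exact field names), and it replaces memcached with a constructed in-memory dict so it runs offline. The sample cookie value, user name and attribute values are all made up.

```python
"""Backend-side handling of an AuthMemCookie session (added example).

Assumptions, not taken from the wiki page:
  * the memcached record is "Name=Value\r\n" lines (mod_auth_memcookie style);
  * memcached is replaced by FAKE_MEMCACHED, a constructed in-memory dict.
"""
import re
from http.cookies import SimpleCookie
from typing import Dict, Optional

COOKIE_NAME = "AuthMemCookie"  # same name as PerlSetVar AuthMemCookie in the vhost

# memcached keys may not contain whitespace or control characters, so we only
# forward cookie values that look like a session id (assumed character set).
KEY_RE = re.compile(r"^[A-Za-z0-9_-]{1,250}$")

# Constructed stand-in for memcached: key = cookie value, value = raw record.
FAKE_MEMCACHED: Dict[str, bytes] = {
    "3f9a1c7e5b2d4a8f": (
        b"UserName=alice@example.org\r\n"
        b"Groups=staff:admins\r\n"
        b"RemoteIP=203.0.113.7\r\n"
        b"Expiration=1305290000\r\n"
        b"mail=alice@example.org\r\n"
    ),
}


def cookie_key(cookie_header: Optional[str]) -> Optional[str]:
    """Return the AuthMemCookie value (the memcached key) from a Cookie header."""
    if not cookie_header:
        return None
    jar = SimpleCookie()
    jar.load(cookie_header)
    morsel = jar.get(COOKIE_NAME)
    return morsel.value if morsel else None


def parse_record(raw: bytes) -> Dict[str, str]:
    """Parse 'Name=Value' CRLF lines; a later duplicate name overwrites an earlier one."""
    attrs: Dict[str, str] = {}
    for line in raw.decode("utf-8").split("\r\n"):
        if "=" not in line:
            continue  # blank or malformed line
        name, value = line.split("=", 1)  # values may themselves contain '='
        attrs[name] = value
    return attrs


def session_attributes(headers: Dict[str, str],
                       store: Dict[str, bytes] = FAKE_MEMCACHED) -> Optional[Dict[str, str]]:
    """Look the request's cookie up in the (fake) memcached and return its attributes."""
    key = cookie_key(headers.get("Cookie"))
    if key is None or not KEY_RE.match(key):
        return None  # no session cookie, or a value we refuse to use as a key
    raw = store.get(key)
    if raw is None:
        return None  # cookie present but no live session behind it
    return parse_record(raw)


def user_id(headers: Dict[str, str]) -> Optional[str]:
    """Convenience: the UserName field, or None when there is no valid session."""
    attrs = session_attributes(headers)
    return attrs.get("UserName") if attrs else None


if __name__ == "__main__":
    request_headers = {"Cookie": "AuthMemCookie=3f9a1c7e5b2d4a8f; other=1"}
    print(user_id(request_headers))
```

Because the vhost above proxies everything to localhost:8080, the Lift side should listen on the loopback interface only, so that the only path to the application is through the authenticating proxy; the cookie lookup itself is then the single source of truth for who the user is.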

Some links
CPAN
SimpleSAMLPHP