First stab at SimpleSAMLPHP

Main issue is how to customise the virtual host configuration of the
Mediawiki container to pass /simplesamlphp/ through to the right
directory (or reverse proxy to the `simplesamlphp` container)

compose.yml

@@ -34,6 +34,7 @@ services:
     volumes:
       - 'mediawiki_images:/var/www/html/images'
       - 'parsoid:/usr/lib/parsoid'
+      - 'simplesaml:/var/www/html/simplesamlphp'
     configs:
       - source: LocalSettings_conf
         target: /var/www/html/LocalSettings.php
@@ -60,11 +61,38 @@ services:
         - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
         - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
     entrypoint: /docker-entrypoint2.sh
+  simplesamlphp:
+    image: venatorfox/simplesamlphp:latest
+    environment:
+      - CONFIG_BASEURLPATH=${DOMAIN}/simplesamlphp
+      - CONFIG_AUTHADMINPASSWORD={SSHA256}MjJSiMlkQLa+fqI+CmQ1x1oUJ7OGucYpznKxBBHpgfC+Oh+7B9vgGw==
+      - CONFIG_SECRETSALT=exampleabcdefghijklmnopqrstuvwxy
+      - CONFIG_TECHNICALCONTACT_NAME=Adam W Zheng
+      - CONFIG_TECHNICALCONTACT_EMAIL=helo@autonomic.zone
+      - CONFIG_SHOWERRORS=true
+      - CONFIG_ERRORREPORTING=true
+      - CONFIG_ADMINPROTECTINDEXPAGE=true
+      - CONFIG_LOGGINGLEVEL=INFO
+      - CONFIG_ENABLESAML20IDP=true
+      #- CONFIG_STORETYPE=memcache
+      #- CONFIG_MEMCACHESTOREPREFIX=simplesamlphp
+      #- CONFIG_MEMCACHESTORESERVERS=    'memcache_store.servers' => [\n        [\n             ['hostname' => 'some-memcacheda01'],\n             ['hostname' => 'some-memcacheda02'],\n        ],\n        [\n             ['hostname' => 'some-memcachedb01'],\n             ['hostname' => 'some-memcachedb02'],\n        ],
+      - OPENLDAP_TLS_REQCERT=allow
+      - MTA_NULLCLIENT=false
+      - POSTFIX_MYHOSTNAME=${DOMAIN}
+      - POSTFIX_MYORIGIN=$$mydomain
+      - POSTFIX_INETINTERFACES=loopback-only
+      - DOCKER_REDIRECTLOGS=true
+    volumes:
+      - simplesaml:/var/simplesamlphp/
+    networks:
+      - internal
 
 volumes:
   mariadb:
   mediawiki_images:
   parsoid:
+  simplesaml:
 
 networks:
   proxy:

metadata/saml20-idp-hosted.php

@@ -0,0 +1,93 @@
+<?php
+/**
+ * SAML 2.0 IdP configuration for SimpleSAMLphp.
+ *
+ * See: https://simplesamlphp.org/docs/stable/simplesamlphp-reference-idp-hosted
+ */
+
+$metadata['__DYNAMIC:1__'] = array(
+	/*
+	 * The hostname of the server (VHOST) that will use this SAML entity.
+	 *
+	 * Can be '__DEFAULT__', to use this entry by default.
+	 */
+	'host' => 'wisera.auth.dev.iww.org.uk',
+
+	// X.509 key and certificate. Relative to the cert directory.
+	'privatekey' => 'saml.pem',
+	'certificate' => 'saml.crt',
+
+	/*
+	 * Authentication source to use. Must be one that is configured in
+	 * 'config/authsources.php'.
+	 */
+	'auth' => 'live',
+
+	/*
+	 * WARNING: SHA-1 is disallowed starting January the 1st, 2014.
+	 *
+	 * Uncomment the following option to start using SHA-256 for your signatures.
+	 * Currently, SimpleSAMLphp defaults to SHA-1, which has been deprecated since
+	 * 2011, and will be disallowed by NIST as of 2014. Please refer to the following
+	 * document for more information:
+	 * 
+	 * http://csrc.nist.gov/publications/nistpubs/800-131A/sp800-131A.pdf
+	 *
+	 * If you are uncertain about service providers supporting SHA-256 or other
+	 * algorithms of the SHA-2 family, you can configure it individually in the
+	 * SP-remote metadata set for those that support it. Once you are certain that
+	 * all your configured SPs support SHA-2, you can safely remove the configuration
+	 * options in the SP-remote metadata set and uncomment the following option.
+	 *
+	 * Please refer to the IdP hosted reference for more information.
+	 */
+	'signature.algorithm' => 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256',
+
+	/* Uncomment the following to use the uri NameFormat on attributes. */
+	/*
+	'attributes.NameFormat' => 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri',
+	'authproc' => array(
+		// Convert LDAP names to oids.
+		100 => array('class' => 'core:AttributeMap', 'name2oid'),
+	),
+	*/
+
+	/*
+	 * Uncomment the following to specify the registration information in the
+	 * exported metadata. Refer to:
+     * http://docs.oasis-open.org/security/saml/Post2.0/saml-metadata-rpi/v1.0/cs01/saml-metadata-rpi-v1.0-cs01.html
+	 * for more information.
+	 */
+	/*
+	'RegistrationInfo' => array(
+		'authority' => 'urn:mace:example.org',
+		'instant' => '2008-01-17T11:28:03Z',
+		'policies' => array(
+			'en' => 'http://example.org/policy',
+			'es' => 'http://example.org/politica',
+		),
+	),
+	*/
+);
+
+$metadata['__DYNAMIC:2__'] = array(
+	'host' => 'nara.auth.dev.iww.org.uk',
+
+	'privatekey' => 'saml.pem',
+	'certificate' => 'saml.crt',
+
+	'auth' => 'redcard',
+
+	'signature.algorithm' => 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256',
+);
+
+$metadata['__DYNAMIC:3__'] = array(
+	'host' => 'auth.dev.iww.org.uk',
+
+	'privatekey' => 'saml.pem',
+	'certificate' => 'saml.crt',
+
+	'auth' => 'default-sp',
+
+	'signature.algorithm' => 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256',
+);

metadata/saml20-idp-remote.php

@@ -0,0 +1,60 @@
+<?php
+/**
+ * SAML 2.0 remote IdP metadata for SimpleSAMLphp.
+ *
+ * Remember to remove the IdPs you don't use from this file.
+ *
+ * See: https://simplesamlphp.org/docs/stable/simplesamlphp-reference-idp-remote 
+ */
+ 
+/*
+ * WISE-RA Members area login.
+ */
+// $metadata['https://service.iww.org.uk/simplesaml/saml2/idp/metadata.php'] = array(
+// 	'name' => array(
+// 		'en' => 'WISE-RA (production)',
+// 	),
+// 	'description'          => 'Log in using your WISE-RA members area user name.',
+// 	'SingleSignOnService'  => 'https://service.iww.org.uk/simplesaml/saml2/idp/SSOService.php',
+// 	'SingleLogoutService'  => 'https://service.iww.org.uk/simplesaml/saml2/idp/SingleLogoutService.php',
+// 	'privatekey' => 'saml.pem',
+// 	'certificate' => 'saml.crt',
+// );
+$metadata['https://wisera.auth.dev.iww.org.uk/simplesaml/saml2/idp/metadata.php'] = array(
+	'name' => array(
+		'en' => 'WISE-RA (dev)',
+	),
+	'description'          => 'Log in using your WISE-RA members area user name.',
+	'SingleSignOnService'  => 'https://wisera.auth.dev.iww.org.uk/simplesaml/saml2/idp/SSOService.php',
+	'SingleLogoutService'  => 'https://wisera.auth.dev.iww.org.uk/simplesaml/saml2/idp/SingleLogoutService.php',
+	'privatekey' => 'saml.pem',
+	'certificate' => 'saml.crt',
+);
+$metadata['https://nara.auth.dev.iww.org.uk/simplesaml/saml2/idp/metadata.php'] = array(
+	'name' => array(
+		'en' => 'NARA (dev)',
+	),
+	'description'          => 'Log in using your NARA red card username.',
+	'SingleSignOnService'  => 'https://nara.auth.dev.iww.org.uk/simplesaml/saml2/idp/SSOService.php',
+	'SingleLogoutService'  => 'https://nara.auth.dev.iww.org.uk/simplesaml/saml2/idp/SingleLogoutService.php',
+	'privatekey' => 'saml.pem',
+	'certificate' => 'saml.crt',
+);
+
+/*
+ * Guest IdP. allows users to sign up and register. Great for testing!
+ */
+/*
+$metadata['https://openidp.feide.no'] = array(
+	'name' => array(
+		'en' => 'Feide OpenIdP - guest users',
+		'no' => 'Feide Gjestebrukere',
+	),
+	'description'          => 'Here you can login with your account on Feide RnD OpenID. If you do not already have an account on this identity provider, you can create a new one by following the create new account link and follow the instructions.',
+
+	'SingleSignOnService'  => 'https://openidp.feide.no/simplesaml/saml2/idp/SSOService.php',
+	'SingleLogoutService'  => 'https://openidp.feide.no/simplesaml/saml2/idp/SingleLogoutService.php',
+	'certFingerprint'      => 'c9ed4dfb07caf13fc21e0fec1572047eb8a7a4cb'
+);
+*/
+

metadata/saml20-sp-remote.php

@@ -0,0 +1,96 @@
+<?php
+/**
+ * SAML 2.0 remote SP metadata for SimpleSAMLphp.
+ *
+ * See: https://simplesamlphp.org/docs/stable/simplesamlphp-reference-sp-remote
+ */
+
+/*
+ * Default SAML 2.0 SP
+ */
+$metadata['https://auth.dev.iww.org.uk/simplesaml/module.php/saml/sp/metadata.php/default-sp'] = array(
+  'AssertionConsumerService' => 'https://auth.dev.iww.org.uk/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp',
+  'SingleLogoutService'      => 'https://auth.dev.iww.org.uk/simplesaml/module.php/saml/sp/saml2-logout.php/default-sp',
+);
+
+/*
+ * MediaWiki
+ */
+$metadata['https://mediawiki.dev.iww.org.uk/simplesaml/module.php/saml/sp/metadata.php/default-sp'] = array(
+  'AssertionConsumerService' => 'https://mediawiki.dev.iww.org.uk/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp',
+  'SingleLogoutService'      => 'https://mediawiki.dev.iww.org.uk/simplesaml/module.php/saml/sp/saml2-logout.php/default-sp',
+);
+
+/*
+ * Moodle
+ */
+$metadata['https://moodle.dev.iww.org.uk/simplesaml/module.php/saml/sp/metadata.php/default-sp'] = array(
+  'AssertionConsumerService' => 'https://moodle.dev.iww.org.uk/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp',
+  'SingleLogoutService'      => 'https://moodle.dev.iww.org.uk/simplesaml/module.php/saml/sp/saml2-logout.php/default-sp',
+);
+
+/*
+ * WordPress
+ */
+ $metadata['urn:dev.iww.org.uk'] = array(
+  'AssertionConsumerService' => 'https://dev.iww.org.uk/wp/wp-login.php',
+  'SingleLogoutService'      => 'https://dev.iww.org.uk/wp/wp-login.php',
+);
+$metadata['urn:shop.dev.iww.org.uk'] = array(
+  'AssertionConsumerService' => 'https://shop.dev.iww.org.uk/wp/wp-login.php',
+  'SingleLogoutService'      => 'https://shop.dev.iww.org.uk/wp/wp-login.php',
+);
+
+/*
+ * Nextcloud
+ */
+$metadata['https://cloud.dev.iww.org.uk/apps/user_saml/saml/metadata'] = array(
+  'AssertionConsumerService' => 'https://cloud.dev.iww.org.uk/apps/user_saml/saml/acs',
+  'SingleLogoutService' => 'https://cloud.dev.iww.org.uk/apps/user_saml/saml/sls',
+);
+
+/*
+ * RocketChat
+ */
+$metadata['https://chat.dev.iww.org.uk/_saml/metadata/rc'] = array (
+  'entityid' => 'https://chat.dev.iww.org.uk/_saml/metadata/rc',
+  'contacts' => array (),
+  'metadata-set' => 'saml20-sp-remote',
+  'AssertionConsumerService' => array (
+    0 => array (
+      'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
+      'Location' => 'https://chat.dev.iww.org.uk/_saml/validate/rc',
+      'index' => 1,
+      'isDefault' => true,
+    ),
+  ),
+  'SingleLogoutService' => array (
+    0 => array (
+      'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
+      'Location' => 'https://chat.dev.iww.org.uk/_saml/logout/rc/',
+      'ResponseLocation' => 'https://chat.dev.iww.org.uk/_saml/logout/rc/',
+    ),
+  ),
+  'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
+);
+
+/*
+ * Example SimpleSAMLphp SAML 2.0 SP
+ */
+/* $metadata['https://saml2sp.example.org'] = array(
+	'AssertionConsumerService' => 'https://saml2sp.example.org/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp',
+	'SingleLogoutService' => 'https://saml2sp.example.org/simplesaml/module.php/saml/sp/saml2-logout.php/default-sp',
+); */
+
+/*
+ * This example shows an example config that works with Google Apps for education.
+ * What is important is that you have an attribute in your IdP that maps to the local part of the email address
+ * at Google Apps. In example, if your google account is foo.com, and you have a user that has an email john@foo.com, then you
+ * must set the simplesaml.nameidattribute to be the name of an attribute that for this user has the value of 'john'.
+ */
+/* $metadata['google.com'] = array(
+	'AssertionConsumerService' => 'https://www.google.com/a/g.feide.no/acs',
+	'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
+	'simplesaml.nameidattribute' => 'uid',
+	'simplesaml.attributes' => FALSE,
+); */