Helix Swarm Guide (2018.3)

Helix SAML authentication PHP config

Helix SAML supports authentication using SAML 2.0 for Helix Core Servers. This section describes how to configure SAML 2.0 in the Swarm config.php file to enable Swarm to authenticate with a Helix Server that is configured for Helix SAML. The SAML PHP configuration block in the SWARM_ROOT/data/config.php file configures the Identity Provider (IdP) and Service Provider (SP) connection details for Swarm. This enables Swarm to connect to your IdP and your IdP to connect to Swarm so that you can log in to Swarm using the IdP log in process.

Important

To use Helix SAML with Swarm:

Helix Server version 2018.2 or later is required.
Write a Helix Server trigger for Helix SAML. For instructions on developing the Helix Server trigger for Helix SAML, see Triggering to use external authentication in Helix Core Server Administrator Guide: Fundamentals.
Enable Helix SAML in Swarm with the sso_enabled configurable, see Swarm configuration.
Configure the Swarm admin user to use ticket-based authentication, see Swarm configuration.
Configure Swarm for Helix SAML as described on this page.

Swarm specific SAML 2.0 settings

This section describes the minimum settings that you must enter to enable Swarm to connect to a Helix Server that is enabled for Helix SAML. The saml configuration block must be added to the end of the SWARM_ROOT/data/config.php file as shown in the following example.

Tip

The exact content of your saml configuration block depends on your SAML configuration, you can add other configurables to the SAML PHP block if they are required by your Helix Server SAML configuration. For example your x509cert and privateKey might be in the certs folder so you would not need to have them specified in the saml block. For an overview of SAML 2.0 , see https://github.com/onelogin/php-saml.

Example SAML PHP configuration, follow the underlined links for more information about the configurables:

Warning

While the syntax of this example is correct, it includes configuration values that cannot work. Ensure that you adjust the configuration appropriately for your SAML configuration before using the saml block in testing or production.

<?php
    // the saml block should be a peer of 'p4' located at the end of 
    // the Swarm configuration block in the config.php file
    'saml' => array(
        // If your Helix Server trigger expects a message header so that it can 
        // easily recognize SAML response messages, add the header text
		'header' => 'saml-response: ', // leave empty for no message header ''
        // Service Provider Data that we are deploying
        'sp' => array(
            // Identifier of the SP entity  (must be a URI)
            'entityId' => '<urn:my_swarm:sp>',
            // Specifies info about where and how the AuthnResponse message MUST be
            // returned to the requester, in this case our SP.
            'assertionConsumerService' => array(
                // URL Location where the Response from the IdP will be returned, this is the Swarm URL and port
                'url' => '<[http[s]://]<swarm-host>[:<port>]>',
            ),
        ),
        // Identity Provider Data that we want to connect to with our SP (Swarm)
        'idp' => array(
            // Identifier of the IdP entity  (must be a URI)
            'entityId' => '<my_entityid_provided_by_the_idp>',
            // SSO endpoint info of the IdP. (Authentication Request protocol)
            'singleSignOnService' => array(
                // URL Target of the IdP where the SP (Swarm) will send the Authentication Request Message
                'url' => '<full_idp_URL_path_to_send_authentication_request_message_to>',
            ),

            // Usually x509cert and privateKey of the SP (Swarm) are provided by files placed in
            // the certs folder. But we can also provide them with the following parameters
            'x509cert' => '<my_swarm_cert>',
            'privateKey' => '<my_swarm_private_key>',
        ),
    ),
);

Note

The Swarm configuration file does not include PHP's standard closing tag (?>). This is intentional as it prevents unintentional whitespace from being introduced into Swarm's output, which would interfere with Swarm's ability to control HTTP headers. Debugging problems that result from unintentional whitespace can be challenging, since the resulting behavior and error messages often appear to be misleading.

header

Some Helix Server Helix SAML triggers need a header (prefix) added to SAML response messages so that the Helix Server can easily identify the messages. The header is set in the header value.

If a header is not required, set header to empty ''.

<?php
    'saml' => array(
        // If your Helix Server trigger expects a message header so that it can 
        // easily recognize SAML response messages, add the header text
        'header' => 'saml-response: ', // leave empty for no message header ''
        ),
    ),
);

The default value is 'saml-response: '.

sp

The sp (service provider) section defines the callback destination and identifier information for your IdP (Identity Provider). This tells your IdP how to connect to Swarm.

entityId: this is the identifier your IdP knows your Swarm as. Set your Entity ID here and then use the same value in your IdP's configuration tool. When Swarm connects to your IdP the Entity ID is used to verify your connection. This must be a URI.
assertionConsumerService url: enter your Swarm URL and port number. This sets your Swarm instance as the URL your IdP sends responses to. If you don't enter a port number, port 80 is used.

Important

Do not use localhost for the url.

<?php
    'saml' => array(
        // Service Provider Data that we are deploying
        'sp' => array(
            // Identifier of the SP entity  (must be a URI)
            'entityId' => '<urn:my_swarm:sp>',
            // Specifies info about where and how the AuthnResponse message MUST be
            // returned to the requester, in this case our SP.
            'assertionConsumerService' => array(
                // URL Location where the Response from the IdP will be returned, this is the Swarm URL and port
                'url' => '<[http[s]://]<swarm-host>[:<port>]>',
            ),
        ),
    ),
);

idp

The idp (identity provider) section defines the IdP connection and security information, this tells Swarm how to connect to your IdP.

entityId: enter your Entity ID, this is provided by your IdP. This enables Swarm to connect to your IdP. This must be a URI.
singleSignOnService url: enter the URL Swarm sends authentication requests to. This is provided by your IdP.
x509cert privateKey: enter your Swarm instance security connection details.

<?php
    'saml' => array(
        // Identity Provider Data that we want to connect to with our SP (Swarm)
        'idp' => array(
            // Identifier of the IdP entity  (must be a URI)
            'entityId' => '<my_entityid_provided_by_the_idp>',
            // SSO endpoint info of the IdP. (Authentication Request protocol)
            'singleSignOnService' => array(
                // URL Target of the IdP where the SP (Swarm) will send the Authentication Request Message
                'url' => '<full_idp_URL_path_to_send_authentication_request_message_to>',
            ),

            // Usually x509cert and privateKey of the SP (Swarm) are provided by files placed in
            // the certs folder. But we can also provide them with the following parameters
            'x509cert' => '<my_swarm_cert>',
            'privateKey' => '<my_swarm_private_key>',
        ),
    ),
);

Your search for returned result(s).