Set up your DiscourseConnect(DiscourseSSO) to SimpleSAMLphp, use your Discourse forum as a SAML IDP (Identify Provider)

Discourse has intergrated a DiscourseConnect that allows you to change your Discourse into a SSO provider. You can find it in “Using Discourse as an identity provider (SSO, DiscourseConnect)” this article. However what it provides is not a standard SAML or Oauth protocol.

So we need to use a module that created by Paul B. in Discourse forum. This is a module that allows us connect DiscourseConnect to SimpleSAMLphp and then use SimpleSAMLphp to provide standard SAML login service protocol. In here I want to give great thanks for his help that allows this to real. You can also find the module in here:

Now let’s start the guide.

First, we need to config SimpleSAMLphp.

Download SimpleSAMLphp first.

wget https://simplesamlphp.org/download?latest

And then unzip.

tar zxf download?latest

Then move file to /var/simplesamlphp.

sudo cp -a simplesamlphp-1.x.y/. /var/simplesamlphp/

Then give this folder to www-data user and 755 permission.

sudo chown -R www-data:www-data /var/simplesamlphp/
sudo chmod -R 755 /var/simplesamlphp/

You may ask why the path must be in /var/simplesamlphp, because offcial documentation is put in here, you will need extra config if you put it into other place.

Then config nginx and point the index to /www in its folder. If you using apache, please find config in offcial documentation.

upstream saml-php-handler {
    server unix:/run/php/php8.0-fpm.sock;
}

server {
        listen 443 ssl;
        server_name YOUR_SAML_DOMAIN;
        index index.php;
        ssl_certificate    YOUR_CERT;
        ssl_certificate_key    YOUR_KEY;
        ssl_protocols          TLSv1.3 TLSv1.2;
        ssl_ciphers            EECDH+AESGCM:EDH+AESGCM;
        location ^~ /simplesaml {
            alias /var/simplesamlphp/www;
            location ~ ^(?<prefix>/simplesaml)(?<phpfile>.+?\.php)(?<pathinfo>/.*)?$ {
                include          fastcgi_params;
                fastcgi_pass     saml-php-handler;
                fastcgi_param SCRIPT_FILENAME $document_root$phpfile;
                # Must be prepended with the baseurlpath
                fastcgi_param SCRIPT_NAME /simplesaml$phpfile;
                fastcgi_param PATH_INFO $pathinfo if_not_empty;
            }
        }
}

Then update your source:

sudo apt update

Then install software package:

sudo apt install php-xml php-mbstring php-curl php-memcache php-ldap memcached

Notice: Here requires you to install according to your php version. For example, if you are using php8.0, you will need to add “8.0” after all “php”. Like: php8.0-xml

Restart Nginx to activate new php extension after install has been completed:

sudo systemctl restart Nginx

Then generate a salt:

openssl rand -base64 32

Copy this salt.

Then open /var/simplesamlphp/config/config.php

'auth.adminpassword',YOUR_PASSWORD;
'secretsalt',YOUR_SALT;
'technicalcontact_name',YOUR_NAME;
'technicalcontact_email' ,YOUR_EMAIL;
 'language.default',CHANGE_TO_YOUR_LANGUAGE;
'timezone',CHANGE_TO_YOUR_AREA;
'enable.saml20-idp' => true,

Then open https://YOUR_SAML_DOMAIN/simplesaml, theoretically your SimpleSAMLphp should working now.

Then install Composer.

php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');"
php composer-setup.php
sudo mv composer.phar /usr/bin/composer

Then you should type composer to run.

Go to /var/simplesamlphp, edit composer.json, change version to dev-master.

The reason why it do it here is because the discourse-simplesamlphp module requires “dev-master” version, however its default version is number, so we need to change the version to “dev-master”.

Then start to install this module.

composer require swcc/simplesamlphp-module-authdiscourse dev-master --ignore-platform-reqs

The parameter “–ignore-platform-reqs” is to prevent your php version not match the requirement.

Now you should see composer start to install swcc/simplesamlphp-module-authdiscourse.

After install completed, input:

touch /var/simplesamlphp/modules/authdiscourse/enable

To enable this plugin.



Then enable “discourse connect provider secrets” and “enable discourse connect provider” these two options in your Discourse forum.

In “discourse connect provider secrets” input your SAML domain and a sso secret.

Then edit config/authsources.php in simplesamlphp folder:

<?php
$config = [
    // This is a authentication source which handles admin authentication.
    'admin' => [
        'core:AdminPassword',
    ],

    // This is the authentication source using the Discourse authentication.
    'discourse-sso' => [
      'authdiscourse:Discourse',
      'url' => 'https://discourse.your-domain.org',
      'secret' => '<your-sso-secret>',
    ],

];

You need to add this part into suitable place:

    'discourse-sso' => [
      'authdiscourse:Discourse',
      'url' => 'YOUR_DISCOURSE_DOMAIN',
      'secret' => 'DISCOURSE_SSO_SECRET',
    ],

To allow SimpleSAMLphp use discourse-sso for authentication.

Finally, open https://YOUR_SAML_DOMAIN/simplesaml/module.php/core/authenticate.php?as=discourse-sso

OR

Open https://YOUR_SAML_DOMAIN/simplesaml/ then click authentication then clickdiscourse-sso to test.

If it returns correct information, then it means you have successfully configure your SimpleSAMLphp connect to your Discourse.

Now you need to configure your IDP settings.

First you need to generate a certificate for IDP using:

openssl req -newkey rsa:3072 -new -x509 -days 3652 -nodes -out YOUR_SAML_DOMAIN.crt -keyout YOUR_SAML_DOMAIN.pem

If you generate it at root directory, you can see your new cert in there.

Then move your cert to whatever to want to place, then give them to user www-data and 755 permission.

chown -R www-data:www-data /YOUR_CERT_PATH
chmod -R 755 /YOUR_CERT_PATH

Finally, edit your cert path and your auth source in metadata/saml20-idp-hosted.php.

<?php
$metadata['__DYNAMIC:1__'] = [
    /*
     * The hostname for this IdP. This makes it possible to run multiple
     * IdPs from the same configuration. '__DEFAULT__' means that this one
     * should be used by default.
     */
    'host' => '__DEFAULT__',

    /*
     * The private key and certificate to use when signing responses.
     * These are stored in the cert-directory.
     */
    'privatekey' => '/YOUR_KEY_PATH',
    'certificate' => '/YOUR_CERT_PATH',
    /*

     * The authentication source which should be used to authenticate the
     * user. This must match one of the entries in config/authsources.php.
     * NOTICE: YOU NEED TO CHANGE THE AUTH METHOD TO "discourse-sso"
     */
    'auth' => 'discourse-sso',
];

Now your SimpleSAMLphp is using Discourse as user database backend, as a SAML IDP, providing standard SAML login protocol.

IDP ID(URI):https://YOUR_SAML_DOMAIN/simplesaml/saml2/idp/metadata.php

URL Target(Use to send SP identify Requirement):https://YOUR_SAML_DOMAIN/simplesaml/saml2/idp/SSOService.php

X509 Cert:https://YOUR_SAML_DOMAIN/simplesaml/module.php/saml/idp/certs.php/idp.crt

Or for those SP that allows you to upload IDP Metadata file directly, you can download IDP Metadata:https://YOUR_SAML_DOMAIN/simplesaml/saml2/idp/metadata.php

All done. Everything should be working now.

enjoy~

Next I may introduce how to connect SimpleSAMLphp that powered by Discourse as NextCloud’s SAML login way.

Anything that misunderstood can reply this post or contact me via admin@rail.moe.

5 Likes

Thank you for this guide! I’m actually really interested in making this switch! I didn’t fully understand how to set this up but, I’m going to give it a shot when I get the chance.