SAML Single Sign-On with Pandora FMS
SAML is an open standard for authentication and authorization based on XML. Pandora FMS can function as a service provider with its internal SAML identity provider.
Administrators always authenticate against the local database.
Several steps need to be completed before you can use SAML in Pandora FMS.
1. Have a SAML server running.
2. Configure the settings in Pandora FMS.
3. If planning to use Azure with SAML, configure that server.
Installing SimpleSAMLphp 2.0
Download SimpleSAMLphp version 2.3.2 from its official repository:
Then, upload it to the Pandora FMS server. If the PFMS server has internet access and wget is installed, you can use the following command in a directory with sufficient space and write permissions:
wget https://github.com/simplesamlphp/simplesamlphp/releases/download/v2.3.2/simplesamlphp-2.3.2-full.tar.gz
Extract the downloaded file with:
tar -xvf simplesamlphp-2.3.2-full.tar.gz
Move the folder to its final location:
mv simplesamlphp-2.3.2 /opt/simplesamlphp
To share access with Pandora FMS, create the following symbolic link:
ln -s /opt/simplesamlphp/public /var/www/html/simplesamlphp
SimpleSAMLphp relies on the config.php file for its configuration. With the final location set above, rename the default template:
mv /opt/simplesamlphp/config/config.php.dist /opt/simplesamlphp/config/config.php
Thus, you will have the full path of the configuration file as:
/opt/simplesamlphp/config/config.php
Use your favorite text editor to modify the following values in /opt/simplesamlphp/config/config.php:
'baseurlpath' => 'https://pandora.local/simplesamlphp/',
'auth.adminpassword' => '123pandora',
- Note that you must replace pandora.local with the PFMS web console URL and keep the comma at the end of each line, since it is part of the instruction block. The admin password shown is only an example value; set one of your own before exposing the admin interface.
- Always use a URL instead of an IP address. Following the case of using pandora.local, this "URL" should be added to the /etc/hosts file of the operating system (note: for educational purposes only).
Save the changes to the file and exit to the command line.
If any permission errors occur due to cache, apply the following:
mkdir /var/cache/simplesamlphp && chown apache:apache /var/cache/simplesamlphp
This will get SimpleSAMLphp up and running and should display the home page at the URL https://pandora.local/simplesamlphp/ (replace pandora.local with the PFMS web console URL).
If connecting via HTTP instead of HTTPS, authentication will fail until the Apache web server is configured to listen on the secure port 443.
To access SimpleSAMLphp administration, first rename the authsources.php.dist file:
mv /opt/simplesamlphp/config/authsources.php.dist /opt/simplesamlphp/config/authsources.php
Later, once the identity provider's metadata XML has been downloaded (see the Azure section below), copy its contents into the XML-to-PHP converter and process it; the generated PHP configuration text is then added to the /opt/simplesamlphp/metadata/saml20-idp-remote.php file. Save these additions and exit the editor.
You can access the admin interface via the URL https://pandora.local/simplesamlphp/admin/ (replace pandora.local with the PFMS web console URL):
Configuring Pandora FMS with SAML
Menu Management → Setup → Setup → Authentication.
The following values are common:
Some notable fields:
- SAML Group Name Attribute: SAML field where the group name is found (while auto-creating remote users is enabled).
- SimpleSAML Path: Directory where the simplesamlphp folder is located.
- Source SAML: Name of the authsource, e.g., example-userpass.
- SAML Email Attribute: SAML field where the user's email is found (while auto-creating remote users is enabled).
Before configuring any third-party service with SAML, it is recommended to test and verify locally the installed SimpleSAMLphp.
Configuring Azure with SAML
In Azure® services, go to the Entra ID section:
Then go to Enterprise Applications:
Create a new application (or use an existing one):
Go to Single Sign-On:
Edit the basic SAML configuration:
Fill in the following fields with the application ID, the address of the installed SimpleSAMLphp (replace pandora.local with the PFMS web console URL), and the address to which Azure® should redirect after the session is closed:
Download the XML metadata file which will be used later:
Finally, save the ID from the previous step and the Microsoft Entra Identifier URL:
Configuration in SimpleSAMLphp
Edit the /opt/simplesamlphp/config/authsources.php file with the following values:
Then, go to the SimpleSAMLphp website, under the Federation menu, and then to the Tools section for XML to PHP conversion:
Rename saml20-idp-remote.php.dist to:
mv /opt/simplesamlphp/metadata/saml20-idp-remote.php.dist /opt/simplesamlphp/metadata/saml20-idp-remote.php
Copy the content of the previously downloaded XML, paste it, and process it; this will generate a PHP configuration text which should be copied and pasted into the /opt/simplesamlphp/metadata/saml20-idp-remote.php file you just renamed, replacing all its content.
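The XML-to-PHP conversion above turns the identity provider's EntityDescriptor into a saml20-idp-remote entry (entityid, SingleSignOnService, SingleLogoutService and the signing keys). The following added example, which is not part of the Pandora FMS or SimpleSAMLphp documentation, does the same extraction in Python so you can check what the converter should produce; the tenant id and certificate in the constructed sample metadata are placeholders, and metadata without a signing certificate is rejected because the service provider could not verify assertions with it.

```python
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample of an IdP federation metadata document, trimmed to what the
# converter needs. TENANT-ID-PLACEHOLDER and the certificate body are not real values.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/TENANT-ID-PLACEHOLDER/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <X509Data><X509Certificate>MIIC PLACEHOLDER CERT</X509Certificate></X509Data>
    </KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

def idp_remote_entry(metadata_xml: str) -> dict:
    """Build the saml20-idp-remote entry SimpleSAMLphp expects from IdP metadata XML."""
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not an EntityDescriptor document")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata carries no IDPSSODescriptor")
    keys = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        use = kd.get("use")  # use="signing", use="encryption", or absent (both uses)
        cert = kd.find(".//ds:X509Certificate", NS)
        if cert is None or use == "encryption":
            continue
        keys.append({"encryption": use is None, "signing": True,
                     "type": "X509Certificate",
                     "X509Certificate": "".join(cert.text.split())})
    if not keys:
        # Without a signing certificate the SP cannot verify assertions; refuse.
        raise ValueError("IdP metadata has no signing certificate")
    def endpoints(tag):
        return [{"Binding": e.get("Binding"), "Location": e.get("Location")}
                for e in idp.findall(f"md:{tag}", NS)]
    return {
        "entityid": root.get("entityID"),
        "SingleSignOnService": endpoints("SingleSignOnService"),
        "SingleLogoutService": endpoints("SingleLogoutService"),
        "keys": keys,
    }
```

Compare the returned entityid, Location values and certificate against the PHP the converter produced before saving saml20-idp-remote.php.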
If everything is correct, proceed to test:
Obtaining the following result:
The email and user identifier can be extracted from the attributes returned by Azure® during the previous test:
For advanced configuration, you can deepen the mapping of properties or select a default one if no match is found:
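As an added example (not code from Pandora FMS), the following Python shows how the attribute names entered in the SAML Email Attribute and SAML Group Name Attribute fields are applied to the AttributeStatement that Azure® returns in the test above, including the two failure modes an administrator has to decide on: a missing user identifier (no account can be created) and a group claim that matches no local group (fall back to a default). The attribute statement is constructed and the claim URIs are the ones Azure® issues by default; the Pandora group names are assumed values.

```python
import xml.etree.ElementTree as ET

SAML2 = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Claim names as Azure issues them; the email and groups names are what an
# administrator types into the SAML Email Attribute / SAML Group Name Attribute fields.
CLAIM_ID = "http://schemas.microsoft.com/identity/claims/objectidentifier"
CLAIM_EMAIL = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
CLAIM_GROUPS = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

# Constructed AttributeStatement, the shape shown on the SimpleSAMLphp test page.
SAMPLE_ASSERTION = """<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
  <AttributeStatement>
    <Attribute Name="http://schemas.microsoft.com/identity/claims/objectidentifier">
      <AttributeValue>00000000-0000-0000-0000-000000000001</AttributeValue></Attribute>
    <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <AttributeValue>alice@example.com</AttributeValue></Attribute>
    <Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
      <AttributeValue>pandora-operators</AttributeValue>
      <AttributeValue>other-team</AttributeValue></Attribute>
  </AttributeStatement>
</Assertion>"""

def saml_attributes(assertion_xml):
    """Return {attribute name: [values]} from an assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall("./saml:AttributeStatement/saml:Attribute", SAML2):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", SAML2) if v.text]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs

def map_user(attrs, id_attr, email_attr, group_attr, known_groups, default_group):
    """Pick the user id, email and profile group out of the assertion attributes.
    A missing id attribute is fatal (no account can be auto-created); a group claim
    that matches no known group falls back to the configured default group."""
    if not attrs.get(id_attr):
        raise ValueError(f"assertion carries no {id_attr}; refusing to auto-create user")
    email = (attrs.get(email_attr) or [None])[0]
    groups = [g for g in attrs.get(group_attr, []) if g in known_groups]
    return {"id": attrs[id_attr][0], "email": email,
            "group": groups[0] if groups else default_group}
```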