Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.


Installation using the installation script

The installation script is available at . The script sets up a portal at the web address (DNS entry) that you provide, with which you obtain certificates from one CA and for a specific realm, which you specify. Additionally, the script copies the metadata from the link but if automatic refresh is needed, you need to set this up later. At the end of the installation process, you get a link to find the SAML SP metadata to register with your federation. In the firewall you need to open the ports TCP/80 and TCP/443 . In order to check that everything is OK at this point, please use the command

Code Block
curl -sSk --resolve DOMAIN:443: https://DOMAIN; echo

You should see an output like {"href":"./","": if the webserver is running OK internally. You should also be able to reach your server with a browser. Next, try to check the metadata with https://YOUR-ADDRESS/simplesamlphp/module.php/saml/sp/metadata.php/default-sp?output=xhtml. At this point, please obtain and install a server certificate for your web server. The configuration file is named letswifi-portal.conf.

At this point you may find out that the SimpleSAMLphp version that your OS comes with is too old. Please download a new one and install it.  Copy the apache.conf of the newly installed SimpleSAMLphp to the /config - directory and take it into use at /etc/apache2/conf-available with

Code Block
ln -sf /NEW-SIMPLESAMLPHP/config/apache.conf /etc/apache2/conf-available/simplesamlphp.conf

In config.php you may need to change 'baseurlpath' from 'simplesaml/' to 'simplesamlphp/'. In /usr/share/letswifi-portal/etc/letswifi.conf.php the 'autoloadInclude' needs to be changed to point to the correct SimpleSAMLphp version. Do a web server restart.

Next, connect your SimpleSAMLphp to your federation. More extensive guidelines can be found here and here. In case you need certificates for signing and encryption, you can generate them with:

Code Block
openssl req -newkey rsa:3072 -new -x509 -days 3652 -nodes -out saml-geteduroam.crt -keyout saml-geteduroam.key

In /etc/simplesamlphp/authsources.php, under ’default-sp’, please insert the following

Code Block
'certificate' => '/PATH/TO/saml-geteduroam.crt',
'privatekey' => '/PATH/TO/saml-geteduroam.key',
'redirect.sign' => true,
'redirect.validate' => true,

You should see the changes in https://YOUR-ADDRESS/simplesamlphp/module.php/saml/sp/metadata.php/default-sp?output=xhtml. If needed, enable automatic metadata refresh, extensive guidelines can be found here. In the module section of /SIMPLESAMLPHP/config/config.php you need

Code Block
'module.enable' => [
         'cron' => true,
         'metarefresh' => true,
         'core' => true,
         'saml' => true

instead of 'exampleauth'.

Please copy the necessary templates with

Code Block
cp modules/cron/config-templates/*.php /etc/simplesamlphp/
cp modules/metarefresh/config-templates/*.php /etc/simplesamlphp/

From /modules/metarefresh/bin you can test with 

Code Block
./metarefresh.php -s https://PATH/TO/your-metadata.xml

Please go through the config-metarefresh file and change it to match your federation requirements. The actual update is controlled by cron.  Set the key in module_cron.php and the 'auth.adminpassword' in config.php. In the same file, the 'technicalcontact_email' needs to be updated. Next, make sure that www-data has access to the metadata folder. You can update the metadata with HTTP or CLI, with HTTP you need something like this in /etc/corn.d/

Code Block
20 0 * * * www-data curl --silent "https://YOUR-ADDRESS/simplesamlphp/module.php/cron/cron.php?key=YOUR-KEY&tag=daily" > /dev/null 2>&1

Next, your need to create a CAT profile for your users. With this done, you should now be able to log in with your federation ID from the geteduroam app and generate certificates and .eap-config files. Keep in mind that even though the portal includes a version check, you may encounter a OpenSSL-PHP mismatch, in which case the PKCS12 is encoded with the wrong algorithm and the profile installation fails. The php version number can be set in src/fyrkat/openssl/pkcs.12. A functioning .eap-config file has the PKCS 7 encrypted data as pbeWithSHA1And40BitRC2-CBC, Iteration 2048.

As a final remark, you can make the web server enforce HSTS with

Code Block
a2enmod headers
systemctl restart apache2

Then please add to letswifi-portal.conf

Code Block
Header always set Strict-Transport-Security "max-age=15768000"

and do another web server restart.

Connecting to a RADIUS server

In order to connect the portal to a RADIUS server for user authentication and authorization, the server needs to know the CA of your Let's WiFi portal. You can set up a server for this purpose, using the guidelines available at freeradius-idp. You need to copy the CA from /var/lib/letswifi/database with

Code Block
sqlite3 letswifi.sqlite "select pub from ca where sub in (select signer_ca_sub from realm_signer);" > /etc/freeradius/3.0/certs/geteduroam-ca.pem

In the eap file you define this cert as the ca_file and then you also need something like the following

Code Block
eap {
        default_eap_type = tls

        timer_expire = 60

        ignore_unknown_eap_types = no

        cisco_accounting_username_bug = no

        max_sessions = ${max_requests}

        tls-config tls-common {
                private_key_file = ${certdir}/radius.geteduroam.TLD.key
                certificate_file = ${certdir}/radius.geteduroam.TLD.crt
                ca_file = ${cadir}/geteduroam-ca.pem
                auto_chain = no
                dh_file = ${certdir}/dh
                ca_path = ${cadir}
                #check_cert_cn = %{User-Name}
                cipher_list = "DEFAULT"

                cipher_server_preference = no

                tls_min_version = "1.2"
                tls_max_version = "1.3"

        fragment_size = 1450

                ecdh_curve = "prime256v1"

                cache {
                        enable = no

                        store {

                verify {

                ocsp {
                        enable = no
                        override_cert_url = yes
                        url = ""

        tls {
                tls = tls-common
        		virtual_server = check-eap-tls

        ttls {
                tls = tls-common
                virtual_server = "inner-tunnel"
                default_eap_type = mschapv2
                copy_request_to_tunnel = no
                use_tunneled_reply = no

In this configuration the certificate_file contains the whole chain. The sites-enabled/check-eap-tls (sites-available/check-eap-tls) should look similar to

Code Block
server check-eap-tls {

  authorize {

    #if ("%{TLS-Client-Cert-Common-Name}" =~ /\@(.*)$/) {
    if (&TLS-Client-Cert-Common-Name =~ /\@(.*)$/) {
      if (&Realm == "%{1}") {
        update config {
          Auth-Type = Accept
      else {
        update config {
          Auth-Type = Reject

in order to accept anonymous outer IDs, if needed.

In the Let's WiFi portal, please import the CA that was used to get the RADIUS server certificate with

Code Block
/usr/share/letswifi-portal# cat /etc/ssl/certs/CA-FILE.pem | bin/import-ca.php

You can view the result with sqlite> select * from ca;

You also need to update the realm trust with

Code Block
/var/lib/letswifi/database# sqlite3 letswifi.sqlite
sqlite> update realm_trust set trusted_ca_sub='C=XX, ST=StateName, L=CityName, O=CompanyName, CN= CommonNameOrHostname' where realm='YOUR-REALM';

You can view the result with sqlite> select * from realm_trust;

Also check the server name and change it if needed

Code Block
sqlite> SELECT * FROM realm_server_name;


sqlite> update realm_server_name set server_name='YOUR-SERVER-NAME' where realm='YOUR-REALM';

In the table realm_signer, you can set how many days the certificate should be valid. Certification revokation must be enforced by the RADIUS server, so either blocklist the common names, or create a CRL file, or set up an OCSP responder.