SAML authentication backend
Since LemonLDAP::NG 1.0
Presentation
LemonLDAP::NG can use SAML2 authentication to get the user identity and fetch attributes from the user profile held by an Identity Provider (IDP). In this case, LemonLDAP::NG acts as a SAML2 Service Provider (SP). Several IDPs are allowed; the user then chooses the IDP he wants. You can preselect an IDP with an IDP resolution rule. For each IDP, you can configure the attributes that are requested. Some can be mandatory: if they are not given by the IDP, the session will not open.
Technical requirements
Lasso
The SAML2 implementation is based on Lasso. You need a very recent version of Lasso (>= 2.2.91). For lucky Debian users, packages are available at http://deb.entrouvert.org/. You only need to install the liblasso3-perl package:
$ sudo apt-get install liblasso3-perl
Apache rewrite rules
Be sure that mod_rewrite is installed and that the SAML2 rewrite rules are activated in etc/portal-apache2.conf:
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteRule ^/saml/metadata /metadata.pl
    RewriteRule ^/saml/.* /index.pl
</IfModule>
SAML2 IDP
Of course you need a SAML2 IDP. If you don't have one, you can check:
Public/private key
Since SAML2 relies heavily on signatures and encryption, you need to generate a public/private key pair. You can do this with openssl (use at least 2048 bits; 1024-bit RSA keys are no longer considered adequate):
$ openssl genrsa -out private_key.pem 2048
$ openssl rsa -pubout -in private_key.pem -out public_key.pem
Keep private_key.pem readable only by the user the portal runs as; only the public key is ever published.
LemonLDAP::NG configuration
All configuration can be done with the LemonLDAP::NG Manager. Connect to it first (by default http://manager.example.com).
Authentication and UserDB
In General Parameters > Authentication, set:
- Users database type: SAML
- Authentication module: SAML
- Display reset password: 0
- Display password change: 0
SAML2 Service
This is where you configure the SAML2 settings of the LemonLDAP::NG service. These settings are used to build the metadata that will be shared with identity providers.
Node SAML 2 Service
- Entity Identifier: your EntityID, often used as the metadata URL, by default http://auth.example.com/saml/metadata. Change this value to fit your portal URL.
- Private key: load your private key file. This will not be published in metadata.
Node Organization
- Display Name: displayed on the IDP, usually your organization's name
- Name: internal name
- URL: URL of your organization
Node Service Provider
- Signed Authentication Request: set to On to sign the authentication requests sent to the IDP (the AuthnRequestsSigned attribute in metadata), so the IDP can verify that requests really come from this SP. Off by default.
- Signing Key: load your public key file.
Node SingleLogout
For each binding you can set:
- Location: access point for SLO requests. Change this value to fit your portal URL.
- Response Location: access point for SLO responses. Change this value to fit your portal URL.
Node Assertion Consumer
For each binding you can set:
- Default: whether this binding is used by default for the authentication response
- Location: access point for SSO requests and responses. Change this value to fit your portal URL.
Node NameID Format
For each NameID Format, you can activate or deactivate it in metadata. The first active format is chosen by default if no NameID Format is set in the authentication request.
Node Identity Provider
Not used here.
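To see what the SAML2 Service settings above turn into, here is an added Python example (not LemonLDAP::NG or Lasso code) that builds an SP EntityDescriptor from Manager-style values and reads back the points an IDP administrator checks: EntityID, AuthnRequestsSigned, the default Assertion Consumer, the NameID Format order and the SLO bindings. The endpoint paths, organization values, the https portal URL and the certificate placeholder are assumptions; LemonLDAP::NG publishes its real metadata at the Entity Identifier URL, so compare that document against this shape.

```python
"""SP metadata matching the SAML2 Service settings (added example, not LemonLDAP::NG code)."""
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
XML_LANG = "{http://www.w3.org/XML/1998/namespace}lang"
ET.register_namespace("md", MD)
ET.register_namespace("ds", DS)

BINDINGS = {
    "http-redirect": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
    "http-post": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    "http-artifact": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact",
}
NAMEID_FORMATS = {
    "persistent": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
    "transient": "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
    "email": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
}

# Manager settings as entered in the nodes above; every value is an assumption for this example.
PORTAL = "https://auth.example.com"  # the page's default is http://, use TLS on real endpoints
SERVICE = {
    "entity_id": PORTAL + "/saml/metadata",                   # Node SAML 2 Service
    "organization": {"name": "example", "display_name": "Example Corp",
                     "url": "https://www.example.com"},        # Node Organization
    "signed_authn_request": True,                              # Node Service Provider
    "signing_certificate_b64": "MIIC...constructed placeholder...",  # stands in for the public key
    "single_logout": {                                         # Node SingleLogout (paths assumed)
        "http-redirect": {"location": PORTAL + "/saml/singleLogout",
                          "response_location": PORTAL + "/saml/singleLogoutReturn"},
        "http-post": {"location": PORTAL + "/saml/singleLogout",
                      "response_location": PORTAL + "/saml/singleLogoutReturn"},
    },
    "assertion_consumers": [                                   # Node Assertion Consumer (paths assumed)
        {"binding": "http-post", "location": PORTAL + "/saml/proxySingleSignOnPost", "default": True},
        {"binding": "http-artifact", "location": PORTAL + "/saml/proxySingleSignOnArtifact",
         "default": False},
    ],
    "nameid_formats": ["persistent", "transient", "email"],    # Node NameID Format, first = default
}


def build_sp_metadata(s):
    """Serialize the settings as an EntityDescriptor in the order the metadata schema requires."""
    root = ET.Element(f"{{{MD}}}EntityDescriptor", entityID=s["entity_id"])
    sp = ET.SubElement(root, f"{{{MD}}}SPSSODescriptor",
                       AuthnRequestsSigned="true" if s["signed_authn_request"] else "false",
                       protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol")
    # Signing Key: the public half, published so the IDP can verify signed requests.
    key_info = ET.SubElement(ET.SubElement(sp, f"{{{MD}}}KeyDescriptor", use="signing"),
                             f"{{{DS}}}KeyInfo")
    ET.SubElement(ET.SubElement(key_info, f"{{{DS}}}X509Data"),
                  f"{{{DS}}}X509Certificate").text = s["signing_certificate_b64"]
    for binding, ep in s["single_logout"].items():
        ET.SubElement(sp, f"{{{MD}}}SingleLogoutService", Binding=BINDINGS[binding],
                      Location=ep["location"], ResponseLocation=ep["response_location"])
    for fmt in s["nameid_formats"]:  # listed in order: the first one is the default
        ET.SubElement(sp, f"{{{MD}}}NameIDFormat").text = NAMEID_FORMATS[fmt]
    for index, acs in enumerate(s["assertion_consumers"]):
        ET.SubElement(sp, f"{{{MD}}}AssertionConsumerService", Binding=BINDINGS[acs["binding"]],
                      Location=acs["location"], index=str(index),
                      isDefault="true" if acs["default"] else "false")
    org = ET.SubElement(root, f"{{{MD}}}Organization")
    for tag, key in (("OrganizationName", "name"), ("OrganizationDisplayName", "display_name"),
                     ("OrganizationURL", "url")):
        ET.SubElement(org, f"{{{MD}}}{tag}", {XML_LANG: "en"}).text = s["organization"][key]
    return ET.tostring(root, encoding="unicode")


def summarize(metadata_xml):
    """Read back what an IDP administrator checks before trusting this SP."""
    ns = {"md": MD}
    root = ET.fromstring(metadata_xml)
    sp = root.find("md:SPSSODescriptor", ns)
    defaults = [a.get("Location") for a in sp.findall("md:AssertionConsumerService", ns)
                if a.get("isDefault") == "true"]
    return {
        "entity_id": root.get("entityID"),
        "authn_requests_signed": sp.get("AuthnRequestsSigned") == "true",
        "default_acs": defaults[0] if defaults else None,
        "nameid_formats": [n.text for n in sp.findall("md:NameIDFormat", ns)],
        "slo_bindings": sorted(x.get("Binding") for x in sp.findall("md:SingleLogoutService", ns)),
    }


if __name__ == "__main__":
    print(build_sp_metadata(SERVICE))
```

Run it and diff the output against what your portal serves at the Entity Identifier URL: a mismatch in the default Assertion Consumer or in the first NameIDFormat is the usual reason an IDP sends responses to the wrong endpoint or with an unexpected NameID.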
Identity Provider registration
Now you have to register the partner IDP. For that, select the node Identity Providers and click on New metadatas. The IDP name is asked; enter it and click OK.
Metadata XML
You must register the IDP metadata here. You can do it either by uploading the file or with the IDP metadata URL. The IDP metadata carries the signing key that every later signature check relies on, so obtain it over a trusted channel (HTTPS from the IDP itself, or a file received out of band), never over plain HTTP from an untrusted network.
Node Exported attributes
For each attribute, you can set:
- Key name: name of the key in the LemonLDAP::NG session (for example "uid" will then be available as $uid in access rules)
- Mandatory: if set to On, the session will not open if this attribute is not given by the IDP.
- Name: SAML attribute name.
- Friendly Name: optional, SAML attribute friendly name.
- Format: optional, SAML attribute format.
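To make the Mandatory flag concrete, here is an added Python example (not LemonLDAP::NG code) that maps the attributes of a SAML assertion onto session keys the way the list above describes: match on Name (and on Format only when one is configured), refuse to open the session when a mandatory attribute is absent, and keep optional ones only when the IDP sent them. The assertion, the attribute list, the OIDs used as Names and the ";" separator for multi-valued attributes are constructed for the example. It assumes Lasso has already verified the Response signature; attributes must never be mapped from an unverified assertion.

```python
"""Map SAML attributes onto session keys (added example, not LemonLDAP::NG code)."""
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}
MULTI_VALUE_SEPARATOR = ";"  # assumed join character for multi-valued attributes

# "Exported attributes" as configured in the Manager (assumed values):
# Key name, Mandatory, Name, Friendly Name, Format.
EXPORTED_ATTRIBUTES = [
    {"key": "uid", "mandatory": True, "name": "urn:oid:0.9.2342.19200300.100.1.1",
     "friendly_name": "uid", "format": "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"},
    {"key": "mail", "mandatory": True, "name": "urn:oid:0.9.2342.19200300.100.1.3",
     "friendly_name": "mail", "format": None},
    {"key": "affiliation", "mandatory": False, "name": "urn:oid:1.3.6.1.4.1.5923.1.1.1.1",
     "friendly_name": "eduPersonAffiliation", "format": None},
    {"key": "phone", "mandatory": False, "name": "urn:oid:2.5.4.20",
     "friendly_name": "telephoneNumber", "format": None},
]

# Constructed assertion fragment, as it would arrive inside an already-verified Response.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_e1f3" Version="2.0" IssueInstant="2011-01-01T10:00:00Z">
  <saml:Issuer>http://idp.example.org/saml/metadata</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">7f3a</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.1" FriendlyName="uid"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml:AttributeValue>jdoe</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3" FriendlyName="mail">
      <saml:AttributeValue>jdoe@example.org</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" FriendlyName="eduPersonAffiliation">
      <saml:AttributeValue>staff</saml:AttributeValue>
      <saml:AttributeValue>member</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Same assertion where the IDP sent some other attribute instead of uid (constructed).
ASSERTION_WITHOUT_UID = SAMPLE_ASSERTION.replace(
    'Name="urn:oid:0.9.2342.19200300.100.1.1"', 'Name="urn:oid:0.9.2342.19200300.100.1.9"')


class MissingMandatoryAttribute(Exception):
    """Raised when a Mandatory exported attribute is absent: no session is opened."""


def _attribute_values(assertion_xml):
    """Return {(Name, NameFormat or None): [values]} for every Attribute in the assertion."""
    root = ET.fromstring(assertion_xml)
    found = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS)]
        found[(attr.get("Name"), attr.get("NameFormat"))] = [v for v in values if v]
    return found


def _lookup(found, exported):
    """Values for one exported attribute: Name must match, Format only when configured."""
    for (name, name_format), values in found.items():
        if name != exported["name"]:
            continue
        if exported["format"] and name_format and name_format != exported["format"]:
            continue
        return values
    return None


def missing_mandatory_keys(assertion_xml, exported_attributes):
    """Key names of Mandatory attributes the IDP did not provide (empty values count as missing)."""
    found = _attribute_values(assertion_xml)
    return [e["key"] for e in exported_attributes if e["mandatory"] and not _lookup(found, e)]


def build_session(assertion_xml, exported_attributes):
    """Return the session attributes, or refuse when a mandatory one is missing."""
    missing = missing_mandatory_keys(assertion_xml, exported_attributes)
    if missing:
        raise MissingMandatoryAttribute("IDP did not provide: " + ", ".join(missing))
    found = _attribute_values(assertion_xml)
    session = {}
    for e in exported_attributes:
        values = _lookup(found, e)
        if values:  # optional attributes may simply be absent
            session[e["key"]] = MULTI_VALUE_SEPARATOR.join(values)
    return session


if __name__ == "__main__":
    print(build_session(SAMPLE_ASSERTION, EXPORTED_ATTRIBUTES))
    print("missing:", missing_mandatory_keys(ASSERTION_WITHOUT_UID, EXPORTED_ATTRIBUTES))
```

The check is deliberately done on the configured Name rather than the Friendly Name: Friendly Name is informational in SAML and an IDP can change it freely, so access rules built on $uid should only depend on the attribute the IDP actually asserts.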
Node Options
- NameID format: force the NameID format here (email, persistent, transient, etc.). If no value is set, the first NameID Format activated in metadata is used.
- Force authentication: set the ForceAuthn flag in the authentication request
- Allow proxied authentication: allow an authentication response to be issued by another IDP than the one registered here (proxy IDP). If you disallow this, you should also disallow direct login from the IDP, because the proxy restriction is carried in the authentication request and an IDP-initiated response answers no request.
- SSO binding: force the binding used for SSO (http-redirect, http-post, etc.)
- SLO binding: force the binding used for SLO (http-redirect, http-post, etc.)
- Resolution rule: Perl expression that is evaluated to decide whether this IDP is the default for the connecting user. You can use for example $ENV{ to get the user's IP address.
- Allow login from IDP: allow a user to connect directly from a link on the IDP (IDP-initiated SSO). In this case the authentication response does not answer a request issued by the portal, so the conditions set in the request (ForceAuthn, proxy restriction, NameID format) cannot be enforced and you have less control.