<p><divclass="noteclassic"><abbrtitle="Security Assertion Markup Language">SAML</abbr> service configuration is a common step to configure <abbrtitle="LemonLDAP::NG">LL::NG</abbr> as <ahref="../../documentation/1.9/authsaml.html"class="wikilink1"title="documentation:1.9:authsaml">SAML SP</a> or <ahref="../../documentation/1.9/idpsaml.html"class="wikilink1"title="documentation:1.9:idpsaml">SAML IDP</a>.
This documentation explains how configure <abbrtitle="Security Assertion Markup Language">SAML</abbr> service in <abbrtitle="LemonLDAP::NG">LL::NG</abbr>, in particular:
<p><divclass="noteimportant">Service configuration will be used to generate <abbrtitle="LemonLDAP::NG">LL::NG</abbr><abbrtitle="Security Assertion Markup Language">SAML</abbr> metadata, that will be shared with other providers. It means that if you modify some settings here, you will have to share again the metadata with other providers. In other words, take the time to configure this part before sharing metadata.
SAML2 implementation is based on <ahref="http://lasso.entrouvert.org"class="urlextern"title="http://lasso.entrouvert.org"rel="nofollow">Lasso</a>. You will need a very recent version of Lasso (>= 2.3.0).
There are packages available here: <ahref="http://deb.entrouvert.org/"class="urlextern"title="http://deb.entrouvert.org/"rel="nofollow">http://deb.entrouvert.org/</a>.
RPMs are available in <abbrtitle="LemonLDAP::NG">LL::NG</abbr> RPM repository (see <ahref="../../documentation/1.9/installrpm.html#yum_repository"class="wikilink1"title="documentation:1.9:installrpm">yum_repository</a>)
<ahref="http://lasso.entrouvert.org/download/"class="urlextern"title="http://lasso.entrouvert.org/download/"rel="nofollow">Download the Lasso tarball</a> and compile it on your system.
Be sure that mod_rewrite is installed and that SAML2 rewrite rules are activated in <ahref="../../documentation/1.9/configlocation.html#portal"class="wikilink1"title="documentation:1.9:configlocation">Apache portal configuration</a>:
You can define keys for <abbrtitle="Security Assertion Markup Language">SAML</abbr> message signature and encryption. If no encryption keys are defined, signature keys are used for signature and encryption.
<liclass="level1"><divclass="li"> import your own private and public keys (<code>Load from a file</code> input)</div>
</li>
<liclass="level1"><divclass="li"> generate new public and private keys (<code>Generate</code> button)</div>
</li>
</ul>
<p>
<p><divclass="notetip">You can enter a password to protect private key with a password. It will be prompted if you generate keys, else you can set it in the <code>Private key password</code>.
<p><divclass="notetip">You can import a certificate containing the public key instead the raw public key. However, certificate will not be really validated by other <abbrtitle="Security Assertion Markup Language">SAML</abbr> components (expiration date, common name, etc.), but will just be a public key wrapper.
<abbrtitle="Security Assertion Markup Language">SAML</abbr> can use different NameID formats. The NameID is the main user identifier, carried in <abbrtitle="Security Assertion Markup Language">SAML</abbr> messages. You can configure here which field of <abbrtitle="LemonLDAP::NG">LL::NG</abbr> session will be associated to a NameID format.
<p><divclass="noteclassic">This parameter is used by <ahref="../../documentation/1.9/idpsaml.html"class="wikilink1"title="documentation:1.9:idpsaml">SAML IDP</a> to fill the NameID in authentication responses.
<p><divclass="notetip">For example, if you are using <ahref="../../documentation/1.9/authldap.html"class="wikilink1"title="documentation:1.9:authldap">AD as authentication backend</a>, you can use sAMAccountName for the Windows NameID format.
Each <abbrtitle="LemonLDAP::NG">LL::NG</abbr> authentication module has an authentication level, which can be associated to an <ahref="http://docs.oasis-open.org/security/saml/v2.0/saml-authn-context-2.0-os.pdf"class="urlextern"title="http://docs.oasis-open.org/security/saml/v2.0/saml-authn-context-2.0-os.pdf"rel="nofollow">SAML authentication context</a>.
<p><divclass="noteclassic">This parameter is used by <ahref="../../documentation/1.9/idpsaml.html"class="wikilink1"title="documentation:1.9:idpsaml">SAML IDP</a> to fill the authentication context in authentication responses. It will use the authentication level registered in user session to match the <abbrtitle="Security Assertion Markup Language">SAML</abbr> authentication context. It is also used by <ahref="../../documentation/1.9/authsaml.html"class="wikilink1"title="documentation:1.9:authsaml">SAML SP</a> to fill the authentication level in user session, based on authentication response authentication context.
<liclass="level1"><divclass="li"><strong><abbrtitle="Uniform Resource Locator">URL</abbr></strong>: <abbrtitle="Uniform Resource Locator">URL</abbr> of your society</div>
<liclass="level1"><divclass="li"><strong>Want Authentication Request Signed</strong>: set to On to require that received authentication request are signed.</div>
</li>
</ul>
<p>
<p><divclass="notetip">This option can then be overridden for each Service Provider.
<liclass="level1"><divclass="li"><strong>IDP resolution cookie name</strong>: by default, it's the <abbrtitle="LemonLDAP::NG">LL::NG</abbr> cookie name suffixed by <code>idp</code>, for example: <code>lemonldapidp</code>.</div>
By default, the main session module is used to store <abbrtitle="Security Assertion Markup Language">SAML</abbr> temporary data (like relay-states), but <abbrtitle="Security Assertion Markup Language">SAML</abbr> sessions need to use a session module compatible with the <ahref="../../documentation/features.html#session_restrictions"class="wikilink1"title="documentation:features">sessions restrictions feature</a>.
This is not the case of <ahref="../../documentation/1.9/memcachedsessionbackend.html"class="wikilink1"title="documentation:1.9:memcachedsessionbackend">Memcached</a> for example. In this case, you can choose a different module to manage <abbrtitle="Security Assertion Markup Language">SAML</abbr> sessions.
<p><divclass="notetip">You can also choose a different session module to split <abbrtitle="Single Sign On">SSO</abbr> sessions and <abbrtitle="Security Assertion Markup Language">SAML</abbr> sessions.
<liclass="level1"><divclass="li"><strong>RelayState session timeout</strong>: timeout for RelayState sessions. By default, the RelayState session is deleted when it is read. This timeout allows to purge sessions of lost RelayState.</div>
<liclass="level1"><divclass="li"><strong>Use specific query_string method</strong>: the CGI query_string method may break invalid <abbrtitle="Uniform Resource Locator">URL</abbr> encoded signatures (issued for example by ADFS). This option allows to use a specific method to extract query string, that should be compliant with non standard <abbrtitle="Uniform Resource Locator">URL</abbr> encoded parameters.</div>
<p><divclass="noteclassic">Common Domain Cookie is also know as <ahref="http://www.switch.ch/aai/support/tools/wayf.html"class="urlextern"title="http://www.switch.ch/aai/support/tools/wayf.html"rel="nofollow">WAYF Service</a>.
The common domain is used by <ahref="../../documentation/1.9/authsaml.html"class="wikilink1"title="documentation:1.9:authsaml">SAML SP</a> to find an Identity Provider for the user, and by <ahref="../../documentation/1.9/idpsaml.html"class="wikilink1"title="documentation:1.9:idpsaml">SAML IDP</a> to register itself in user's IDP list.
<liclass="level1"><divclass="li"><strong>Reader <abbrtitle="Uniform Resource Locator">URL</abbr></strong>: <abbrtitle="Uniform Resource Locator">URL</abbr> used by <abbrtitle="Security Assertion Markup Language">SAML</abbr> SP to read the cookie. Leave blank to deactivate the feature.</div>
<liclass="level1"><divclass="li"><strong>Writer <abbrtitle="Uniform Resource Locator">URL</abbr></strong>: <abbrtitle="Uniform Resource Locator">URL</abbr> used by <abbrtitle="Security Assertion Markup Language">SAML</abbr> IDP to write the cookie. Leave blank to deactivate the feature.</div>
By default, <abbrtitle="LemonLDAP::NG">LL::NG</abbr> publish the public key in metadata, which may not fit to your partner SP or IDP. Here is a simple method to replace the public key by a certificate.
<liclass="level1"><divclass="li"> Create the certificate from the private key as explained in <ahref="../../documentation/1.9/applications/googleapps.html#certificate"class="wikilink1"title="documentation:1.9:applications:googleapps">Google Apps tutorial</a>.</div>