2018-11-26 14:15:43 +01:00
<!DOCTYPE html>
<html lang="en" dir="ltr">
<head>
<meta charset="utf-8" />
<title>documentation:2.0:renater</title>
<meta name="generator" content="DokuWiki" />
<meta name="robots" content="index,follow" />
<meta name="keywords" content="documentation,2.0,renater" />
<link rel="search" type="application/opensearchdescription+xml" href="lib/exe/opensearch.html" title="LemonLDAP::NG" />
<link rel="start" href="renater.html" />
<link rel="contents" href="renater.html" title="Sitemap" />
<link rel="stylesheet" type="text/css" href="lib/exe/css.php.t.bootstrap3.css" />
<!-- //if:usedebianlibs
<link rel="stylesheet" type="text/css" href="/javascript/bootstrap/css/bootstrap.min.css" />
//elsif:useexternallibs
<link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css" />
//elsif:cssminified
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.min.css" />
//else -->
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.css" />
<!-- //endif -->
<script type="text/javascript">/*<![CDATA[*/var NS='documentation:2.0';var JSINFO={"id":"documentation:2.0:renater","namespace":"documentation:2.0"};
/*!]]>*/</script>
<script type="text/javascript" charset="utf-8" src="lib/exe/js.php.t.bootstrap3.js"></script>
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery/jquery.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/jquery-2.2.0.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.js"></script>
<!-- //endif -->
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery-ui/jquery-ui.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/ui/1.10.4/jquery-ui.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.js"></script>
<!-- //endif -->
</head>
<body>
<div class="dokuwiki export container">
<!-- TOC START -->
<div id="dw__toc">
<h3 class="toggle">Table of Contents</h3>
<div>
<ul class="toc">
<li class="level1"><div class="li"><a href="#presentation">Presentation</a></div></li>
<li class="level1"><div class="li"><a href="#register_as_service_provider">Register as Service Provider</a></div>
<ul class="toc">
<li class="level2"><div class="li"><a href="#llng_configuration">LL::NG configuration</a></div></li>
<li class="level2"><div class="li"><a href="#metadata_import">Metadata import</a></div></li>
<li class="level2"><div class="li"><a href="#add_your_sp_into_the_federation">Add your SP into the federation</a></div></li>
</ul>
</li>
<li class="level1"><div class="li"><a href="#register_as_identity_provider">Register as Identity Provider</a></div>
<ul class="toc">
<li class="level2"><div class="li"><a href="#llng_configuration1">LL::NG configuration</a></div></li>
<li class="level2"><div class="li"><a href="#metadata_import1">Metadata import</a></div></li>
<li class="level2"><div class="li"><a href="#add_your_idp_into_the_federation">Add your IDP into the federation</a></div></li>
</ul></li>
</ul>
</div>
</div>
<!-- TOC END -->
<h1 class="sectionedit1" id="connect_to_renater_federation">Connect to Renater Federation</h1>
<div class="level1">
<p>
<img src="logos/1renater.png" class="mediacenter" alt="" />
</p>
</div>
<!-- EDIT1 SECTION "Connect to Renater Federation" [1 - 80] -->
<h2 class="sectionedit2" id="presentation">Presentation</h2>
<div class="level2">
<p>
<a href="https://www.renater.fr/" class="urlextern" title="https://www.renater.fr/" rel="nofollow">Renater</a> provides a <abbr title="Security Assertion Markup Language">SAML</abbr> federation for higher education in France.
</p>
<p>
It is based on SAMLv2 but adds some specific items, such as a WAYF service and a metadata bundle listing all the SPs and IDPs of the federation.
</p>
<p>
Since <abbr title="LemonLDAP::NG">LL::NG</abbr> 2.0, you can register into the Renater federation.
</p>
</div>
<!-- EDIT2 SECTION "Presentation" [81 - 401] -->
<h2 class="sectionedit3" id="register_as_service_provider">Register as Service Provider</h2>
<div class="level2">
</div>
<!-- EDIT3 SECTION "Register as Service Provider" [402 - 443] -->
<h3 class="sectionedit4" id="llng_configuration">LL::NG configuration</h3>
<div class="level3">
<p>
Configure <abbr title="LemonLDAP::NG">LL::NG</abbr> as a <abbr title="Security Assertion Markup Language">SAML</abbr> Service Provider by following this <a href="authsaml.html" class="wikilink1" title="documentation:2.0:authsaml">documentation</a>. You don't need to declare any IDP for the moment.
</p>
<p>
Configure the <a href="samlservice.html#discovery_protocol" class="wikilink1" title="documentation:2.0:samlservice">SAML Discovery Protocol</a> to redirect users to the WAYF service. The endpoint <abbr title="Uniform Resource Locator">URL</abbr> is <a href="https://discovery.renater.fr/renater/WAYF" class="urlextern" title="https://discovery.renater.fr/renater/WAYF" rel="nofollow">https://discovery.renater.fr/renater/WAYF</a>.
</p>
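<p>
The WAYF redirection described above, as an added example that is neither LemonLDAP::NG code nor part of this page: the SP builds the SAML IdP Discovery Protocol request (query parameters <code>entityID</code>, <code>return</code>, <code>returnIDParam</code>, optionally <code>isPassive</code>) towards the Renater WAYF, and when the browser comes back it accepts the chosen IdP only if that IdP is among the ones imported from the federation metadata, rejecting unknown values and duplicated parameters. The function names and the sample entity IDs are assumptions; only the WAYF URL comes from the page.
</p>

```python
"""Added example, not LemonLDAP::NG code: SAML IdP Discovery Protocol
(WAYF) round trip as seen from the Service Provider."""
from urllib.parse import urlencode, urlparse, parse_qs

# Endpoint given on the page
WAYF_URL = "https://discovery.renater.fr/renater/WAYF"


def build_discovery_url(sp_entity_id, return_url, wayf_url=WAYF_URL,
                        return_id_param="entityID", is_passive=False):
    """URL the SP redirects the browser to so the user picks an IdP.
    `return` must be a DiscoveryResponse endpoint the WAYF knows from the
    SP's registered metadata; the WAYF appends the chosen IdP to it."""
    params = {
        "entityID": sp_entity_id,          # who is asking
        "return": return_url,              # where to send the answer
        "returnIDParam": return_id_param,  # name of the answer parameter
    }
    if is_passive:
        params["isPassive"] = "true"       # no UI: answer only if already known
    return f"{wayf_url}?{urlencode(params)}"


def select_idp(return_request_url, known_idp_entity_ids, return_id_param="entityID"):
    """Parse the URL the WAYF redirected the browser back to.

    Returns the chosen IdP entityID only if it is one of the IdPs loaded
    from the federation metadata; anything else (unknown IdP, missing or
    duplicated parameter) yields None so the SP falls back to an error page
    instead of trusting a value the browser could have altered."""
    qs = parse_qs(urlparse(return_request_url).query)
    values = qs.get(return_id_param, [])
    if len(values) != 1:
        return None
    chosen = values[0]
    return chosen if chosen in known_idp_entity_ids else None


if __name__ == "__main__":
    # Constructed sample values (hypothetical SP and IdP)
    known = {"https://idp.univ-example.fr/idp/shibboleth"}
    print(build_discovery_url("https://sp.example.org/saml/metadata",
                              "https://sp.example.org/saml/disco"))
    back = "https://sp.example.org/saml/disco?entityID=https%3A%2F%2Fidp.univ-example.fr%2Fidp%2Fshibboleth"
    print(select_idp(back, known))
```

<p>
The check in <code>select_idp</code> is the part worth keeping in mind: the WAYF answer travels through the user's browser, so the SP must treat it as untrusted input and resolve it against its own imported IDP list rather than against whatever entityID was returned.
</p>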
</div>
<!-- EDIT4 SECTION "LL::NG configuration" [444 - 778] -->
<h3 class="sectionedit5" id="metadata_import">Metadata import</h3>
<div class="level3">
<p>
You now need to import IDP metadata into the <abbr title="LemonLDAP::NG">LL::NG</abbr> configuration. Use the <code>importMetadata</code> script, which should be installed in /usr/share/lemonldap-ng/bin. Select the correct metadata bundle among those proposed by Renater at <a href="https://services.renater.fr/federation/technique/metadata" class="urlextern" title="https://services.renater.fr/federation/technique/metadata" rel="nofollow">https://services.renater.fr/federation/technique/metadata</a>, for example:
</p>
<pre class="code">/usr/share/lemonldap-ng/bin/importMetadata -m https://metadata.federation.renater.fr/renater/main/main-idps-renater-metadata.xml -r -i "idp-renater" -s "sp-renater"</pre>
<div class="noteimportant">Run this command from cron so that the metadata stored in the <abbr title="LemonLDAP::NG">LL::NG</abbr> configuration is refreshed regularly.
</div>
<p>
If you need to customize some settings of the script, copy it and edit the configuration in the copy:
</p>
<pre class="code">cp /usr/share/lemonldap-ng/bin/importMetadata /usr/share/lemonldap-ng/bin/importMetadataCustom
vi /usr/share/lemonldap-ng/bin/importMetadataCustom</pre>
<p>
Set the attributes provided by the IDPs (use the <abbr title="Security Assertion Markup Language">SAML</abbr> Name, not the FriendlyName), for example:
</p>
<pre class="code file perl"># Exported attributes: config name => "mandatory flag;SAML attribute Name"
my $exportedAttributes = {
    'cn'                          => '0;urn:oid:2.5.4.3',
    'eduPersonPrincipalName'      => '1;urn:oid:1.3.6.1.4.1.5923.1.1.1.6',
    'givenName'                   => '0;urn:oid:2.5.4.42',
    'sn'                          => '0;urn:oid:2.5.4.4',
    'eduPersonAffiliation'        => '0;urn:oid:1.3.6.1.4.1.5923.1.1.1.1',
    'eduPersonPrimaryAffiliation' => '0;urn:oid:1.3.6.1.4.1.5923.1.1.1.5',
    'mail'                        => '0;urn:oid:0.9.2342.19200300.100.1.3',
    'supannListeRouge'            => '0;urn:oid:1.3.6.1.4.1.7135.1.2.1.1',
    'supannEtuCursusAnnee'        => '0;urn:oid:1.3.6.1.4.1.5923.1.1.1.10',
};</pre>
<p>
Adapt the IDP options, for example:
</p>
<pre class="code file perl"># Options applied to every IDP imported from the bundle
my $idpOptions = {
    'samlIDPMetaDataOptionsAdaptSessionUtime'        => 0,
    'samlIDPMetaDataOptionsAllowLoginFromIDP'        => 0,
    'samlIDPMetaDataOptionsAllowProxiedAuthn'        => 0,
    'samlIDPMetaDataOptionsCheckAudience'            => 1,
    'samlIDPMetaDataOptionsCheckSLOMessageSignature' => 1,
    'samlIDPMetaDataOptionsCheckSSOMessageSignature' => 1,
    'samlIDPMetaDataOptionsCheckTime'                => 1,
    'samlIDPMetaDataOptionsEncryptionMode'           => 'none',
    'samlIDPMetaDataOptionsForceAuthn'               => 0,
    'samlIDPMetaDataOptionsForceUTF8'                => 1,
    'samlIDPMetaDataOptionsIsPassive'                => 0,
    'samlIDPMetaDataOptionsNameIDFormat'             => 'transient',
    'samlIDPMetaDataOptionsRelayStateURL'            => 0,
    'samlIDPMetaDataOptionsSignSLOMessage'           => -1,
    'samlIDPMetaDataOptionsSignSSOMessage'           => -1,
    'samlIDPMetaDataOptionsStoreSAMLToken'           => 0,
    'samlIDPMetaDataOptionsUserAttribute'            => 'urn:oid:1.3.6.1.4.1.5923.1.1.1.6',
};</pre>
</div>
<!-- EDIT5 SECTION "Metadata import" [779 - 3520] -->
<h3 class="sectionedit6" id="add_your_sp_into_the_federation">Add your SP into the federation</h3>
<div class="level3">
<p>
Go to <a href="https://federation.renater.fr/registry" class="urlextern" title="https://federation.renater.fr/registry" rel="nofollow">https://federation.renater.fr/registry</a> and register your SP.
</p>
<div class="noteimportant">Be sure to check all attributes as mandatory so that you actually receive them in <abbr title="Security Assertion Markup Language">SAML</abbr> assertions.
</div>
</div>
<!-- EDIT6 SECTION "Add your SP into the federation" [3521 - 3747] -->
<h2 class="sectionedit7" id="register_as_identity_provider">Register as Identity Provider</h2>
<div class="level2">
</div>
<!-- EDIT7 SECTION "Register as Identity Provider" [3748 - 3790] -->
<h3 class="sectionedit8" id="llng_configuration1">LL::NG configuration</h3>
<div class="level3">
<p>
Configure <abbr title="LemonLDAP::NG">LL::NG</abbr> as a <abbr title="Security Assertion Markup Language">SAML</abbr> Identity Provider by following this <a href="idpsaml.html" class="wikilink1" title="documentation:2.0:idpsaml">documentation</a>. You don't need to declare any SP for the moment.
</p>
<div class="noteimportant">If your <abbr title="LemonLDAP::NG">LL::NG</abbr> server will act as both SP and IDP inside the Renater federation, you need to set the advanced parameter “Override Entity ID for IDP”. Indeed, Renater does not allow registering an SP and an IDP with the same entityID.
</div>
</div>
<!-- EDIT8 SECTION "LL::NG configuration" [3791 - 4198] -->
<h3 class="sectionedit9" id="metadata_import1">Metadata import</h3>
<div class="level3">
<p>
You now need to import SP metadata into the <abbr title="LemonLDAP::NG">LL::NG</abbr> configuration. Use the <code>importMetadata</code> script, which should be installed in /usr/share/lemonldap-ng/bin. Select the correct metadata bundle among those proposed by Renater at <a href="https://services.renater.fr/federation/technique/metadata" class="urlextern" title="https://services.renater.fr/federation/technique/metadata" rel="nofollow">https://services.renater.fr/federation/technique/metadata</a>, for example:
</p>
<pre class="code">/usr/share/lemonldap-ng/bin/importMetadata -m https://metadata.federation.renater.fr/renater/main/main-sps-renater-metadata.xml -r -i "idp-renater" -s "sp-renater"</pre>
<div class="noteimportant">Run this command from cron so that the metadata stored in the <abbr title="LemonLDAP::NG">LL::NG</abbr> configuration is refreshed regularly.
</div>
<p>
If you need to customize some settings of the script, copy it and edit the configuration in the copy:
</p>
<pre class="code">cp /usr/share/lemonldap-ng/bin/importMetadata /usr/share/lemonldap-ng/bin/importMetadataCustom
vi /usr/share/lemonldap-ng/bin/importMetadataCustom</pre>
<p>
Adapt the SP options, for example:
</p>
<pre class="code file perl"># Options applied to every SP imported from the bundle
my $spOptions = {
    'samlSPMetaDataOptionsCheckSLOMessageSignature'   => 1,
    'samlSPMetaDataOptionsCheckSSOMessageSignature'   => 1,
    'samlSPMetaDataOptionsEnableIDPInitiatedURL'      => 0,
    'samlSPMetaDataOptionsEncryptionMode'             => 'none',
    'samlSPMetaDataOptionsForceUTF8'                  => 1,
    'samlSPMetaDataOptionsNameIDFormat'               => '',
    'samlSPMetaDataOptionsNotOnOrAfterTimeout'        => 72000,
    'samlSPMetaDataOptionsOneTimeUse'                 => 0,
    'samlSPMetaDataOptionsSessionNotOnOrAfterTimeout' => 72000,
    'samlSPMetaDataOptionsSignSLOMessage'             => 1,
    'samlSPMetaDataOptionsSignSSOMessage'             => 1,
};</pre>
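<p>
The metadata import described in this section and in the Service Provider section above, as an added example that is not the project's <code>importMetadata</code> script: it parses a constructed federation bundle, refuses it when its <code>validUntil</code> has passed (so a cron refresh never installs stale metadata), produces one configuration entry per IDP and per SP under a name prefix (the <code>-i</code>/<code>-s</code> values from the page are assumed here to be such prefixes), and computes which existing entries a refresh with <code>-r</code> should remove. The naming scheme, the function names, the sample bundle and the existing entry names are assumptions; the attribute map and the IDP options are taken from this page.
</p>

```python
"""Added example, not LemonLDAP::NG's importMetadata: split a federation
metadata bundle into per-entity configuration entries and check its
validity window before a refresh replaces the current entries."""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD_NS}
ET.register_namespace("md", MD_NS)

# Attribute map from the page: config name => "mandatory;SAML Name"
EXPORTED_ATTRIBUTES = {
    "cn": "0;urn:oid:2.5.4.3",
    "eduPersonPrincipalName": "1;urn:oid:1.3.6.1.4.1.5923.1.1.1.6",
    "mail": "0;urn:oid:0.9.2342.19200300.100.1.3",
}
# Per-IDP options from the page: signatures, audience and time are checked
IDP_OPTIONS = {
    "samlIDPMetaDataOptionsCheckSSOMessageSignature": 1,
    "samlIDPMetaDataOptionsCheckSLOMessageSignature": 1,
    "samlIDPMetaDataOptionsCheckAudience": 1,
    "samlIDPMetaDataOptionsCheckTime": 1,
    "samlIDPMetaDataOptionsEncryptionMode": "none",
    "samlIDPMetaDataOptionsNameIDFormat": "transient",
    "samlIDPMetaDataOptionsUserAttribute": "urn:oid:1.3.6.1.4.1.5923.1.1.1.6",
}

# Constructed two-entity bundle standing in for the Renater download
SAMPLE_BUNDLE = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    validUntil="2099-01-01T00:00:00Z">
  <md:EntityDescriptor entityID="https://idp.univ-a.example/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp.univ-a.example/idp/profile/SAML2/Redirect/SSO"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.univ-b.example/sp">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://sp.univ-b.example/sp/acs" index="0"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

# Constructed: IDP entry names already present before the refresh
EXISTING_IDP_NAMES = [
    "idp-renater-https-idp.univ-a.example-idp-shibboleth",
    "idp-renater-https-idp.old.example-idp",   # no longer in the bundle
]


def parse_valid_until(value):
    """SAML metadata timestamps are UTC ('Z'); fractional seconds are optional."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unparseable validUntil: {value!r}")


def config_name(prefix, entity_id):
    """Hypothetical naming scheme: prefix + entityID with characters that are
    not safe in a config key collapsed to '-' (the real scheme is not shown)."""
    return prefix + "-" + re.sub(r"[^A-Za-z0-9.]+", "-", entity_id).strip("-")


def split_bundle(xml_text, idp_prefix="idp-renater", sp_prefix="sp-renater", now=None):
    """Return (idps, sps) as config-name => entry dicts; raise if expired."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    valid_until = root.get("validUntil")
    if valid_until is not None and parse_valid_until(valid_until) <= now:
        raise ValueError(f"metadata bundle expired at {valid_until}")
    idps, sps = {}, {}
    for ed in root.iter(f"{{{MD_NS}}}EntityDescriptor"):   # nested bundles too
        entity_id = ed.get("entityID")
        xml = ET.tostring(ed, encoding="unicode")         # metadata kept per entity
        if ed.find("md:IDPSSODescriptor", NS) is not None:
            idps[config_name(idp_prefix, entity_id)] = {
                "entityID": entity_id, "metadata": xml,
                "exportedAttributes": dict(EXPORTED_ATTRIBUTES),
                "options": dict(IDP_OPTIONS)}
        if ed.find("md:SPSSODescriptor", NS) is not None:
            sps[config_name(sp_prefix, entity_id)] = {"entityID": entity_id, "metadata": xml}
    return idps, sps


def stale_entries(existing_names, fresh_names):
    """What a refresh with -r has to delete: entries in the current
    configuration that are absent from the freshly downloaded bundle."""
    return sorted(set(existing_names) - set(fresh_names))


def bundle_is_usable(xml_text):
    """True only if the bundle parses and is inside its validity window."""
    try:
        split_bundle(xml_text)
        return True
    except (ValueError, ET.ParseError):
        return False


if __name__ == "__main__":
    idps, sps = split_bundle(SAMPLE_BUNDLE)
    print(sorted(idps), sorted(sps), stale_entries(EXISTING_IDP_NAMES, idps))
```

<p>
The <code>validUntil</code> check is the point of running this from a script rather than trusting whatever the cron job downloaded: a bundle that is syntactically fine but past its validity window must not replace the entries currently in the configuration. Signature verification of the downloaded bundle belongs at the same place, before any entry is written.
</p>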
</div>
<!-- EDIT9 SECTION "Metadata import" [4199 - 5798] -->
<h3 class="sectionedit10" id="add_your_idp_into_the_federation">Add your IDP into the federation</h3>
<div class="level3">
<p>
Go to <a href="https://federation.renater.fr/registry" class="urlextern" title="https://federation.renater.fr/registry" rel="nofollow">https://federation.renater.fr/registry</a> and register your IDP.
</p>
</div>
<!-- EDIT10 SECTION "Add your IDP into the federation" [5799 - ] --></div>
</body>
</html>