2020-05-14 23:29:41 +02:00
|
|
|
Active Directory Federation Services
|
|
|
|
|
====================================
|
|
|
|
|
|
|
|
|
|
|image0|
|
|
|
|
|
|
|
|
|
|
Presentation
|
|
|
|
|
------------
|
|
|
|
|
|
|
|
|
|
Microsoft ADFS (Active Directory Federation Services) is an
|
|
|
|
|
Identity/Service Provider, compatible with several protocols, including
|
|
|
|
|
SAML 2.0.
|
|
|
|
|
|
|
|
|
|
|
2020-05-21 15:13:24 +02:00
|
|
|
.. attention::
|
2020-05-14 23:29:41 +02:00
|
|
|
|
|
|
|
|
This documentation does not explains how to setup ADFS,
|
|
|
|
|
but give only tricks to make it works with LL::NG
|
|
|
|
|
|
|
|
|
|
ADFS as Identity Provider
|
|
|
|
|
-------------------------
|
|
|
|
|
|
|
|
|
|
When ADFS is declared as an Identity Provider in LemonLDAP::NG, you need
|
|
|
|
|
to take care of the following items:
|
|
|
|
|
|
|
|
|
|
- HTTPS is mandatory on LL::NG portal
|
|
|
|
|
- You need to use a certificate in LL::NG SAML metadata instead of a
|
|
|
|
|
raw public key
|
|
|
|
|
- Activate option ``Use specific query_string method`` in SAML Service
|
|
|
|
|
- Use SHA1 instead of SHA256 as signature algorithm on ADFS if using a
|
|
|
|
|
Lasso version < 2.5.0
|
|
|
|
|
- Force SAML response to be sent by POST and not Artifact (signature
|
|
|
|
|
verification fails with Artifact)
|
|
|
|
|
- Enable ``Allow proxy authentication`` in IDP options on LL::NG side
|
|
|
|
|
|
|
|
|
|
.. |image0| image:: /applications/microsoft-adfs.png
|
|
|
|
|
:class: align-center
|
|
|
|
|
|
