<li class="level2"><div class="li"><a href="#register_lemonldapng_on_partner_service_provider">Register LemonLDAP::NG on partner Service Provider</a></div></li>
<li class="level2"><div class="li"><a href="#register_partner_service_provider_on_lemonldapng">Register partner Service Provider on LemonLDAP::NG</a></div>
<abbr title="LemonLDAP::NG">LL::NG</abbr> can act as a <abbr title="Security Assertion Markup Language">SAML</abbr> 2.0 Identity Provider, which allows you to federate <abbr title="LemonLDAP::NG">LL::NG</abbr> with:
<li class="level1"><div class="li"> Another <abbr title="LemonLDAP::NG">LL::NG</abbr> system configured with <a href="authsaml.html" class="wikilink1" title="documentation:2.0:authsaml">SAML authentication</a></div>
Go to <code>General Parameters</code> » <code>Issuer modules</code> » <code><abbr title="Security Assertion Markup Language">SAML</abbr></code> and configure:
</p>
<ul>
<li class="level1"><div class="li"><strong>Activation</strong>: set to <code>On</code>.</div>
</li>
<li class="level1"><div class="li"><strong>Path</strong>: keep <code>^/saml/</code> unless you have changed the <abbr title="Security Assertion Markup Language">SAML</abbr> endpoint suffix in the <a href="samlservice.html" class="wikilink1" title="documentation:2.0:samlservice">SAML service configuration</a>.</div>
</li>
<li class="level1"><div class="li"><strong>Use rule</strong>: a rule that decides which users may use this module; set it to <code>1</code> to always allow.</div>
</li>
</ul>
<div class="notetip">For example, to allow only users with a strong authentication level:
They are available at the EntityID <abbr title="Uniform Resource Locator">URL</abbr>, by default <a href="http://auth.example.com/saml/metadata" class="urlextern" title="http://auth.example.com/saml/metadata" rel="nofollow">http://auth.example.com/saml/metadata</a>. You can also use <a href="http://auth.example.com/saml/metadata/idp" class="urlextern" title="http://auth.example.com/saml/metadata/idp" rel="nofollow">http://auth.example.com/saml/metadata/idp</a> to get only the IDP-related metadata.
In the Manager, select the <abbr title="Security Assertion Markup Language">SAML</abbr> service providers node and click on <code>Add <abbr title="Security Assertion Markup Language">SAML</abbr> SP</code>.
</p>
<p>
You are asked for the SP name; enter it and click OK.
</p>
<p>
Now you have access to the SP parameters list.
</p>
</div>
<h4 id="metadata">Metadata</h4>
<div class="level4">
<p>
You must register the SP metadata here. You can do it either by uploading the file or by fetching it from the SP metadata <abbr title="Uniform Resource Locator">URL</abbr> (this requires a network link between your server and the SP).
<li class="level1"><div class="li"><strong>Mandatory</strong>: if set to “On”, this attribute is required to build the <abbr title="Security Assertion Markup Language">SAML</abbr> response, and an error will be displayed if it has no value. An optional attribute is sent only if a value is associated with it. Otherwise it will only be sent through an attribute response, if explicitly requested in an attribute request.</div>
<li class="level1"><div class="li"><strong>Default NameID format</strong>: if no NameID format is requested, or the requested NameID format is undefined, this NameID format will be used. If left empty, the default NameID format is Email.</div>
</li>
<li class="level1"><div class="li"><strong>Force NameID session key</strong>: if empty, the NameID mapping defined in the <a href="samlservice.html" class="wikilink1" title="documentation:2.0:samlservice">SAML service</a> configuration will be used. You can force here another session key that will be used as NameID content.</div>
</li>
<li class="level1"><div class="li"><strong>One Time Use</strong>: set the OneTimeUse flag in the authentication response (<code>&lt;Conditions&gt;</code>).</div>
</li>
<li class="level1"><div class="li"><strong>sessionNotOnOrAfter duration</strong>: time in seconds, added to the authentication time, that defines the sessionNotOnOrAfter value in the <abbr title="Security Assertion Markup Language">SAML</abbr> response (<code>&lt;AuthnStatement&gt;</code>):</div>
<li class="level1"><div class="li"><strong>notOnOrAfter duration</strong>: time in seconds, added to the authentication time, that defines the notOnOrAfter value in the <abbr title="Security Assertion Markup Language">SAML</abbr> response (<code>&lt;Conditions&gt;</code> and <code>&lt;SubjectConfirmationData&gt;</code>):</div>
<div class="noteimportant">There is a time tolerance of 60 seconds in <code>&lt;Conditions&gt;</code>
</div><ul>
<li class="level1"><div class="li"><strong>Force UTF-8</strong>: activate to force UTF-8 decoding of values in <abbr title="Security Assertion Markup Language">SAML</abbr> attributes. If set to 0, the value from the session is copied directly into the <abbr title="Security Assertion Markup Language">SAML</abbr> attribute.</div>
</li>
</ul>
</div>
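<p>To see how the notOnOrAfter and sessionNotOnOrAfter durations and the 60-second tolerance on <code>&lt;Conditions&gt;</code> play out on the receiving side, here is an added example (not LL::NG code) of the time checks a Service Provider should run on an assertion. The assertion fragment is constructed; it assumes authentication at 12:00:00Z, a notOnOrAfter duration of 3600 s, a sessionNotOnOrAfter duration of 43200 s and One Time Use enabled.</p>

```python
"""SP-side check of the time windows LL::NG writes into a SAML assertion.

Added example, not LL::NG code. The page's 60-second tolerance on <Conditions>
is applied as clock-skew allowance; the other two stamps are checked strictly.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
TOLERANCE = timedelta(seconds=60)

# Constructed assertion: auth at 12:00:00Z, notOnOrAfter duration 3600 s,
# sessionNotOnOrAfter duration 43200 s, One Time Use enabled.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:SubjectConfirmation>
    <saml:SubjectConfirmationData NotOnOrAfter="2024-01-01T13:00:00Z"/>
  </saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T13:00:00Z">
    <saml:OneTimeUse/>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2024-01-01T12:00:00Z" SessionNotOnOrAfter="2024-01-02T00:00:00Z"/>
</saml:Assertion>"""

def parse_ts(value):
    """Parse the UTC timestamp form used in SAML assertions."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_assertion_times(xml_text, now):
    """Return the list of violated time conditions (empty list means accept)."""
    root = ET.fromstring(xml_text)
    problems = []
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return ["missing <Conditions>"]
    # <Conditions>: the 60 s tolerance from the page is allowed in both directions
    if cond.get("NotBefore") and now + TOLERANCE < parse_ts(cond.get("NotBefore")):
        problems.append("Conditions/NotBefore not yet reached")
    if cond.get("NotOnOrAfter") and now - TOLERANCE >= parse_ts(cond.get("NotOnOrAfter")):
        problems.append("Conditions/NotOnOrAfter passed")
    # <SubjectConfirmationData> and <AuthnStatement> stamps: strict comparison
    scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is not None and scd.get("NotOnOrAfter") and now >= parse_ts(scd.get("NotOnOrAfter")):
        problems.append("SubjectConfirmationData/NotOnOrAfter passed")
    stmt = root.find("saml:AuthnStatement", NS)
    if stmt is not None and stmt.get("SessionNotOnOrAfter") and now >= parse_ts(stmt.get("SessionNotOnOrAfter")):
        problems.append("AuthnStatement/SessionNotOnOrAfter passed")
    return problems

def one_time_use(xml_text):
    """True when the IdP set OneTimeUse, so the SP must not cache or replay the assertion."""
    return ET.fromstring(xml_text).find("saml:Conditions/saml:OneTimeUse", NS) is not None
```

Note that 30 seconds after the notOnOrAfter deadline the <code>&lt;Conditions&gt;</code> check still passes under the tolerance while the strict <code>&lt;SubjectConfirmationData&gt;</code> check already rejects the assertion.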
<h5 id="signature">Signature</h5>
<div class="level5">
<p>
These options override the service signature options (see <a href="samlservice.html#general_options" class="wikilink1" title="documentation:2.0:samlservice">SAML service configuration</a>).
<li class="level1"><div class="li"><strong>Encryption mode</strong>: set the encryption mode for this IDP (None, NameID or Assertion).</div>
</li>
<li class="level1"><div class="li"><strong>Enable use of IDP initiated <abbr title="Uniform Resource Locator">URL</abbr></strong>: set to <code>On</code> to enable the IDP Initiated <abbr title="Uniform Resource Locator">URL</abbr> on this SP.</div>
</li>
</ul>
<div class="notetip">The IDP Initiated <abbr title="Uniform Resource Locator">URL</abbr> is the <abbr title="Single Sign On">SSO</abbr> <abbr title="Security Assertion Markup Language">SAML</abbr> <abbr title="Uniform Resource Locator">URL</abbr> with GET parameters:<ul>
For example: <a href="http://auth.example.com/saml/singleSignOn?IDPInitiated=1&amp;spConfKey=simplesamlphp" class="urlextern" title="http://auth.example.com/saml/singleSignOn?IDPInitiated=1&amp;spConfKey=simplesamlphp" rel="nofollow">http://auth.example.com/saml/singleSignOn?IDPInitiated=1&amp;spConfKey=simplesamlphp</a>
Using both Issuer::<abbr title="Security Assertion Markup Language">SAML</abbr> and Auth::<abbr title="Security Assertion Markup Language">SAML</abbr> on the same LLNG instance may have side effects on single logout.