<acronym title="LemonLDAP::NG">LL::NG</acronym> can act as a <acronym title="Security Assertion Markup Language">SAML</acronym> 2.0 Identity Provider, which allows <acronym title="LemonLDAP::NG">LL::NG</acronym> to be federated with:
<ul>
<li class="level1"><div class="li"> Another <acronym title="LemonLDAP::NG">LL::NG</acronym> system configured with <a href="../../documentation/1.4/authsaml.html" class="wikilink1" title="documentation:1.4:authsaml">SAML authentication</a></div></li>
</ul>
<p><div class="noteclassic">This requires configuring <acronym title="LemonLDAP::NG">LL::NG</acronym> as a <span class="curid"><a href="../../documentation/1.4/idpsaml.html" class="wikilink1" title="documentation:1.4:idpsaml">SAML Identity Provider</a></span>.</div></p>
<p>
Go to <code>General Parameters</code> » <code>Issuer modules</code> » <code><acronym title="Security Assertion Markup Language">SAML</acronym></code> and configure:
</p>
<ul>
<li class="level1"><div class="li"><strong>Activation</strong>: set to <code>On</code>.</div></li>
<li class="level1"><div class="li"><strong>Path</strong>: keep <code>^/saml/</code> unless you have changed the <acronym title="Security Assertion Markup Language">SAML</acronym> endpoint suffix in the <a href="../../documentation/1.4/samlservice.html" class="wikilink1" title="documentation:1.4:samlservice">SAML service configuration</a>.</div></li>
<li class="level1"><div class="li"><strong>Use rule</strong>: a rule that decides whether a user may use this module; set to <code>1</code> to always allow.</div></li>
</ul>
<p><div class="notetip">
For example, to allow only users with a strong authentication level:
<pre class="code">
$authenticationLevel > 2
</pre>
</div></p>
</div>
<!-- SECTION "IssuerDB" [432-907] -->
<h3><a name="register_lemonldapng_on_partner_service_provider" id="register_lemonldapng_on_partner_service_provider">Register LemonLDAP::NG on partner Service Provider</a></h3>
<div class="level3">
<p>
After configuring the <acronym title="Security Assertion Markup Language">SAML</acronym> service, you can export its metadata to your partner Service Provider.
</p>
<p>
The metadata are available at the EntityID <acronym title="Uniform Resource Locator">URL</acronym>, by default: <a href="http://auth.example.com/saml/metadata" class="urlextern" title="http://auth.example.com/saml/metadata" rel="nofollow">http://auth.example.com/saml/metadata</a>.
</p>
</div>
<!-- SECTION "Register LemonLDAP::NG on partner Service Provider" [908-1152] -->
<h3><a name="register_partner_service_provider_on_lemonldapng" id="register_partner_service_provider_on_lemonldapng">Register partner Service Provider on LemonLDAP::NG</a></h3>
<div class="level3">
<p>
In the Manager, select the node <acronym title="Security Assertion Markup Language">SAML</acronym> service providers and click on New service provider.
You must register the SP metadata here. You can do so either by uploading the file or by fetching it from the SP metadata <acronym title="Uniform Resource Locator">URL</acronym> (this requires a network link between your server and the SP).
</p>
<p><div class="notetip">You can also copy/paste the metadata: just click on the Edit button. When the text is pasted, click on the Apply button to keep the value.</div></p>
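<p>
Whichever direction the metadata travels (exporting the LL::NG metadata from its EntityID URL, or registering the SP metadata uploaded or fetched from the SP), it is worth checking what the document actually declares before trusting it. The Python snippet below is an added example, not code from the LemonLDAP::NG project: it parses a SAML 2.0 metadata document, reports the entityID, role descriptors, endpoints and signing certificates, and warns when an endpoint is not served over HTTPS (as with the <code>http://</code> default above) or when no signing certificate is present. The sample metadata is constructed and the certificate value is a placeholder.
</p>

```python
# Added example (not part of LemonLDAP::NG): sanity-check a SAML 2.0 metadata
# document before exchanging it with a partner, on either the IdP or the SP side.
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Role descriptor -> the endpoint element a partner needs from that role.
ROLE_ENDPOINTS = {"IDPSSODescriptor": "SingleSignOnService",
                  "SPSSODescriptor": "AssertionConsumerService"}

def inspect_metadata(xml_text: str) -> dict:
    """Return entityID, roles, endpoints, signing-cert count and warnings."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML 2.0 EntityDescriptor")
    info = {"entity_id": root.get("entityID"), "roles": [],
            "endpoints": [], "signing_certs": 0, "warnings": []}
    for role_tag, ep_tag in ROLE_ENDPOINTS.items():
        for role in root.findall("md:" + role_tag, NS):
            info["roles"].append(role_tag)
            for kd in role.findall("md:KeyDescriptor", NS):
                # A KeyDescriptor without a 'use' attribute is valid for signing too.
                if (kd.get("use") in (None, "signing")
                        and kd.find(".//ds:X509Certificate", NS) is not None):
                    info["signing_certs"] += 1
            for ep in role.findall("md:" + ep_tag, NS):
                loc = ep.get("Location", "")
                binding = ep.get("Binding", "").rsplit(":", 1)[-1]
                info["endpoints"].append((binding, loc))
                if not loc.startswith("https://"):
                    info["warnings"].append("endpoint not over HTTPS: " + loc)
    if not info["roles"]:
        info["warnings"].append("no IdP or SP role descriptor")
    if info["signing_certs"] == 0:
        info["warnings"].append("no signing certificate: signatures cannot be verified")
    return info

# Constructed, minimal IdP metadata in the shape published at an EntityID URL;
# the certificate value is a placeholder, not a real certificate.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://auth.example.com/saml/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      PLACEHOLDER-CERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://auth.example.com/saml/singleSignOn"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""
```

<p>
Calling <code>inspect_metadata(SAMPLE_IDP_METADATA)</code> on the page's plain <code>http://</code> default reports the SSO endpoint as not served over HTTPS, which is the kind of finding worth clearing before the metadata is handed to a partner.
</p>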
<ul>
<li class="level1"><div class="li"><strong>Key name</strong>: name of the key in the LemonLDAP::NG session</div></li>
<li class="level1"><div class="li"><strong>Mandatory</strong>: if set to <code>On</code>, this attribute is always sent in the authentication response. Otherwise it is only sent in an attribute response, when explicitly requested in an attribute request.</div></li>
<li class="level1"><div class="li"><strong>Default NameID format</strong>: used if no NameID format is requested, or if the requested NameID format is undefined. If no value is set, the default NameID format is Email.</div></li>
<li class="level1"><div class="li"><strong>Force NameID session key</strong>: if empty, the NameID mapping defined in the <a href="../../documentation/1.4/samlservice.html" class="wikilink1" title="documentation:1.4:samlservice">SAML service</a> configuration is used. You can force another session key here, whose value will be used as the NameID content.</div></li>
</ul>
<p>
These options override the service signature options (see <a href="../../documentation/1.4/samlservice.html#general_options" class="wikilink1" title="documentation:1.4:samlservice">SAML service configuration</a>).
</p>
<ul>
<li class="level1"><div class="li"><strong>Enable use of IDP initiated <acronym title="Uniform Resource Locator">URL</acronym></strong>: set to <code>On</code> to enable the IDP initiated <acronym title="Uniform Resource Locator">URL</acronym> on this SP.</div></li>
</ul>
<p>
The IDP initiated <acronym title="Uniform Resource Locator">URL</acronym> is the <acronym title="Security Assertion Markup Language">SAML</acronym> <acronym title="Single Sign On">SSO</acronym> <acronym title="Uniform Resource Locator">URL</acronym> with GET parameters:
</p>
<p>
For example: <a href="http://auth.example.com/saml/singleSignOn?IDPInitiated=1&spConfKey=simplesamlphp" class="urlextern" title="http://auth.example.com/saml/singleSignOn?IDPInitiated=1&spConfKey=simplesamlphp" rel="nofollow">http://auth.example.com/saml/singleSignOn?IDPInitiated=1&spConfKey=simplesamlphp</a>
</p>