SAML: documentation for AuthSAML

Clément Oudot 2010-03-12 16:27:35 +00:00
parent f80620fae4
commit 7da7106e5f
3 changed files with 352 additions and 6 deletions

View File

@ -152,6 +152,10 @@
<li>HTML::Template</li>
<li>SOAP::Lite</li>
<li>Config::IniFiles</li>
<li>JSON</li>
</ul>
<h4 class="heading-1-1-1"><span id="HResetPasswordbyMail">Reset Password
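Review bot: the two modules added here (`Config::IniFiles` and `JSON`) are not SAML-related, so this hunk does not match the commit message "SAML: documentation for AuthSAML"; either split them into their own commit or widen the message. Their package names in the apt-get and yum lines further down this file need to stay in step with this list.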
@ -168,12 +172,19 @@
<h4 class="heading-1-1-1"><span id="HExtras">Extras</span></h4>
<ul class="star">
<li>Lasso (see <span class="wikiexternallink"><a href=
<li>Lasso (Liberty Alliance, SAML2) (see <span class=
"wikiexternallink"><a href=
"http://lasso.entrouvert.org/">http://lasso.entrouvert.org/</a></span>)</li>
<li>CAS (see <span class="wikiexternallink"><a href=
"http://sourcesup.cru.fr/projects/perlcas/">http://sourcesup.cru.fr/projects/perlcas/</a></span>)</li>
<li>Net::OpenID::Consumer</li>
<li>Net::OpenID::Server</li>
<li>Net::Twitter</li>
<li>Test::POD</li>
</ul>
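Review bot: the reworded Lasso entry still gives no version constraint, while the SAML page added in this same commit requires Lasso &gt;= 2.2.91; state the minimum here as well, e.g. `<li>Lasso (Liberty Alliance, SAML2, version &gt;= 2.2.91) (see ...)</li>`, so readers checking prerequisites on this page are not surprised later.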
@ -194,7 +205,7 @@
<div class="code">
<pre>
# apt-get install apache2 libapache2-mod-perl2 libapache-session-perl libnet-ldap-perl libcache-cache-perl libdbi-perl perl-modules libwww-perl libcache-cache-perl libxml-simple-perl libsoap-lite-perl libhtml-template-perl libregexp-assemble-perl libjs-jquery libxml-libxml-perl libcrypt-rijndael-perl libio-string-perl libxml-libxslt-perl
# apt-get install apache2 libapache2-mod-perl2 libapache-session-perl libnet-ldap-perl libcache-cache-perl libdbi-perl perl-modules libwww-perl libcache-cache-perl libxml-simple-perl libsoap-lite-perl libhtml-template-perl libregexp-assemble-perl libjs-jquery libxml-libxml-perl libcrypt-rijndael-perl libio-string-perl libxml-libxslt-perl libconfig-inifiles-perl libjson-perl
# apt-get install libstring-random-perl libemail-date-format-perl libmime-lite-perl
</pre>
</div>
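Review bot: `libcache-cache-perl` appears twice in the edited apt-get line (once after `libnet-ldap-perl` and again after `libwww-perl`); drop the duplicate while touching the line. The two appended packages `libconfig-inifiles-perl libjson-perl` match the modules added to the requirements list above. `liblasso3-perl` is rightly absent here, since it comes from a third-party repository that the SAML page documents separately.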
@ -211,7 +222,7 @@
<div class="code">
<pre>
# yum install httpd mod_perl perl-Apache-Session perl-LDAP perl-XML-SAX perl-XML-NamespaceSupport perl-HTML-Template perl-Regexp-Assemble perl-Error perl-IPC-ShareLite perl-Cache-Cache perl-FreezeThaw perl-XML-Simple perl-version perl-CGI-Session perl-DBD-Pg perl-XML-LibXML-Common perl-BSD-Resource perl-XML-LibXML perl-Crypt-Rijndael perl-IO-<span class="java-object">String</span> perl-XML-LibXSLT perl-SOAP-Lite
# yum install httpd mod_perl perl-Apache-Session perl-LDAP perl-XML-SAX perl-XML-NamespaceSupport perl-HTML-Template perl-Regexp-Assemble perl-Error perl-IPC-ShareLite perl-Cache-Cache perl-FreezeThaw perl-XML-Simple perl-version perl-CGI-Session perl-DBD-Pg perl-XML-LibXML-Common perl-BSD-Resource perl-XML-LibXML perl-Crypt-Rijndael perl-IO-<span class="java-object">String</span> perl-XML-LibXSLT perl-SOAP-Lite perl-Config-IniFiles perl-JSON
</pre>
</div>
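Review bot: the `<pre>` block still carries the highlighter artifact `perl-IO-<span class="java-object">String</span>`; it renders as `perl-IO-String`, but it is markup inside a command meant to be copied, so replace it with the plain package name while this line is being edited. The appended `perl-Config-IniFiles perl-JSON` are consistent with the apt-get line and the module list.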
@ -273,6 +284,18 @@
<td>0.90</td>
</tr>
<tr class="table-even">
<td>1.0-rc1</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
</table>
</div>
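Review bot: the new `1.0-rc1` row has every cell set to `&nbsp;`, so it adds no information to the table; either fill in the values or hold the row until they are known.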

View File

@ -63,11 +63,334 @@
<ul>
<li><a href="#HPresentation">Presentation</a></li>
</ul>
<li>
<a href="#HTechnicalrequirements">Technical requirements</a>
<ul>
<li><a href="#HLasso">Lasso</a></li>
<li><a href="#HApacherewriterules">Apache rewrite rules</a></li>
<li><a href="#HSAML2IDP">SAML2 IDP</a></li>
<li><a href="#HPublic2Fprivatekey">Public/private key</a></li>
</ul>
</li>
<li>
<a href="#HLemonLDAP3A3ANGconfiguration">LemonLDAP::NG
configuration</a>
<ul>
<li><a href="#HAuthenticationandUserDB">Authentication and
UserDB</a></li>
<li>
<a href="#HSAML2Service">SAML2 Service</a>
<ul>
<li><a href="#HNodeSAML2Service">Node SAML 2 Service</a></li>
<li><a href="#HNodeOrganization">Node Organization</a></li>
<li>
<a href="#HNodeServiceProvider">Node Service Provider</a>
<ul>
<li><a href="#HNodeSingleLogout">Node SingleLogout</a></li>
<li><a href="#HNodeAssertionConsumer">Node Assertion
Consumer</a></li>
<li><a href="#HNodeNameIDFormat">Node NameID Format</a></li>
</ul>
</li>
<li><a href="#HNodeIdentityProvider">Node Identity
Provider</a></li>
</ul>
</li>
<li>
<a href="#HIdentityProviderregistration">Identity Provider
registration</a>
<ul>
<li><a href="#HMetadataXML">Metadata XML</a></li>
<li><a href="#HNodeExportedattributes">Node Exported
attributes</a></li>
<li><a href="#HNodeOptions">Node Options</a></li>
</ul>
</li>
</ul>
</li>
<li><a href="#HPartnerIDPconfiguration">Partner IDP
configuration</a></li>
</ul><strong class="strong">Since LemonLDAP::NG 1.0</strong>
<h3 class="heading-1-1"><span id="HPresentation">Presentation</span></h3>
<p class="paragraph"></p>This feature is a work in progress.
<p class="paragraph"></p>LemonLDAP::NG can used SAML2 authentication to
get user identity and grab some attributes defined in user profile on its
Identity Provider (IDP). In this case, LemonLDAP::NG acts like an SAML2
Service Provider (SP).
<p class="paragraph"></p>Several IDPs are allowed, in this case the user
will choose the IDP he wants. You can preselect IDP with an IDP resolution
rule.
<p class="paragraph"></p>For each IDP, you can configure attributes that
are asked. Some can be mandatory, so if they are not givn by IDP, the
session will not open.
<h3 class="heading-1-1"><span id="HTechnicalrequirements">Technical
requirements</span></h3>
<h4 class="heading-1-1-1"><span id="HLasso">Lasso</span></h4>
<p class="paragraph"></p>SAML2 implementation is based on <span class=
"wikiexternallink"><a href="http://lasso.entrouvert.org">Lasso</a></span>.
You will need a very recent version of Lasso (&gt;= 2.2.91).
<p class="paragraph"></p>For lucky Debian users, there are packages
available here: <span class="wikiexternallink"><a href=
"http://deb.entrouvert.org/">http://deb.entrouvert.org/</a></span>.
<p class="paragraph"></p>You will only need to install liblasso3-perl
package:
<div class="code">
<pre>
$ sudo apt-get install liblasso3-perl
</pre>
</div>
<h4 class="heading-1-1-1"><span id="HApacherewriterules">Apache rewrite
rules</span></h4><br />
<br />
Be sure that mod_rewrite is installed and that SAML2 rewrite rules are
activated in <strong class="strong">etc/portal-apache2.conf</strong>:
<div class="code">
<pre>
&lt;IfModule mod_rewrite.c&gt;
RewriteEngine On
RewriteRule ^/saml/metadata /metadata.pl
RewriteRule ^/saml/.* /index.pl
&lt;/IfModule&gt;
</pre>
</div>
<h4 class="heading-1-1-1"><span id="HSAML2IDP">SAML2 IDP</span></h4>
<p class="paragraph"></p>Of course you need an SAML2 IDP. If you don't
have one, you can check:
<ul class="star">
<li><span class="wikiexternallink"><a href=
"http://authentic.labs.libre-entreprise.org/">Authentic</a></span></li>
<li><span class="wikiexternallink"><a href=
"https://rnd.feide.no/simplesamlphp">simpleSAMLphp</a></span></li>
</ul>
<h4 class="heading-1-1-1"><span id="HPublic2Fprivatekey">Public/private
key</span></h4>
<p class="paragraph"></p>Since SAML2 use a lot a signature and encoding,
you need to generate a public/private key pair.
<p class="paragraph"></p>You can do this with openssl:
<div class="code">
<pre>
$ openssl genrsa -out private_key.pem 1024
$ openssl rsa -pubout -in private_key.pem -out public_key.pem
</pre>
</div>
<h3 class="heading-1-1"><span id=
"HLemonLDAP3A3ANGconfiguration">LemonLDAP::NG configuration</span></h3>
<p class="paragraph"></p>All configuration can be done with LemonLDAP::NG
Manager. Connect to it first (by default <span class=
"wikiexternallink"><a href=
"http://manager.example.com">http://manager.example.com</a></span>).
<h4 class="heading-1-1-1"><span id=
"HAuthenticationandUserDB">Authentication and UserDB</span></h4>
<p class="paragraph"></p>In General Parameters &gt; Authentication, set:
<ul class="star">
<li>Users database type: SAML</li>
<li>Authentication module: SAML</li>
</ul>As passwords will not be managed by LL::NG, you can also go in
General Parameters &gt; Portal :
<ul class="star">
<li>Display reset password: 0</li>
<li>Display password change: 0</li>
</ul>
<h4 class="heading-1-1-1"><span id="HSAML2Service">SAML2
Service</span></h4>
<p class="paragraph"></p>This is where you configure SAML2 settings for
LemonLDAP::NG service. These settings will be used to build metadata that
will be shared with identity providers.
<h5 class="heading-1-1-1-1"><span id="HNodeSAML2Service">Node SAML 2
Service</span></h5>
<ul class="star">
<li>Entity Identifier: your EntityID, often use as metadata URL, by
default <span class="nobr"><a href=
"http://auth.example.com/saml/metadata.">http://auth.example.com/saml/metadata.</a></span>
Change this value to fit your portal URL.</li>
<li>Private key: copy all the content of your private key file, with
header and footer. This will not be published in metadata.</li>
</ul>
<h5 class="heading-1-1-1-1"><span id="HNodeOrganization">Node
Organization</span></h5>
<ul class="star">
<li>Display Name: will be displayed on IDP, this is often your society
name</li>
<li>Name: internal name</li>
<li>URL: URL of your society</li>
</ul>
<h5 class="heading-1-1-1-1"><span id="HNodeServiceProvider">Node Service
Provider</span></h5>
<ul class="star">
<li>Signed Authentication Request: set to On to require signed
authentication request. Off by default.</li>
<li>Protocol: Protocol support enumeration string. Do not change.</li>
<li>Signing Key: copy the content of your public key file,
<strong class="strong">without</strong> header and footer.</li>
</ul>
<h6 class="heading-1-1-1-1-1"><span id="HNodeSingleLogout">Node
SingleLogout</span></h6>
<p class="paragraph"></p>For each binding you can set:
<ul class="star">
<li>Location: Access Point for SLO request. Change this value to fit
your portal URL.</li>
<li>Response Location: Access Point for SLO response. Change this value
to fit your portal URL.</li>
</ul>
<h6 class="heading-1-1-1-1-1"><span id="HNodeAssertionConsumer">Node
Assertion Consumer</span></h6>
<p class="paragraph"></p>For each binding you can set:
<ul class="star">
<li>Default: will this binding be used by default for authentication
response</li>
<li>Index: Do not change.</li>
<li>Binding: SAML2 binding string. Do not change.</li>
<li>Location: Access Point for SSO request and response. Change this
value to fit your portal URL.</li>
</ul>
<h6 class="heading-1-1-1-1-1"><span id="HNodeNameIDFormat">Node NameID
Format</span></h6>
<p class="paragraph"></p>For each NameID Format, you can activate and
deactivate it in metadata. The first will be chosen by default if no
NameID Format is set in authentication request.
<h5 class="heading-1-1-1-1"><span id="HNodeIdentityProvider">Node Identity
Provider</span></h5>
<p class="paragraph"></p>Not used here.
<h4 class="heading-1-1-1"><span id=
"HIdentityProviderregistration">Identity Provider registration</span></h4>
<p class="paragraph"></p>Now you have to register partner IDP. For that,
select node Identity Providers and click on New metadatas.
<p class="paragraph"></p>The IDP name is asked, enter it and click OK.
<h5 class="heading-1-1-1-1"><span id="HMetadataXML">Metadata
XML</span></h5>
<p class="paragraph"></p>You must register IDP metadata here. You can do
it either by uploading the file, or with IDP metadata URL.
<h5 class="heading-1-1-1-1"><span id="HNodeExportedattributes">Node
Exported attributes</span></h5>
<p class="paragraph"></p>For each attribute, you can set:
<ul class="star">
<li>Key name: name of the key in LemonLDAP::NG session (for example
"uid" will then be used as $uid in access rules)</li>
<li>Mandatory : if set to "On", then session will not open if this
attribure is not given by IDP.</li>
<li>Name : SAML attribute name.</li>
<li>Friendly Name: optional, SAML attribute friendly name.</li>
<li>Format: optional, SAML attribute format.</li>
</ul>
<h5 class="heading-1-1-1-1"><span id="HNodeOptions">Node
Options</span></h5>
<ul class="star">
<li>NameID format: force NameID format here (email, persitent,
transient, etc.). If no value, will use first NameID Format activated in
metadata.</li>
<li>Force authentication: set ForceAuthn flag in authentication
request</li>
<li>Allow proxied authentication: allow an authentication response to be
issued from another IDP that the one we register (proxy IDP)</li>
<li>SSO binding: force binding to use for SSO (http-redirect, http-post,
etc.)</li>
<li>SLO binding: force binding to use for SLO (http-redirect, http-post,
etc.)</li>
<li>Resolution rule: Perl expression that will be evaluate to know if
this IDP is the default for the connected user. You can use for example
$ENV{ to get user's IP.</li>
</ul>
<h3 class="heading-1-1"><span id="HPartnerIDPconfiguration">Partner IDP
configuration</span></h3>
<p class="paragraph"></p>You have to give LemonLDAP::NG metadata to your
partner. After previous steps, metadata can be viewed at Entity Identifier
URL (by default <span class="nobr"><a href=
"http://auth.example.com/saml/metadata/">http://auth.example.com/saml/metadata/</a></span>)
</div>
<p class="footer"><a href="index.html">Index</a></p>
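Review bot: the EntityID is stated inconsistently within the page: under "Node SAML 2 Service" the default is written `http://auth.example.com/saml/metadata.` with the sentence's full stop inside the href, while "Partner IDP configuration" gives `http://auth.example.com/saml/metadata/` with a trailing slash. An IDP compares the EntityID string exactly against the one in the metadata it imported, so the page should give one canonical value in both places (and move the period outside the link). Two further points before merging: the key-generation example uses `openssl genrsa -out private_key.pem 1024`, and a 1024-bit RSA key is too short for a signing key that will be published to partners, so show 2048 bits; and the "Resolution rule" sentence is cut off at `$ENV{` and needs the full variable name. The manager and metadata examples are all `http://`; a sentence noting that the SAML endpoints should be served over HTTPS would not hurt.

Wording and markup in the same hunk: "can used" (can use), "an SAML2" (a SAML2), "givn" (given), "attribure" (attribute), "persitent" (persistent), "use a lot a signature and encoding" (relies heavily on signatures and encryption, if encryption is what is meant), "society name" (company name), "another IDP that the one" (than the one), "New metadatas" (New metadata, unless that is the exact Manager label). Every `<p class="paragraph"></p>` is an empty element with its text placed after it rather than inside, and the "Apache rewrite rules" heading is followed by two bare `<br />` instead of a paragraph; both look like export artifacts worth cleaning up.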

View File

@ -53,7 +53,7 @@ my $docs = {
'http://wiki.lemonldap.ow2.org/xwiki/bin/view/NG/UserDBLDAP' => '4.6-LDAP-user-backend.html',
'http://wiki.lemonldap.ow2.org/xwiki/bin/view/NG/UserDBNull' => '4.6-Null-user-backend.html',
'http://wiki.lemonldap.ow2.org/xwiki/bin/view/NG/UserDBMulti' => '4.6-Multiple-user-backend.html',
'http://wiki.lemonldap.ow2.org/xwiki/bin/view/NG/userDBSAML' => '4.6-SAML-user-backend.html',
'http://wiki.lemonldap.ow2.org/xwiki/bin/view/NG/userDBSAML' => '4.6-SAML-user-backend.html',
# Password backends
'http://wiki.lemonldap.ow2.org/xwiki/bin/view/NG/PasswordDBLDAP' => '4.7-LDAP-password-backend.html',
# LDAP specificities
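Review bot: the removed and added `userDBSAML` lines are identical as rendered here, so the change appears to be whitespace only; if the intent was to align the key with its neighbours (`UserDBLDAP`, `UserDBNull`, `UserDBMulti`), the replacement should read `'http://wiki.lemonldap.ow2.org/xwiki/bin/view/NG/UserDBSAML' => '4.6-SAML-user-backend.html',`. Also check that the SAML authentication page added by this commit has its own entry in `$docs`, since only the UserDB entry is visible in this hunk.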