diff --git a/build/lemonldap-ng/doc/3.1-Install-prerequesites.html b/build/lemonldap-ng/doc/3.1-Install-prerequesites.html
index 130c18a28..53abeda42 100644
--- a/build/lemonldap-ng/doc/3.1-Install-prerequesites.html
+++ b/build/lemonldap-ng/doc/3.1-Install-prerequesites.html
@@ -152,6 +152,10 @@
HTML::Template
SOAP::Lite
+
+ Config::IniFiles
+
+ JSON
Reset Password
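Review bot: the two new prerequisite rows (Config::IniFiles and JSON) give neither a minimum version nor the component that needs them, so a packager cannot tell whether the distribution's version is sufficient or whether the modules are optional. Add the version the code actually requires (or state "any") and name the subsystem that pulls them in, as the other entries in this table are grouped by component.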
@@ -168,12 +172,19 @@
@@ -194,7 +205,7 @@
-# apt-get install apache2 libapache2-mod-perl2 libapache-session-perl libnet-ldap-perl libcache-cache-perl libdbi-perl perl-modules libwww-perl libcache-cache-perl libxml-simple-perl libsoap-lite-perl libhtml-template-perl libregexp-assemble-perl libjs-jquery libxml-libxml-perl libcrypt-rijndael-perl libio-string-perl libxml-libxslt-perl
+# apt-get install apache2 libapache2-mod-perl2 libapache-session-perl libnet-ldap-perl libcache-cache-perl libdbi-perl perl-modules libwww-perl libcache-cache-perl libxml-simple-perl libsoap-lite-perl libhtml-template-perl libregexp-assemble-perl libjs-jquery libxml-libxml-perl libcrypt-rijndael-perl libio-string-perl libxml-libxslt-perl libconfig-inifiles-perl libjson-perl
# apt-get install libstring-random-perl libemail-date-format-perl libmime-lite-perl
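Review bot: `libcache-cache-perl` appears twice in the apt-get line edited here (in both the old and the new version); since the line is being touched anyway, drop the duplicate. The line is now also very long and hard to review; splitting it with backslash continuations, in the same spirit as the separate `# apt-get install libstring-random-perl ...` line for optional modules, would make future additions easier to diff.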
@@ -211,7 +222,7 @@
-# yum install httpd mod_perl perl-Apache-Session perl-LDAP perl-XML-SAX perl-XML-NamespaceSupport perl-HTML-Template perl-Regexp-Assemble perl-Error perl-IPC-ShareLite perl-Cache-Cache perl-FreezeThaw perl-XML-Simple perl-version perl-CGI-Session perl-DBD-Pg perl-XML-LibXML-Common perl-BSD-Resource perl-XML-LibXML perl-Crypt-Rijndael perl-IO-String perl-XML-LibXSLT perl-SOAP-Lite
+# yum install httpd mod_perl perl-Apache-Session perl-LDAP perl-XML-SAX perl-XML-NamespaceSupport perl-HTML-Template perl-Regexp-Assemble perl-Error perl-IPC-ShareLite perl-Cache-Cache perl-FreezeThaw perl-XML-Simple perl-version perl-CGI-Session perl-DBD-Pg perl-XML-LibXML-Common perl-BSD-Resource perl-XML-LibXML perl-Crypt-Rijndael perl-IO-String perl-XML-LibXSLT perl-SOAP-Lite perl-Config-IniFiles perl-JSON
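Review bot: neither the apt-get nor the yum line mentions Lasso, yet the SAML page added in this same patch makes `liblasso3-perl` (Lasso >= 2.2.91, from http://deb.entrouvert.org/) a hard requirement for the SAML backend. Add it next to `perl-Config-IniFiles perl-JSON` marked as optional / SAML only, or cross-reference the SAML page, so the prerequisite list stays complete; for the RPM side the patch names no Lasso package at all, so say that explicitly rather than leaving the reader to guess.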
@@ -273,6 +284,18 @@
0.90 |
+
+
+ 1.0-rc1 |
+
+ |
+
+ |
+
+ |
+
+ |
+
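Review bot: the new compatibility row for `1.0-rc1 |` is inserted with every remaining cell empty (each following `|` has nothing between it and the next), so the row tells the reader nothing and can be misread as "no requirements". Either fill in the module versions for 1.0-rc1 (Config::IniFiles and JSON, which this patch introduces, belong in it) or hold the row back until the values are known.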
diff --git a/build/lemonldap-ng/doc/4.5-SAML-authentication-backend.html b/build/lemonldap-ng/doc/4.5-SAML-authentication-backend.html
index 3807cd849..cd579930a 100644
--- a/build/lemonldap-ng/doc/4.5-SAML-authentication-backend.html
+++ b/build/lemonldap-ng/doc/4.5-SAML-authentication-backend.html
@@ -63,11 +63,334 @@
+
+
+ Technical requirements
+
+
+
+
+
+ LemonLDAP::NG
+ configuration
+
+
+
+
+ Partner IDP
+ configuration
+ Since LemonLDAP::NG 1.0
Presentation
- This feature is a work in progress.
+ LemonLDAP::NG can used SAML2 authentication to
+ get user identity and grab some attributes defined in user profile on its
+ Identity Provider (IDP). In this case, LemonLDAP::NG acts like an SAML2
+ Service Provider (SP).
+
+ Several IDPs are allowed, in this case the user
+ will choose the IDP he wants. You can preselect IDP with an IDP resolution
+ rule.
+
+ For each IDP, you can configure attributes that
+ are asked. Some can be mandatory, so if they are not givn by IDP, the
+ session will not open.
+
+ Technical
+ requirements
+
+ Lasso
+
+ SAML2 implementation is based on Lasso.
+ You will need a very recent version of Lasso (>= 2.2.91).
+
+ For lucky Debian users, there are packages
+ available here: http://deb.entrouvert.org/.
+
+ You will only need to install liblasso3-perl
+ package:
+
+
+
+$ sudo apt-get install liblasso3-perl
+
+
+
+ Apache rewrite
+ rules
+
+ Be sure that mod_rewrite is installed and that SAML2 rewrite rules are
+ activated in etc/portal-apache2.conf:
+
+
+
+<IfModule mod_rewrite.c>
+ RewriteEngine On
+ RewriteRule ^/saml/metadata /metadata.pl
+ RewriteRule ^/saml/.* /index.pl
+</IfModule>
+
+
+
+ SAML2 IDP
+
+ Of course you need an SAML2 IDP. If you don't
+ have one, you can check:
+
+
+
+ Public/private
+ key
+
+ Since SAML2 use a lot a signature and encoding,
+ you need to generate a public/private key pair.
+
+ You can do this with openssl:
+
+
+
+$ openssl genrsa -out private_key.pem 1024
+$ openssl rsa -pubout -in private_key.pem -out public_key.pem
+
+
+
+ LemonLDAP::NG configuration
+
+ All configuration can be done with LemonLDAP::NG
+ Manager. Connect to it first (by default http://manager.example.com).
+
+ Authentication and UserDB
+
+ In General Parameters > Authentication, set:
+
+
+ - Users database type: SAML
+
+ - Authentication module: SAML
+
As passwords will not be managed by LL::NG, you can also go in
+ General Parameters > Portal :
+
+
+ - Display reset password: 0
+
+ - Display password change: 0
+
+
+ SAML2
+ Service
+
+ This is where you configure SAML2 settings for
+ LemonLDAP::NG service. These settings will be used to build metadata that
+ will be shared with identity providers.
+
+ Node SAML 2
+ Service
+
+
+ - Entity Identifier: your EntityID, often use as metadata URL, by
+ default http://auth.example.com/saml/metadata.
+ Change this value to fit your portal URL.
+
+ - Private key: copy all the content of your private key file, with
+ header and footer. This will not be published in metadata.
+
+
+ Node
+ Organization
+
+
+ - Display Name: will be displayed on IDP, this is often your society
+ name
+
+ - Name: internal name
+
+ - URL: URL of your society
+
+
+ Node Service
+ Provider
+
+
+ - Signed Authentication Request: set to On to require signed
+ authentication request. Off by default.
+
+ - Protocol: Protocol support enumeration string. Do not change.
+
+ - Signing Key: copy the content of your public key file,
+ without header and footer.
+
+
+ Node
+ SingleLogout
+
+ For each binding you can set:
+
+
+ - Location: Access Point for SLO request. Change this value to fit
+ your portal URL.
+
+ - Response Location: Access Point for SLO response. Change this value
+ to fit your portal URL.
+
+
+ Node
+ Assertion Consumer
+
+ For each binding you can set:
+
+
+ - Default: will this binding be used by default for authentication
+ response
+
+ - Index: Do not change.
+
+ - Binding: SAML2 binding string. Do not change.
+
+ - Location: Access Point for SSO request and response. Change this
+ value to fit your portal URL.
+
+
+ Node NameID
+ Format
+
+ For each NameID Format, you can activate and
+ deactivate it in metadata. The first will be chosen by default if no
+ NameID Format is set in authentication request.
+
+ Node Identity
+ Provider
+
+ Not used here.
+
+ Identity Provider registration
+
+ Now you have to register partner IDP. For that,
+ select node Identity Providers and click on New metadatas.
+
+ The IDP name is asked, enter it and click OK.
+
+ Metadata
+ XML
+
+ You must register IDP metadata here. You can do
+ it either by uploading the file, or with IDP metadata URL.
+
+ Node
+ Exported attributes
+
+ For each attribute, you can set:
+
+
+ - Key name: name of the key in LemonLDAP::NG session (for example
+ "uid" will then be used as $uid in access rules)
+
+ - Mandatory : if set to "On", then session will not open if this
+ attribure is not given by IDP.
+
+ - Name : SAML attribute name.
+
+ - Friendly Name: optional, SAML attribute friendly name.
+
+ - Format: optional, SAML attribute format.
+
+
+ Node
+ Options
+
+
+ - NameID format: force NameID format here (email, persitent,
+ transient, etc.). If no value, will use first NameID Format activated in
+ metadata.
+
+ - Force authentication: set ForceAuthn flag in authentication
+ request
+
+ - Allow proxied authentication: allow an authentication response to be
+ issued from another IDP that the one we register (proxy IDP)
+
+ - SSO binding: force binding to use for SSO (http-redirect, http-post,
+ etc.)
+
+ - SLO binding: force binding to use for SLO (http-redirect, http-post,
+ etc.)
+
+ - Resolution rule: Perl expression that will be evaluate to know if
+ this IDP is the default for the connected user. You can use for example
+ $ENV{ to get user's IP.
+
+
+ Partner IDP
+ configuration
+
+ You have to give LemonLDAP::NG metadata to your
+ partner. After previous steps, metadata can be viewed at Entity Identifier
+ URL (by default http://auth.example.com/saml/metadata/)
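Review bot: the key-generation step `$ openssl genrsa -out private_key.pem 1024` tells readers to create a 1024-bit RSA key for SAML signing and encryption, which is too short for a new deployment; the example should generate at least 2048 bits (`openssl genrsa -out private_key.pem 2048`). Related hardening gaps in the same hunk: "Signed Authentication Request ... Off by default" is documented without saying what an unsigned request exposes or recommending On; every URL example is plain http:// (`http://auth.example.com/saml/metadata`, `http://manager.example.com`) and "with IDP metadata URL" fetches partner metadata with no mention of verifying its origin, so either use https:// in the examples or state that metadata must be obtained over a trusted channel; "Allow proxied authentication" should carry a warning that it accepts responses from an IDP other than the one registered. The "SAML2 IDP" paragraph ends with "you can check:" and then lists nothing. Text fixes: "can used" should read "can use", "givn" "given", "attribure" "attribute", "persitent" "persistent", "society" (three occurrences) "organisation" or "company"; the Resolution rule example is cut off at `$ENV{` with the variable name missing; and the default Entity Identifier is given as `.../saml/metadata` but the closing paragraph uses `.../saml/metadata/` with a trailing slash, which matters if the IDP compares entity IDs literally.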
diff --git a/build/lemonldap-ng/scripts/doc.pl b/build/lemonldap-ng/scripts/doc.pl
index 658ea0579..b62f18c3c 100755
--- a/build/lemonldap-ng/scripts/doc.pl
+++ b/build/lemonldap-ng/scripts/doc.pl
@@ -53,7 +53,7 @@ my $docs = {
'http://wiki.lemonldap.ow2.org/xwiki/bin/view/NG/UserDBLDAP' => '4.6-LDAP-user-backend.html',
'http://wiki.lemonldap.ow2.org/xwiki/bin/view/NG/UserDBNull' => '4.6-Null-user-backend.html',
'http://wiki.lemonldap.ow2.org/xwiki/bin/view/NG/UserDBMulti' => '4.6-Multiple-user-backend.html',
- 'http://wiki.lemonldap.ow2.org/xwiki/bin/view/NG/userDBSAML' => '4.6-SAML-user-backend.html',
+ 'http://wiki.lemonldap.ow2.org/xwiki/bin/view/NG/userDBSAML' => '4.6-SAML-user-backend.html',
# Password backends
'http://wiki.lemonldap.ow2.org/xwiki/bin/view/NG/PasswordDBLDAP' => '4.7-LDAP-password-backend.html',
# LDAP specificities
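Review bot: the only change in this hunk is whitespace in the `userDBSAML` line (key and value are identical before and after), which adds noise to the patch and should be dropped unless it is a deliberate alignment fix. While here: the key uses lowercase `userDBSAML` whereas the neighbouring keys use `UserDBLDAP`, `UserDBNull`, `UserDBMulti`; if the xwiki page name is case-sensitive this mapping fetches the wrong page, so confirm the real page title and match its casing.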