Doc update:

* Typo in Zimbra
* New reference: Region Basse-Normandie
* SAML (SP and IDP) (Closes #131)
This commit is contained in:
Clément Oudot 2010-07-23 14:17:57 +00:00
parent 6edaf7c264
commit bde14e8852
18 changed files with 912 additions and 265 deletions

View File

@ -341,7 +341,10 @@
<p class="paragraph"></p><i class="italic">Services pouvant utiliser
LemonLDAP::NG comme fournisseur d'identit&eacute;</i>
<ul class="star"></ul>
<ul class="star">
<li><span class="wikilink"><a href=
"4.8-SAML-issuer-backend.html">SAML</a></span> (en)</li>
</ul>
<h4 class="heading-1-1-1"><span id=
"HSpC3A9cificitC3A9sLDAP">Sp&eacute;cificit&eacute;s LDAP</span></h4>
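Review bot: the hunk shows an empty `<ul class="star"></ul>` immediately before the new populated list; confirm the empty element is the line being removed, otherwise the rendered French page carries a stray empty list right above the SAML entry. The `(en)` marker after the link is appropriate here, since the target chapter `4.8-SAML-issuer-backend.html` exists only in English.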

View File

@ -331,7 +331,10 @@
<p class="paragraph"></p><i class="italic">Services that can use
LemonLDAP::NG as Identity Provider</i>
<ul class="star"></ul>
<ul class="star">
<li><span class="wikilink"><a href=
"4.8-SAML-issuer-backend.html">SAML</a></span> (en)</li>
</ul>
<h4 class="heading-1-1-1"><span id="HLDAPspecificities">LDAP
specificities</span></h4>
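Review bot: the `(en)` suffix after the SAML link is redundant on the English page (it flags the target chapter as English-only, which is already this page's language) and can be dropped. As in the French copy, make sure the empty `<ul class="star"></ul>` is the removed line so no empty list element is left in the output.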

View File

@ -65,72 +65,51 @@
<li><a href="#HPresentation">Presentation</a></li>
<li>
<a href="#HTechnicalrequirements">Technical requirements</a>
<a href="#HConfiguration">Configuration</a>
<ul>
<li><a href="#HLasso">Lasso</a></li>
<li><a href="#HSAMLService">SAML Service</a></li>
<li><a href="#HApacherewriterules">Apache rewrite rules</a></li>
<li><a href="#HSAML2IDP">SAML2 IDP</a></li>
<li><a href="#HPublic2Fprivatekey">Public/private key</a></li>
</ul>
</li>
<li>
<a href="#HLemonLDAP3A3ANGconfiguration">LemonLDAP::NG
configuration</a>
<ul>
<li><a href="#HAuthenticationandUserDB">Authentication and
UserDB</a></li>
<li><a href=
"#HRegisterLemonLDAP3A3ANGonpartnerIdentityProvider">Register
LemonLDAP::NG on partner Identity Provider</a></li>
<li>
<a href="#HSAML2Service">SAML2 Service</a>
<a href=
"#HRegisterpartnerIdentityProvideronLemonLDAP3A3ANG">Register
partner Identity Provider on LemonLDAP::NG</a>
<ul>
<li><a href="#HNodeSAML2Service">Node SAML 2 Service</a></li>
<li><a href="#HMetadata">Metadata</a></li>
<li><a href="#HNodeOrganization">Node Organization</a></li>
<li><a href="#HExportedattributes">Exported attributes</a></li>
<li>
<a href="#HNodeServiceProvider">Node Service Provider</a>
<a href="#HOptions">Options</a>
<ul>
<li><a href="#HNodeSingleLogout">Node SingleLogout</a></li>
<li><a href="#HGeneraloptions">General options</a></li>
<li><a href="#HNodeAssertionConsumer">Node Assertion
Consumer</a></li>
<li><a href="#HAuthenticationrequest">Authentication
request</a></li>
<li><a href="#HNodeNameIDFormat">Node NameID Format</a></li>
<li><a href="#HSession">Session</a></li>
<li><a href="#HSignature">Signature</a></li>
<li><a href="#HBinding">Binding</a></li>
<li><a href="#HSecurity">Security</a></li>
</ul>
</li>
<li><a href="#HNodeIdentityProvider">Node Identity
Provider</a></li>
</ul>
</li>
<li>
<a href="#HIdentityProviderregistration">Identity Provider
registration</a>
<ul>
<li><a href="#HMetadataXML">Metadata XML</a></li>
<li><a href="#HNodeExportedattributes">Node Exported
attributes</a></li>
<li><a href="#HNodeOptions">Node Options</a></li>
</ul>
</li>
</ul>
</li>
<li><a href="#HPartnerIDPconfiguration">Partner IDP
configuration</a></li>
</ul><strong class="strong">Since LemonLDAP::NG 1.0</strong>
</ul><strong class="strong">Since LemonLDAP::NG 1.0rc1</strong>
<h3 class="heading-1-1"><span id="HPresentation">Presentation</span></h3>
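Review bot: the banner moves from `Since LemonLDAP::NG 1.0` to `Since LemonLDAP::NG 1.0rc1`, while the issuer page added in this same commit says `Since LemonLDAP::NG 1.0rc2`; double-check both against the release in which each module actually shipped, since readers rely on these markers to decide whether their version supports the feature. The new table of contents is hand-written, so every `href` has to match the `id` of the heading it targets further down this file (for example `#HRegisterpartnerIdentityProvideronLemonLDAP3A3ANG`); they do match in this patch, but a link check on the generated HTML would catch future drift.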
@ -144,82 +123,16 @@
rule.
<p class="paragraph"></p>For each IDP, you can configure attributes that
are asked. Some can be mandatory, so if they are not givn by IDP, the
session will not open.
<h3 class="heading-1-1"><span id="HTechnicalrequirements">Technical
requirements</span></h3>
<h4 class="heading-1-1-1"><span id="HLasso">Lasso</span></h4>
<p class="paragraph"></p>SAML2 implementation is based on <span class=
"wikiexternallink"><a href="http://lasso.entrouvert.org">Lasso</a></span>.
You will need a very recent version of Lasso (&gt;= 2.2.91).
<p class="paragraph"></p>For lucky Debian users, there are packages
available here: <span class="wikiexternallink"><a href=
"http://deb.entrouvert.org/">http://deb.entrouvert.org/</a></span>.
<p class="paragraph"></p>You will only need to install liblasso3-perl
package:
<div class="code">
<pre>
$ sudo apt-get install liblasso3-perl
</pre>
</div>
<h4 class="heading-1-1-1"><span id="HApacherewriterules">Apache rewrite
rules</span></h4><br />
<br />
Be sure that mod_rewrite is installed and that SAML2 rewrite rules are
activated in <strong class="strong">etc/portal-apache2.conf</strong>:
<div class="code">
<pre>
&lt;IfModule mod_rewrite.c&gt;
RewriteEngine On
RewriteRule ^/saml/metadata /metadata.pl
RewriteRule ^/saml/.* /index.pl
&lt;/IfModule&gt;
</pre>
</div>
<h4 class="heading-1-1-1"><span id="HSAML2IDP">SAML2 IDP</span></h4>
<p class="paragraph"></p>Of course you need an SAML2 IDP. If you don't
have one, you can check:
<ul class="star">
<li><span class="wikiexternallink"><a href=
"http://authentic.labs.libre-entreprise.org/">Authentic</a></span></li>
<li><span class="wikiexternallink"><a href=
"https://rnd.feide.no/simplesamlphp">simpleSAMLphp</a></span></li>
</ul>
<h4 class="heading-1-1-1"><span id="HPublic2Fprivatekey">Public/private
key</span></h4>
<p class="paragraph"></p>Since SAML2 use a lot a signature and encoding,
you need to generate a public/private key pair.
<p class="paragraph"></p>You can do this with openssl:
<div class="code">
<pre>
$ openssl genrsa -out private_key.pem 1024
$ openssl rsa -pubout -in private_key.pem -out public_key.pem
</pre>
</div>
are collected. Some can be mandatory, so if they are not retruned by IDP,
the session will not open.
<h3 class="heading-1-1"><span id=
"HLemonLDAP3A3ANGconfiguration">LemonLDAP::NG configuration</span></h3>
"HConfiguration">Configuration</span></h3>
<p class="paragraph"></p>All configuration can be done with LemonLDAP::NG
Manager. Connect to it first (by default <span class=
"wikiexternallink"><a href=
"http://manager.example.com">http://manager.example.com</a></span>).
<h4 class="heading-1-1-1"><span id="HSAMLService">SAML Service</span></h4>
<p class="paragraph"></p>See <span class="wikilink"><a href=
"SAMLService.html">SAML service configuration chapter</a></span>.
<h4 class="heading-1-1-1"><span id=
"HAuthenticationandUserDB">Authentication and UserDB</span></h4>
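Review bot: the replacement sentence trades one typo for another: `if they are not retruned by IDP` should read `if they are not returned by the IDP` (the removed line had `givn`). Moving the Lasso, Apache rewrite and key-generation prerequisites out of this page and into SAMLService.html is the right call; note that the removed text required Lasso >= 2.2.91 while the new service page requires >= 2.3.0, so the cross-link is now the only place that requirement is stated and the two pages must stay in sync.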
@ -239,179 +152,177 @@ $ openssl rsa -pubout -in private_key.pem -out public_key.pem
<li>Display password change: 0</li>
</ul>
<h4 class="heading-1-1-1"><span id="HSAML2Service">SAML2
Service</span></h4>
<h4 class="heading-1-1-1"><span id=
"HRegisterLemonLDAP3A3ANGonpartnerIdentityProvider">Register LemonLDAP::NG
on partner Identity Provider</span></h4>
<p class="paragraph"></p>This is where you configure SAML2 settings for
LemonLDAP::NG service. These settings will be used to build metadata that
will be shared with identity providers.
<h5 class="heading-1-1-1-1"><span id="HNodeSAML2Service">Node SAML 2
Service</span></h5>
<ul class="star">
<li>Entity Identifier: your EntityID, often use as metadata URL, by
default <span class="nobr"><a href=
"http://auth.example.com/saml/metadata.">http://auth.example.com/saml/metadata.</a></span>
Change this value to fit your portal URL.</li>
<li>Private key: load your private key file. This will not be published
in metadata.</li>
</ul>
<h5 class="heading-1-1-1-1"><span id="HNodeOrganization">Node
Organization</span></h5>
<ul class="star">
<li>Display Name: will be displayed on IDP, this is often your society
name</li>
<li>Name: internal name</li>
<li>URL: URL of your society</li>
</ul>
<h5 class="heading-1-1-1-1"><span id="HNodeServiceProvider">Node Service
Provider</span></h5>
<ul class="star">
<li>Signed Authentication Request: set to On to require signed
authentication request. Off by default.</li>
<li>Signing Key: load your public key file.</li>
</ul>
<h6 class="heading-1-1-1-1-1"><span id="HNodeSingleLogout">Node
SingleLogout</span></h6>
<p class="paragraph"></p>For each binding you can set:
<ul class="star">
<li>Location: Access Point for SLO request. Change this value to fit
your portal URL.</li>
<li>Response Location: Access Point for SLO response. Change this value
to fit your portal URL.</li>
</ul>
<h6 class="heading-1-1-1-1-1"><span id="HNodeAssertionConsumer">Node
Assertion Consumer</span></h6>
<p class="paragraph"></p>For each binding you can set:
<ul class="star">
<li>Default: will this binding be used by default for authentication
response</li>
<li>Location: Access Point for SSO request and response. Change this
value to fit your portal URL.</li>
</ul>
<h6 class="heading-1-1-1-1-1"><span id="HNodeNameIDFormat">Node NameID
Format</span></h6>
<p class="paragraph"></p>For each NameID Format, you can activate and
deactivate it in metadata. The first will be chosen by default if no
NameID Format is set in authentication request.
<h5 class="heading-1-1-1-1"><span id="HNodeIdentityProvider">Node Identity
Provider</span></h5>
<p class="paragraph"></p>Not used here.
<p class="paragraph"></p>After configuring <span class="wikilink"><a href=
"SAMLService.html">SAML Service</a></span>, you can export metadata to
your partner Identity Provider. They are available at the EntityID URL, by
default: <strong class="strong"><span class="nobr"><a href=
"http://auth.example.com/saml/metadata">http://auth.example.com/saml/metadata</a></span></strong>.
<h4 class="heading-1-1-1"><span id=
"HIdentityProviderregistration">Identity Provider registration</span></h4>
"HRegisterpartnerIdentityProvideronLemonLDAP3A3ANG">Register partner
Identity Provider on LemonLDAP::NG</span></h4>
<p class="paragraph"></p>Now you have to register partner IDP. For that,
select node Identity Providers and click on New metadatas.
<p class="paragraph"></p>In the Manager, select node Identity Providers
and click on New metadatas:
<p class="paragraph"></p><img src="manager-saml-idp-new.png" alt=
"manager-saml-idp-new.png" />
<p class="paragraph"></p>The IDP name is asked, enter it and click OK.
<h5 class="heading-1-1-1-1"><span id="HMetadataXML">Metadata
XML</span></h5>
<p class="paragraph"></p>Now you have access to the IDP parameters list:
<p class="paragraph"></p><img src=
"/xwiki/bin/download/NG/AuthSAML/manager-saml-idp-list.png" alt=
"manager-saml-idp-list.png" />
<h5 class="heading-1-1-1-1"><span id="HMetadata">Metadata</span></h5>
<p class="paragraph"></p>You must register IDP metadata here. You can do
it either by uploading the file, or with IDP metadata URL.
it either by uploading the file, or get it from IDP metadata URL (this
require a network link between your server and the IDP):
<h5 class="heading-1-1-1-1"><span id="HNodeExportedattributes">Node
Exported attributes</span></h5>
<p class="paragraph"></p><img src="manager-saml-idp-metadata.png" alt=
"manager-saml-idp-metadata.png" />
<p class="paragraph"></p>You can also copy/paste the metadata: just click
on the <strong class="strong">Edit</strong> button. When the text is
pasted, click on the <strong class="strong">Apply</strong> button to keep
the value.
<h5 class="heading-1-1-1-1"><span id="HExportedattributes">Exported
attributes</span></h5>
<p class="paragraph"></p>For each attribute, you can set:
<ul class="star">
<li>Key name: name of the key in LemonLDAP::NG session (for example
"uid" will then be used as $uid in access rules)</li>
<li><strong class="strong">Key name</strong>: name of the key in
LemonLDAP::NG session (for example "uid" will then be used as $uid in
access rules)</li>
<li>Mandatory : if set to "On", then session will not open if this
attribute is not given by IDP.</li>
<li><strong class="strong">Mandatory</strong>: if set to "On", then
session will not open if this attribute is not given by IDP.</li>
<li>Name : SAML attribute name.</li>
<li><strong class="strong">Name</strong>: SAML attribute name.</li>
<li>Friendly Name: optional, SAML attribute friendly name.</li>
<li><strong class="strong">Friendly Name</strong>: optional, SAML
attribute friendly name.</li>
<li>Format: optional, SAML attribute format.</li>
</ul>
<li><strong class="strong">Format</strong>: optional, SAML attribute
format.</li>
</ul><img src="manager-saml-idp-attribute.png" alt=
"manager-saml-idp-attribute.png" />
<h5 class="heading-1-1-1-1"><span id="HNodeOptions">Node
Options</span></h5>
<h5 class="heading-1-1-1-1"><span id="HOptions">Options</span></h5>
<h6 class="heading-1-1-1-1-1"><span id="HGeneraloptions">General
options</span></h6>
<ul class="star">
<li>NameID format: force NameID format here (email, persistent,
transient, etc.). If no value, will use first NameID Format activated in
metadata.</li>
<li><strong class="strong">Resolution Rule</strong>: rule that will be
applied to preselect an IDP for a user. You have access to all
environment variable, like user IP address.</li>
</ul>For example, to preselect this IDP for users comming from
129.168.0.0/16 network:<br />
<br />
<li>Force authentication: set ForceAuthn flag in authentication
request</li>
<div class="code">
<pre>
$ENV{ =~ /^192.168/
</pre>
</div>
<li>Passive authentication: set IsPassive flag in authentication
request</li>
<h6 class="heading-1-1-1-1-1"><span id=
"HAuthenticationrequest">Authentication request</span></h6>
<li>Allow proxied authentication: allow an authentication response to be
issued from another IDP that the one we register (proxy IDP). If you
disallow this, you should also disallow direct login form IDP, because
proxy restiction is set in authentication requests.</li>
<ul class="star">
<li><strong class="strong">NameID format</strong>: force NameID format
here (email, persistent, transient, etc.). If no value, will use first
NameID Format activated in metadata.</li>
<li>SSO binding: force binding to use for SSO (http-redirect, http-post,
etc.)</li>
<li><strong class="strong">Force authentication</strong>: set ForceAuthn
flag in authentication request</li>
<li>SLO binding: force binding to use for SLO (http-redirect, http-post,
etc.)</li>
<li><strong class="strong">Passive authentication</strong>: set
IsPassive flag in authentication request</li>
<li>Resolution rule: Perl expression that will be evaluate to know if
this IDP is the default for the connected user. You can use for example
$ENV{ to get user's IP.</li>
<li><strong class="strong">Allow proxied authentication</strong>: allow
an authentication response to be issued from another IDP that the one we
register (proxy IDP). If you disallow this, you should also disallow
direct login form IDP, because proxy restiction is set in authentication
requests.</li>
<li>Allow login from IDP: allow a user to connect directly from an IDP
link. In this case, authentication is not a response to an issued
authentication request, and we have less control on conditions.</li>
<li><strong class="strong">Allow login from IDP</strong>: allow a user
to connect directly from an IDP link. In this case, authentication is
not a response to an issued authentication request, and we have less
control on conditions.</li>
<li>Adapt session lifetime: session lifetime will be adapted from
SessionNotOnOrAfter value found in authentication response. It means
that if the IDP propose to close session earlier than the default
LemonLDAP::NG timeout, the session _utime will be modified so that
session is erased at the date indicated by the IDP.</li>
<li>Sign SSO message: sign SSO message</li>
<li>Check SSO message signature: check SSO message signature</li>
<li>Sign SLO message: sign SLO message</li>
<li>Check SLO message signature: check SLO message signature</li>
<li>Required authentication context: this context is set in
authentication request, and then checked in authentication response. If
authentication context in response is not the one requested, an error is
raised.</li>
<li><strong class="strong">Requested authentication context</strong>:
this context is declared in authentication request. When receiving the
request, the real authentication context will be mapped ton an internal
authenticationLevel, that you can check to allow or deny session
creation.</li>
</ul>
<h3 class="heading-1-1"><span id="HPartnerIDPconfiguration">Partner IDP
configuration</span></h3>
<h6 class="heading-1-1-1-1-1"><span id="HSession">Session</span></h6>
<p class="paragraph"></p>You have to give LemonLDAP::NG metadata to your
partner. After previous steps, metadata can be viewed at Entity Identifier
URL (by default <span class="nobr"><a href=
"http://auth.example.com/saml/metadata/">http://auth.example.com/saml/metadata/</a></span>)
<ul class="star">
<li><strong class="strong">Adapt session lifetime</strong>: session
lifetime will be adapted from SessionNotOnOrAfter value found in
authentication response. It means that if the IDP propose to close
session earlier than the default LemonLDAP::NG timeout, the session
_utime will be modified so that session is erased at the date indicated
by the IDP.</li>
<li><strong class="strong">Force UTF-8</strong>: this will force UTF-8
conversion of attributes values collected from IDP.</li>
</ul>
<h6 class="heading-1-1-1-1-1"><span id=
"HSignature">Signature</span></h6><br />
<br />
These options override service signature options (see <span class=
"wikilink"><a href="SAMLService.html">SAML service
configuration</a></span>).
<ul class="star">
<li><strong class="strong">Sign SSO message</strong>: sign SSO
message</li>
<li><strong class="strong">Check SSO message signature</strong>: check
SSO message signature</li>
<li><strong class="strong">Sign SLO message</strong>: sign SLO
message</li>
<li><strong class="strong">Check SLO message signature</strong>: check
SLO message signature</li>
</ul>
<h6 class="heading-1-1-1-1-1"><span id="HBinding">Binding</span></h6>
<ul class="star">
<li><strong class="strong">SSO binding</strong>: force binding to use
for SSO (http-redirect, http-post, etc.)</li>
<li><strong class="strong">SLO binding</strong>: force binding to use
for SLO (http-redirect, http-post, etc.)</li>
</ul>
<h6 class="heading-1-1-1-1-1"><span id="HSecurity">Security</span></h6>
<ul class="star">
<li><strong class="strong">Encryption mode</strong>: set the encryption
mode for this IDP (None, NameID or Assertion).</li>
<li><strong class="strong">Check conditions</strong>: set to Off to
disable conditions checking on authentication responses. Use with
caution.</li>
</ul>
</div>
<p class="footer"><a href="index.html">Index</a></p>
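Review bot: the Resolution Rule example is inconsistent and incomplete. The prose says users coming from the `129.168.0.0/16` network, but the rule `$ENV{ =~ /^192.168/` matches 192.168.x.x, and the `$ENV{` expression is truncated (the variable name and closing brace are missing), so the example cannot be copied as written; the same truncated `$ENV{` appears again in the old `Resolution rule` item. Fix the prose to 192.168.0.0/16, complete the expression, and escape the dots in the pattern, since `/^192.168/` as written also matches addresses like `192x168...`. Smaller points: `comming`, `restiction` and `mapped ton` are typos; the EntityID link `http://auth.example.com/saml/metadata.` includes the trailing period inside the href, and the same URL is given with a trailing slash in the Partner IDP paragraph but without one in the registration paragraph; and the `Check conditions` option only says `Use with caution`, so state what is no longer validated when it is set to Off so administrators understand the risk before disabling it.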

View File

@ -51,9 +51,185 @@
}
/*]]>*/
</style>
<style type="text/css">
/*<![CDATA[*/
div.c1 {margin-left: 2em}
/*]]>*/
</style>
</head>
<body>
<div class="main-content">
<h2 class="heading-1"><span id="HSAMLIssuerBackend">SAML Issuer
Backend</span></h2>
<p class="paragraph"></p>
<ul>
<li><a href="#HSAMLService">SAML Service</a></li>
<li><a href="#HIssuerDB">IssuerDB</a></li>
<li><a href="#HRegisterLemonLDAP3A3ANGonpartnerServiceProvider">Register
LemonLDAP::NG on partner Service Provider</a></li>
<li>
<a href="#HRegisterpartnerServiceProvideronLemonLDAP3A3ANG">Register
partner Service Provider on LemonLDAP::NG</a>
<div class="c1">
<ul>
<li><a href="#HMetadata">Metadata</a></li>
<li><a href="#HExportedattributes">Exported attributes</a></li>
<li>
<a href="#HOptions">Options</a>
<ul>
<li><a href="#HAuthenticationresponse">Authentication
response</a></li>
<li><a href="#HSignature">Signature</a></li>
<li><a href="#HSecurity">Security</a></li>
</ul>
</li>
</ul>
</div>
</li>
</ul><strong class="strong">Since LemonLDAP::NG 1.0rc2</strong>
<h2 class="heading-1"><span id="HPresentation">Presentation</span></h2>
<h2 class="heading-1"><span id="HConfiguration">Configuration</span></h2>
<h3 class="heading-1-1"><span id="HSAMLService">SAML Service</span></h3>
<p class="paragraph"></p>See <span class="wikilink"><a href=
"SAMLService.html">SAML service configuration chapter</a></span>.
<h3 class="heading-1-1"><span id="HIssuerDB">IssuerDB</span></h3><br />
<br />
In General Parameters &gt; Modules &gt; Issuer module, select
<strong class="strong">SAML v2</strong>.<br />
<br />
You can add an Issuer rule that will be checked to allow a user to use
Issuer module. This can be helpful to prevent some users to use the SAML
module. Set in in General Parameters &gt; Advanced Parameters &gt;
Security &gt; Issuer Activation Rule.<br />
<br />
For example, allow only users from "SAML" group:<br />
<br />
<div class="code">
<pre>
$groups =~ /SAML/
</pre>
</div>
<h3 class="heading-1-1"><span id=
"HRegisterLemonLDAP3A3ANGonpartnerServiceProvider">Register LemonLDAP::NG
on partner Service Provider</span></h3><br />
<br />
After configuring <span class="wikilink"><a href="SAMLService.html">SAML
Service</a></span>, you can export metadata to your partner Service
Provider. They are available at the EntityID URL, by default:
<strong class="strong"><span class="nobr"><a href=
"http://auth.example.com/saml/metadata">http://auth.example.com/saml/metadata</a></span></strong>.
<h3 class="heading-1-1"><span id=
"HRegisterpartnerServiceProvideronLemonLDAP3A3ANG">Register partner
Service Provider on LemonLDAP::NG</span></h3><br />
<br />
In the Manager, select node Servce Providers and click on New
metadatas:<br />
<br />
<img src="manager-saml-sp-new.png" alt="manager-saml-sp-new.png" /><br />
<br />
The SP name is asked, enter it and click OK.<br />
<br />
Now you have access to the SP parameters list.
<h5 class="heading-1-1-1-1"><span id=
"HMetadata">Metadata</span></h5><br />
<br />
You must register SP metadata here. You can do it either by uploading the
file, or get it from SP metadata URL (this require a network link between
your server and the SP).<br />
<br />
You can also copy/paste the metadata: just click on the <strong class=
"strong">Edit</strong> button. When the text is pasted, click on the
<strong class="strong">Apply</strong> button to keep the value.
<h5 class="heading-1-1-1-1"><span id="HExportedattributes">Exported
attributes</span></h5><br />
<br />
For each attribute, you can set:
<ul class="star">
<li><strong class="strong">Key name</strong>: name of the key in
LemonLDAP::NG session</li>
<li><strong class="strong">Mandatory</strong>: if set to "On", then this
attribute will be sent in authentication response. Else it just will be
sent trough an attribute response, if explicitely requested in an
attribute request.</li>
<li><strong class="strong">Name</strong>: SAML attribute name.</li>
<li><strong class="strong">Friendly Name</strong>: optional, SAML
attribute friendly name.</li>
<li><strong class="strong">Format</strong>: optional, SAML attribute
format.</li>
</ul>
<h5 class="heading-1-1-1-1"><span id="HOptions">Options</span></h5>
<h6 class="heading-1-1-1-1-1"><span id=
"HAuthenticationresponse">Authentication response</span></h6>
<ul class="star">
<li><strong class="strong">Default NameID format</strong>: if no NameID
format is requested, or the NameID format <strong class=
"strong">undefined</strong>, this NameID format will be used. If no
value, the default NameID format is <strong class=
"strong">Email</strong>.</li>
<li><strong class="strong">One Time Use</strong>: set the OneTimeUse
flag in authentication response.</li>
</ul>
<h6 class="heading-1-1-1-1-1"><span id=
"HSignature">Signature</span></h6><br />
<br />
These options override service signature options (see <span class=
"wikilink"><a href="SAMLService.html">SAML service
configuration</a></span>).
<ul class="star">
<li><strong class="strong">Sign SSO message</strong>: sign SSO
message</li>
<li><strong class="strong">Check SSO message signature</strong>: check
SSO message signature</li>
<li><strong class="strong">Sign SLO message</strong>: sign SLO
message</li>
<li><strong class="strong">Check SLO message signature</strong>: check
SLO message signature</li>
</ul>
<h6 class="heading-1-1-1-1-1"><span id="HSecurity">Security</span></h6>
<ul class="star">
<li><strong class="strong">Encryption mode</strong>: set the encryption
mode for this IDP (None, NameID or Assertion).</li>
</ul>
</div>
<p class="footer"><a href="index.html">Index</a></p>
</body>
</html>
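Review bot: in the Security options, `Encryption mode: set the encryption mode for this IDP` was copied from the AuthSAML page, but this page registers a Service Provider, so it should read `for this SP`. The `Mandatory` attribute option also has a different meaning here (sent in the authentication response versus only on an explicit attribute request) than on the IDP side (session will not open), which deserves a sentence saying so, since the field name is identical in both screens. Wording: `select node Servce Providers` should be `Service Providers`, `Set in in General Parameters` should be `Set it in`, `sent trough` should be `sent through`, `explicitely` should be `explicitly`, and the `Presentation` heading has no body text.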

View File

@ -132,7 +132,7 @@
<p class="paragraph"></p>Choose for example <span class=
"wikiexternallink"><a href=
"http://zimbra.example.com/zimbrasso">http://zimbra.example.com/zimbrasso</a></span>
as SSO URL and set in in application menu.
as SSO URL and set it in application menu.
<h4 class="heading-1-1-1"><span id=
"HConfigureZimbravirtualhostinApache">Configure Zimbra virtual host in

View File

@ -60,6 +60,9 @@
<p class="paragraph"></p>
<ul>
<li><a href="#HRC3A9gionBasseNormandie">R&eacute;gion
Basse-Normandie</a></li>
<li><a href="#HGendarmerieNationale">Gendarmerie Nationale</a></li>
<li><a href=
@ -71,6 +74,45 @@
<li><a href="#HSGS">SGS</a></li>
</ul>They use LemonLDAP::NG:
<h3 class="heading-1-1"><span id="HRC3A9gionBasseNormandie">R&eacute;gion
Basse-Normandie</span></h3>
<ul class="star">
<li>Nb users: ~1800</li>
<li>Nb protected applications: ~10</li>
<li>Authentication portal: <span class="nobr"><a href=
"https://www.portail.crbn.fr">https://www.portail.crbn.fr</a></span></li>
<li>Applications: Outlook Web Access, ...</li>
</ul>Some screenshots:
<p class="paragraph"></p>
<table class="wiki-table" cellpadding="0" cellspacing="0" border="0">
<tr>
<th>Authentication portal</th>
<th>Application List</th>
</tr>
<tr class="table-odd">
<td><img src="rbn-portal-300px.png" alt="rbn-portal-300px.png" /></td>
<td><img src="/xwiki/bin/download/NG/References/rbn-applis-300px.png"
alt="rbn-applis-300px.png" /></td>
</tr>
<tr class="table-even">
<td>Zoom: <a href=
"/xwiki/bin/download/NG/References/rbn-portal.png"></a>rbn-portal.png</td>
<td>Zoom: <a href=
"/xwiki/bin/download/NG/References/rbn-applis.png"></a>rbn-applis.png</td>
</tr>
</table>
<h3 class="heading-1-1"><span id="HGendarmerieNationale">Gendarmerie
Nationale</span></h3>
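Review bot: the Zoom links have empty anchor text: `<a href="/xwiki/bin/download/NG/References/rbn-portal.png"></a>rbn-portal.png` leaves the file name outside the `<a>`, so nothing is clickable; move the name inside the anchor. The image paths are also mixed, `rbn-portal-300px.png` is relative while `/xwiki/bin/download/NG/References/rbn-applis-300px.png` is absolute to the wiki, and the absolute form will 404 in the exported static documentation; use relative file names consistently.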
@ -81,6 +123,8 @@
<li>Nb users: 105.000</li>
<li>Nb protected applications: ~100</li>
<li>Applications: Sympa, MediaWiki, ...</li>
</ul>
<h3 class="heading-1-1"><span id=
@ -93,6 +137,9 @@
<li>Nb users: ~500</li>
<li>Nb protected applications: ~10</li>
<li>Authentication portal: <span class="nobr"><a href=
"https://websso.dmz.bpi.fr/">https://websso.dmz.bpi.fr/</a></span></li>
</ul>
<h3 class="heading-1-1"><span id="HLINAGORAGroup">LINAGORA
@ -101,14 +148,15 @@
<p class="paragraph"></p><img src="linagora_logo.png" alt=
"linagora_logo.png" />
<p class="paragraph"></p>They use LemonLDAP::NG to secure their intranet.
Protected softwares are Dotclear, GLPI, OBM, Alfresco, and other specific
tools.
<ul class="star">
<li>Nb users: ~150</li>
<li>Nb protected applications: ~5</li>
<li>Authentication portal: <span class="nobr"><a href=
"https://auth.linagora.com/">https://auth.linagora.com/</a></span></li>
<li>Applications: Wordpress, GLPI, OBM, Dokuwiki, ...</li>
</ul>
<h3 class="heading-1-1"><span id="HSGS">SGS</span></h3>
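Review bot: the paragraph and the bullet list disagree on what is protected: the prose says `Dotclear, GLPI, OBM, Alfresco` while the new `Applications` item says `Wordpress, GLPI, OBM, Dokuwiki`. Keep one list, or update the paragraph to match the bullet. Also `Protected softwares` should be `Protected software`.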

View File

@ -0,0 +1,502 @@
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="fr" xml:lang="fr">
<head>
<meta name="generator" content=
"HTML Tidy for Linux/x86 (vers 25 March 2009), see www.w3.org" />
<title>Lemonldap::NG documentation: SAML-Service.html</title>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii" />
<style type="text/css">
/*<![CDATA[*/
body{
background: #ddd;
font-family: sans-serif;
font-size: 11pt;
padding: 0 50px;
}
div.main-content{
padding: 10px;
background: #fff;
border: 2px #ccc solid;
}
a{
text-decoration: none;
}
p.footer{
text-align: center;
margin: 5px 0 0 0;
}
.heading-1{
text-align: center;
color: orange;
font-variant: small-caps;
font-size: 20pt;
}
.heading-1-1{
color: orange;
font-size: 14pt;
border-bottom: 2px #ccc solid;
}
pre{
background: #eee;
border: 2px #ccc solid;
padding: 5px;
border-left: 10px #ccc solid;
}
ul.star li{
list-style-type: square;
}
/*]]>*/
</style>
</head>
<body>
<div class="main-content">
<h2 class="heading-1"><span id="HSAMLserviceconfiguration">SAML service
configuration</span></h2>
<p class="paragraph"></p>
<ul>
<li><a href="#HPresentation">Presentation</a></li>
<li>
<a href="#HPrerequisites">Prerequisites</a>
<ul>
<li>
<a href="#HLasso">Lasso</a>
<ul>
<li><a href="#HDebian2FUbuntu">Debian/Ubuntu</a></li>
<li><a href="#HRHEL2FCentOS2FFedora">RHEL/CentOS/Fedora</a></li>
<li><a href="#HOther">Other</a></li>
</ul>
</li>
<li><a href="#HApacherewriterules">Apache rewrite rules</a></li>
</ul>
</li>
<li>
<a href="#HServiceconfiguration">Service configuration</a>
<ul>
<li><a href="#HEntryIdentifier">Entry Identifier</a></li>
<li><a href="#HSecurityparameters">Security parameters</a></li>
<li><a href="#HNameIDformats">NameID formats</a></li>
<li><a href="#HOrganization">Organization</a></li>
<li>
<a href="#HServiceProvider">Service Provider</a>
<ul>
<li><a href="#HGeneraloptions">General options</a></li>
<li><a href="#HSingleLogout">Single Logout</a></li>
<li><a href="#HAssertionConsumer">Assertion Consumer</a></li>
<li><a href="#HArtifactResolution">Artifact Resolution</a></li>
</ul>
</li>
<li>
<a href="#HIdentityProvider">Identity Provider</a>
<ul>
<li><a href="#HGeneralparameters">General parameters</a></li>
<li><a href="#HSingleSignOn">Single Sign On</a></li>
<li><a href="#HSingleLogout-1">Single Logout</a></li>
<li><a href="#HArtifactResolution-1">Artifact
Resolution</a></li>
</ul>
</li>
<li>
<a href="#HAttributeAuthority">Attribute Authority</a>
<ul>
<li><a href="#HAttributeService">Attribute Service</a></li>
</ul>
</li>
<li><a href="#HAdvanced">Advanced</a></li>
</ul>
</li>
</ul>
<h3 class="heading-1-1"><span id="HPresentation">Presentation</span></h3>
<p class="paragraph"></p>This documentation explains how configure SAML
service in LemonLDAP::NG, in particular:
<ul class="star">
<li>Install prerequisites</li>
<li>Import or generation security keys</li>
<li>Set SAML end points</li>
</ul>Service configuration will be used to generate LemonLDAP::NG SAML
metadata, that will be shared with other providers. It means that if you
modify some settings here, you will have to share again the metadata with
other providers. In other words, take the time to configure this part
before sharing metadata.
<h3 class="heading-1-1"><span id=
"HPrerequisites">Prerequisites</span></h3>
<h4 class="heading-1-1-1"><span id="HLasso">Lasso</span></h4>
<p class="paragraph"></p>SAML2 implementation is based on <span class=
"wikiexternallink"><a href="http://lasso.entrouvert.org">Lasso</a></span>.
You will need a very recent version of Lasso (&gt;= 2.3.0).
<h5 class="heading-1-1-1-1"><span id=
"HDebian2FUbuntu">Debian/Ubuntu</span></h5>
<p class="paragraph"></p>There are packages available here: <span class=
"wikiexternallink"><a href=
"http://deb.entrouvert.org/">http://deb.entrouvert.org/</a></span>.
<p class="paragraph"></p>You will only need to install liblasso3-perl
package:
<div class="code">
<pre>
$ sudo apt-get install liblasso3-perl
</pre>
</div>
<h5 class="heading-1-1-1-1"><span id=
"HRHEL2FCentOS2FFedora">RHEL/CentOS/Fedora</span></h5><br />
<br />
Packages should be available soon.
<h5 class="heading-1-1-1-1"><span id="HOther">Other</span></h5><br />
<br />
Download the Lasso tarball and compile it on your system
<h4 class="heading-1-1-1"><span id="HApacherewriterules">Apache rewrite
rules</span></h4><br />
<br />
Be sure that mod_rewrite is installed and that SAML2 rewrite rules are
activated in <strong class="strong">etc/portal-apache2.conf</strong>:
<div class="code">
<pre>
&lt;IfModule mod_rewrite.c&gt;
RewriteEngine On
RewriteRule ^/saml/metadata /metadata.pl
RewriteRule ^/saml/.* /index.pl
&lt;/IfModule&gt;
</pre>
</div>
<h3 class="heading-1-1"><span id="HServiceconfiguration">Service
configuration</span></h3>
<p class="paragraph"></p>All configuration can be done with the LemonLDAP::NG
Manager. Connect to it first (by default <span class=
"wikiexternallink"><a href=
"http://manager.example.com">http://manager.example.com</a></span>). The
service configuration is done in the node <strong class="strong">SAML 2
Service</strong>.
<h4 class="heading-1-1-1"><span id="HEntryIdentifier">Entry
Identifier</span></h4><br />
<br />
Your EntityID, which is also commonly used as the metadata URL; by default <span class=
"nobr"><a href=
"http://auth.example.com/saml/metadata">http://auth.example.com/saml/metadata</a></span>.
Change this value to fit your portal URL, for example:<br />
<br />
<div class="code">
<pre>
<span class="nobr"><a href=
"http://auth.mycompany.com/saml/metadata">http://auth.mycompany.com/saml/metadata</a></span>
</pre>
</div>
<h4 class="heading-1-1-1"><span id="HSecurityparameters">Security
parameters</span></h4><br />
<br />
This section concerns public and private keys, mandatory to exchange SAML
messages with other providers. You have two options:
<ul class="star">
<li>use your own keys generated from your PKI</li>
<li>generate keys from configuration interface</li>
</ul><strong class="strong">Warning</strong>: private keys are not
published in metadata, but they are stored in the configuration backend, so
restrict access to that backend accordingly.<br />
<br />
You can set keys for signing and encryption. Keys for signing are
mandatory, but if no keys are defined for encryption, keys for signing
will be used.<br />
<br />
Private keys can be protected by a password: in this case, set the
password in the private key password field.<br />
<br />
Public key can be a raw public key or a certificate containing the public
key.<br />
<br />
If you want to generate keys from the interface, click on <strong class=
"strong">Private key</strong>, and then on <strong class=
"strong">Generate</strong>:<br />
<br />
<img src="manager-saml-private-key.png" alt=
"manager-saml-private-key.png" /><br />
<br />
A password will be prompted. Leave blank if you don't want to protect the
private key with a password.<br />
<br />
The private and public keys are then filled in the <strong class="strong">Public
key</strong> and <strong class="strong">Private key</strong> fields.
<h4 class="heading-1-1-1"><span id="HNameIDformats">NameID
formats</span></h4><br />
<br />
<img src="manager-saml-namid-formats.png" alt=
"manager-saml-namid-formats.png" /><br />
<br />
SAML can use different NameID formats. The NameID is the main user
identifier carried in SAML messages. You can configure here which field
of the LemonLDAP::NG session will be associated with each NameID format.<br />
<br />
Customizable NameID formats are:
<ul class="star">
<li>Email</li>
<li>X509</li>
<li>Windows</li>
<li>Kerberos</li>
</ul>For example, if you are using AD as authentication backend, you can
use sAMAccountName for the Windows NameID format.<br />
<br />
Other NameID formats are automatically managed:
<ul class="star">
<li><strong class="strong">Transient</strong>: NameID is generated</li>
<li><strong class="strong">Persistent</strong>: NameID is restored from
previous sessions</li>
<li><strong class="strong">Undefined</strong>: Default NameID format is
used (see <span class="wikilink"><a href=
"4.8-SAML-issuer-backend.html">issuer SAML
configuration</a></span>)</li>
</ul>
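<p class="paragraph"></p>The following Python is an added example, not LemonLDAP::NG code (the project itself is written in Perl). It applies the mapping described above to a session: a field lookup for the customizable formats, a freshly generated value for Transient, a value minted once per user and Service Provider and restored afterwards for Persistent, and a fallback to the default format when the request leaves the format undefined. The session contents, the field mapping, the default format and the in-memory persistent store are assumptions for illustration; the format URNs are the standard SAML identifiers.

```python
"""Resolve a SAML NameID from a LemonLDAP::NG session.  Added example, not
project code: SESSION, NAMEID_FIELDS, DEFAULT_FORMAT and the persistent
store are assumptions for illustration; the URNs are the standard SAML ones."""
import secrets

FORMAT = {
    "email": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "x509": "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName",
    "windows": "urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName",
    "kerberos": "urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos",
    "transient": "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
    "persistent": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
    "unspecified": "urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified",
}
BY_URN = {urn: name for name, urn in FORMAT.items()}

# "NameID formats" node: session field behind each customizable format
# (assumed mapping, Active Directory style attribute names)
NAMEID_FIELDS = {"email": "mail", "x509": "dn", "windows": "sAMAccountName",
                 "kerberos": "userPrincipalName"}
DEFAULT_FORMAT = "email"  # stands in for the default set in the issuer configuration

# Constructed session, as an AD-backed portal might hold it
SESSION = {
    "uid": "jdoe",
    "mail": "jdoe@mycompany.com",
    "sAMAccountName": "jdoe",
    "dn": "CN=John Doe,OU=Users,DC=mycompany,DC=com",
    "userPrincipalName": "jdoe@MYCOMPANY.COM",
}


class NameIDResolver:
    def __init__(self, fields=NAMEID_FIELDS, default=DEFAULT_FORMAT):
        self.fields = fields
        self.default = default
        # (SP entityID, uid) -> identifier; a deployment keeps this in its session store
        self.persistent = {}

    def resolve(self, session, requested, sp_entity_id):
        """Return (format URN, NameID value) for the format an SP asked for.

        `requested` may be a short name from FORMAT, a full URN, or None
        (no NameIDPolicy in the AuthnRequest)."""
        name = BY_URN.get(requested, requested)
        if name in (None, "unspecified"):   # "Undefined": use the default format
            name = self.default
        if name == "transient":             # fresh, unlinkable value for every assertion
            return FORMAT[name], "_" + secrets.token_hex(20)
        if name == "persistent":            # minted once per (SP, user), restored afterwards
            key = (sp_entity_id, session["uid"])
            if key not in self.persistent:
                self.persistent[key] = "_" + secrets.token_hex(20)
            return FORMAT[name], self.persistent[key]
        field = self.fields.get(name)
        if field is None:
            raise ValueError("unsupported NameID format: %r" % (requested,))
        value = session.get(field)
        if not value:                       # never issue an empty identifier
            raise LookupError("session has no %r, cannot build a %s NameID" % (field, name))
        return FORMAT[name], value
```

Because the persistent identifier is keyed by the Service Provider's entityID as well as the user, two partners receive different opaque values for the same person and cannot correlate them; the transient value changes on every assertion and is only meaningful for the life of that session.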
<h4 class="heading-1-1-1"><span id=
"HOrganization">Organization</span></h4><br />
<br />
This concerns all parameters for the Organization metadata section:
&lt;Organization&gt;&lt;/Organization&gt;.
<ul class="star">
<li><strong class="strong">Display Name</strong>: displayed by the
IDP, usually your company name</li>
<li><strong class="strong">Name</strong>: internal name</li>
<li><strong class="strong">URL</strong>: URL of your company</li>
</ul>
<h4 class="heading-1-1-1"><span id="HServiceProvider">Service
Provider</span></h4><br />
<br />
This concerns all parameters for the Service Provider metadata section:
&lt;SPSSODescriptor&gt;&lt;/SPSSODescriptor&gt;.
<h5 class="heading-1-1-1-1"><span id="HGeneraloptions">General
options</span></h5>
<ul class="star">
<li><strong class="strong">Signed Authentication Request</strong>: set
to On to always sign authentication requests.</li>
<li><strong class="strong">Want Assertions Signed</strong>: set to On to
require that received assertions are signed.</li>
</ul>These options can then be overridden for each Identity Provider, see
<span class="wikilink"><a href="4.8-SAML-issuer-backend.html">issuer SAML
configuration</a></span>.
<h5 class="heading-1-1-1-1"><span id="HSingleLogout">Single
Logout</span></h5><br />
<br />
For each binding you can set:
<ul class="star">
<li><strong class="strong">Location</strong>: Access Point for SLO
request. Change this value to fit your portal URL.</li>
<li><strong class="strong">Response Location</strong>: Access Point for
SLO response. Change this value to fit your portal URL.</li>
</ul><img src="manager-saml-service-sp-slo.png" alt=
"manager-saml-service-sp-slo.png" /><br />
<br />
Available bindings are:
<ul class="star">
<li>HTTP Redirect</li>
<li>HTTP POST</li>
<li>HTTP SOAP</li>
</ul>
<h5 class="heading-1-1-1-1"><span id="HAssertionConsumer">Assertion
Consumer</span></h5><br />
<br />
For each binding you can set:
<ul class="star">
<li><strong class="strong">Default</strong>: will this binding be used
by default for authentication response</li>
<li><strong class="strong">Location</strong>: Access Point for SSO
request and response. Change this value to fit your portal URL.</li>
</ul><img src="manager-saml-service-sp-ac.png" alt=
"manager-saml-service-sp-ac.png" /><br />
<br />
Available bindings are:
<ul class="star">
<li>HTTP Artifact</li>
<li>HTTP Redirect</li>
<li>HTTP POST</li>
</ul>
<h5 class="heading-1-1-1-1"><span id="HArtifactResolution">Artifact
Resolution</span></h5><br />
<br />
The only authorized binding is SOAP. This should be set as Default.
Location has to be adapted to fit your portal URL.
<h4 class="heading-1-1-1"><span id="HIdentityProvider">Identity
Provider</span></h4><br />
<br />
This concerns all parameters for the Identity Provider metadata section:
&lt;IDPSSODescriptor&gt;&lt;/IDPSSODescriptor&gt;.
<h5 class="heading-1-1-1-1"><span id="HGeneralparameters">General
parameters</span></h5>
<ul class="star">
<li><strong class="strong">Want Authentication Request Signed</strong>:
set to On to require that received authentication requests are
signed.</li>
</ul>This option can then be overridden for each Service Provider, see
<span class="wikilink"><a href="4.5-SAML-authentication-backend.html">SAML
authentication configuration</a></span>.
<h5 class="heading-1-1-1-1"><span id="HSingleSignOn">Single Sign
On</span></h5><br />
<br />
For each binding you can set:
<ul class="star">
<li><strong class="strong">Location</strong>: Access Point for SSO
request. Change this value to fit your portal URL.</li>
<li><strong class="strong">Response Location</strong>: Access Point for
SSO response. Change this value to fit your portal URL.</li>
</ul>Available bindings are:
<ul class="star">
<li>HTTP Redirect</li>
<li>HTTP POST</li>
<li>HTTP Artifact</li>
<li>HTTP SOAP</li>
</ul>
<h5 class="heading-1-1-1-1"><span id="HSingleLogout">Single
Logout</span></h5><br />
<br />
For each binding you can set:
<ul class="star">
<li><strong class="strong">Location</strong>: Access Point for SLO
request. Change this value to fit your portal URL.</li>
<li><strong class="strong">Response Location</strong>: Access Point for
SLO response. Change this value to fit your portal URL.</li>
</ul>Available bindings are:
<ul class="star">
<li>HTTP Redirect</li>
<li>HTTP POST</li>
<li>HTTP SOAP</li>
</ul>
<h5 class="heading-1-1-1-1"><span id="HArtifactResolution">Artifact
Resolution</span></h5><br />
<br />
The only authorized binding is SOAP. This should be set as Default.
Location has to be adapted to fit your portal URL.
<h4 class="heading-1-1-1"><span id="HAttributeAuthority">Attribute
Authority</span></h4><br />
<br />
This concerns all parameters for the Attribute Authority metadata section:
&lt;AttributeAuthorityDescriptor&gt;&lt;/AttributeAuthorityDescriptor&gt;.
<h5 class="heading-1-1-1-1"><span id="HAttributeService">Attribute
Service</span></h5><br />
<br />
This is the only service to configure, and it accepts only the SOAP
binding.<br />
<br />
Location has to be adapted to fit your portal URL. Response Location
should be empty, as SOAP responses are directly returned (synchronous
binding).
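<p class="paragraph"></p>The Security parameters, Organization, Service Provider, Identity Provider and Attribute Authority settings above all end up in the metadata you share with partners. The following Python is an added example, not LemonLDAP::NG code: it assembles such metadata from those values with the standard library and then runs the checks worth doing before sharing it (only the public certificate is published, the SP has exactly one default Assertion Consumer, artifact resolution and the attribute service use SOAP only, and every endpoint is on the portal host). The portal URL, the CONFIG values, the endpoint paths and the certificate text are assumptions for illustration; the namespace, binding and protocol URNs are the standard SAML 2.0 identifiers.

```python
"""Assemble SAML 2.0 metadata from "SAML 2 Service" settings and check it.
Added example, not LemonLDAP::NG code: PORTAL, CONFIG, the endpoint paths
and SIGNING_CERT are assumptions for illustration; namespace, binding and
protocol URNs are the standard SAML 2.0 identifiers."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS_MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS_DS = "http://www.w3.org/2000/09/xmldsig#"
PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"
ET.register_namespace("md", NS_MD)
ET.register_namespace("ds", NS_DS)
BINDING = {
    "redirect": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
    "post": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    "artifact": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact",
    "soap": "urn:oasis:names:tc:SAML:2.0:bindings:SOAP",
}
PORTAL = "http://auth.mycompany.com"  # assumed portal URL
# Constructed stand-in for the base64 certificate shown in the "Public key" field.
SIGNING_CERT = "MIICplaceholderCONSTRUCTEDnotArealCertificateIDAQAB"

CONFIG = {  # assumed values; endpoints are (binding, Location, ResponseLocation)
    "entityID": PORTAL + "/saml/metadata",
    "signing_cert": SIGNING_CERT,
    "encryption_cert": None,  # nothing configured: the signing key is reused
    "organization": {"name": "mycompany", "display": "My Company",
                     "url": "http://www.mycompany.com"},
    "sp": {
        "AuthnRequestsSigned": True, "WantAssertionsSigned": True,
        "ars": "/saml/sp/artifactResolution",
        "slo": [("redirect", "/saml/sp/singleLogout", "/saml/sp/singleLogoutReturn"),
                ("post", "/saml/sp/singleLogout", "/saml/sp/singleLogoutReturn"),
                ("soap", "/saml/sp/singleLogoutSOAP", None)],
        # (binding, Location, Default): exactly one binding is the default ACS
        "acs": [("artifact", "/saml/sp/acs", False), ("redirect", "/saml/sp/acs", False),
                ("post", "/saml/sp/acs", True)],
    },
    "idp": {
        "WantAuthnRequestsSigned": True,
        "ars": "/saml/idp/artifactResolution",
        "slo": [("redirect", "/saml/idp/singleLogout", "/saml/idp/singleLogoutReturn"),
                ("post", "/saml/idp/singleLogout", "/saml/idp/singleLogoutReturn"),
                ("soap", "/saml/idp/singleLogoutSOAP", None)],
        "sso": [(b, "/saml/idp/singleSignOn", "/saml/idp/singleSignOnReturn")
                for b in ("redirect", "post", "artifact", "soap")],
    },
    "attribute_service": "/saml/aa/soap",
}

def _tag(ns, name):
    return "{%s}%s" % (ns, name)

def _b(value):
    return "true" if value else "false"

def _key_descriptors(role, cfg):
    # Only the public certificate is published; the private key stays in the backend.
    for use, cert in (("signing", cfg["signing_cert"]),
                      ("encryption", cfg["encryption_cert"] or cfg["signing_cert"])):
        kd = ET.SubElement(role, _tag(NS_MD, "KeyDescriptor"), use=use)
        x509 = ET.SubElement(ET.SubElement(kd, _tag(NS_DS, "KeyInfo")), _tag(NS_DS, "X509Data"))
        ET.SubElement(x509, _tag(NS_DS, "X509Certificate")).text = cert

def _endpoint(role, name, binding, location, response=None, **extra):
    attrs = {"Binding": BINDING[binding], "Location": PORTAL + location}
    if response:
        attrs["ResponseLocation"] = PORTAL + response
    attrs.update(extra)
    return ET.SubElement(role, _tag(NS_MD, name), attrs)

def build_metadata(cfg=CONFIG):
    root = ET.Element(_tag(NS_MD, "EntityDescriptor"), entityID=cfg["entityID"])
    sp, idp = cfg["sp"], cfg["idp"]
    spd = ET.SubElement(root, _tag(NS_MD, "SPSSODescriptor"), protocolSupportEnumeration=PROTOCOL,
                        AuthnRequestsSigned=_b(sp["AuthnRequestsSigned"]),
                        WantAssertionsSigned=_b(sp["WantAssertionsSigned"]))
    _key_descriptors(spd, cfg)
    _endpoint(spd, "ArtifactResolutionService", "soap", sp["ars"], index="0", isDefault="true")
    for binding, loc, resp in sp["slo"]:
        _endpoint(spd, "SingleLogoutService", binding, loc, resp)
    for i, (binding, loc, default) in enumerate(sp["acs"]):
        _endpoint(spd, "AssertionConsumerService", binding, loc, index=str(i), isDefault=_b(default))
    idpd = ET.SubElement(root, _tag(NS_MD, "IDPSSODescriptor"), protocolSupportEnumeration=PROTOCOL,
                         WantAuthnRequestsSigned=_b(idp["WantAuthnRequestsSigned"]))
    _key_descriptors(idpd, cfg)
    _endpoint(idpd, "ArtifactResolutionService", "soap", idp["ars"], index="0", isDefault="true")
    for binding, loc, resp in idp["slo"]:
        _endpoint(idpd, "SingleLogoutService", binding, loc, resp)
    for binding, loc, resp in idp["sso"]:
        _endpoint(idpd, "SingleSignOnService", binding, loc, resp)
    aa = ET.SubElement(root, _tag(NS_MD, "AttributeAuthorityDescriptor"), protocolSupportEnumeration=PROTOCOL)
    _key_descriptors(aa, cfg)
    _endpoint(aa, "AttributeService", "soap", cfg["attribute_service"])  # synchronous: no ResponseLocation
    org = ET.SubElement(root, _tag(NS_MD, "Organization"))
    lang = {"{http://www.w3.org/XML/1998/namespace}lang": "en"}
    for name, key in (("OrganizationName", "name"), ("OrganizationDisplayName", "display"),
                      ("OrganizationURL", "url")):
        ET.SubElement(org, _tag(NS_MD, name), lang).text = cfg["organization"][key]
    return root

def metadata_xml(cfg=CONFIG):
    return ET.tostring(build_metadata(cfg), encoding="unicode")

def check_metadata(xml_text):
    """Checks to run before sharing metadata; returns the list of problems found."""
    problems = []
    if "PRIVATE KEY" in xml_text:
        problems.append("private key material is published in the metadata")
    root = ET.fromstring(xml_text)
    host = urlsplit(root.get("entityID")).netloc
    defaults = [a for a in root.findall("md:SPSSODescriptor/md:AssertionConsumerService", {"md": NS_MD})
                if a.get("isDefault") == "true"]
    if len(defaults) != 1:
        problems.append("SP needs exactly one default AssertionConsumerService, found %d" % len(defaults))
    for ars in root.iter(_tag(NS_MD, "ArtifactResolutionService")):
        if ars.get("Binding") != BINDING["soap"]:
            problems.append("ArtifactResolutionService must use the SOAP binding")
    for svc in root.iter(_tag(NS_MD, "AttributeService")):
        if svc.get("Binding") != BINDING["soap"] or svc.get("ResponseLocation"):
            problems.append("AttributeService must be SOAP only, with no ResponseLocation")
    for el in root.iter():
        for attr in ("Location", "ResponseLocation"):
            url = el.get(attr)
            if url and urlsplit(url).netloc != host:
                problems.append("%s %s is not on the portal host %s" % (el.tag.split("}")[1], url, host))
    return problems
```

Run <code>metadata_xml()</code> to see the document, and <code>check_metadata()</code> on it (or on metadata exported by the Manager) before you hand it to a partner: once metadata has been exchanged, every change to these endpoints or keys has to be re-exchanged, as the introduction of this page warns.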
<h4 class="heading-1-1-1"><span id="HAdvanced">Advanced</span></h4><br />
<br />
These parameters are not mandatory to run SAML service, but can help to
customize it:
<ul class="star">
<li><strong class="strong">IDP resolution cookie name</strong>: by
default, it's the LemonLDAP::NG cookie name suffixed by 'idp', for
example: 'lemonldapidp'.</li>
<li><strong class="strong">UTF8 metadata conversion</strong>: set to On
to convert partner metadata in case it carries special
characters.</li>
<li><strong class="strong">SAML sessions module name and
options</strong>: by default, the main session module is used to store
SAML temporary data (like RelayStates), but SAML sessions need a
module compatible with the searchOn functions, which is not the case for
Memcached, for example. In that case, choose a different module
to manage SAML sessions.</li>
</ul>
</div>
<p class="footer"><a href="index.html">Index</a></p>
</body>
</html>

View File

@ -123,6 +123,7 @@
<li><a href="6-Errors-fr.html">6 Errors (FR)</a></li>
<li><a href="6-References.html">6 References</a></li>
<li><a href="6-Roadmap.html">6 Roadmap</a></li>
<li><a href="SAML-Service.html">SAML Service</a></li>
</ul>
</div>
<p class="footer">Find the latest version of the documentation on <a href="http://wiki.lemonldap.ow2.org">LemonLDAP::NG Wiki</a> !</p>
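Review bot: the new index entry is the only one in this list without the chapter-number prefix its neighbours carry ("6 References", "6 Roadmap"), so it does not fit the numbering convention of the index; give it the prefix of the chapter it belongs to (or the same numbering as the other SAML pages) so that it sorts with them.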

View File

@ -184,6 +184,8 @@ my $docs = {
'6-References.html',
'http://wiki.lemonldap.ow2.org/xwiki/bin/view/NG/Accounting' =>
'6-Accounting.html',
'http://wiki.lemonldap.ow2.org/xwiki/bin/view/NG/SAMLService' =>
'SAML-Service.html',
};
my %imgs;
@ -376,6 +378,7 @@ s#/xwiki/bin/view/NG/DocAppBasicAuthentication#5-Appli-HTTP-Basic-Authentication
s#/xwiki/bin/view/NG/Roadmap#6-Roadmap.html#g;
s#/xwiki/bin/view/NG/References#6-References.html#g;
s#/xwiki/bin/view/NG/Accounting#6-Accounting.html#g;
s#/xwiki/bin/view/NG/SAMLService#SAMLService.html#g;
# Remove pages not yet created
s#<li><a class=\"wikicreatelink\".*##g;
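Review bot: the substitution target in the added line does not match the output file name: the $docs map above writes the page as 'SAML-Service.html', while `s#/xwiki/bin/view/NG/SAMLService#SAMLService.html#g;` rewrites in-page links to SAMLService.html, so every wiki link to the SAML Service page will point at a file that is never generated. Use `s#/xwiki/bin/view/NG/SAMLService#SAML-Service.html#g;` so the link rewriting agrees with the map.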