Doc update:
* Typo in Zimbra * New reference: Region Basse-Normandie * SAML (SP and IDP) (Closes #131)
|
@ -341,7 +341,10 @@
|
|||
<p class="paragraph"></p><i class="italic">Services pouvant utiliser
|
||||
LemonLDAP::NG comme fournisseur d'identité</i>
|
||||
|
||||
<ul class="star"></ul>
|
||||
<ul class="star">
|
||||
<li><span class="wikilink"><a href=
|
||||
"4.8-SAML-issuer-backend.html">SAML</a></span> (en)</li>
|
||||
</ul>
|
||||
|
||||
<h4 class="heading-1-1-1"><span id=
|
||||
"HSpC3A9cificitC3A9sLDAP">Spécificités LDAP</span></h4>
|
||||
|
|
|
@ -331,7 +331,10 @@
|
|||
<p class="paragraph"></p><i class="italic">Services that can use
|
||||
LemonLDAP::NG as Identity Provider</i>
|
||||
|
||||
<ul class="star"></ul>
|
||||
<ul class="star">
|
||||
<li><span class="wikilink"><a href=
|
||||
"4.8-SAML-issuer-backend.html">SAML</a></span> (en)</li>
|
||||
</ul>
|
||||
|
||||
<h4 class="heading-1-1-1"><span id="HLDAPspecificities">LDAP
|
||||
specificities</span></h4>
|
||||
|
|
|
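Review bot: the new link target `4.8-SAML-issuer-backend.html` carries a version prefix while the other SAML pages linked from this commit (`SAMLService.html`) do not, so pick one naming scheme before more pages are added. On this English page the "(en)" marker after the link is redundant; it only makes sense on the French page above, where it tells the reader the target is English-only.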
@ -65,72 +65,51 @@
|
|||
<li><a href="#HPresentation">Presentation</a></li>
|
||||
|
||||
<li>
|
||||
<a href="#HTechnicalrequirements">Technical requirements</a>
|
||||
<a href="#HConfiguration">Configuration</a>
|
||||
|
||||
<ul>
|
||||
<li><a href="#HLasso">Lasso</a></li>
|
||||
<li><a href="#HSAMLService">SAML Service</a></li>
|
||||
|
||||
<li><a href="#HApacherewriterules">Apache rewrite rules</a></li>
|
||||
|
||||
<li><a href="#HSAML2IDP">SAML2 IDP</a></li>
|
||||
|
||||
<li><a href="#HPublic2Fprivatekey">Public/private key</a></li>
|
||||
</ul>
|
||||
</li>
|
||||
|
||||
<li>
|
||||
<a href="#HLemonLDAP3A3ANGconfiguration">LemonLDAP::NG
|
||||
configuration</a>
|
||||
|
||||
<ul>
|
||||
<li><a href="#HAuthenticationandUserDB">Authentication and
|
||||
UserDB</a></li>
|
||||
|
||||
<li><a href=
|
||||
"#HRegisterLemonLDAP3A3ANGonpartnerIdentityProvider">Register
|
||||
LemonLDAP::NG on partner Identity Provider</a></li>
|
||||
|
||||
<li>
|
||||
<a href="#HSAML2Service">SAML2 Service</a>
|
||||
<a href=
|
||||
"#HRegisterpartnerIdentityProvideronLemonLDAP3A3ANG">Register
|
||||
partner Identity Provider on LemonLDAP::NG</a>
|
||||
|
||||
<ul>
|
||||
<li><a href="#HNodeSAML2Service">Node SAML 2 Service</a></li>
|
||||
<li><a href="#HMetadata">Metadata</a></li>
|
||||
|
||||
<li><a href="#HNodeOrganization">Node Organization</a></li>
|
||||
<li><a href="#HExportedattributes">Exported attributes</a></li>
|
||||
|
||||
<li>
|
||||
<a href="#HNodeServiceProvider">Node Service Provider</a>
|
||||
<a href="#HOptions">Options</a>
|
||||
|
||||
<ul>
|
||||
<li><a href="#HNodeSingleLogout">Node SingleLogout</a></li>
|
||||
<li><a href="#HGeneraloptions">General options</a></li>
|
||||
|
||||
<li><a href="#HNodeAssertionConsumer">Node Assertion
|
||||
Consumer</a></li>
|
||||
<li><a href="#HAuthenticationrequest">Authentication
|
||||
request</a></li>
|
||||
|
||||
<li><a href="#HNodeNameIDFormat">Node NameID Format</a></li>
|
||||
<li><a href="#HSession">Session</a></li>
|
||||
|
||||
<li><a href="#HSignature">Signature</a></li>
|
||||
|
||||
<li><a href="#HBinding">Binding</a></li>
|
||||
|
||||
<li><a href="#HSecurity">Security</a></li>
|
||||
</ul>
|
||||
</li>
|
||||
|
||||
<li><a href="#HNodeIdentityProvider">Node Identity
|
||||
Provider</a></li>
|
||||
</ul>
|
||||
</li>
|
||||
|
||||
<li>
|
||||
<a href="#HIdentityProviderregistration">Identity Provider
|
||||
registration</a>
|
||||
|
||||
<ul>
|
||||
<li><a href="#HMetadataXML">Metadata XML</a></li>
|
||||
|
||||
<li><a href="#HNodeExportedattributes">Node Exported
|
||||
attributes</a></li>
|
||||
|
||||
<li><a href="#HNodeOptions">Node Options</a></li>
|
||||
</ul>
|
||||
</li>
|
||||
</ul>
|
||||
</li>
|
||||
|
||||
<li><a href="#HPartnerIDPconfiguration">Partner IDP
|
||||
configuration</a></li>
|
||||
</ul><strong class="strong">Since LemonLDAP::NG 1.0</strong>
|
||||
</ul><strong class="strong">Since LemonLDAP::NG 1.0rc1</strong>
|
||||
|
||||
<h3 class="heading-1-1"><span id="HPresentation">Presentation</span></h3>
|
||||
|
||||
|
@ -144,82 +123,16 @@
|
|||
rule.
|
||||
|
||||
<p class="paragraph"></p>For each IDP, you can configure attributes that
|
||||
are asked. Some can be mandatory, so if they are not givn by IDP, the
|
||||
session will not open.
|
||||
|
||||
<h3 class="heading-1-1"><span id="HTechnicalrequirements">Technical
|
||||
requirements</span></h3>
|
||||
|
||||
<h4 class="heading-1-1-1"><span id="HLasso">Lasso</span></h4>
|
||||
|
||||
<p class="paragraph"></p>SAML2 implementation is based on <span class=
|
||||
"wikiexternallink"><a href="http://lasso.entrouvert.org">Lasso</a></span>.
|
||||
You will need a very recent version of Lasso (>= 2.2.91).
|
||||
|
||||
<p class="paragraph"></p>For lucky Debian users, there are packages
|
||||
available here: <span class="wikiexternallink"><a href=
|
||||
"http://deb.entrouvert.org/">http://deb.entrouvert.org/</a></span>.
|
||||
|
||||
<p class="paragraph"></p>You will only need to install liblasso3-perl
|
||||
package:
|
||||
|
||||
<div class="code">
|
||||
<pre>
|
||||
$ sudo apt-get install liblasso3-perl
|
||||
</pre>
|
||||
</div>
|
||||
|
||||
<h4 class="heading-1-1-1"><span id="HApacherewriterules">Apache rewrite
|
||||
rules</span></h4><br />
|
||||
<br />
|
||||
Be sure that mod_rewrite is installed and that SAML2 rewrite rules are
|
||||
activated in <strong class="strong">etc/portal-apache2.conf</strong>:
|
||||
|
||||
<div class="code">
|
||||
<pre>
|
||||
<IfModule mod_rewrite.c>
|
||||
RewriteEngine On
|
||||
RewriteRule ^/saml/metadata /metadata.pl
|
||||
RewriteRule ^/saml/.* /index.pl
|
||||
</IfModule>
|
||||
</pre>
|
||||
</div>
|
||||
|
||||
<h4 class="heading-1-1-1"><span id="HSAML2IDP">SAML2 IDP</span></h4>
|
||||
|
||||
<p class="paragraph"></p>Of course you need an SAML2 IDP. If you don't
|
||||
have one, you can check:
|
||||
|
||||
<ul class="star">
|
||||
<li><span class="wikiexternallink"><a href=
|
||||
"http://authentic.labs.libre-entreprise.org/">Authentic</a></span></li>
|
||||
|
||||
<li><span class="wikiexternallink"><a href=
|
||||
"https://rnd.feide.no/simplesamlphp">simpleSAMLphp</a></span></li>
|
||||
</ul>
|
||||
|
||||
<h4 class="heading-1-1-1"><span id="HPublic2Fprivatekey">Public/private
|
||||
key</span></h4>
|
||||
|
||||
<p class="paragraph"></p>Since SAML2 use a lot a signature and encoding,
|
||||
you need to generate a public/private key pair.
|
||||
|
||||
<p class="paragraph"></p>You can do this with openssl:
|
||||
|
||||
<div class="code">
|
||||
<pre>
|
||||
$ openssl genrsa -out private_key.pem 1024
|
||||
$ openssl rsa -pubout -in private_key.pem -out public_key.pem
|
||||
</pre>
|
||||
</div>
|
||||
are collected. Some can be mandatory, so if they are not retruned by IDP,
|
||||
the session will not open.
|
||||
|
||||
<h3 class="heading-1-1"><span id=
|
||||
"HLemonLDAP3A3ANGconfiguration">LemonLDAP::NG configuration</span></h3>
|
||||
"HConfiguration">Configuration</span></h3>
|
||||
|
||||
<p class="paragraph"></p>All configuration can be done with LemonLDAP::NG
|
||||
Manager. Connect to it first (by default <span class=
|
||||
"wikiexternallink"><a href=
|
||||
"http://manager.example.com">http://manager.example.com</a></span>).
|
||||
<h4 class="heading-1-1-1"><span id="HSAMLService">SAML Service</span></h4>
|
||||
|
||||
<p class="paragraph"></p>See <span class="wikilink"><a href=
|
||||
"SAMLService.html">SAML service configuration chapter</a></span>.
|
||||
|
||||
<h4 class="heading-1-1-1"><span id=
|
||||
"HAuthenticationandUserDB">Authentication and UserDB</span></h4>
|
||||
|
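Review bot: the replacement text links to `SAMLService.html` (here and again in both Register sections below), but the new file added by this commit is `build/lemonldap-ng/doc/SAML-Service.html`, so every one of these links will 404 in the built documentation; rename either the file or the links. The rewritten sentence also trades one typo for another: "givn" becomes "retruned" (should be "returned"). Finally, this hunk drops the Lasso version requirement, the Apache rewrite rules and the key-generation steps in favour of that link; please check that the relocated page still covers them, and that it no longer recommends `openssl genrsa -out private_key.pem 1024`: a 1024-bit RSA signing key is too short for new deployments, and 2048 bits should be the documented minimum.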
@ -239,179 +152,177 @@ $ openssl rsa -pubout -in private_key.pem -out public_key.pem
|
|||
<li>Display password change: 0</li>
|
||||
</ul>
|
||||
|
||||
<h4 class="heading-1-1-1"><span id="HSAML2Service">SAML2
|
||||
Service</span></h4>
|
||||
<h4 class="heading-1-1-1"><span id=
|
||||
"HRegisterLemonLDAP3A3ANGonpartnerIdentityProvider">Register LemonLDAP::NG
|
||||
on partner Identity Provider</span></h4>
|
||||
|
||||
<p class="paragraph"></p>This is where you configure SAML2 settings for
|
||||
LemonLDAP::NG service. These settings will be used to build metadata that
|
||||
will be shared with identity providers.
|
||||
|
||||
<h5 class="heading-1-1-1-1"><span id="HNodeSAML2Service">Node SAML 2
|
||||
Service</span></h5>
|
||||
|
||||
<ul class="star">
|
||||
<li>Entity Identifier: your EntityID, often use as metadata URL, by
|
||||
default <span class="nobr"><a href=
|
||||
"http://auth.example.com/saml/metadata.">http://auth.example.com/saml/metadata.</a></span>
|
||||
Change this value to fit your portal URL.</li>
|
||||
|
||||
<li>Private key: load your private key file. This will not be published
|
||||
in metadata.</li>
|
||||
</ul>
|
||||
|
||||
<h5 class="heading-1-1-1-1"><span id="HNodeOrganization">Node
|
||||
Organization</span></h5>
|
||||
|
||||
<ul class="star">
|
||||
<li>Display Name: will be displayed on IDP, this is often your society
|
||||
name</li>
|
||||
|
||||
<li>Name: internal name</li>
|
||||
|
||||
<li>URL: URL of your society</li>
|
||||
</ul>
|
||||
|
||||
<h5 class="heading-1-1-1-1"><span id="HNodeServiceProvider">Node Service
|
||||
Provider</span></h5>
|
||||
|
||||
<ul class="star">
|
||||
<li>Signed Authentication Request: set to On to require signed
|
||||
authentication request. Off by default.</li>
|
||||
|
||||
<li>Signing Key: load your public key file.</li>
|
||||
</ul>
|
||||
|
||||
<h6 class="heading-1-1-1-1-1"><span id="HNodeSingleLogout">Node
|
||||
SingleLogout</span></h6>
|
||||
|
||||
<p class="paragraph"></p>For each binding you can set:
|
||||
|
||||
<ul class="star">
|
||||
<li>Location: Access Point for SLO request. Change this value to fit
|
||||
your portal URL.</li>
|
||||
|
||||
<li>Response Location: Access Point for SLO response. Change this value
|
||||
to fit your portal URL.</li>
|
||||
</ul>
|
||||
|
||||
<h6 class="heading-1-1-1-1-1"><span id="HNodeAssertionConsumer">Node
|
||||
Assertion Consumer</span></h6>
|
||||
|
||||
<p class="paragraph"></p>For each binding you can set:
|
||||
|
||||
<ul class="star">
|
||||
<li>Default: will this binding be used by default for authentication
|
||||
response</li>
|
||||
|
||||
<li>Location: Access Point for SSO request and response. Change this
|
||||
value to fit your portal URL.</li>
|
||||
</ul>
|
||||
|
||||
<h6 class="heading-1-1-1-1-1"><span id="HNodeNameIDFormat">Node NameID
|
||||
Format</span></h6>
|
||||
|
||||
<p class="paragraph"></p>For each NameID Format, you can activate and
|
||||
deactivate it in metadata. The first will be chosen by default if no
|
||||
NameID Format is set in authentication request.
|
||||
|
||||
<h5 class="heading-1-1-1-1"><span id="HNodeIdentityProvider">Node Identity
|
||||
Provider</span></h5>
|
||||
|
||||
<p class="paragraph"></p>Not used here.
|
||||
<p class="paragraph"></p>After configuring <span class="wikilink"><a href=
|
||||
"SAMLService.html">SAML Service</a></span>, you can export metadata to
|
||||
your partner Identity Provider. They are available at the EntityID URL, by
|
||||
default: <strong class="strong"><span class="nobr"><a href=
|
||||
"http://auth.example.com/saml/metadata">http://auth.example.com/saml/metadata</a></span></strong>.
|
||||
|
||||
<h4 class="heading-1-1-1"><span id=
|
||||
"HIdentityProviderregistration">Identity Provider registration</span></h4>
|
||||
"HRegisterpartnerIdentityProvideronLemonLDAP3A3ANG">Register partner
|
||||
Identity Provider on LemonLDAP::NG</span></h4>
|
||||
|
||||
<p class="paragraph"></p>Now you have to register partner IDP. For that,
|
||||
select node Identity Providers and click on New metadatas.
|
||||
<p class="paragraph"></p>In the Manager, select node Identity Providers
|
||||
and click on New metadatas:
|
||||
|
||||
<p class="paragraph"></p><img src="manager-saml-idp-new.png" alt=
|
||||
"manager-saml-idp-new.png" />
|
||||
|
||||
<p class="paragraph"></p>The IDP name is asked, enter it and click OK.
|
||||
|
||||
<h5 class="heading-1-1-1-1"><span id="HMetadataXML">Metadata
|
||||
XML</span></h5>
|
||||
<p class="paragraph"></p>Now you have access to the IDP parameters list:
|
||||
|
||||
<p class="paragraph"></p><img src=
|
||||
"/xwiki/bin/download/NG/AuthSAML/manager-saml-idp-list.png" alt=
|
||||
"manager-saml-idp-list.png" />
|
||||
|
||||
<h5 class="heading-1-1-1-1"><span id="HMetadata">Metadata</span></h5>
|
||||
|
||||
<p class="paragraph"></p>You must register IDP metadata here. You can do
|
||||
it either by uploading the file, or with IDP metadata URL.
|
||||
it either by uploading the file, or get it from IDP metadata URL (this
|
||||
require a network link between your server and the IDP):
|
||||
|
||||
<h5 class="heading-1-1-1-1"><span id="HNodeExportedattributes">Node
|
||||
Exported attributes</span></h5>
|
||||
<p class="paragraph"></p><img src="manager-saml-idp-metadata.png" alt=
|
||||
"manager-saml-idp-metadata.png" />
|
||||
|
||||
<p class="paragraph"></p>You can also copy/paste the metadata: just click
|
||||
on the <strong class="strong">Edit</strong> button. When the text is
|
||||
pasted, click on the <strong class="strong">Apply</strong> button to keep
|
||||
the value.
|
||||
|
||||
<h5 class="heading-1-1-1-1"><span id="HExportedattributes">Exported
|
||||
attributes</span></h5>
|
||||
|
||||
<p class="paragraph"></p>For each attribute, you can set:
|
||||
|
||||
<ul class="star">
|
||||
<li>Key name: name of the key in LemonLDAP::NG session (for example
|
||||
"uid" will then be used as $uid in access rules)</li>
|
||||
<li><strong class="strong">Key name</strong>: name of the key in
|
||||
LemonLDAP::NG session (for example "uid" will then be used as $uid in
|
||||
access rules)</li>
|
||||
|
||||
<li>Mandatory : if set to "On", then session will not open if this
|
||||
attribute is not given by IDP.</li>
|
||||
<li><strong class="strong">Mandatory</strong>: if set to "On", then
|
||||
session will not open if this attribute is not given by IDP.</li>
|
||||
|
||||
<li>Name : SAML attribute name.</li>
|
||||
<li><strong class="strong">Name</strong>: SAML attribute name.</li>
|
||||
|
||||
<li>Friendly Name: optional, SAML attribute friendly name.</li>
|
||||
<li><strong class="strong">Friendly Name</strong>: optional, SAML
|
||||
attribute friendly name.</li>
|
||||
|
||||
<li>Format: optional, SAML attribute format.</li>
|
||||
</ul>
|
||||
<li><strong class="strong">Format</strong>: optional, SAML attribute
|
||||
format.</li>
|
||||
</ul><img src="manager-saml-idp-attribute.png" alt=
|
||||
"manager-saml-idp-attribute.png" />
|
||||
|
||||
<h5 class="heading-1-1-1-1"><span id="HNodeOptions">Node
|
||||
Options</span></h5>
|
||||
<h5 class="heading-1-1-1-1"><span id="HOptions">Options</span></h5>
|
||||
|
||||
<h6 class="heading-1-1-1-1-1"><span id="HGeneraloptions">General
|
||||
options</span></h6>
|
||||
|
||||
<ul class="star">
|
||||
<li>NameID format: force NameID format here (email, persistent,
|
||||
transient, etc.). If no value, will use first NameID Format activated in
|
||||
metadata.</li>
|
||||
<li><strong class="strong">Resolution Rule</strong>: rule that will be
|
||||
applied to preselect an IDP for a user. You have access to all
|
||||
environment variable, like user IP address.</li>
|
||||
</ul>For example, to preselect this IDP for users comming from
|
||||
129.168.0.0/16 network:<br />
|
||||
<br />
|
||||
|
||||
<li>Force authentication: set ForceAuthn flag in authentication
|
||||
request</li>
|
||||
<div class="code">
|
||||
<pre>
|
||||
$ENV{ =~ /^192.168/
|
||||
</pre>
|
||||
</div>
|
||||
|
||||
<li>Passive authentication: set IsPassive flag in authentication
|
||||
request</li>
|
||||
<h6 class="heading-1-1-1-1-1"><span id=
|
||||
"HAuthenticationrequest">Authentication request</span></h6>
|
||||
|
||||
<li>Allow proxied authentication: allow an authentication response to be
|
||||
issued from another IDP that the one we register (proxy IDP). If you
|
||||
disallow this, you should also disallow direct login form IDP, because
|
||||
proxy restiction is set in authentication requests.</li>
|
||||
<ul class="star">
|
||||
<li><strong class="strong">NameID format</strong>: force NameID format
|
||||
here (email, persistent, transient, etc.). If no value, will use first
|
||||
NameID Format activated in metadata.</li>
|
||||
|
||||
<li>SSO binding: force binding to use for SSO (http-redirect, http-post,
|
||||
etc.)</li>
|
||||
<li><strong class="strong">Force authentication</strong>: set ForceAuthn
|
||||
flag in authentication request</li>
|
||||
|
||||
<li>SLO binding: force binding to use for SLO (http-redirect, http-post,
|
||||
etc.)</li>
|
||||
<li><strong class="strong">Passive authentication</strong>: set
|
||||
IsPassive flag in authentication request</li>
|
||||
|
||||
<li>Resolution rule: Perl expression that will be evaluate to know if
|
||||
this IDP is the default for the connected user. You can use for example
|
||||
$ENV{ to get user's IP.</li>
|
||||
<li><strong class="strong">Allow proxied authentication</strong>: allow
|
||||
an authentication response to be issued from another IDP that the one we
|
||||
register (proxy IDP). If you disallow this, you should also disallow
|
||||
direct login form IDP, because proxy restiction is set in authentication
|
||||
requests.</li>
|
||||
|
||||
<li>Allow login from IDP: allow a user to connect directly from an IDP
|
||||
link. In this case, authentication is not a response to an issued
|
||||
authentication request, and we have less control on conditions.</li>
|
||||
<li><strong class="strong">Allow login from IDP</strong>: allow a user
|
||||
to connect directly from an IDP link. In this case, authentication is
|
||||
not a response to an issued authentication request, and we have less
|
||||
control on conditions.</li>
|
||||
|
||||
<li>Adapt session lifetime: session lifetime will be adapted from
|
||||
SessionNotOnOrAfter value found in authentication response. It means
|
||||
that if the IDP propose to close session earlier than the default
|
||||
LemonLDAP::NG timeout, the session _utime will be modified so that
|
||||
session is erased at the date indicated by the IDP.</li>
|
||||
|
||||
<li>Sign SSO message: sign SSO message</li>
|
||||
|
||||
<li>Check SSO message signature: check SSO message signature</li>
|
||||
|
||||
<li>Sign SLO message: sign SLO message</li>
|
||||
|
||||
<li>Check SLO message signature: check SLO message signature</li>
|
||||
|
||||
<li>Required authentication context: this context is set in
|
||||
authentication request, and then checked in authentication response. If
|
||||
authentication context in response is not the one requested, an error is
|
||||
raised.</li>
|
||||
<li><strong class="strong">Requested authentication context</strong>:
|
||||
this context is declared in authentication request. When receiving the
|
||||
request, the real authentication context will be mapped ton an internal
|
||||
authenticationLevel, that you can check to allow or deny session
|
||||
creation.</li>
|
||||
</ul>
|
||||
|
||||
<h3 class="heading-1-1"><span id="HPartnerIDPconfiguration">Partner IDP
|
||||
configuration</span></h3>
|
||||
<h6 class="heading-1-1-1-1-1"><span id="HSession">Session</span></h6>
|
||||
|
||||
<p class="paragraph"></p>You have to give LemonLDAP::NG metadata to your
|
||||
partner. After previous steps, metadata can be viewed at Entity Identifier
|
||||
URL (by default <span class="nobr"><a href=
|
||||
"http://auth.example.com/saml/metadata/">http://auth.example.com/saml/metadata/</a></span>)
|
||||
<ul class="star">
|
||||
<li><strong class="strong">Adapt session lifetime</strong>: session
|
||||
lifetime will be adapted from SessionNotOnOrAfter value found in
|
||||
authentication response. It means that if the IDP propose to close
|
||||
session earlier than the default LemonLDAP::NG timeout, the session
|
||||
_utime will be modified so that session is erased at the date indicated
|
||||
by the IDP.</li>
|
||||
|
||||
<li><strong class="strong">Force UTF-8</strong>: this will force UTF-8
|
||||
conversion of attributes values collected from IDP.</li>
|
||||
</ul>
|
||||
|
||||
<h6 class="heading-1-1-1-1-1"><span id=
|
||||
"HSignature">Signature</span></h6><br />
|
||||
<br />
|
||||
These options override service signature options (see <span class=
|
||||
"wikilink"><a href="SAMLService.html">SAML service
|
||||
configuration</a></span>).
|
||||
|
||||
<ul class="star">
|
||||
<li><strong class="strong">Sign SSO message</strong>: sign SSO
|
||||
message</li>
|
||||
|
||||
<li><strong class="strong">Check SSO message signature</strong>: check
|
||||
SSO message signature</li>
|
||||
|
||||
<li><strong class="strong">Sign SLO message</strong>: sign SLO
|
||||
message</li>
|
||||
|
||||
<li><strong class="strong">Check SLO message signature</strong>: check
|
||||
SLO message signature</li>
|
||||
</ul>
|
||||
|
||||
<h6 class="heading-1-1-1-1-1"><span id="HBinding">Binding</span></h6>
|
||||
|
||||
<ul class="star">
|
||||
<li><strong class="strong">SSO binding</strong>: force binding to use
|
||||
for SSO (http-redirect, http-post, etc.)</li>
|
||||
|
||||
<li><strong class="strong">SLO binding</strong>: force binding to use
|
||||
for SLO (http-redirect, http-post, etc.)</li>
|
||||
</ul>
|
||||
|
||||
<h6 class="heading-1-1-1-1-1"><span id="HSecurity">Security</span></h6>
|
||||
|
||||
<ul class="star">
|
||||
<li><strong class="strong">Encryption mode</strong>: set the encryption
|
||||
mode for this IDP (None, NameID or Assertion).</li>
|
||||
|
||||
<li><strong class="strong">Check conditions</strong>: set to Off to
|
||||
disable conditions checking on authentication responses. Use with
|
||||
caution.</li>
|
||||
</ul>
|
||||
</div>
|
||||
|
||||
<p class="footer"><a href="index.html">Index</a></p>
|
||||
|
|
|
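Review bot: the resolution-rule example is broken on both sides of the diff: `$ENV{ =~ /^192.168/` is missing the hash key and closing brace after `$ENV{` (the old text `$ENV{ to get user's IP` has the same truncation), and its lead-in says "129.168.0.0/16" while the regex matches 192.168. Write out the full environment variable, fix the prefix in the prose, and escape and anchor the pattern (for example `/^192\.168\./`) so it cannot also match 192.1680.x.x. Second, "Check conditions: set to Off ... Use with caution" should say what is skipped: the assertion's Conditions element carries NotBefore/NotOnOrAfter and the AudienceRestriction, so turning the check off lets an expired assertion, or one issued for a different service provider, open a session; document that consequence rather than "use with caution". Minor: "comming", "restiction", "direct login form IDP" (from), "mapped ton an internal", and the manager-saml-idp-list.png image uses an absolute `/xwiki/bin/download/...` path while its siblings are relative, which will not resolve in the static build.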
@ -51,9 +51,185 @@
|
|||
}
|
||||
/*]]>*/
|
||||
</style>
|
||||
<style type="text/css">
|
||||
/*<![CDATA[*/
|
||||
div.c1 {margin-left: 2em}
|
||||
/*]]>*/
|
||||
</style>
|
||||
</head>
|
||||
|
||||
<body>
|
||||
<div class="main-content">
|
||||
<h2 class="heading-1"><span id="HSAMLIssuerBackend">SAML Issuer
|
||||
Backend</span></h2>
|
||||
|
||||
<p class="paragraph"></p>
|
||||
|
||||
<ul>
|
||||
<li><a href="#HSAMLService">SAML Service</a></li>
|
||||
|
||||
<li><a href="#HIssuerDB">IssuerDB</a></li>
|
||||
|
||||
<li><a href="#HRegisterLemonLDAP3A3ANGonpartnerServiceProvider">Register
|
||||
LemonLDAP::NG on partner Service Provider</a></li>
|
||||
|
||||
<li>
|
||||
<a href="#HRegisterpartnerServiceProvideronLemonLDAP3A3ANG">Register
|
||||
partner Service Provider on LemonLDAP::NG</a>
|
||||
|
||||
<div class="c1">
|
||||
<ul>
|
||||
<li><a href="#HMetadata">Metadata</a></li>
|
||||
|
||||
<li><a href="#HExportedattributes">Exported attributes</a></li>
|
||||
|
||||
<li>
|
||||
<a href="#HOptions">Options</a>
|
||||
|
||||
<ul>
|
||||
<li><a href="#HAuthenticationresponse">Authentication
|
||||
response</a></li>
|
||||
|
||||
<li><a href="#HSignature">Signature</a></li>
|
||||
|
||||
<li><a href="#HSecurity">Security</a></li>
|
||||
</ul>
|
||||
</li>
|
||||
</ul>
|
||||
</div>
|
||||
</li>
|
||||
</ul><strong class="strong">Since LemonLDAP::NG 1.0rc2</strong>
|
||||
|
||||
<h2 class="heading-1"><span id="HPresentation">Presentation</span></h2>
|
||||
|
||||
<h2 class="heading-1"><span id="HConfiguration">Configuration</span></h2>
|
||||
|
||||
<h3 class="heading-1-1"><span id="HSAMLService">SAML Service</span></h3>
|
||||
|
||||
<p class="paragraph"></p>See <span class="wikilink"><a href=
|
||||
"SAMLService.html">SAML service configuration chapter</a></span>.
|
||||
|
||||
<h3 class="heading-1-1"><span id="HIssuerDB">IssuerDB</span></h3><br />
|
||||
<br />
|
||||
In General Parameters > Modules > Issuer module, select
|
||||
<strong class="strong">SAML v2</strong>.<br />
|
||||
<br />
|
||||
You can add an Issuer rule that will be checked to allow a user to use
|
||||
Issuer module. This can be helpful to prevent some users to use the SAML
|
||||
module. Set in in General Parameters > Advanced Parameters >
|
||||
Security > Issuer Activation Rule.<br />
|
||||
<br />
|
||||
For example, allow only users from "SAML" group:<br />
|
||||
<br />
|
||||
|
||||
<div class="code">
|
||||
<pre>
|
||||
$groups =~ /SAML/
|
||||
</pre>
|
||||
</div>
|
||||
|
||||
<h3 class="heading-1-1"><span id=
|
||||
"HRegisterLemonLDAP3A3ANGonpartnerServiceProvider">Register LemonLDAP::NG
|
||||
on partner Service Provider</span></h3><br />
|
||||
<br />
|
||||
After configuring <span class="wikilink"><a href="SAMLService.html">SAML
|
||||
Service</a></span>, you can export metadata to your partner Service
|
||||
Provider. They are available at the EntityID URL, by default:
|
||||
<strong class="strong"><span class="nobr"><a href=
|
||||
"http://auth.example.com/saml/metadata">http://auth.example.com/saml/metadata</a></span></strong>.
|
||||
|
||||
<h3 class="heading-1-1"><span id=
|
||||
"HRegisterpartnerServiceProvideronLemonLDAP3A3ANG">Register partner
|
||||
Service Provider on LemonLDAP::NG</span></h3><br />
|
||||
<br />
|
||||
In the Manager, select node Servce Providers and click on New
|
||||
metadatas:<br />
|
||||
<br />
|
||||
<img src="manager-saml-sp-new.png" alt="manager-saml-sp-new.png" /><br />
|
||||
<br />
|
||||
The SP name is asked, enter it and click OK.<br />
|
||||
<br />
|
||||
Now you have access to the SP parameters list.
|
||||
|
||||
<h5 class="heading-1-1-1-1"><span id=
|
||||
"HMetadata">Metadata</span></h5><br />
|
||||
<br />
|
||||
You must register SP metadata here. You can do it either by uploading the
|
||||
file, or get it from SP metadata URL (this require a network link between
|
||||
your server and the SP).<br />
|
||||
<br />
|
||||
You can also copy/paste the metadata: just click on the <strong class=
|
||||
"strong">Edit</strong> button. When the text is pasted, click on the
|
||||
<strong class="strong">Apply</strong> button to keep the value.
|
||||
|
||||
<h5 class="heading-1-1-1-1"><span id="HExportedattributes">Exported
|
||||
attributes</span></h5><br />
|
||||
<br />
|
||||
For each attribute, you can set:
|
||||
|
||||
<ul class="star">
|
||||
<li><strong class="strong">Key name</strong>: name of the key in
|
||||
LemonLDAP::NG session</li>
|
||||
|
||||
<li><strong class="strong">Mandatory</strong>: if set to "On", then this
|
||||
attribute will be sent in authentication response. Else it just will be
|
||||
sent trough an attribute response, if explicitely requested in an
|
||||
attribute request.</li>
|
||||
|
||||
<li><strong class="strong">Name</strong>: SAML attribute name.</li>
|
||||
|
||||
<li><strong class="strong">Friendly Name</strong>: optional, SAML
|
||||
attribute friendly name.</li>
|
||||
|
||||
<li><strong class="strong">Format</strong>: optional, SAML attribute
|
||||
format.</li>
|
||||
</ul>
|
||||
|
||||
<h5 class="heading-1-1-1-1"><span id="HOptions">Options</span></h5>
|
||||
|
||||
<h6 class="heading-1-1-1-1-1"><span id=
|
||||
"HAuthenticationresponse">Authentication response</span></h6>
|
||||
|
||||
<ul class="star">
|
||||
<li><strong class="strong">Default NameID format</strong>: if no NameID
|
||||
format is requested, or the NameID format <strong class=
|
||||
"strong">undefined</strong>, this NameID format will be used. If no
|
||||
value, the default NameID format is <strong class=
|
||||
"strong">Email</strong>.</li>
|
||||
|
||||
<li><strong class="strong">One Time Use</strong>: set the OneTimeUse
|
||||
flag in authentication response.</li>
|
||||
</ul>
|
||||
|
||||
<h6 class="heading-1-1-1-1-1"><span id=
|
||||
"HSignature">Signature</span></h6><br />
|
||||
<br />
|
||||
These options override service signature options (see <span class=
|
||||
"wikilink"><a href="SAMLService.html">SAML service
|
||||
configuration</a></span>).
|
||||
|
||||
<ul class="star">
|
||||
<li><strong class="strong">Sign SSO message</strong>: sign SSO
|
||||
message</li>
|
||||
|
||||
<li><strong class="strong">Check SSO message signature</strong>: check
|
||||
SSO message signature</li>
|
||||
|
||||
<li><strong class="strong">Sign SLO message</strong>: sign SLO
|
||||
message</li>
|
||||
|
||||
<li><strong class="strong">Check SLO message signature</strong>: check
|
||||
SLO message signature</li>
|
||||
</ul>
|
||||
|
||||
<h6 class="heading-1-1-1-1-1"><span id="HSecurity">Security</span></h6>
|
||||
|
||||
<ul class="star">
|
||||
<li><strong class="strong">Encryption mode</strong>: set the encryption
|
||||
mode for this IDP (None, NameID or Assertion).</li>
|
||||
</ul>
|
||||
</div>
|
||||
|
||||
<p class="footer"><a href="index.html">Index</a></p>
|
||||
</body>
|
||||
</html>
|
||||
|
|
|
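Review bot: in the Security section the Encryption mode option says "set the encryption mode for this IDP", but this page registers Service Providers, so it should read "for this SP" (the sentence was copied from the authentication-backend page). The Issuer Activation Rule example `$groups =~ /SAML/` is a substring match, so any group whose name merely contains "SAML" (say "NOSAML") also passes; anchor the pattern on the group separators or compare the group name exactly. The "Presentation" heading has no body. Typos: "Servce Providers", "Set in in", "sent trough an attribute response", "explicitely".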
@ -132,7 +132,7 @@
|
|||
<p class="paragraph"></p>Choose for example <span class=
|
||||
"wikiexternallink"><a href=
|
||||
"http://zimbra.example.com/zimbrasso">http://zimbra.example.com/zimbrasso</a></span>
|
||||
as SSO URL and set in in application menu.
|
||||
as SSO URL and set it in application menu.
|
||||
|
||||
<h4 class="heading-1-1-1"><span id=
|
||||
"HConfigureZimbravirtualhostinApache">Configure Zimbra virtual host in
|
||||
|
|
|
@ -60,6 +60,9 @@
|
|||
<p class="paragraph"></p>
|
||||
|
||||
<ul>
|
||||
<li><a href="#HRC3A9gionBasseNormandie">Région
|
||||
Basse-Normandie</a></li>
|
||||
|
||||
<li><a href="#HGendarmerieNationale">Gendarmerie Nationale</a></li>
|
||||
|
||||
<li><a href=
|
||||
|
@ -71,6 +74,45 @@
|
|||
<li><a href="#HSGS">SGS</a></li>
|
||||
</ul>They use LemonLDAP::NG:
|
||||
|
||||
<h3 class="heading-1-1"><span id="HRC3A9gionBasseNormandie">Région
|
||||
Basse-Normandie</span></h3>
|
||||
|
||||
<ul class="star">
|
||||
<li>Nb users: ~1800</li>
|
||||
|
||||
<li>Nb protected applications: ~10</li>
|
||||
|
||||
<li>Authentication portal: <span class="nobr"><a href=
|
||||
"https://www.portail.crbn.fr">https://www.portail.crbn.fr</a></span></li>
|
||||
|
||||
<li>Applications: Outlook Web Access, ...</li>
|
||||
</ul>Some screenshots:
|
||||
|
||||
<p class="paragraph"></p>
|
||||
|
||||
<table class="wiki-table" cellpadding="0" cellspacing="0" border="0">
|
||||
<tr>
|
||||
<th>Authentication portal</th>
|
||||
|
||||
<th>Application List</th>
|
||||
</tr>
|
||||
|
||||
<tr class="table-odd">
|
||||
<td><img src="rbn-portal-300px.png" alt="rbn-portal-300px.png" /></td>
|
||||
|
||||
<td><img src="/xwiki/bin/download/NG/References/rbn-applis-300px.png"
|
||||
alt="rbn-applis-300px.png" /></td>
|
||||
</tr>
|
||||
|
||||
<tr class="table-even">
|
||||
<td>Zoom: <a href=
|
||||
"/xwiki/bin/download/NG/References/rbn-portal.png"></a>rbn-portal.png</td>
|
||||
|
||||
<td>Zoom: <a href=
|
||||
"/xwiki/bin/download/NG/References/rbn-applis.png"></a>rbn-applis.png</td>
|
||||
</tr>
|
||||
</table>
|
||||
|
||||
<h3 class="heading-1-1"><span id="HGendarmerieNationale">Gendarmerie
|
||||
Nationale</span></h3>
|
||||
|
||||
|
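Review bot: the two "Zoom:" links are unclickable: `<a href="/xwiki/bin/download/NG/References/rbn-portal.png"></a>rbn-portal.png` has an empty anchor with the file name outside it; move the text inside the `<a>`. The screenshots also mix a relative `rbn-portal-300px.png` with an absolute `/xwiki/bin/download/NG/References/rbn-applis-300px.png`; the absolute xwiki path will not resolve in the exported documentation, and both zoom targets have the same problem.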
@ -81,6 +123,8 @@
|
|||
<li>Nb users: 105.000</li>
|
||||
|
||||
<li>Nb protected applications: ~100</li>
|
||||
|
||||
<li>Applications: Sympa, MediaWiki, ...</li>
|
||||
</ul>
|
||||
|
||||
<h3 class="heading-1-1"><span id=
|
||||
|
@ -93,6 +137,9 @@
|
|||
<li>Nb users: ~500</li>
|
||||
|
||||
<li>Nb protected applications: ~10</li>
|
||||
|
||||
<li>Authentication portal: <span class="nobr"><a href=
|
||||
"https://websso.dmz.bpi.fr/">https://websso.dmz.bpi.fr/</a></span></li>
|
||||
</ul>
|
||||
|
||||
<h3 class="heading-1-1"><span id="HLINAGORAGroup">LINAGORA
|
||||
|
@ -101,14 +148,15 @@
<p class="paragraph"></p><img src="linagora_logo.png" alt=
"linagora_logo.png" />

<p class="paragraph"></p>They use LemonLDAP::NG to secure their intranet.
Protected softwares are Dotclear, GLPI, OBM, Alfresco, and other specific
tools.

<ul class="star">
<li>Nb users: ~150</li>

<li>Nb protected applications: ~5</li>

<li>Authentication portal: <span class="nobr"><a href=
"https://auth.linagora.com/">https://auth.linagora.com/</a></span></li>

<li>Applications: Wordpress, GLPI, OBM, Dokuwiki, ...</li>
</ul>

<h3 class="heading-1-1"><span id="HSGS">SGS</span></h3>
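Review bot: style point on the LINAGORA paragraph: "Protected softwares are Dotclear, GLPI, OBM, Alfresco" should read "Protected software includes Dotclear, GLPI, OBM, Alfresco" (software is uncountable), and "Wordpress" in the Applications item is spelled "WordPress". The paragraph also lists Alfresco and Dotclear while the Applications bullet below lists WordPress and Dokuwiki; worth aligning the two lists or saying that one is a subset.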
502
build/lemonldap-ng/doc/SAML-Service.html
Normal file
@ -0,0 +1,502 @@
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" lang="fr" xml:lang="fr">
<head>
<meta name="generator" content=
"HTML Tidy for Linux/x86 (vers 25 March 2009), see www.w3.org" />

<title>Lemonldap::NG documentation: SAML-Service.html</title>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii" />
<style type="text/css">
/*<![CDATA[*/
body{
background: #ddd;
font-family: sans-serif;
font-size: 11pt;
padding: 0 50px;
}
div.main-content{
padding: 10px;
background: #fff;
border: 2px #ccc solid;
}
a{
text-decoration: none;
}
p.footer{
text-align: center;
margin: 5px 0 0 0;
}
.heading-1{
text-align: center;
color: orange;
font-variant: small-caps;
font-size: 20pt;
}
.heading-1-1{
color: orange;
font-size: 14pt;
border-bottom: 2px #ccc solid;
}
pre{
background: #eee;
border: 2px #ccc solid;
padding: 5px;
border-left: 10px #ccc solid;
}
ul.star li{
list-style-type: square;
}
/*]]>*/
</style>
</head>

<body>
<div class="main-content">
<h2 class="heading-1"><span id="HSAMLserviceconfiguration">SAML service
configuration</span></h2>

<p class="paragraph"></p>

<ul>
<li><a href="#HPresentation">Presentation</a></li>

<li>
<a href="#HPrerequisites">Prerequisites</a>

<ul>
<li>
<a href="#HLasso">Lasso</a>

<ul>
<li><a href="#HDebian2FUbuntu">Debian/Ubuntu</a></li>

<li><a href="#HRHEL2FCentOS2FFedora">RHEL/CentOS/Fedora</a></li>

<li><a href="#HOther">Other</a></li>
</ul>
</li>

<li><a href="#HApacherewriterules">Apache rewrite rules</a></li>
</ul>
</li>

<li>
<a href="#HServiceconfiguration">Service configuration</a>

<ul>
<li><a href="#HEntryIdentifier">Entry Identifier</a></li>

<li><a href="#HSecurityparameters">Security parameters</a></li>

<li><a href="#HNameIDformats">NameID formats</a></li>

<li><a href="#HOrganization">Organization</a></li>

<li>
<a href="#HServiceProvider">Service Provider</a>

<ul>
<li><a href="#HGeneraloptions">General options</a></li>

<li><a href="#HSingleLogout">Single Logout</a></li>

<li><a href="#HAssertionConsumer">Assertion Consumer</a></li>

<li><a href="#HArtifactResolution">Artifact Resolution</a></li>
</ul>
</li>

<li>
<a href="#HIdentityProvider">Identity Provider</a>

<ul>
<li><a href="#HGeneralparameters">General parameters</a></li>

<li><a href="#HSingleSignOn">Single Sign On</a></li>

<li><a href="#HSingleLogout-1">Single Logout</a></li>

<li><a href="#HArtifactResolution-1">Artifact
Resolution</a></li>
</ul>
</li>

<li>
<a href="#HAttributeAuthority">Attribute Authority</a>

<ul>
<li><a href="#HAttributeService">Attribute Service</a></li>
</ul>
</li>

<li><a href="#HAdvanced">Advanced</a></li>
</ul>
</li>
</ul>

<h3 class="heading-1-1"><span id="HPresentation">Presentation</span></h3>

<p class="paragraph"></p>This documentation explains how configure SAML
service in LemonLDAP::NG, in particular:

<ul class="star">
<li>Install prerequisites</li>

<li>Import or generation security keys</li>

<li>Set SAML end points</li>
</ul>Service configuration will be used to generate LemonLDAP::NG SAML
metadata, that will be shared with other providers. It means that if you
modify some settings here, you will have to share again the metadata with
other providers. In other words, take the time to configure this part
before sharing metadata.

<h3 class="heading-1-1"><span id=
"HPrerequisites">Prerequisites</span></h3>

<h4 class="heading-1-1-1"><span id="HLasso">Lasso</span></h4>

<p class="paragraph"></p>SAML2 implementation is based on <span class=
"wikiexternallink"><a href="http://lasso.entrouvert.org">Lasso</a></span>.
You will need a very recent version of Lasso (>= 2.3.0).

<h5 class="heading-1-1-1-1"><span id=
"HDebian2FUbuntu">Debian/Ubuntu</span></h5>

<p class="paragraph"></p>There are packages available here: <span class=
"wikiexternallink"><a href=
"http://deb.entrouvert.org/">http://deb.entrouvert.org/</a></span>.

<p class="paragraph"></p>You will only need to install liblasso3-perl
package:

<div class="code">
<pre>
$ sudo apt-get install liblasso3-perl
</pre>
</div>

<h5 class="heading-1-1-1-1"><span id=
"HRHEL2FCentOS2FFedora">RHEL/CentOS/Fedora</span></h5><br />
<br />
Packages should be available soon.

<h5 class="heading-1-1-1-1"><span id="HOther">Other</span></h5><br />
<br />
Download the Lasso tarball and compile it on your system

<h4 class="heading-1-1-1"><span id="HApacherewriterules">Apache rewrite
rules</span></h4><br />
<br />
Be sure that mod_rewrite is installed and that SAML2 rewrite rules are
activated in <strong class="strong">etc/portal-apache2.conf</strong>:

<div class="code">
<pre>
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule ^/saml/metadata /metadata.pl
RewriteRule ^/saml/.* /index.pl
</IfModule>
</pre>
</div>

<h3 class="heading-1-1"><span id="HServiceconfiguration">Service
configuration</span></h3>

<p class="paragraph"></p>All configuration can be done with LemonLDAP::NG
Manager. Connect to it first (by default <span class=
"wikiexternallink"><a href=
"http://manager.example.com">http://manager.example.com</a></span>). The
service configuration is done into the node <strong class="strong">SAML 2
Service</strong>.

<h4 class="heading-1-1-1"><span id="HEntryIdentifier">Entry
Identifier</span></h4><br />
<br />
Your EntityID, often use as metadata URL, by default <span class=
"nobr"><a href=
"http://auth.example.com/saml/metadata.">http://auth.example.com/saml/metadata.</a></span>
Change this value to fit your portal URL, for example:<br />
<br />

<div class="code">
<pre>
<span class="nobr"><a href=
"http://auth.mycompany.com/saml/metadata">http://auth.mycompany.com/saml/metadata</a></span>
</pre>
</div>

<h4 class="heading-1-1-1"><span id="HSecurityparameters">Security
parameters</span></h4><br />
<br />
This section concerns public and private keys, mandatory to exchange SAML
messages with other providers. You have two options:

<ul class="star">
<li>use your own keys generated from your PKI</li>

<li>generate keys from configuration interface</li>
</ul><strong class="strong">Warning</strong>: private keys are not
published in metadata, but they are stored in configuration backend.<br />
<br />
You can set keys for signing and encryption. Keys for signing are
mandatory, but if no keys are defined for encryption, keys for signing
will be used.<br />
<br />
Private keys can be protected by a password: in this case, set the
password in the private key password field.<br />
<br />
Public key can be a raw public key or a certificate containing the public
key.<br />
<br />
If you want to generate key from the interface, click on <strong class=
"strong">Private key</strong>, and the on <strong class=
"strong">Generate</strong>:<br />
<br />
<img src="manager-saml-private-key.png" alt=
"manager-saml-private-key.png" /><br />
<br />
A password will be prompted. Leave blank if you don't want to protect the
private key with a password.<br />
<br />
The private and public are then generated in <strong class="strong">Public
key</strong> and <strong class="strong">Private key</strong> fields.

<h4 class="heading-1-1-1"><span id="HNameIDformats">NameID
formats</span></h4><br />
<br />
<img src="manager-saml-namid-formats.png" alt=
"manager-saml-namid-formats.png" /><br />
<br />
SAML can use differents NameID formats. The NameID is the main user
identifier, carried in SAML messages. You can configure here which field
of LemonLDAP::NG session will be associated to a NameID format.<br />
<br />
Customizable NameID formats are:

<ul class="star">
<li>Email</li>

<li>X509</li>

<li>Windows</li>

<li>Kerberos</li>
</ul>For example, if you are using AD as authentication backend, you can
use sAMAccountName for the Windows NameID format.<br />
<br />
Other NameID formats are automatically managed:

<ul class="star">
<li><strong class="strong">Transient</strong>: NameID is generated</li>

<li><strong class="strong">Persistent</strong>: NameID is restored from
previous sessions</li>

<li><strong class="strong">Undefined</strong>: Default NameID format is
used (see <span class="wikilink"><a href=
"4.8-SAML-issuer-backend.html">issuer SAML
configuration</a></span>)</li>
</ul>

<h4 class="heading-1-1-1"><span id=
"HOrganization">Organization</span></h4><br />
<br />
This concerns all parameters for the Organization metadata section:
<Organization></Organization>.

<ul class="star">
<li><strong class="strong">Display Name</strong>: should be displayed on
IDP, this is often your society name</li>

<li><strong class="strong">Name</strong>: internal name</li>

<li><strong class="strong">URL</strong>: URL of your society</li>
</ul>

<h4 class="heading-1-1-1"><span id="HServiceProvider">Service
Provider</span></h4><br />
<br />
This concerns all parameters for the Service Provider metadata section:
<SPSSODescriptor></SPSSODescriptor>.

<h5 class="heading-1-1-1-1"><span id="HGeneraloptions">General
options</span></h5>

<ul class="star">
<li><strong class="strong">Signed Authentication Request</strong>: set
to On to always sign authentication request.</li>

<li><strong class="strong">Want Assertions Signed</strong>: set to On to
require that received assertions are signed.</li>
</ul>These options can then be overridden for each Identity Provider, see
<span class="wikilink"><a href="4.8-SAML-issuer-backend.html">issuer SAML
configuration</a></span>.

<h5 class="heading-1-1-1-1"><span id="HSingleLogout">Single
Logout</span></h5><br />
<br />
For each binding you can set:

<ul class="star">
<li><strong class="strong">Location</strong>: Access Point for SLO
request. Change this value to fit your portal URL.</li>

<li><strong class="strong">Response Location</strong>: Access Point for
SLO response. Change this value to fit your portal URL.</li>
</ul><img src="manager-saml-service-sp-slo.png" alt=
"manager-saml-service-sp-slo.png" /><br />
<br />
Available bindings are:

<ul class="star">
<li>HTTP Redirect</li>

<li>HTTP POST</li>

<li>HTTP SOAP</li>
</ul>

<h5 class="heading-1-1-1-1"><span id="HAssertionConsumer">Assertion
Consumer</span></h5><br />
<br />
For each binding you can set:

<ul class="star">
<li><strong class="strong">Default</strong>: will this binding be used
by default for authentication response</li>

<li><strong class="strong">Location</strong>: Access Point for SSO
request and response. Change this value to fit your portal URL.</li>
</ul><img src="manager-saml-service-sp-ac.png" alt=
"manager-saml-service-sp-ac.png" /><br />
<br />
Available bindings are:

<ul class="star">
<li>HTTP Artifact</li>

<li>HTTP Redirect</li>

<li>HTTP POST</li>
</ul>

<h5 class="heading-1-1-1-1"><span id="HArtifactResolution">Artifact
Resolution</span></h5><br />
<br />
The only authorized binding is SOAP. This should be set as Default.
Location has to be adapted to fit your portal URL.

<h4 class="heading-1-1-1"><span id="HIdentityProvider">Identity
Provider</span></h4><br />
<br />
This concerns all parameters for the Service Provider metadata section:
<IDPSSODescriptor></IDPSSODescriptor>.

<h5 class="heading-1-1-1-1"><span id="HGeneralparameters">General
parameters</span></h5>

<ul class="star">
<li><strong class="strong">Want Authentication Request Signed</strong>:
set to On to require that received authentication request are
signed.</li>
</ul>This option can then be overridden for each serivec Provider, see
<span class="wikilink"><a href="4.5-SAML-authentication-backend.html">SAML
authentication configuration</a></span>.

<h5 class="heading-1-1-1-1"><span id="HSingleSignOn">Single Sign
On</span></h5><br />
<br />
For each binding you can set:

<ul class="star">
<li><strong class="strong">Location</strong>: Access Point for SSO
request. Change this value to fit your portal URL.</li>

<li><strong class="strong">Response Location</strong>: Access Point for
SSO response. Change this value to fit your portal URL.</li>
</ul>Available bindings are:

<ul class="star">
<li>HTTP Redirect</li>

<li>HTTP POST</li>

<li>HTTP Artifact</li>

<li>HTTP SOAP</li>
</ul>

<h5 class="heading-1-1-1-1"><span id="HSingleLogout">Single
Logout</span></h5><br />
<br />
For each binding you can set:

<ul class="star">
<li><strong class="strong">Location</strong>: Access Point for SLO
request. Change this value to fit your portal URL.</li>

<li><strong class="strong">Response Location</strong>: Access Point for
SLO response. Change this value to fit your portal URL.</li>
</ul>Available bindings are:

<ul class="star">
<li>HTTP Redirect</li>

<li>HTTP POST</li>

<li>HTTP SOAP</li>
</ul>

<h5 class="heading-1-1-1-1"><span id="HArtifactResolution">Artifact
Resolution</span></h5><br />
<br />
The only authorized binding is SOAP. This should be set as Default.
Location has to be adapted to fit your portal URL.

<h4 class="heading-1-1-1"><span id="HAttributeAuthority">Attribute
Authority</span></h4><br />
<br />
This concerns all parameters for the Attribute Authority metadata section:
<AttributeAuthorityDescriptor></AttributeAuthorityDescriptor>.

<h5 class="heading-1-1-1-1"><span id="HAttributeService">Attribute
Service</span></h5><br />
<br />
This is the only service to configure, and it accept only the SOAP
binding.<br />
<br />
Location has to be adapted to fit your portal URL. Response Location
should be empty, as SOAP responses are directly returned (synchronous
binding).

<h4 class="heading-1-1-1"><span id="HAdvanced">Advanced</span></h4><br />
<br />
These parameters are not mandatory to run SAML service, but can help to
customize it:

<ul class="star">
<li><strong class="strong">IDP resolution cookie name</strong>: by
default, it's the LemonLDAP::NG cookie name suffixed by 'idp', for
example: 'lemonldapidp'.</li>

<li><strong class="strong">UTF8 metadata conversion</strong>: set to On
to convert partner's metadata, in cas of the carry special
characters.</li>

<li><strong class="strong">SAML sessions module name and
options</strong>: by default, the main session module is used to store
SAML temporary data (like relaystates), but SAML sessions need to use a
module compatible with the searchOn functions. This is not the case of
Memcached for example. In this case, you can choose a different module
to manage SAML sessions.</li>
</ul>
</div>

<p class="footer"><a href="index.html">Index</a></p>
</body>
</html>
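Review bot: the table of contents links the Identity Provider subsections to `#HSingleLogout-1` and `#HArtifactResolution-1`, but the corresponding `<h5>` headings reuse `id="HSingleLogout"` and `id="HArtifactResolution"`, which are already used under Service Provider; those two TOC entries therefore resolve to the wrong section and the page carries duplicate ids, which is invalid under the XHTML 1.0 Strict doctype declared at the top. Give the IDP headings the `-1` ids the TOC expects. Further points in the same file: the Identity Provider introduction says "This concerns all parameters for the Service Provider metadata section: <IDPSSODescriptor>" (copy-paste; should read Identity Provider); the default EntityID link includes the sentence's full stop inside the href (`http://auth.example.com/saml/metadata.`), so the rendered link is wrong; `<html lang="fr">` on an English page; wording slips "how configure SAML service", "Import or generation security keys", "differents NameID formats", "serivec Provider", "in cas of the carry special characters", "it accept only the SOAP binding". On the Security parameters warning, since the page itself states that private signing and encryption keys are stored in the configuration backend, it should add that read access to that backend has to be restricted to the Manager and portal accounts, because anyone who can read the configuration holds the IdP's signing key and can mint assertions that partners will accept.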
@ -123,6 +123,7 @@
<li><a href="6-Errors-fr.html">6 Errors (FR)</a></li>
<li><a href="6-References.html">6 References</a></li>
<li><a href="6-Roadmap.html">6 Roadmap</a></li>
<li><a href="SAML-Service.html">SAML Service</a></li>
</ul>
</div>
<p class="footer">Find the latest version of the documentation on <a href="http://wiki.lemonldap.ow2.org">LemonLDAP::NG Wiki</a> !</p>
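Review bot: the new index entry `SAML Service` is the only item in this list without a section number, while its neighbours are `6 Errors (FR)`, `6 References` and `6 Roadmap`, and the page it links to cross-references numbered siblings such as `4.8-SAML-issuer-backend.html`; either number it consistently with the rest of the list or note why it sits outside the numbering.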
BIN build/lemonldap-ng/doc/manager-saml-idp-attribute.png (Normal file, Size: 12 KiB)
BIN build/lemonldap-ng/doc/manager-saml-idp-metadata.png (Normal file, Size: 34 KiB)
BIN build/lemonldap-ng/doc/manager-saml-idp-new.png (Normal file, Size: 35 KiB)
BIN build/lemonldap-ng/doc/manager-saml-namid-formats.png (Normal file, Size: 5.2 KiB)
BIN build/lemonldap-ng/doc/manager-saml-private-key.png (Normal file, Size: 14 KiB)
BIN build/lemonldap-ng/doc/manager-saml-service-sp-ac.png (Normal file, Size: 16 KiB)
BIN build/lemonldap-ng/doc/manager-saml-service-sp-slo.png (Normal file, Size: 18 KiB)
BIN build/lemonldap-ng/doc/manager-saml-sp-new.png (Normal file, Size: 29 KiB)
BIN build/lemonldap-ng/doc/rbn-portal-300px.png (Normal file, Size: 26 KiB)
@ -184,6 +184,8 @@ my $docs = {
'6-References.html',
'http://wiki.lemonldap.ow2.org/xwiki/bin/view/NG/Accounting' =>
'6-Accounting.html',
'http://wiki.lemonldap.ow2.org/xwiki/bin/view/NG/SAMLService' =>
'SAML-Service.html',
};

my %imgs;
@ -376,6 +378,7 @@ s#/xwiki/bin/view/NG/DocAppBasicAuthentication#5-Appli-HTTP-Basic-Authentication
s#/xwiki/bin/view/NG/Roadmap#6-Roadmap.html#g;
s#/xwiki/bin/view/NG/References#6-References.html#g;
s#/xwiki/bin/view/NG/Accounting#6-Accounting.html#g;
s#/xwiki/bin/view/NG/SAMLService#SAMLService.html#g;

# Remove pages not yet created
s#<li><a class=\"wikicreatelink\".*##g;
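Review bot: the new substitution rewrites wiki links to `SAMLService.html`, but the `%docs` entry added earlier in this file maps the same wiki page to `'SAML-Service.html'`, the generated file is `build/lemonldap-ng/doc/SAML-Service.html`, and the index entry links to `SAML-Service.html`; with the hyphen missing here, every cross-link to the SAML service page in the built documentation will point at a file that does not exist. Change the replacement to `s#/xwiki/bin/view/NG/SAMLService#SAML-Service.html#g;` so the three agree.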