From 49905d47596fee134e39731e252b4aa1f7fa0f7f Mon Sep 17 00:00:00 2001
From: Maxime Besson
Date: Wed, 30 Dec 2020 16:34:17 +0100
Subject: [PATCH 1/2] Remove debug log

---
 lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/SAML.pm | 1 -
 1 file changed, 1 deletion(-)

diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/SAML.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/SAML.pm
index 310cce745..a12ae3ea0 100644
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/SAML.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/SAML.pm
@@ -1912,7 +1912,6 @@ sub sloServer {
 ]
 );
 my $res = $self->p->process($req);
- $self->logger->debug("MAXBES Process retuned $res");
 if ( $res eq PE_REDIRECT ) {

From 726b327bda3fde1c7d3d5e1f287af6fb4fb22b6d Mon Sep 17 00:00:00 2001
From: Christophe Maudoux
Date: Fri, 1 Jan 2021 20:54:23 +0100
Subject: [PATCH 2/2] Update doc (#2385)

---
 doc/sources/admin/authchoice.rst | 8 +++++++-
 doc/sources/admin/authopenidconnect.rst | 10 +++++++---
 doc/sources/admin/ssocookie.rst | 4 ++--
 3 files changed, 16 insertions(+), 6 deletions(-)

diff --git a/doc/sources/admin/authchoice.rst b/doc/sources/admin/authchoice.rst
index 70e4a273f..a7758b931 100644
--- a/doc/sources/admin/authchoice.rst
+++ b/doc/sources/admin/authchoice.rst
@@ -75,6 +75,12 @@ Define here:
 $env->{urldc} =~ /test1\.example\.com/
+.. note::
+ Federated authentication need pdata cookie. SameSite cookie value must be set to "Lax" or "None". See :doc:`SSO cookie parameters`
+
 .. note::
 Authentication request to an another URL than Portal URL can lead
@@ -100,7 +106,7 @@ Define here:
 .. tip::
 You can also override some LLNG parameters for each chain. See
- :doc:`Parameter list` to have the key names to use
+ :doc:`Parameters list` to have the key names to use
 .. |image0| image:: /documentation/manager-choice.png
 :class: align-center
diff --git a/doc/sources/admin/authopenidconnect.rst b/doc/sources/admin/authopenidconnect.rst
index 9e9f10a2f..ae8d03e82 100644
--- a/doc/sources/admin/authopenidconnect.rst
+++ b/doc/sources/admin/authopenidconnect.rst
@@ -56,7 +56,7 @@ Google France Connect
 .. attention::
- OpenID-Connect specification isn't finished for logout
+ OpenID-Connect specification is not finished for logout
 propagation. So logout initiated by relaying-party will be forward to OpenID-Connect provider but logout initiated by the provider (or another RP) will not be propagated. LLNG will implement this when spec will be
@@ -127,7 +127,9 @@ parameter, for example:
 .. attention::
 If you use the :doc:`choice backend`, you
- need to add the choice parameter in redirect URL
+ need to add the choice parameter in redirect URL or set SameSite cookie value to "Lax" or "None". See :doc:`SSO cookie parameters`
 After registration, the OP must give you a client ID and a client secret, that will be used to configure the OP in LL::NG.
@@ -148,6 +150,8 @@ The OP should publish its metadata in a JSON file (see for example `Google
 metadata `__). Copy the content of this file in the textarea.
+Portal discovery document can be found here:
+https://#portal#/.well-known/openid-configuration
 If no metadata is available, you need to write them in the textarea. Mandatory fields are:
@@ -217,7 +221,7 @@ Options
 - **Client ID**: Client ID given by OP
 - **Client secret**: Client secret given by OP
 - **Store ID token**: Allows one to store the ID token (JWT) inside
- user session. Don't enable it unless you need to replay this token
+ user session. Do not enable it unless you need to replay this token
 on an application, or if you need the id_token_hint parameter when using logout.
diff --git a/doc/sources/admin/ssocookie.rst b/doc/sources/admin/ssocookie.rst
index 81cc4410b..88be5a1a0 100644
--- a/doc/sources/admin/ssocookie.rst
+++ b/doc/sources/admin/ssocookie.rst
@@ -38,8 +38,8 @@ To edit SSO cookie parameters, go in Manager, ``General Parameters`` >
 expiration time and use a session cookie.
 - **Cookie SameSite value**: the value of the SameSite cookie attribute. By default, LemonLDAP::NG will set it to "Lax" in most cases, and "None" if you
- use SAML. Using "None" requres Secured Cookies, and accessing applications over HTTPS on most web browsers.
+ use federated authentiication like SAML or OIdC. Using "None" requires Secured Cookies, and accessing applications over HTTPS on most web browsers.
 .. danger::