SAML Identity Provider

Presentation

LL::NG can act as an SAML 2.0 Identity Provider, that can allow to federate LL::NG with:

Another LL::NG system configured with SAML authentication
Any SAML Service Provider, for example:

This requires to configure LL::NG as an SAML Identity Provider.

Google Apps	Zimbra	SAP	Cornerstone	SalesForce

Configuration

SAML Service

See SAML service configuration chapter.

IssuerDB

Go in General Parameters » Issuer modules » SAML and configure:

Activation: set to On.
Path: keep ^/saml/ unless you have change SAML end points suffix in SAML service configuration.
Use rule: a rule to allow user to use this module, set to 1 to always allow.

For example, to allow only users with a strong authentication level:

$authenticationLevel > 2

Register LemonLDAP::NG on partner Service Provider

After configuring SAML Service, you can export metadata to your partner Service Provider.

They are available at the EntityID URL, by default: http://auth.example.com/saml/metadata.

Register partner Service Provider on LemonLDAP::NG

In the Manager, select node SAML service providers and click on New service provider:

The SP name is asked, enter it and click OK.

Now you have access to the SP parameters list.

Metadata

You must register SP metadata here. You can do it either by uploading the file, or get it from SP metadata URL (this require a network link between your server and the SP).

You can also copy/paste the metadata: just click on the Edit button. When the text is pasted, click on the Apply button to keep the value.

Exported attributes

For each attribute, you can set:

Key name: name of the key in LemonLDAP::NG session
Mandatory: if set to “On”, then this attribute will be sent in authentication response. Else it just will be sent trough an attribute response, if explicitly requested in an attribute request.
Name: SAML attribute name.
Friendly Name: optional, SAML attribute friendly name.
Format: optional, SAML attribute format.

Options

Authentication response

Default NameID format: if no NameID format is requested, or the NameID format undefined, this NameID format will be used. If no value, the default NameID format is Email.
Force NameID session key: if empty, the NameID mapping defined in SAML service configuration will be used. You can force here another session key that will be used as NameID content.
One Time Use: set the OneTimeUse flag in authentication response (<Condtions>).
sessionNotOnOrAfter duration: Time in seconds, added to authentication time, to define sessionNotOnOrAfter value in SAML response (<AuthnStatement>):

<saml:AuthnStatement AuthnInstant="2014-07-21T11:47:08Z"
  SessionIndex="loVvqZX+Vja2dtgt/N+AymTmckGyITyVt+UJ6vUFSFkE78S8zg+aomXX7oZ9qX1UxOEHf6Q4DUstewSJh1uK1Q=="
  SessionNotOnOrAfter="2014-07-21T15:47:08Z">

notOnOrAfter duration: Time in seconds, added to authentication time, to define notOnOrAfter value in SAML response (<Condtions> and <SubjectConfirmationData>):

<saml:SubjectConfirmationData NotOnOrAfter="2014-07-21T12:47:08Z"
  Recipient="http://simplesamlphp.example.com/simplesamlphp/module.php/saml/sp/saml2-acs.php/default-sp"
  InResponseTo="_3cfa896ab05730ac81f413e1e13cc42aa529eceea1"/>

<saml:Conditions NotBefore="2014-07-21T11:46:08Z"
  NotOnOrAfter="2014-07-21T12:48:08Z">

There is a time tolerance of 60 seconds in <Conditions>

Signature

These options override service signature options (see SAML service configuration).

Sign SSO message: sign SSO message
Check SSO message signature: check SSO message signature
Sign SLO message: sign SLO message
Check SLO message signature: check SLO message signature

Security

Encryption mode: set the encryption mode for this IDP (None, NameID or Assertion).
Enable use of IDP initiated URL: set to On to enable IDP Initiated URL on this SP.

The IDP Initiated URL is the SSO SAML URL with GET parameters:

IDPInitiated: 1
One of:
- sp: SP entity ID
- spConfKey: SP configuration key

For example: http://auth.example.com/saml/singleSignOn?IDPInitiated=1&spConfKey=simplesamlphp