Renater provides a SAML federation for higher education in France.
It is based on SAMLv2 but adds some specific items, such as a WAYF (discovery) service and a metadata bundle listing all the SPs and IdPs of the federation.
Since LL::NG 2.0, you can register into Renater federation.
Configure LL::NG as a SAML Service Provider with this documentation. You don't need to declare any IdP for the moment.
Configure the SAML Discovery Protocol to redirect users to the WAYF service. The endpoint URL is https://discovery.renater.fr/renater/WAYF.
You now need to import the IdP metadata into the LL::NG configuration. Use the importMetadata script, which should be installed in /usr/share/lemonldap-ng/bin. Select the metadata bundle offered by Renater that matches your needs (see https://services.renater.fr/federation/technique/metadata), for example:
/usr/share/lemonldap-ng/bin/importMetadata -m https://metadata.federation.renater.fr/renater/main/main-idps-renater-metadata.xml -r -i "idp-renater" -s "sp-renater"
If you need to customize some settings of the script, copy it and edit the configuration:
    cp /usr/share/lemonldap-ng/bin/importMetadata /usr/share/lemonldap-ng/bin/importMetadataCustom
    vi /usr/share/lemonldap-ng/bin/importMetadataCustom
Set the attributes provided by the IdPs (use the SAML Name, not the FriendlyName), for example:
    # Value format: "<mandatory flag>;<SAML attribute Name>" (1 = the attribute is required)
    my $exportedAttributes = {
        'cn'                          => '0;urn:oid:2.5.4.3',
        'eduPersonPrincipalName'      => '1;urn:oid:1.3.6.1.4.1.5923.1.1.1.6',
        'givenName'                   => '0;urn:oid:2.5.4.42',
        'sn'                          => '0;urn:oid:2.5.4.4',
        'eduPersonAffiliation'        => '0;urn:oid:1.3.6.1.4.1.5923.1.1.1.1',
        'eduPersonPrimaryAffiliation' => '0;urn:oid:1.3.6.1.4.1.5923.1.1.1.5',
        'mail'                        => '0;urn:oid:0.9.2342.19200300.100.1.3',
        'supannListeRouge'            => '0;urn:oid:1.3.6.1.4.1.7135.1.2.1.1',
        'supannEtuCursusAnnee'        => '0;urn:oid:1.3.6.1.4.1.5923.1.1.1.10',
    };
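To make the "mandatory flag;Name" convention concrete, here is an added example (not LL::NG code, and not its importMetadata script) that parses a table in that string form and maps a received SAML attribute set onto session keys, reporting which mandatory attributes are missing. It assumes that the first field is the mandatory flag (1 = required) and the second the SAML attribute Name; the received attribute sets are constructed sample data, and lookups are done by Name, so a FriendlyName such as "mail" is deliberately not matched.

```python
"""Map received SAML attributes onto LL::NG-style exported attribute specs.

Added example, not part of LL::NG. Assumption: in '1;urn:oid:...' the first
field is the mandatory flag and the second the SAML attribute Name.
"""

# Subset of the page's table, in the same "<mandatory>;<Name>" string form.
EXPORTED_ATTRIBUTES = {
    "cn": "0;urn:oid:2.5.4.3",
    "eduPersonPrincipalName": "1;urn:oid:1.3.6.1.4.1.5923.1.1.1.6",
    "mail": "0;urn:oid:0.9.2342.19200300.100.1.3",
    "eduPersonAffiliation": "0;urn:oid:1.3.6.1.4.1.5923.1.1.1.1",
}


def parse_exported(table):
    """Return {session_key: (mandatory, saml_name)}; reject malformed specs early."""
    parsed = {}
    for key, spec in table.items():
        fields = spec.split(";")
        if (len(fields) < 2 or fields[0] not in ("0", "1")
                or not fields[1].startswith("urn:oid:")):
            raise ValueError("bad attribute spec for %s: %r" % (key, spec))
        parsed[key] = (fields[0] == "1", fields[1])
    return parsed


def map_attributes(table, received):
    """Build session values from attributes keyed by SAML Name.

    Returns (session_values, missing_mandatory). Optional attributes that are
    absent are simply skipped; a missing mandatory one is reported so the
    caller can refuse the login instead of creating a half-populated session.
    """
    session, missing = {}, []
    for key, (mandatory, name) in parse_exported(table).items():
        if name in received:
            session[key] = received[name]
        elif mandatory:
            missing.append(key)
    return session, missing


# Constructed sample assertions, keyed by SAML Name (comments give the FriendlyName).
RECEIVED_OK = {
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.6": "jdoe@univ.example",  # eduPersonPrincipalName
    "urn:oid:2.5.4.3": "John Doe",                            # cn
}
# Sends cn and a value under the FriendlyName "mail" only; eppn is absent.
RECEIVED_NO_EPPN = {
    "urn:oid:2.5.4.3": "John Doe",
    "mail": "jdoe@univ.example",
}

if __name__ == "__main__":
    print(map_attributes(EXPORTED_ATTRIBUTES, RECEIVED_OK))
    print(map_attributes(EXPORTED_ATTRIBUTES, RECEIVED_NO_EPPN))
```

Running it shows the second assertion rejected for a missing eduPersonPrincipalName, and the FriendlyName-keyed "mail" value is not picked up, which is why the page insists on SAML Names in the table.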
Adapt the IdP options, for example:
    my $idpOptions = {
        'samlIDPMetaDataOptionsAdaptSessionUtime'       => 0,
        'samlIDPMetaDataOptionsAllowLoginFromIDP'       => 0,
        'samlIDPMetaDataOptionsAllowProxiedAuthn'       => 0,
        'samlIDPMetaDataOptionsCheckAudience'           => 1,   # reject assertions meant for another SP
        'samlIDPMetaDataOptionsCheckSLOMessageSignature' => 1,
        'samlIDPMetaDataOptionsCheckSSOMessageSignature' => 1,  # require signed SSO responses
        'samlIDPMetaDataOptionsCheckTime'               => 1,   # enforce NotBefore/NotOnOrAfter
        'samlIDPMetaDataOptionsEncryptionMode'          => 'none',
        'samlIDPMetaDataOptionsForceAuthn'              => 0,
        'samlIDPMetaDataOptionsForceUTF8'               => 1,
        'samlIDPMetaDataOptionsIsPassive'               => 0,
        'samlIDPMetaDataOptionsNameIDFormat'            => 'transient',
        'samlIDPMetaDataOptionsRelayStateURL'           => 0,
        'samlIDPMetaDataOptionsSignSLOMessage'          => -1,
        'samlIDPMetaDataOptionsSignSSOMessage'          => -1,
        'samlIDPMetaDataOptionsStoreSAMLToken'          => 0,
        'samlIDPMetaDataOptionsUserAttribute'           => 'urn:oid:1.3.6.1.4.1.5923.1.1.1.6',  # eduPersonPrincipalName
    };
Go to https://federation.renater.fr/registry and register your SP.
Configure LL::NG as a SAML Identity Provider with this documentation. You don't need to declare any SP for the moment.
You now need to import the SP metadata into the LL::NG configuration. Use the importMetadata script, which should be installed in /usr/share/lemonldap-ng/bin. Select the metadata bundle offered by Renater that matches your needs (see https://services.renater.fr/federation/technique/metadata), for example:
/usr/share/lemonldap-ng/bin/importMetadata -m https://metadata.federation.renater.fr/renater/main/main-sps-renater-metadata.xml -r -i "idp-renater" -s "sp-renater"
If you need to customize some settings of the script, copy it and edit the configuration:
    cp /usr/share/lemonldap-ng/bin/importMetadata /usr/share/lemonldap-ng/bin/importMetadataCustom
    vi /usr/share/lemonldap-ng/bin/importMetadataCustom
Adapt the SP options, for example:
    my $spOptions = {
        'samlSPMetaDataOptionsCheckSLOMessageSignature'     => 1,
        'samlSPMetaDataOptionsCheckSSOMessageSignature'     => 1,   # require signed AuthnRequests
        'samlSPMetaDataOptionsEnableIDPInitiatedURL'        => 0,
        'samlSPMetaDataOptionsEncryptionMode'               => 'none',
        'samlSPMetaDataOptionsForceUTF8'                    => 1,
        'samlSPMetaDataOptionsNameIDFormat'                 => '',
        'samlSPMetaDataOptionsNotOnOrAfterTimeout'          => 72000,   # seconds
        'samlSPMetaDataOptionsOneTimeUse'                   => 0,
        'samlSPMetaDataOptionsSessionNotOnOrAfterTimeout'   => 72000,   # seconds
        'samlSPMetaDataOptionsSignSLOMessage'               => 1,
        'samlSPMetaDataOptionsSignSSOMessage'               => 1,
    };
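Both import steps above (the IdP bundle for the SP setup and the SP bundle for the IdP setup) feed a federation metadata aggregate into LL::NG, and the signature-check options only make sense if each imported partner actually publishes a signing certificate. The following added example (not LL::NG code and not its importMetadata script) parses a constructed two-entity aggregate, checks the bundle's validUntil, and lists for each IdP or SP whether it carries a signing certificate and the endpoint its role needs; the sample XML, entity IDs and the placeholder certificate are all constructed, not Renater's metadata.

```python
"""Inspect a SAML metadata aggregate before importing its entities.

Added example, not part of LL::NG or its importMetadata script. The bundle
below is constructed (two fake entities); the X509Certificate is a placeholder.
"""
import datetime as dt
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed aggregate: one IdP with a signing key, one SP without any key.
SAMPLE_BUNDLE = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    validUntil="2099-01-01T00:00:00Z" Name="urn:example:federation">
  <md:EntityDescriptor entityID="https://idp.example.org/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing">
        <ds:KeyInfo><ds:X509Data><ds:X509Certificate>PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
      </md:KeyDescriptor>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp.example.org/sso/redirect"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example.org/sp">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://sp.example.org/acs" index="0"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""

ROLES = (
    ("idp", "md:IDPSSODescriptor", "md:SingleSignOnService"),
    ("sp", "md:SPSSODescriptor", "md:AssertionConsumerService"),
)


def parse_time(iso_utc):
    """Parse a SAML xs:dateTime such as 2099-01-01T00:00:00Z into an aware datetime."""
    return dt.datetime.fromisoformat(iso_utc.replace("Z", "+00:00"))


def parse_bundle(xml_text, now=None):
    """Return (bundle_still_valid, entities); each entity is a dict with its problems."""
    root = ET.fromstring(xml_text)
    now = now or dt.datetime.now(dt.timezone.utc)
    valid_until = root.get("validUntil")
    bundle_ok = parse_time(valid_until) > now if valid_until else True
    entities = []
    for ed in root.findall("md:EntityDescriptor", NS):
        for role, descriptor_tag, endpoint_tag in ROLES:
            desc = ed.find(descriptor_tag, NS)
            if desc is None:
                continue
            # A KeyDescriptor without a "use" attribute serves both signing and encryption.
            signing_keys = [kd for kd in desc.findall("md:KeyDescriptor", NS)
                            if kd.get("use") in (None, "signing")]
            has_cert = any(kd.find(".//ds:X509Certificate", NS) is not None
                           for kd in signing_keys)
            endpoints = [e.get("Location") for e in desc.findall(endpoint_tag, NS)]
            problems = []
            if not has_cert:
                problems.append("no signing certificate: signature checks cannot be enforced")
            if not endpoints:
                problems.append("no %s endpoint" % endpoint_tag.split(":")[1])
            entities.append({"entityID": ed.get("entityID"), "role": role,
                             "has_signing_cert": has_cert, "endpoints": endpoints,
                             "problems": problems})
    return bundle_ok, entities


def importable(xml_text, now=None):
    """Entity IDs safe to import: the bundle is still valid and the entity has no problems."""
    bundle_ok, entities = parse_bundle(xml_text, now)
    if not bundle_ok:
        return []
    return [e["entityID"] for e in entities if not e["problems"]]


if __name__ == "__main__":
    ok, ents = parse_bundle(SAMPLE_BUNDLE)
    print("bundle valid:", ok)
    for e in ents:
        print(e["role"], e["entityID"], e["endpoints"], e["problems"] or "ok")
```

Against the constructed bundle only the IdP is reported as importable; the SP has no KeyDescriptor, so a partner like it could not satisfy samlSPMetaDataOptionsCheckSSOMessageSignature => 1. An expired validUntil makes the whole bundle unusable, which is the behaviour you want from a scheduled re-import rather than silently keeping stale entities.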
Go to https://federation.renater.fr/registry and register your IdP.