CornerStone On Demand (CSOD) allows to use SAML to authenticate users. It works by default with IDP intiated mechanism, but can works with the standard SP initiated cinematic.
To work with LL::NG it requires:
You should have configured LL::NG as an SAML Identity Provider,
Now we will add CSOD as a new SAML Service Provider:
New service provider
.Email
in Options
» Authentication Response
» Default NameID format
Metadata
, and unprotect the field to paste the following value:<md:EntityDescriptor entityID="mycompanyid.csod.com" xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"> <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"> <KeyDescriptor use="signing"> <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:X509Data> <ds:X509Certificate> Base64 encoded CSOD certificate </ds:X509Certificate> </ds:X509Data> </ds:KeyInfo> </KeyDescriptor> <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://mycompanyid.csod.com/samldefault.aspx" index="1" /> <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat> </SPSSODescriptor> </md:EntityDescriptor>
AssertionConsumerService
markup, parameter Location
) into your CSOD company ID and put the certificate value inside the ds:X509Certificate markup
CSOD needs two things to configure LL::NG as an IDP: * Certificate * SAML assertion
For the certificate, you can build it from the signing private key registered in Manager. Select the key, and export it (button Download this file
):
After choosing the file name (for example lemonldapn-ng-priv.key), download the key on your disk.
Then use openssl to generate an auto-signed certificate:
openssl req -new -key lemonldap-ng-priv.key -out cert.csr openssl x509 -req -days 3650 -in cert.csr -signkey lemonldap-ng-priv.key -out cert.pem
You need to use the IDP initiated feature of LL::NG. Just call this URL:
https://auth.example.com/saml/singleSignOn?IDPInitiated=1&sp=mycompanyid.csod.com