[Table: backend capabilities, with columns Authentication, Users and Password; the cell values were not preserved in this copy.]


LL::NG can use SAML2 to obtain a user's identity and collect attributes defined in the user's profile on the Identity Provider (IDP). In this case, LL::NG acts as a SAML2 Service Provider (SP).

Several IDPs are allowed; in that case the user chooses the IDP he wants. You can preselect an IDP with an IDP resolution rule.

For each IDP, you can configure which attributes are collected. Some can be marked as mandatory: if the IDP does not return them, the session will not open.

LL::NG can also act as a SAML IDP, which allows two LL::NG systems to be interconnected.


SAML Service

See SAML service configuration chapter.

Browser implementations of the formAction directive are inconsistent (e.g. Firefox does not block the redirects whereas Chrome does). Administrators may have to change the formAction value to a wildcard such as *.

In the Manager, go to:

General Parameters > Advanced Parameters > Security > Content Security Policy > Form destination

Authentication and UserDB

In General Parameters > Authentication modules, set:

As passwords will not be managed by LL::NG, you can disable the password module in the menu.

Register LemonLDAP::NG on partner Identity Provider

After configuring SAML Service, you can export metadata to your partner Identity Provider.

They are available at the EntityID URL, by default: You can also use to have only SP-related metadata.

Register partner Identity Provider on LemonLDAP::NG

In the Manager, select the SAML identity providers node and click on Add SAML IDP. You are asked for the IDP name; enter it and click OK.


You must register the IDP metadata here. You can do it either by uploading the file or by fetching it from the IDP metadata URL (this requires a network link between your server and the IDP):

You can also edit the metadata directly in the textarea.

Exported attributes

For each attribute, you can set:


General options

For example, to preselect this IDP for users coming from a given network (here, addresses starting with 192.168) who are members of the "admin" group:

$ENV{REMOTE_ADDR} =~ /^192\.168/ and $groups =~ /\badmin\b/
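To see which sessions the rule above selects, here is an added example (not LL::NG's own code) that evaluates the rule, as written, against constructed sessions. It assumes that $groups holds the user's group names joined with "; ", as LL::NG's session variable does, and that REMOTE_ADDR is the client address seen by the portal.

```perl
#!/usr/bin/perl
# Added example: evaluate the documented IDP resolution rule against
# constructed sessions to show who gets the IDP preselected.
use strict;
use warnings;

# The rule exactly as written in the documentation above.
my $rule = '$ENV{REMOTE_ADDR} =~ /^192\.168/ and $groups =~ /\badmin\b/';

# Constructed cases: [client address, $groups ("; "-separated, assumed
# LL::NG format), expected result].
my @cases = (
    [ '192.168.10.5', 'admin; users',   1 ],
    [ '192.168.10.5', 'administrators', 0 ],  # \b stops "administrators" from matching
    [ '10.0.0.5',     'admin',          0 ],  # right group, wrong network
    [ '192.168.0.1',  'users',          0 ],  # right network, not in group
);

for my $c (@cases) {
    my ( $addr, $groups, $expected ) = @$c;

    # Expose the address the way the rule reads it; $groups is a lexical
    # visible to the string eval below.
    local $ENV{REMOTE_ADDR} = $addr;

    my $got = eval($rule) ? 1 : 0;
    die "rule did not compile: $@" if $@;

    printf "%-14s %-16s -> %s%s\n", $addr, $groups,
        ( $got ? 'preselect IDP' : 'no preselection' ),
        ( $got == $expected ? '' : '  (UNEXPECTED)' );
}
```

Only the first case preselects the IDP; the second shows why the \b word boundaries matter when group names share a prefix.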

Authentication request

These options override service signature options (see SAML service configuration).

If no binding is defined, the default binding from the IDP metadata will be used.

Used only if more than one SAML Identity Provider is declared.

The chosen logo must be in the Portal icons directory (portal/static/common/). You can set a custom icon by entering the icon file name directly in the field and copying the logo file into the Portal icons directory.