dani/lemonldap-ng
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
0546303dac
lemonldap-ng/doc/pages/documentation/current/samlservice.html
Xavier 39c968b215 Update doc
2019-09-23 22:41:16 +02:00

602 lines
28 KiB
HTML
Raw Blame History

<!DOCTYPE html>
<html lang="en" dir="ltr">
<head>
<meta charset="utf-8" />
<title>documentation:2.0:samlservice</title>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="index,follow"/>
<meta name="keywords" content="documentation,2.0,samlservice"/>
<link rel="search" type="application/opensearchdescription+xml" href="lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="samlservice.html"/>
<link rel="contents" href="samlservice.html" title="Sitemap"/>
<link rel="stylesheet" type="text/css" href="lib/exe/css.php.t.bootstrap3.css"/>
<!-- //if:usedebianlibs
<link rel="stylesheet" type="text/css" href="/javascript/bootstrap/css/bootstrap.min.css" />
//elsif:useexternallibs
<link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css"></script>
//elsif:cssminified
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.min.css" />
//else -->
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.css" />
<!-- //endif -->
<script type="text/javascript">/*<![CDATA[*/var NS='documentation:2.0';var JSINFO = {"id":"documentation:2.0:samlservice","namespace":"documentation:2.0"};
/*!]]>*/</script>
<script type="text/javascript" charset="utf-8" src="lib/exe/js.php.t.bootstrap3.js"></script>
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery/jquery.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/jquery-2.2.0.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.js"></script>
<!-- //endif -->
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery-ui/jquery-ui.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/ui/1.10.4/jquery-ui.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.js"></script>
<!-- //endif -->
</head>
<body>
<div class="dokuwiki export container">
<!-- TOC START -->
<div id="dw__toc">
<h3 class="toggle">Table of Contents</h3>
<div>
<ul class="toc">
<li class="level1"><div class="li"><a href="#presentation">Presentation</a></div></li>
<li class="level1"><div class="li"><a href="#prerequisites">Prerequisites</a></div>
<ul class="toc">
<li class="level2"><div class="li"><a href="#lasso">Lasso</a></div>
<ul class="toc">
<li class="level3"><div class="li"><a href="#debianubuntu">Debian/Ubuntu</a></div></li>
<li class="level3"><div class="li"><a href="#rhelcentosfedora">RHEL/CentOS/Fedora</a></div></li>
<li class="level3"><div class="li"><a href="#other">Other</a></div></li>
</ul>
</li>
</ul>
</li>
<li class="level1"><div class="li"><a href="#service_configuration">Service configuration</a></div>
<ul class="toc">
<li class="level2"><div class="li"><a href="#entry_identifier">Entry Identifier</a></div></li>
<li class="level2"><div class="li"><a href="#security_parameters">Security parameters</a></div></li>
<li class="level2"><div class="li"><a href="#nameid_formats">NameID formats</a></div></li>
<li class="level2"><div class="li"><a href="#authentication_contexts">Authentication contexts</a></div></li>
<li class="level2"><div class="li"><a href="#organization">Organization</a></div></li>
<li class="level2"><div class="li"><a href="#service_provider">Service Provider</a></div>
<ul class="toc">
<li class="level3"><div class="li"><a href="#general_options">General options</a></div></li>
<li class="level3"><div class="li"><a href="#single_logout">Single Logout</a></div></li>
<li class="level3"><div class="li"><a href="#assertion_consumer">Assertion Consumer</a></div></li>
<li class="level3"><div class="li"><a href="#artifact_resolution">Artifact Resolution</a></div></li>
</ul>
</li>
<li class="level2"><div class="li"><a href="#identity_provider">Identity Provider</a></div>
<ul class="toc">
<li class="level3"><div class="li"><a href="#general_parameters">General parameters</a></div></li>
<li class="level3"><div class="li"><a href="#single_sign_on">Single Sign On</a></div></li>
<li class="level3"><div class="li"><a href="#single_logout1">Single Logout</a></div></li>
<li class="level3"><div class="li"><a href="#artifact_resolution1">Artifact Resolution</a></div></li>
</ul>
</li>
<li class="level2"><div class="li"><a href="#attribute_authority">Attribute Authority</a></div>
<ul class="toc">
<li class="level3"><div class="li"><a href="#attribute_service">Attribute Service</a></div></li>
</ul>
</li>
<li class="level2"><div class="li"><a href="#advanced">Advanced</a></div>
<ul class="toc">
<li class="level3"><div class="li"><a href="#saml_sessions_module_name_and_options">SAML sessions module name and options</a></div></li>
<li class="level3"><div class="li"><a href="#common_domain_cookie">Common Domain Cookie</a></div></li>
<li class="level3"><div class="li"><a href="#discovery_protocol">Discovery Protocol</a></div></li>
</ul></li>
</ul></li>
</ul>
</div>
</div>
<!-- TOC END -->
<h1 class="sectionedit1" id="saml_service_configuration">SAML service configuration</h1>
<div class="level1">
<div class="noteclassic"><abbr title="Security Assertion Markup Language">SAML</abbr> service configuration is a common step to configure <abbr title="LemonLDAP::NG">LL::NG</abbr> as <a href="authsaml.html" class="wikilink1" title="documentation:2.0:authsaml">SAML SP</a> or <a href="idpsaml.html" class="wikilink1" title="documentation:2.0:idpsaml">SAML IDP</a>.
</div>
</div>
<!-- EDIT1 SECTION "SAML service configuration" [1-169] -->
<h2 class="sectionedit2" id="presentation">Presentation</h2>
<div class="level2">
<p>
This documentation explains how configure <abbr title="Security Assertion Markup Language">SAML</abbr> service in <abbr title="LemonLDAP::NG">LL::NG</abbr>, in particular:
</p>
<ul>
<li class="level1"><div class="li"> Install prerequisites</div>
</li>
<li class="level1"><div class="li"> Import or generate security keys</div>
</li>
<li class="level1"><div class="li"> Set <abbr title="Security Assertion Markup Language">SAML</abbr> end points</div>
</li>
</ul>
<div class="noteimportant">Service configuration will be used to generate <abbr title="LemonLDAP::NG">LL::NG</abbr> <abbr title="Security Assertion Markup Language">SAML</abbr> metadata, that will be shared with other providers. It means that if you modify some settings here, you will have to share again the metadata with other providers. In other words, take the time to configure this part before sharing metadata.
</div>
</div>
<!-- EDIT2 SECTION "Presentation" [170-689] -->
<h2 class="sectionedit3" id="prerequisites">Prerequisites</h2>
<div class="level2">
</div>
<!-- EDIT3 SECTION "Prerequisites" [690-716] -->
<h3 class="sectionedit4" id="lasso">Lasso</h3>
<div class="level3">
<p>
<a href="documentation/lasso.png_documentation_2.0_samlservice.html" class="media" title="documentation:lasso.png"><img src="documentation/lasso.png" class="mediacenter" alt="" /></a>
</p>
<p>
SAML2 implementation is based on <a href="http://lasso.entrouvert.org" class="urlextern" title="http://lasso.entrouvert.org" rel="nofollow">Lasso</a>. You will need a very recent version of Lasso (&gt;= 2.6.0).
</p>
</div>
<h4 id="debianubuntu">Debian/Ubuntu</h4>
<div class="level4">
<p>
You can use official Debian packages or those available here: <a href="http://deb.entrouvert.org/" class="urlextern" title="http://deb.entrouvert.org/" rel="nofollow">http://deb.entrouvert.org/</a>.
</p>
<div class="notetip">We recommend Lasso 2.6 for the SHA256 support, so use the stretch-testing repository of deb.entrouvert.org.
</div>
<p>
You will only need to install liblasso-perl package:
</p>
<pre class="code">sudo apt-get install liblasso-perl</pre>
</div>
<h4 id="rhelcentosfedora">RHEL/CentOS/Fedora</h4>
<div class="level4">
<p>
RPMs are available in <abbr title="LemonLDAP::NG">LL::NG</abbr> RPM &quot;extras&quot; repository (see <a href="installrpm.html#yum_repository" class="wikilink1" title="documentation:2.0:installrpm">yum_repository</a>)
</p>
<p>
Then install lasso and lasso-perl packages:
</p>
<pre class="code">yum install lasso lasso-perl</pre>
<div class="noteimportant">Only 64bits package are available.
</div>
</div>
<h4 id="other">Other</h4>
<div class="level4">
<p>
<a href="http://lasso.entrouvert.org/download/" class="urlextern" title="http://lasso.entrouvert.org/download/" rel="nofollow">Download the Lasso tarball</a> and compile it on your system.
</p>
</div>
<!-- EDIT4 SECTION "Lasso" [717-1628] -->
<h2 class="sectionedit5" id="service_configuration">Service configuration</h2>
<div class="level2">
<p>
Go in Manager and click on <code><abbr title="Security Assertion Markup Language">SAML</abbr> 2 Service</code> node.
</p>
<div class="notetip">You can use #PORTAL# in values to replace the portal <abbr title="Uniform Resource Locator">URL</abbr>.
</div>
</div>
<!-- EDIT5 SECTION "Service configuration" [1629-1792] -->
<h3 class="sectionedit6" id="entry_identifier">Entry Identifier</h3>
<div class="level3">
<p>
Your EntityID, often use as metadata <abbr title="Uniform Resource Locator">URL</abbr>, by default #PORTAL#/saml/metadata.
</p>
<div class="noteclassic">The value will be use in metadata main markup:
<pre class="code file xml"><span class="sc3"><span class="re1">&lt;EntityDescriptor</span> <span class="re0">entityID</span>=<span class="st0">&quot;http://auth.example.com/saml/metadata&quot;</span><span class="re2">&gt;</span></span>
...
<span class="sc3"><span class="re1">&lt;/EntityDescriptor<span class="re2">&gt;</span></span></span></pre>
</div>
</div>
<!-- EDIT6 SECTION "Entry Identifier" [1793-2074] -->
<h3 class="sectionedit7" id="security_parameters">Security parameters</h3>
<div class="level3">
<p>
You can define keys for <abbr title="Security Assertion Markup Language">SAML</abbr> message signature and encryption. If no encryption keys are defined, signature keys are used for signature and encryption.
</p>
<p>
To define keys, you can:
</p>
<ul>
<li class="level1"><div class="li"> import your own private and public keys (<code>Replace by file</code> input)</div>
</li>
<li class="level1"><div class="li"> generate new public and private keys (<code>New keys</code> button)</div>
</li>
</ul>
<div class="notetip">You can enter a password to protect private key with a password. It will be prompted if you generate keys, else you can set it in the <code>Private key password</code>.
</div>
<p>
<img src="documentation/manager-saml-signature.png" class="mediacenter" alt="" />
</p>
<p>
You can import a certificate containing the public key instead the raw public key. However, certificate will not be really validated by other <abbr title="Security Assertion Markup Language">SAML</abbr> components (expiration date, common name, etc.), but will just be a public key wrapper.
</p>
<div class="notetip">You can easily generate a certificate to replace your public key by saving the private key in a file, and use <code>openssl</code> commands to issue a self-signed certificate:
<pre class="code">$ openssl req -new -key private.key -out cert.pem -x509 -days 3650</pre>
</div><ul>
<li class="level1"><div class="li"> <strong>Use certificate in response</strong>: Certificate will be sent inside <abbr title="Security Assertion Markup Language">SAML</abbr> responses.</div>
</li>
<li class="level1"><div class="li"> <strong>Signature method</strong>: set the signature algorithm</div>
</li>
</ul>
<div class="noteimportant">Default value is RSA SHA1 for compatibility purpose but we recommend to use RSA SHA256. This requires to test all partners to check their compatibility.
</div>
</div>
<!-- EDIT7 SECTION "Security parameters" [2075-3475] -->
<h3 class="sectionedit8" id="nameid_formats">NameID formats</h3>
<div class="level3">
<p>
<abbr title="Security Assertion Markup Language">SAML</abbr> can use different NameID formats. The NameID is the main user identifier, carried in <abbr title="Security Assertion Markup Language">SAML</abbr> messages. You can configure here which field of <abbr title="LemonLDAP::NG">LL::NG</abbr> session will be associated to a NameID format.
</p>
<div class="noteclassic">This parameter is used by <a href="idpsaml.html" class="wikilink1" title="documentation:2.0:idpsaml">SAML IDP</a> to fill the NameID in authentication responses.
</div>
<p>
Customizable NameID formats are:
</p>
<ul>
<li class="level1"><div class="li"> Email</div>
</li>
<li class="level1"><div class="li"> X509</div>
</li>
<li class="level1"><div class="li"> Windows</div>
</li>
<li class="level1"><div class="li"> Kerberos</div>
</li>
</ul>
<div class="notetip">For example, if you are using <a href="authldap.html" class="wikilink1" title="documentation:2.0:authldap">AD as authentication backend</a>, you can use sAMAccountName for the Windows NameID format.
</div>
<p>
Other NameID formats are automatically managed:
</p>
<ul>
<li class="level1"><div class="li"> <strong>Transient</strong>: NameID is generated</div>
</li>
<li class="level1"><div class="li"> <strong>Persistent</strong>: NameID is restored from previous sessions</div>
</li>
<li class="level1"><div class="li"> <strong>Undefined</strong>: Default NameID format is used</div>
</li>
</ul>
</div>
<!-- EDIT8 SECTION "NameID formats" [3476-4234] -->
<h3 class="sectionedit9" id="authentication_contexts">Authentication contexts</h3>
<div class="level3">
<p>
Each <abbr title="LemonLDAP::NG">LL::NG</abbr> authentication module has an authentication level, which can be associated to an <a href="http://docs.oasis-open.org/security/saml/v2.0/saml-authn-context-2.0-os.pdf" class="urlextern" title="http://docs.oasis-open.org/security/saml/v2.0/saml-authn-context-2.0-os.pdf" rel="nofollow">SAML authentication context</a>.
</p>
<div class="noteclassic">This parameter is used by <a href="idpsaml.html" class="wikilink1" title="documentation:2.0:idpsaml">SAML IDP</a> to fill the authentication context in authentication responses. It will use the authentication level registered in user session to match the <abbr title="Security Assertion Markup Language">SAML</abbr> authentication context. It is also used by <a href="authsaml.html" class="wikilink1" title="documentation:2.0:authsaml">SAML SP</a> to fill the authentication level in user session, based on authentication response authentication context.
</div>
<p>
Customizable NameID formats are:
</p>
<ul>
<li class="level1"><div class="li"> Password</div>
</li>
<li class="level1"><div class="li"> Password protected transport</div>
</li>
<li class="level1"><div class="li"> TLS client</div>
</li>
<li class="level1"><div class="li"> Kerberos</div>
</li>
</ul>
</div>
<!-- EDIT9 SECTION "Authentication contexts" [4235-4958] -->
<h3 class="sectionedit10" id="organization">Organization</h3>
<div class="level3">
<div class="noteclassic">This concerns all parameters for the Organization metadata section:
<pre class="code file xml"><span class="sc3"><span class="re1">&lt;Organization<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;OrganizationName</span> <span class="re0">xml:lang</span>=<span class="st0">&quot;en&quot;</span><span class="re2">&gt;</span></span>Example<span class="sc3"><span class="re1">&lt;/OrganizationName<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;OrganizationDisplayName</span> <span class="re0">xml:lang</span>=<span class="st0">&quot;en&quot;</span><span class="re2">&gt;</span></span>Example<span class="sc3"><span class="re1">&lt;/OrganizationDisplayName<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;OrganizationURL</span> <span class="re0">xml:lang</span>=<span class="st0">&quot;en&quot;</span><span class="re2">&gt;</span></span>http://www.example.com<span class="sc3"><span class="re1">&lt;/OrganizationURL<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;/Organization<span class="re2">&gt;</span></span></span></pre>
</div><ul>
<li class="level1"><div class="li"> <strong>Display Name</strong>: should be displayed on IDP, this is often your society name</div>
</li>
<li class="level1"><div class="li"> <strong>Name</strong>: internal name</div>
</li>
<li class="level1"><div class="li"> <strong><abbr title="Uniform Resource Locator">URL</abbr></strong>: <abbr title="Uniform Resource Locator">URL</abbr> of your society</div>
</li>
</ul>
</div>
<!-- EDIT10 SECTION "Organization" [4959-5470] -->
<h3 class="sectionedit11" id="service_provider">Service Provider</h3>
<div class="level3">
<div class="noteclassic">This concerns all parameters for the Service Provider metadata section:
<pre class="code file xml"><span class="sc3"><span class="re1">&lt;SPSSODescriptor<span class="re2">&gt;</span></span></span>
...
<span class="sc3"><span class="re1">&lt;/SPSSODescriptor<span class="re2">&gt;</span></span></span></pre>
</div>
</div>
<h4 id="general_options">General options</h4>
<div class="level4">
<ul>
<li class="level1"><div class="li"> <strong>Signed Authentication Request</strong>: set to On to always sign authentication request.</div>
</li>
<li class="level1"><div class="li"> <strong>Want Assertions Signed</strong>: set to On to require that received assertions are signed.</div>
</li>
</ul>
<div class="notetip">These options can then be overridden for each Identity Provider.
</div>
</div>
<h4 id="single_logout">Single Logout</h4>
<div class="level4">
<p>
For each binding you can set:
</p>
<ul>
<li class="level1"><div class="li"> <strong>Location</strong>: Access Point for SLO request.</div>
</li>
<li class="level1"><div class="li"> <strong>Response Location</strong>: Access Point for SLO response.</div>
</li>
</ul>
<p>
Available bindings are:
</p>
<ul>
<li class="level1"><div class="li"> HTTP Redirect</div>
</li>
<li class="level1"><div class="li"> HTTP POST</div>
</li>
<li class="level1"><div class="li"> HTTP SOAP</div>
</li>
</ul>
</div>
<h4 id="assertion_consumer">Assertion Consumer</h4>
<div class="level4">
<p>
For each binding you can set:
</p>
<ul>
<li class="level1"><div class="li"> <strong>Default</strong>: will this binding be used by default for authentication response.</div>
</li>
<li class="level1"><div class="li"> <strong>Location</strong>: Access Point for <abbr title="Single Sign On">SSO</abbr> request and response.</div>
</li>
</ul>
<p>
Available bindings are:
</p>
<ul>
<li class="level1"><div class="li"> HTTP Artifact</div>
</li>
<li class="level1"><div class="li"> HTTP POST</div>
</li>
</ul>
</div>
<h4 id="artifact_resolution">Artifact Resolution</h4>
<div class="level4">
<p>
The only authorized binding is SOAP. This should be set as Default.
</p>
</div>
<!-- EDIT11 SECTION "Service Provider" [5471-6525] -->
<h3 class="sectionedit12" id="identity_provider">Identity Provider</h3>
<div class="level3">
<div class="noteclassic">This concerns all parameters for the Service Provider metadata section:
<pre class="code file xml"><span class="sc3"><span class="re1">&lt;IDPSSODescriptor<span class="re2">&gt;</span></span></span>
...
<span class="sc3"><span class="re1">&lt;/IDPSSODescriptor<span class="re2">&gt;</span></span></span></pre>
</div>
</div>
<h4 id="general_parameters">General parameters</h4>
<div class="level4">
<ul>
<li class="level1"><div class="li"> <strong>Want Authentication Request Signed</strong>: set to On to require that received authentication request are signed.</div>
</li>
</ul>
<div class="notetip">This option can then be overridden for each Service Provider.
</div>
</div>
<h4 id="single_sign_on">Single Sign On</h4>
<div class="level4">
<p>
For each binding you can set:
</p>
<ul>
<li class="level1"><div class="li"> <strong>Location</strong>: Access Point for <abbr title="Single Sign On">SSO</abbr> request.</div>
</li>
<li class="level1"><div class="li"> <strong>Response Location</strong>: Access Point for <abbr title="Single Sign On">SSO</abbr> response.</div>
</li>
</ul>
<p>
Available bindings are:
</p>
<ul>
<li class="level1"><div class="li"> HTTP Redirect</div>
</li>
<li class="level1"><div class="li"> HTTP POST</div>
</li>
<li class="level1"><div class="li"> HTTP Artifact</div>
</li>
</ul>
</div>
<h4 id="single_logout1">Single Logout</h4>
<div class="level4">
<p>
For each binding you can set:
</p>
<ul>
<li class="level1"><div class="li"> <strong>Location</strong>: Access Point for SLO request.</div>
</li>
<li class="level2"><div class="li"> <strong>Response Location</strong>: Access Point for SLO response.</div>
</li>
</ul>
<p>
Available bindings are:
</p>
<ul>
<li class="level1"><div class="li"> HTTP Redirect</div>
</li>
<li class="level1"><div class="li"> HTTP POST</div>
</li>
<li class="level1"><div class="li"> HTTP SOAP</div>
</li>
</ul>
</div>
<h4 id="artifact_resolution1">Artifact Resolution</h4>
<div class="level4">
<p>
The only authorized binding is SOAP. This should be set as Default.
</p>
</div>
<!-- EDIT12 SECTION "Identity Provider" [6526-7500] -->
<h3 class="sectionedit13" id="attribute_authority">Attribute Authority</h3>
<div class="level3">
<div class="noteclassic">This concerns all parameters for the Attribute Authority metadata section
<pre class="code file xml"><span class="sc3"><span class="re1">&lt;AttributeAuthorityDescriptor<span class="re2">&gt;</span></span></span>
...
<span class="sc3"><span class="re1">&lt;/AttributeAuthorityDescriptor<span class="re2">&gt;</span></span></span></pre>
</div>
</div>
<h4 id="attribute_service">Attribute Service</h4>
<div class="level4">
<p>
This is the only service to configure, and it accept only the SOAP binding.
</p>
<p>
Response Location should be empty, as SOAP responses are directly returned (synchronous binding).
</p>
</div>
<!-- EDIT13 SECTION "Attribute Authority" [7501-7912] -->
<h3 class="sectionedit14" id="advanced">Advanced</h3>
<div class="level3">
<p>
These parameters are not mandatory to run <abbr title="Security Assertion Markup Language">SAML</abbr> service, but can help to customize it:
</p>
<ul>
<li class="level1"><div class="li"> <strong>IDP resolution cookie name</strong>: by default, it&#039;s the <abbr title="LemonLDAP::NG">LL::NG</abbr> cookie name suffixed by <code>idp</code>, for example: <code>lemonldapidp</code>.</div>
</li>
<li class="level1"><div class="li"> <strong>UTF8 metadata conversion</strong>: set to On to force partner&#039;s metadata conversion.</div>
</li>
<li class="level1"><div class="li"> <strong>RelayState session timeout</strong>: timeout for RelayState sessions. By default, the RelayState session is deleted when it is read. This timeout allows one to purge sessions of lost RelayState.</div>
</li>
<li class="level1"><div class="li"> <strong>Use specific query_string method</strong>: the CGI query_string method may break invalid <abbr title="Uniform Resource Locator">URL</abbr> encoded signatures (issued for example by ADFS). This option allows one to use a specific method to extract query string, that should be compliant with non standard <abbr title="Uniform Resource Locator">URL</abbr> encoded parameters.</div>
</li>
<li class="level1"><div class="li"> <strong>Override Entity ID when acting as IDP</strong>: By default, <abbr title="Security Assertion Markup Language">SAML</abbr> entityID is the same for SP and IDP roles. Some federations (like <a href="renater.html" class="wikilink1" title="documentation:2.0:renater">Renater</a>) can require a different entityID for IDP. In this case, you can fill here the IDP entityID, for example: <code><a href="https://auth.example.com/saml/metadata/idp" class="urlextern" title="https://auth.example.com/saml/metadata/idp" rel="nofollow">https://auth.example.com/saml/metadata/idp</a></code>.</div>
</li>
</ul>
</div>
<h4 id="saml_sessions_module_name_and_options">SAML sessions module name and options</h4>
<div class="level4">
<p>
By default, the main session module is used to store <abbr title="Security Assertion Markup Language">SAML</abbr> temporary data (like relay-states), but <abbr title="Security Assertion Markup Language">SAML</abbr> sessions need to use a session module compatible with the <a href="documentation/features.html#session_restrictions" class="wikilink1" title="documentation:features">sessions restrictions feature</a>.
</p>
<p>
This is not the case of <a href="memcachedsessionbackend.html" class="wikilink1" title="documentation:2.0:memcachedsessionbackend">Memcached</a> for example. In this case, you can choose a different module to manage <abbr title="Security Assertion Markup Language">SAML</abbr> sessions.
</p>
<div class="notetip">You can also choose a different session module to split <abbr title="Single Sign On">SSO</abbr> sessions and <abbr title="Security Assertion Markup Language">SAML</abbr> sessions.
</div>
</div>
<h4 id="common_domain_cookie">Common Domain Cookie</h4>
<div class="level4">
<p>
The common domain is used by <a href="authsaml.html" class="wikilink1" title="documentation:2.0:authsaml">SAML SP</a> to find an Identity Provider for the user, and by <a href="idpsaml.html" class="wikilink1" title="documentation:2.0:idpsaml">SAML IDP</a> to register itself in user&#039;s IDP list.
</p>
<p>
Configuration parameters are:
</p>
<ul>
<li class="level1"><div class="li"> <strong>Activation</strong>: Set to On to enable Common Domain Cookie support.</div>
</li>
<li class="level1"><div class="li"> <strong>Common domain</strong>: Name of the common domain (where common cookie is available).</div>
</li>
<li class="level1"><div class="li"> <strong>Reader <abbr title="Uniform Resource Locator">URL</abbr></strong>: <abbr title="Uniform Resource Locator">URL</abbr> used by <abbr title="Security Assertion Markup Language">SAML</abbr> SP to read the cookie. Leave blank to deactivate the feature.</div>
</li>
<li class="level1"><div class="li"> <strong>Writer <abbr title="Uniform Resource Locator">URL</abbr></strong>: <abbr title="Uniform Resource Locator">URL</abbr> used by <abbr title="Security Assertion Markup Language">SAML</abbr> IDP to write the cookie. Leave blank to deactivate the feature.</div>
</li>
</ul>
</div>
<h4 id="discovery_protocol">Discovery Protocol</h4>
<div class="level4">
<div class="noteclassic">Discovery Protocol is also know as <a href="http://www.switch.ch/aai/support/tools/wayf.html" class="urlextern" title="http://www.switch.ch/aai/support/tools/wayf.html" rel="nofollow">WAYF Service</a>. More information can be found in the specification: <a href="https://www.oasis-open.org/committees/download.php/28049/sstc-saml-idp-discovery-cs-01.pdf" class="urlextern" title="https://www.oasis-open.org/committees/download.php/28049/sstc-saml-idp-discovery-cs-01.pdf" rel="nofollow">sstc-saml-idp-discovery-cs-01.pdf</a>.
</div>
<p>
When Discovery Protocol is enabled, the <abbr title="LemonLDAP::NG">LL::NG</abbr> IDP list is no more used. Instead user is redirected on the discovery service and is redirected back to <abbr title="LemonLDAP::NG">LL::NG</abbr> with the chosen IDP.
</p>
<div class="noteimportant">If the chosen IDP is not registered in <abbr title="LemonLDAP::NG">LL::NG</abbr>, user will be redirected to discovery service again.
</div>
<p>
Configuration parameters are:
</p>
<ul>
<li class="level1"><div class="li"> <strong>Activation</strong>: Set to On to enable Discovery Protocol support.</div>
</li>
<li class="level1"><div class="li"> <strong>EndPoint <abbr title="Uniform Resource Locator">URL</abbr></strong>: Discovery service page</div>
</li>
<li class="level1"><div class="li"> <strong>Policy</strong>: Set a value here if you don&#039;t want to use the default policy (<code>urn:oasis:names:tc:<abbr title="Security Assertion Markup Language">SAML</abbr>:profiles:<abbr title="Single Sign On">SSO</abbr>:idp-discovery-protocol:single</code>)</div>
</li>
<li class="level1"><div class="li"> <strong>Is passive</strong>: Enable this option to avoid user interaction on discovery service page</div>
</li>
</ul>
</div>
<!-- EDIT14 SECTION "Advanced" [7913-] --></div>
</body>
</html>
Reference in New Issue View Git Blame Copy Permalink