dani/lemonldap-ng
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
0d47bd9d20
lemonldap-ng/doc/pages/documentation/1.9/idpsaml.html
Clément Oudot 1b3063f271 Move documentation from 2.0 to 1.9
2015-12-18 09:46:34 +00:00

266 lines
14 KiB
HTML
Raw Blame History

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"
lang="en" dir="ltr">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title></title>
<!-- metadata -->
<meta name="generator" content="Offline" />
<meta name="version" content="Offline 0.1" />
<!-- style sheet links -->
<link rel="stylesheet" media="all" type="text/css" href="../../../css/all.css" />
<link rel="stylesheet" media="screen" type="text/css" href="../../../css/screen.css" />
<link rel="stylesheet" media="print" type="text/css" href="../../../css/print.css" />
</head>
<body>
<div class="dokuwiki export">
<h1 class="sectionedit1" id="saml_identity_provider">SAML Identity Provider</h1>
<div class="level1">
</div>
<!-- EDIT1 SECTION "SAML Identity Provider" [1-38] -->
<h2 class="sectionedit2" id="presentation">Presentation</h2>
<div class="level2">
<p>
<abbr title="LemonLDAP::NG">LL::NG</abbr> can act as an <abbr title="Security Assertion Markup Language">SAML</abbr> 2.0 Identity Provider, that can allow to federate <abbr title="LemonLDAP::NG">LL::NG</abbr> with:
</p>
<ul>
<li class="level1"><div class="li"> Another <abbr title="LemonLDAP::NG">LL::NG</abbr> system configured with <a href="../../documentation/1.9/authsaml.html" class="wikilink1" title="documentation:1.9:authsaml">SAML authentication</a></div>
</li>
<li class="level1"><div class="li"> Any <abbr title="Security Assertion Markup Language">SAML</abbr> Service Provider, for example:</div>
</li>
</ul>
</div>
<div class="plugin_include_content" id="plugin_include__documentation:1.9:applications">
<div class="level2">
<p>
<p><div class="noteclassic">This requires to configure <abbr title="LemonLDAP::NG">LL::NG</abbr> as an <span class="curid"><a href="../../documentation/1.9/idpsaml.html" class="wikilink1" title="documentation:1.9:idpsaml">SAML Identity Provider</a></span>.
</div></p>
</p>
<div class="table sectionedit3"><table class="inline">
<thead>
<tr class="row0 roweven">
<th class="col0 centeralign"> Google Apps </th><th class="col1 centeralign"> Zimbra </th><th class="col2 centeralign"> SAP </th><th class="col3 centeralign"> Cornerstone </th><th class="col4 centeralign"> SalesForce </th>
</tr>
</thead>
<tr class="row1 rowodd">
<td class="col0 centeralign"> <a href="../../documentation/1.9/applications/googleapps.html" class="media" title="documentation:1.9:applications:googleapps"><img src="../../../media/applications/googleapps_logo.png" class="media" alt="" /></a> </td><td class="col1 centeralign"> <a href="http://blog.zimbra.com/blog/archives/2010/06/using-saml-assertions-to-access-zimbra.html" class="media" title="http://blog.zimbra.com/blog/archives/2010/06/using-saml-assertions-to-access-zimbra.html" rel="nofollow"><img src="../../../media/applications/zimbra_logo.png" class="media" alt="" /></a> </td><td class="col2 centeralign"> <a href="http://help.sap.com/saphelp_nw04/helpdata/en/94/695b3ebd564644e10000000a114084/content.htm" class="media" title="http://help.sap.com/saphelp_nw04/helpdata/en/94/695b3ebd564644e10000000a114084/content.htm" rel="nofollow"><img src="../../../media/applications/saplogo.gif" class="media" title="SAP" alt="SAP" /></a> </td><td class="col3 centeralign"> <a href="../../documentation/1.9/applications/cornerstone.html" class="media" title="documentation:1.9:applications:cornerstone"><img src="../../../media/applications/csod_logo.png" class="media" alt="" /></a> </td><td class="col4 centeralign"> <a href="../../documentation/1.9/applications/salesforce.html" class="media" title="documentation:1.9:applications:salesforce"><img src="../../../media/applications/salesforce-logo.jpg" class="medialeft" align="left" alt="" /></a> </td>
</tr>
</table></div>
<!-- EDIT3 TABLE [2693-3238] -->
</div>
</div>
<div class="level2">
</div>
<!-- EDIT2 SECTION "Presentation" [39-323] -->
<h2 class="sectionedit4" id="configuration">Configuration</h2>
<div class="level2">
</div>
<!-- EDIT4 SECTION "Configuration" [324-350] -->
<h3 class="sectionedit5" id="saml_service">SAML Service</h3>
<div class="level3">
<p>
See <a href="../../documentation/1.9/samlservice.html" class="wikilink1" title="documentation:1.9:samlservice">SAML service</a> configuration chapter.
</p>
</div>
<!-- EDIT5 SECTION "SAML Service" [351-431] -->
<h3 class="sectionedit6" id="issuerdb">IssuerDB</h3>
<div class="level3">
<p>
Go in <code>General Parameters</code> » <code>Issuer modules</code> » <code><abbr title="Security Assertion Markup Language">SAML</abbr></code> and configure:
</p>
<ul>
<li class="level1"><div class="li"> <strong>Activation</strong>: set to <code>On</code>.</div>
</li>
<li class="level1"><div class="li"> <strong>Path</strong>: keep <code>^/saml/</code> unless you have change <abbr title="Security Assertion Markup Language">SAML</abbr> end points suffix in <a href="../../documentation/1.9/samlservice.html" class="wikilink1" title="documentation:1.9:samlservice">SAML service configuration</a>.</div>
</li>
<li class="level1"><div class="li"> <strong>Use rule</strong>: a rule to allow user to use this module, set to <code>1</code> to always allow.</div>
</li>
</ul>
<p>
<p><div class="notetip">
For example, to allow only users with a strong authentication level:
</p>
<pre class="code">$authenticationLevel &gt; 2</pre>
<p>
</div></p>
</p>
</div>
<!-- EDIT6 SECTION "IssuerDB" [432-907] -->
<h3 class="sectionedit7" id="register_lemonldapng_on_partner_service_provider">Register LemonLDAP::NG on partner Service Provider</h3>
<div class="level3">
<p>
After configuring <abbr title="Security Assertion Markup Language">SAML</abbr> Service, you can export metadata to your partner Service Provider.
</p>
<p>
They are available at the EntityID <abbr title="Uniform Resource Locator">URL</abbr>, by default: <a href="http://auth.example.com/saml/metadata" class="urlextern" title="http://auth.example.com/saml/metadata" rel="nofollow">http://auth.example.com/saml/metadata</a>.
</p>
</div>
<!-- EDIT7 SECTION "Register LemonLDAP::NG on partner Service Provider" [908-1152] -->
<h3 class="sectionedit8" id="register_partner_service_provider_on_lemonldapng">Register partner Service Provider on LemonLDAP::NG</h3>
<div class="level3">
<p>
In the Manager, select node <abbr title="Security Assertion Markup Language">SAML</abbr> service providers and click on New service provider:
</p>
<p>
<a href="/_detail/documentation/manager-saml-sp-new.png?id=documentation%3A1.9%3Aidpsaml" class="media" title="documentation:manager-saml-sp-new.png"><img src="../../../media/documentation/manager-saml-sp-new.png" class="mediacenter" alt="" /></a>
</p>
<p>
The SP name is asked, enter it and click OK.
</p>
<p>
Now you have access to the SP parameters list.
</p>
</div>
<h4 id="metadata">Metadata</h4>
<div class="level4">
<p>
You must register SP metadata here. You can do it either by uploading the file, or get it from SP metadata <abbr title="Uniform Resource Locator">URL</abbr> (this require a network link between your server and the SP).
</p>
<p>
<p><div class="notetip">You can also copy/paste the metadata: just click on the Edit button. When the text is pasted, click on the Apply button to keep the value.
</div></p>
</p>
</div>
<h4 id="exported_attributes">Exported attributes</h4>
<div class="level4">
<p>
For each attribute, you can set:
</p>
<ul>
<li class="level1"><div class="li"> <strong>Key name</strong>: name of the key in LemonLDAP::NG session</div>
</li>
<li class="level1"><div class="li"> <strong>Mandatory</strong>: if set to “On”, then this attribute will be sent in authentication response. Else it just will be sent trough an attribute response, if explicitly requested in an attribute request.</div>
</li>
<li class="level1"><div class="li"> <strong>Name</strong>: <abbr title="Security Assertion Markup Language">SAML</abbr> attribute name.</div>
</li>
<li class="level1"><div class="li"> <strong>Friendly Name</strong>: optional, <abbr title="Security Assertion Markup Language">SAML</abbr> attribute friendly name.</div>
</li>
<li class="level1"><div class="li"> <strong>Format</strong>: optional, <abbr title="Security Assertion Markup Language">SAML</abbr> attribute format.</div>
</li>
</ul>
</div>
<h4 id="options">Options</h4>
<div class="level4">
</div>
<h5 id="authentication_response">Authentication response</h5>
<div class="level5">
<ul>
<li class="level1"><div class="li"> <strong>Default NameID format</strong>: if no NameID format is requested, or the NameID format undefined, this NameID format will be used. If no value, the default NameID format is Email.</div>
</li>
<li class="level1"><div class="li"> <strong>Force NameID session key</strong>: if empty, the NameID mapping defined in <a href="../../documentation/1.9/samlservice.html" class="wikilink1" title="documentation:1.9:samlservice">SAML service</a> configuration will be used. You can force here another session key that will be used as NameID content.</div>
</li>
<li class="level1"><div class="li"> <strong>One Time Use</strong>: set the OneTimeUse flag in authentication response (<code>&lt;Condtions&gt;</code>).</div>
</li>
<li class="level1"><div class="li"> <strong>sessionNotOnOrAfter duration</strong>: Time in seconds, added to authentication time, to define sessionNotOnOrAfter value in <abbr title="Security Assertion Markup Language">SAML</abbr> response (<code>&lt;AuthnStatement&gt;</code>):</div>
</li>
</ul>
<pre class="code file xml"><span class="sc3"><span class="re1">&lt;saml:AuthnStatement</span> <span class="re0">AuthnInstant</span>=<span class="st0">&quot;2014-07-21T11:47:08Z&quot;</span></span>
<span class="sc3"> <span class="re0">SessionIndex</span>=<span class="st0">&quot;loVvqZX+Vja2dtgt/N+AymTmckGyITyVt+UJ6vUFSFkE78S8zg+aomXX7oZ9qX1UxOEHf6Q4DUstewSJh1uK1Q==&quot;</span></span>
<span class="sc3"> <span class="re0">SessionNotOnOrAfter</span>=<span class="st0">&quot;2014-07-21T15:47:08Z&quot;</span><span class="re2">&gt;</span></span></pre>
<ul>
<li class="level1"><div class="li"> <strong>notOnOrAfter duration</strong>: Time in seconds, added to authentication time, to define notOnOrAfter value in <abbr title="Security Assertion Markup Language">SAML</abbr> response (<code>&lt;Condtions&gt;</code> and <code>&lt;SubjectConfirmationData&gt;</code>):</div>
</li>
</ul>
<pre class="code file xml"><span class="sc3"><span class="re1">&lt;saml:SubjectConfirmationData</span> <span class="re0">NotOnOrAfter</span>=<span class="st0">&quot;2014-07-21T12:47:08Z&quot;</span></span>
<span class="sc3"> <span class="re0">Recipient</span>=<span class="st0">&quot;http://simplesamlphp.example.com/simplesamlphp/module.php/saml/sp/saml2-acs.php/default-sp&quot;</span></span>
<span class="sc3"> <span class="re0">InResponseTo</span>=<span class="st0">&quot;_3cfa896ab05730ac81f413e1e13cc42aa529eceea1&quot;</span><span class="re2">/&gt;</span></span></pre>
<pre class="code file xml"><span class="sc3"><span class="re1">&lt;saml:Conditions</span> <span class="re0">NotBefore</span>=<span class="st0">&quot;2014-07-21T11:46:08Z&quot;</span></span>
<span class="sc3"> <span class="re0">NotOnOrAfter</span>=<span class="st0">&quot;2014-07-21T12:48:08Z&quot;</span><span class="re2">&gt;</span></span></pre>
<p>
<p><div class="noteimportant">There is a time tolerance of 60 seconds in <code>&lt;Conditions&gt;</code>
</div></p>
</p>
</div>
<h5 id="signature">Signature</h5>
<div class="level5">
<p>
These options override service signature options (see <a href="../../documentation/1.9/samlservice.html#general_options" class="wikilink1" title="documentation:1.9:samlservice">SAML service configuration</a>).
</p>
<ul>
<li class="level1"><div class="li"> <strong>Sign <abbr title="Single Sign On">SSO</abbr> message</strong>: sign <abbr title="Single Sign On">SSO</abbr> message</div>
</li>
<li class="level1"><div class="li"> <strong>Check <abbr title="Single Sign On">SSO</abbr> message signature</strong>: check <abbr title="Single Sign On">SSO</abbr> message signature</div>
</li>
<li class="level1"><div class="li"> <strong>Sign SLO message</strong>: sign SLO message</div>
</li>
<li class="level1"><div class="li"> <strong>Check SLO message signature</strong>: check SLO message signature</div>
</li>
</ul>
</div>
<h5 id="security">Security</h5>
<div class="level5">
<ul>
<li class="level1"><div class="li"> <strong>Encryption mode</strong>: set the encryption mode for this IDP (None, NameID or Assertion).</div>
</li>
<li class="level1"><div class="li"> <strong>Enable use of IDP initiated <abbr title="Uniform Resource Locator">URL</abbr></strong>: set to <code>On</code> to enable IDP Initiated <abbr title="Uniform Resource Locator">URL</abbr> on this SP.</div>
</li>
</ul>
<p>
<p><div class="notetip">
The IDP Initiated <abbr title="Uniform Resource Locator">URL</abbr> is the <abbr title="Single Sign On">SSO</abbr> <abbr title="Security Assertion Markup Language">SAML</abbr> <abbr title="Uniform Resource Locator">URL</abbr> with GET parameters:
</p>
<ul>
<li class="level1"><div class="li"> IDPInitiated: 1</div>
</li>
<li class="level1"><div class="li"> One of:</div>
<ul>
<li class="level2"><div class="li"> sp: SP entity ID</div>
</li>
<li class="level2"><div class="li"> spConfKey: SP configuration key</div>
</li>
</ul>
</li>
</ul>
<p>
For example: <a href="http://auth.example.com/saml/singleSignOn?IDPInitiated=1&amp;spConfKey=simplesamlphp" class="urlextern" title="http://auth.example.com/saml/singleSignOn?IDPInitiated=1&amp;spConfKey=simplesamlphp" rel="nofollow">http://auth.example.com/saml/singleSignOn?IDPInitiated=1&amp;spConfKey=simplesamlphp</a>
</div></p>
</p>
</div>
</div><!-- closes <div class="dokuwiki export">-->
Reference in New Issue View Git Blame Copy Permalink