291 lines
14 KiB
HTML
291 lines
14 KiB
HTML
<!DOCTYPE html>
|
|
<html lang="en" dir="ltr">
|
|
<head>
|
|
<meta charset="utf-8" />
|
|
<title>documentation:2.0:idpsaml</title>
|
|
<meta name="generator" content="DokuWiki"/>
|
|
<meta name="robots" content="index,follow"/>
|
|
<meta name="keywords" content="documentation,2.0,idpsaml"/>
|
|
<link rel="search" type="application/opensearchdescription+xml" href="lib/exe/opensearch.html" title="LemonLDAP::NG"/>
|
|
<link rel="start" href="idpsaml.html"/>
|
|
<link rel="contents" href="idpsaml.html" title="Sitemap"/>
|
|
<link rel="stylesheet" type="text/css" href="lib/exe/css.php.t.bootstrap3.css"/>
|
|
<!-- //if:usedebianlibs
|
|
<link rel="stylesheet" type="text/css" href="/javascript/bootstrap/css/bootstrap.min.css" />
|
|
//elsif:useexternallibs
|
|
<link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css"></script>
|
|
//elsif:cssminified
|
|
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.min.css" />
|
|
//else -->
|
|
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.css" />
|
|
<!-- //endif -->
|
|
<script type="text/javascript">/*<![CDATA[*/var NS='documentation:2.0';var JSINFO = {"id":"documentation:2.0:idpsaml","namespace":"documentation:2.0"};
|
|
/*!]]>*/</script>
|
|
<script type="text/javascript" charset="utf-8" src="lib/exe/js.php.t.bootstrap3.js"></script>
|
|
<!-- //if:usedebianlibs
|
|
<script type="text/javascript" src="/javascript/jquery/jquery.min.js"></script>
|
|
//elsif:useexternallibs
|
|
<script type="text/javascript" src="http://code.jquery.com/jquery-2.2.0.min.js"></script>
|
|
//elsif:jsminified
|
|
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.min.js"></script>
|
|
//else -->
|
|
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.js"></script>
|
|
<!-- //endif -->
|
|
<!-- //if:usedebianlibs
|
|
<script type="text/javascript" src="/javascript/jquery-ui/jquery-ui.min.js"></script>
|
|
//elsif:useexternallibs
|
|
<script type="text/javascript" src="http://code.jquery.com/ui/1.10.4/jquery-ui.min.js"></script>
|
|
//elsif:jsminified
|
|
<script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.min.js"></script>
|
|
//else -->
|
|
<script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.js"></script>
|
|
<!-- //endif -->
|
|
</head>
|
|
<body>
|
|
<div class="dokuwiki export container">
|
|
<!-- TOC START -->
|
|
<div id="dw__toc">
|
|
<h3 class="toggle">Table of Contents</h3>
|
|
<div>
|
|
|
|
<ul class="toc">
|
|
<li class="level1"><div class="li"><a href="#presentation">Presentation</a></div></li>
|
|
<li class="level1"><div class="li"><a href="#configuration">Configuration</a></div>
|
|
<ul class="toc">
|
|
<li class="level2"><div class="li"><a href="#saml_service">SAML Service</a></div></li>
|
|
<li class="level2"><div class="li"><a href="#issuerdb">IssuerDB</a></div></li>
|
|
<li class="level2"><div class="li"><a href="#register_lemonldapng_on_partner_service_provider">Register LemonLDAP::NG on partner Service Provider</a></div></li>
|
|
<li class="level2"><div class="li"><a href="#register_partner_service_provider_on_lemonldapng">Register partner Service Provider on LemonLDAP::NG</a></div>
|
|
<ul class="toc">
|
|
<li class="level3"><div class="li"><a href="#metadata">Metadata</a></div></li>
|
|
<li class="level3"><div class="li"><a href="#exported_attributes">Exported attributes</a></div></li>
|
|
<li class="level3"><div class="li"><a href="#options">Options</a></div></li>
|
|
</ul>
|
|
</li>
|
|
</ul>
|
|
</li>
|
|
<li class="level1"><div class="li"><a href="#known_issues">Known issues</a></div></li>
|
|
</ul>
|
|
</div>
|
|
</div>
|
|
<!-- TOC END -->
|
|
|
|
<h1 class="sectionedit1" id="saml_identity_provider">SAML Identity Provider</h1>
|
|
<div class="level1">
|
|
|
|
</div>
|
|
<!-- EDIT1 SECTION "SAML Identity Provider" [1-38] -->
|
|
<h2 class="sectionedit2" id="presentation">Presentation</h2>
|
|
<div class="level2">
|
|
|
|
<p>
|
|
<abbr title="LemonLDAP::NG">LL::NG</abbr> can act as an <abbr title="Security Assertion Markup Language">SAML</abbr> 2.0 Identity Provider, that can allow one to federate <abbr title="LemonLDAP::NG">LL::NG</abbr> with:
|
|
</p>
|
|
<ul>
|
|
<li class="level1"><div class="li"> Another <abbr title="LemonLDAP::NG">LL::NG</abbr> system configured with <a href="authsaml.html" class="wikilink1" title="documentation:2.0:authsaml">SAML authentication</a></div>
|
|
</li>
|
|
<li class="level1"><div class="li"> Any <abbr title="Security Assertion Markup Language">SAML</abbr> Service Provider</div>
|
|
</li>
|
|
</ul>
|
|
|
|
</div>
|
|
<!-- EDIT2 SECTION "Presentation" [39-263] -->
|
|
<h2 class="sectionedit3" id="configuration">Configuration</h2>
|
|
<div class="level2">
|
|
|
|
</div>
|
|
<!-- EDIT3 SECTION "Configuration" [264-290] -->
|
|
<h3 class="sectionedit4" id="saml_service">SAML Service</h3>
|
|
<div class="level3">
|
|
|
|
<p>
|
|
See <a href="samlservice.html" class="wikilink1" title="documentation:2.0:samlservice">SAML service</a> configuration chapter.
|
|
</p>
|
|
|
|
</div>
|
|
<!-- EDIT4 SECTION "SAML Service" [291-371] -->
|
|
<h3 class="sectionedit5" id="issuerdb">IssuerDB</h3>
|
|
<div class="level3">
|
|
|
|
<p>
|
|
Go in <code>General Parameters</code> » <code>Issuer modules</code> » <code><abbr title="Security Assertion Markup Language">SAML</abbr></code> and configure:
|
|
</p>
|
|
<ul>
|
|
<li class="level1"><div class="li"> <strong>Activation</strong>: set to <code>On</code>.</div>
|
|
</li>
|
|
<li class="level1"><div class="li"> <strong>Path</strong>: keep <code>^/saml/</code> unless you have change <abbr title="Security Assertion Markup Language">SAML</abbr> end points suffix in <a href="samlservice.html" class="wikilink1" title="documentation:2.0:samlservice">SAML service configuration</a>.</div>
|
|
</li>
|
|
<li class="level1"><div class="li"> <strong>Use rule</strong>: a rule to allow user to use this module, set to <code>1</code> to always allow.</div>
|
|
</li>
|
|
</ul>
|
|
<div class="notetip">For example, to allow only users with a strong authentication level:
|
|
<pre class="code">$authenticationLevel > 2</pre>
|
|
|
|
</div>
|
|
</div>
|
|
<!-- EDIT5 SECTION "IssuerDB" [372-847] -->
|
|
<h3 class="sectionedit6" id="register_lemonldapng_on_partner_service_provider">Register LemonLDAP::NG on partner Service Provider</h3>
|
|
<div class="level3">
|
|
|
|
<p>
|
|
After configuring <abbr title="Security Assertion Markup Language">SAML</abbr> Service, you can export metadata to your partner Service Provider.
|
|
</p>
|
|
|
|
<p>
|
|
They are available at the EntityID <abbr title="Uniform Resource Locator">URL</abbr>, by default: <a href="http://auth.example.com/saml/metadata" class="urlextern" title="http://auth.example.com/saml/metadata" rel="nofollow">http://auth.example.com/saml/metadata</a>.
|
|
</p>
|
|
|
|
</div>
|
|
<!-- EDIT6 SECTION "Register LemonLDAP::NG on partner Service Provider" [848-1092] -->
|
|
<h3 class="sectionedit7" id="register_partner_service_provider_on_lemonldapng">Register partner Service Provider on LemonLDAP::NG</h3>
|
|
<div class="level3">
|
|
|
|
<p>
|
|
In the Manager, select node <abbr title="Security Assertion Markup Language">SAML</abbr> service providers and click on <code>Add <abbr title="Security Assertion Markup Language">SAML</abbr> SP</code>.
|
|
</p>
|
|
|
|
<p>
|
|
The SP name is asked, enter it and click OK.
|
|
</p>
|
|
|
|
<p>
|
|
Now you have access to the SP parameters list.
|
|
</p>
|
|
|
|
</div>
|
|
|
|
<h4 id="metadata">Metadata</h4>
|
|
<div class="level4">
|
|
|
|
<p>
|
|
You must register SP metadata here. You can do it either by uploading the file, or get it from SP metadata <abbr title="Uniform Resource Locator">URL</abbr> (this require a network link between your server and the SP).
|
|
</p>
|
|
|
|
<p>
|
|
<img src="documentation/manager-saml-metadata.png" class="mediacenter" alt="" />
|
|
</p>
|
|
<div class="notetip">You can also edit the metadata directly in the textarea
|
|
</div>
|
|
</div>
|
|
|
|
<h4 id="exported_attributes">Exported attributes</h4>
|
|
<div class="level4">
|
|
|
|
<p>
|
|
<img src="documentation/manager-saml-attributes.png" class="mediacenter" alt="" />
|
|
</p>
|
|
|
|
<p>
|
|
For each attribute, you can set:
|
|
</p>
|
|
<ul>
|
|
<li class="level1"><div class="li"> <strong>Key name</strong>: name of the key in LemonLDAP::NG session</div>
|
|
</li>
|
|
<li class="level1"><div class="li"> <strong>Name</strong>: <abbr title="Security Assertion Markup Language">SAML</abbr> attribute name.</div>
|
|
</li>
|
|
<li class="level1"><div class="li"> <strong>Friendly Name</strong>: optional, <abbr title="Security Assertion Markup Language">SAML</abbr> attribute friendly name.</div>
|
|
</li>
|
|
<li class="level1"><div class="li"> <strong>Mandatory</strong>: if set to “On”, then this attribute will be sent in authentication response. Else it just will be sent trough an attribute response, if explicitly requested in an attribute request.</div>
|
|
</li>
|
|
<li class="level1"><div class="li"> <strong>Format</strong>: optional, <abbr title="Security Assertion Markup Language">SAML</abbr> attribute format.</div>
|
|
</li>
|
|
</ul>
|
|
|
|
</div>
|
|
|
|
<h4 id="options">Options</h4>
|
|
<div class="level4">
|
|
|
|
</div>
|
|
|
|
<h5 id="authentication_response">Authentication response</h5>
|
|
<div class="level5">
|
|
<ul>
|
|
<li class="level1"><div class="li"> <strong>Default NameID format</strong>: if no NameID format is requested, or the NameID format undefined, this NameID format will be used. If no value, the default NameID format is Email.</div>
|
|
</li>
|
|
<li class="level1"><div class="li"> <strong>Force NameID session key</strong>: if empty, the NameID mapping defined in <a href="samlservice.html" class="wikilink1" title="documentation:2.0:samlservice">SAML service</a> configuration will be used. You can force here another session key that will be used as NameID content.</div>
|
|
</li>
|
|
<li class="level1"><div class="li"> <strong>One Time Use</strong>: set the OneTimeUse flag in authentication response (<code><Condtions></code>).</div>
|
|
</li>
|
|
<li class="level1"><div class="li"> <strong>sessionNotOnOrAfter duration</strong>: Time in seconds, added to authentication time, to define sessionNotOnOrAfter value in <abbr title="Security Assertion Markup Language">SAML</abbr> response (<code><AuthnStatement></code>):</div>
|
|
</li>
|
|
</ul>
|
|
<pre class="code file xml"><span class="sc3"><span class="re1"><saml:AuthnStatement</span> <span class="re0">AuthnInstant</span>=<span class="st0">"2014-07-21T11:47:08Z"</span></span>
|
|
<span class="sc3"> <span class="re0">SessionIndex</span>=<span class="st0">"loVvqZX+Vja2dtgt/N+AymTmckGyITyVt+UJ6vUFSFkE78S8zg+aomXX7oZ9qX1UxOEHf6Q4DUstewSJh1uK1Q=="</span></span>
|
|
<span class="sc3"> <span class="re0">SessionNotOnOrAfter</span>=<span class="st0">"2014-07-21T15:47:08Z"</span><span class="re2">></span></span></pre>
|
|
<ul>
|
|
<li class="level1"><div class="li"> <strong>notOnOrAfter duration</strong>: Time in seconds, added to authentication time, to define notOnOrAfter value in <abbr title="Security Assertion Markup Language">SAML</abbr> response (<code><Condtions></code> and <code><SubjectConfirmationData></code>):</div>
|
|
</li>
|
|
</ul>
|
|
<pre class="code file xml"><span class="sc3"><span class="re1"><saml:SubjectConfirmationData</span> <span class="re0">NotOnOrAfter</span>=<span class="st0">"2014-07-21T12:47:08Z"</span></span>
|
|
<span class="sc3"> <span class="re0">Recipient</span>=<span class="st0">"http://simplesamlphp.example.com/simplesamlphp/module.php/saml/sp/saml2-acs.php/default-sp"</span></span>
|
|
<span class="sc3"> <span class="re0">InResponseTo</span>=<span class="st0">"_3cfa896ab05730ac81f413e1e13cc42aa529eceea1"</span><span class="re2">/></span></span></pre>
|
|
<pre class="code file xml"><span class="sc3"><span class="re1"><saml:Conditions</span> <span class="re0">NotBefore</span>=<span class="st0">"2014-07-21T11:46:08Z"</span></span>
|
|
<span class="sc3"> <span class="re0">NotOnOrAfter</span>=<span class="st0">"2014-07-21T12:48:08Z"</span><span class="re2">></span></span></pre>
|
|
<div class="noteimportant">There is a time tolerance of 60 seconds in <code><Conditions></code>
|
|
</div><ul>
|
|
<li class="level1"><div class="li"> <strong>Force UTF-8</strong>: Activate to force UTF-8 decoding of values in <abbr title="Security Assertion Markup Language">SAML</abbr> attributes. If set to 0, the value from the session is directly copied into <abbr title="Security Assertion Markup Language">SAML</abbr> attribute.</div>
|
|
</li>
|
|
</ul>
|
|
|
|
</div>
|
|
|
|
<h5 id="signature">Signature</h5>
|
|
<div class="level5">
|
|
|
|
<p>
|
|
These options override service signature options (see <a href="samlservice.html#general_options" class="wikilink1" title="documentation:2.0:samlservice">SAML service configuration</a>).
|
|
</p>
|
|
<ul>
|
|
<li class="level1"><div class="li"> <strong>Sign <abbr title="Single Sign On">SSO</abbr> message</strong>: sign <abbr title="Single Sign On">SSO</abbr> message</div>
|
|
</li>
|
|
<li class="level1"><div class="li"> <strong>Check <abbr title="Single Sign On">SSO</abbr> message signature</strong>: check <abbr title="Single Sign On">SSO</abbr> message signature</div>
|
|
</li>
|
|
<li class="level1"><div class="li"> <strong>Sign SLO message</strong>: sign SLO message</div>
|
|
</li>
|
|
<li class="level1"><div class="li"> <strong>Check SLO message signature</strong>: check SLO message signature</div>
|
|
</li>
|
|
</ul>
|
|
|
|
</div>
|
|
|
|
<h5 id="security">Security</h5>
|
|
<div class="level5">
|
|
<ul>
|
|
<li class="level1"><div class="li"> <strong>Encryption mode</strong>: set the encryption mode for this IDP (None, NameID or Assertion).</div>
|
|
</li>
|
|
<li class="level1"><div class="li"> <strong>Enable use of IDP initiated <abbr title="Uniform Resource Locator">URL</abbr></strong>: set to <code>On</code> to enable IDP Initiated <abbr title="Uniform Resource Locator">URL</abbr> on this SP.</div>
|
|
</li>
|
|
</ul>
|
|
<div class="notetip">The IDP Initiated <abbr title="Uniform Resource Locator">URL</abbr> is the <abbr title="Single Sign On">SSO</abbr> <abbr title="Security Assertion Markup Language">SAML</abbr> <abbr title="Uniform Resource Locator">URL</abbr> with GET parameters:<ul>
|
|
<li class="level1"><div class="li"> IDPInitiated: 1</div>
|
|
</li>
|
|
<li class="level1"><div class="li"> One of:</div>
|
|
<ul>
|
|
<li class="level2"><div class="li"> sp: SP entity ID</div>
|
|
</li>
|
|
<li class="level2"><div class="li"> spConfKey: SP configuration key</div>
|
|
</li>
|
|
</ul>
|
|
</li>
|
|
</ul>
|
|
|
|
<p>
|
|
For example: <a href="http://auth.example.com/saml/singleSignOn?IDPInitiated=1&spConfKey=simplesamlphp" class="urlextern" title="http://auth.example.com/saml/singleSignOn?IDPInitiated=1&spConfKey=simplesamlphp" rel="nofollow">http://auth.example.com/saml/singleSignOn?IDPInitiated=1&spConfKey=simplesamlphp</a>
|
|
</p>
|
|
|
|
</div>
|
|
</div>
|
|
<!-- EDIT7 SECTION "Register partner Service Provider on LemonLDAP::NG" [1093-4707] -->
|
|
<h2 class="sectionedit8" id="known_issues">Known issues</h2>
|
|
<div class="level2">
|
|
|
|
<p>
|
|
Using both Issuer::<abbr title="Security Assertion Markup Language">SAML</abbr> and Auth::<abbr title="Security Assertion Markup Language">SAML</abbr> on the same LLNG may have some side-effects on single-logout.
|
|
</p>
|
|
|
|
</div>
|
|
<!-- EDIT8 SECTION "Known issues" [4708-] --></div>
|
|
</body>
|
|
</html>
|