<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="fr" xml:lang="fr">
<head>
<meta name="generator" content=
"HTML Tidy for Linux/x86 (vers 7 December 2008), see www.w3.org" />
<title>Lemonldap::NG documentation:
4.5-SAML-authentication-backend.html</title>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii" />
<style type="text/css">
/*<![CDATA[*/
body{
background: #ddd;
font-family: sans-serif;
font-size: 11pt;
padding: 0 50px;
}
div.main-content{
padding: 10px;
background: #fff;
border: 2px #ccc solid;
}
a{
text-decoration: none;
}
p.footer{
text-align: center;
margin: 5px 0 0 0;
}
.heading-1{
text-align: center;
color: orange;
font-variant: small-caps;
font-size: 20pt;
}
.heading-1-1{
color: orange;
font-size: 14pt;
border-bottom: 2px #ccc solid;
}
pre{
background: #eee;
border: 2px #ccc solid;
padding: 5px;
border-left: 10px #ccc solid;
}
ul.star li{
list-style-type: square;
}
/*]]>*/
</style>
</head>
<body>
<div class="main-content">
<h2 class="heading-1"><span id="HSAMLauthenticationbackend">SAML
authentication backend</span></h2>
<ul>
<li><a href="#HPresentation">Presentation</a></li>
<li>
<a href="#HTechnicalrequirements">Technical requirements</a>
<ul>
<li><a href="#HLasso">Lasso</a></li>
<li><a href="#HApacherewriterules">Apache rewrite rules</a></li>
<li><a href="#HSAML2IDP">SAML2 IDP</a></li>
<li><a href="#HPublic2Fprivatekey">Public/private key</a></li>
</ul>
</li>
<li>
<a href="#HLemonLDAP3A3ANGconfiguration">LemonLDAP::NG
configuration</a>
<ul>
<li><a href="#HAuthenticationandUserDB">Authentication and
UserDB</a></li>
<li>
<a href="#HSAML2Service">SAML2 Service</a>
<ul>
<li><a href="#HNodeSAML2Service">Node SAML 2 Service</a></li>
<li><a href="#HNodeOrganization">Node Organization</a></li>
<li>
<a href="#HNodeServiceProvider">Node Service Provider</a>
<ul>
<li><a href="#HNodeSingleLogout">Node SingleLogout</a></li>
<li><a href="#HNodeAssertionConsumer">Node Assertion
Consumer</a></li>
<li><a href="#HNodeNameIDFormat">Node NameID Format</a></li>
</ul>
</li>
<li><a href="#HNodeIdentityProvider">Node Identity
Provider</a></li>
</ul>
</li>
<li>
<a href="#HIdentityProviderregistration">Identity Provider
registration</a>
<ul>
<li><a href="#HMetadataXML">Metadata XML</a></li>
<li><a href="#HNodeExportedattributes">Node Exported
attributes</a></li>
<li><a href="#HNodeOptions">Node Options</a></li>
</ul>
</li>
</ul>
</li>
<li><a href="#HPartnerIDPconfiguration">Partner IDP
configuration</a></li>
</ul>
<p class="paragraph"><strong class="strong">Since LemonLDAP::NG 1.0</strong></p>
<h3 class="heading-1-1"><span id="HPresentation">Presentation</span></h3>
<p class="paragraph">LemonLDAP::NG can use SAML2 authentication to
get the user's identity and fetch attributes defined in the user profile on its
Identity Provider (IDP). In this case, LemonLDAP::NG acts as a SAML2
Service Provider (SP).</p>
<p class="paragraph">Several IDPs are allowed; in this case the user
will choose the IDP he wants. You can preselect an IDP with an IDP resolution
rule.</p>
<p class="paragraph">For each IDP, you can configure the attributes that
are requested. Some can be mandatory: if they are not given by the IDP, the
session will not open.</p>
<h3 class="heading-1-1"><span id="HTechnicalrequirements">Technical
requirements</span></h3>
<h4 class="heading-1-1-1"><span id="HLasso">Lasso</span></h4>
<p class="paragraph">The SAML2 implementation is based on <span class=
"wikiexternallink"><a href="http://lasso.entrouvert.org">Lasso</a></span>.
You will need a very recent version of Lasso (>= 2.2.91).</p>
<p class="paragraph">For lucky Debian users, packages are
available here: <span class="wikiexternallink"><a href=
"http://deb.entrouvert.org/">http://deb.entrouvert.org/</a></span>.</p>
<p class="paragraph">You will only need to install the liblasso3-perl
package:</p>
<div class="code">
<pre>
$ sudo apt-get install liblasso3-perl
</pre>
</div>
<h4 class="heading-1-1-1"><span id="HApacherewriterules">Apache rewrite
rules</span></h4>
<p class="paragraph">Be sure that mod_rewrite is installed and that the SAML2 rewrite rules are
activated in <strong class="strong">etc/portal-apache2.conf</strong>:</p>
<div class="code">
<pre>
&lt;IfModule mod_rewrite.c&gt;
RewriteEngine On
RewriteRule ^/saml/metadata /metadata.pl
RewriteRule ^/saml/.* /index.pl
&lt;/IfModule&gt;
</pre>
</div>
<h4 class="heading-1-1-1"><span id="HSAML2IDP">SAML2 IDP</span></h4>
<p class="paragraph">Of course you need a SAML2 IDP. If you don't
have one, you can check:</p>
<ul class="star">
<li><span class="wikiexternallink"><a href=
"http://authentic.labs.libre-entreprise.org/">Authentic</a></span></li>
<li><span class="wikiexternallink"><a href=
"https://rnd.feide.no/simplesamlphp">simpleSAMLphp</a></span></li>
</ul>
<h4 class="heading-1-1-1"><span id="HPublic2Fprivatekey">Public/private
key</span></h4>
<p class="paragraph">Since SAML2 makes heavy use of signatures and encoding,
you need to generate a public/private key pair.</p>
<p class="paragraph">You can do this with openssl:</p>
<div class="code">
<pre>
$ openssl genrsa -out private_key.pem 1024
$ openssl rsa -pubout -in private_key.pem -out public_key.pem
</pre>
</div>
<h3 class="heading-1-1"><span id=
"HLemonLDAP3A3ANGconfiguration">LemonLDAP::NG configuration</span></h3>
<p class="paragraph">All configuration can be done with the LemonLDAP::NG
Manager. Connect to it first (by default <span class=
"wikiexternallink"><a href=
"http://manager.example.com">http://manager.example.com</a></span>).</p>
<h4 class="heading-1-1-1"><span id=
"HAuthenticationandUserDB">Authentication and UserDB</span></h4>
<p class="paragraph">In General Parameters > Authentication, set:</p>
<ul class="star">
<li>Users database type: SAML</li>
<li>Authentication module: SAML</li>
</ul>
<p class="paragraph">As passwords will not be managed by LL::NG, you can also go to
General Parameters > Portal and set:</p>
<ul class="star">
<li>Display reset password: 0</li>
<li>Display password change: 0</li>
</ul>
<h4 class="heading-1-1-1"><span id="HSAML2Service">SAML2
Service</span></h4>
<p class="paragraph">This is where you configure the SAML2 settings of the
LemonLDAP::NG service. These settings are used to build the metadata that
will be shared with identity providers.</p>
<h5 class="heading-1-1-1-1"><span id="HNodeSAML2Service">Node SAML 2
Service</span></h5>
<ul class="star">
<li>Entity Identifier: your EntityID, often used as the metadata URL, by
default <span class="nobr"><a href=
"http://auth.example.com/saml/metadata">http://auth.example.com/saml/metadata</a></span>.
Change this value to fit your portal URL.</li>
<li>Private key: load your private key file. It will not be published
in the metadata.</li>
</ul>
<h5 class="heading-1-1-1-1"><span id="HNodeOrganization">Node
Organization</span></h5>
<ul class="star">
<li>Display Name: will be displayed on the IDP; this is often your company
name</li>
<li>Name: internal name</li>
<li>URL: URL of your company</li>
</ul>
<h5 class="heading-1-1-1-1"><span id="HNodeServiceProvider">Node Service
Provider</span></h5>
<ul class="star">
<li>Signed Authentication Request: set to On to require signed
authentication requests. Off by default.</li>
<li>Signing Key: load your public key file.</li>
</ul>
<h6 class="heading-1-1-1-1-1"><span id="HNodeSingleLogout">Node
SingleLogout</span></h6>
<p class="paragraph">For each binding you can set:</p>
<ul class="star">
<li>Location: access point for SLO requests. Change this value to fit
your portal URL.</li>
<li>Response Location: access point for SLO responses. Change this value
to fit your portal URL.</li>
</ul>
<h6 class="heading-1-1-1-1-1"><span id="HNodeAssertionConsumer">Node
Assertion Consumer</span></h6>
<p class="paragraph">For each binding you can set:</p>
<ul class="star">
<li>Default: whether this binding is used by default for the authentication
response</li>
<li>Location: access point for SSO requests and responses. Change this
value to fit your portal URL.</li>
</ul>
<h6 class="heading-1-1-1-1-1"><span id="HNodeNameIDFormat">Node NameID
Format</span></h6>
<p class="paragraph">For each NameID Format, you can activate or
deactivate it in the metadata. The first activated format is chosen by default if no
NameID Format is set in the authentication request.</p>
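<p class="paragraph">To see what the nodes above turn into, here is an added example (not LemonLDAP::NG's own metadata generator) that assembles SP metadata from constructed values for the SAML 2 Service, Organization, SingleLogout, Assertion Consumer and NameID Format nodes; the signing KeyDescriptor is left out, and every URL and name below is a sample.</p>

```python
# Added example (not LemonLDAP::NG code): build SP metadata from the node
# values described above, to see what the IDP receives at the EntityID URL.
# All URLs and names below are constructed sample values.
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
BIND = "urn:oasis:names:tc:SAML:2.0:bindings:"
XML_LANG = "{http://www.w3.org/XML/1998/namespace}lang"
ET.register_namespace("md", MD)

SP = {
    "entity_id": "http://auth.example.com/saml/metadata",  # Node SAML 2 Service
    "signed_authn_request": True,  # Node Service Provider
    "organization": {"name": "example", "display_name": "Example Corp",
                     "url": "http://www.example.com"},  # Node Organization
    # Node SingleLogout: binding -> (Location, Response Location)
    "slo": {"HTTP-Redirect": ("http://auth.example.com/saml/singleLogout",
                              "http://auth.example.com/saml/singleLogoutReturn")},
    # Node Assertion Consumer: (binding, Location, Default)
    "acs": [("HTTP-POST", "http://auth.example.com/saml/acs", True),
            ("HTTP-Artifact", "http://auth.example.com/saml/acs", False)],
    # Node NameID Format: activated formats, the first one is the default
    "nameid_formats": ["urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
                       "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"],
}

def build_sp_metadata(sp):
    """Return the SP metadata as an XML string (signing KeyDescriptor omitted)."""
    ed = ET.Element(f"{{{MD}}}EntityDescriptor", entityID=sp["entity_id"])
    sso = ET.SubElement(ed, f"{{{MD}}}SPSSODescriptor",
                        AuthnRequestsSigned=str(sp["signed_authn_request"]).lower(),
                        protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol")
    for binding, (loc, resp) in sp["slo"].items():
        ET.SubElement(sso, f"{{{MD}}}SingleLogoutService", Binding=BIND + binding,
                      Location=loc, ResponseLocation=resp)
    for fmt in sp["nameid_formats"]:  # order matters: first listed is the default
        ET.SubElement(sso, f"{{{MD}}}NameIDFormat").text = fmt
    for i, (binding, loc, default) in enumerate(sp["acs"]):
        ET.SubElement(sso, f"{{{MD}}}AssertionConsumerService", Binding=BIND + binding,
                      Location=loc, index=str(i), isDefault=str(default).lower())
    org = ET.SubElement(ed, f"{{{MD}}}Organization")
    for tag, key in (("OrganizationName", "name"), ("OrganizationDisplayName",
                     "display_name"), ("OrganizationURL", "url")):
        ET.SubElement(org, f"{{{MD}}}{tag}", {XML_LANG: "en"}).text = sp["organization"][key]
    return ET.tostring(ed, encoding="unicode")

def default_acs(sp):
    """Binding and Location used when the request names no ACS index."""
    return next(((b, l) for b, l, d in sp["acs"] if d), sp["acs"][0][:2])
```

<p class="paragraph">Comparing this output with what the portal serves at the Entity Identifier URL is a quick way to check that the Location values really point at your portal and that only the intended NameID formats are activated.</p>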
<h5 class="heading-1-1-1-1"><span id="HNodeIdentityProvider">Node Identity
Provider</span></h5>
<p class="paragraph">Not used here.</p>
<h4 class="heading-1-1-1"><span id=
"HIdentityProviderregistration">Identity Provider registration</span></h4>
<p class="paragraph">Now you have to register the partner IDP. For that,
select the node Identity Providers and click on New metadatas.</p>
<p class="paragraph">The IDP name is asked; enter it and click OK.</p>
<h5 class="heading-1-1-1-1"><span id="HMetadataXML">Metadata
XML</span></h5>
<p class="paragraph">You must register the IDP metadata here. You can do
it either by uploading the file or by giving the IDP metadata URL.</p>
<h5 class="heading-1-1-1-1"><span id="HNodeExportedattributes">Node
Exported attributes</span></h5>
<p class="paragraph">For each attribute, you can set:</p>
<ul class="star">
<li>Key name: name of the key in the LemonLDAP::NG session (for example
"uid" will then be available as $uid in access rules)</li>
<li>Mandatory: if set to "On", the session will not open if this
attribute is not given by the IDP.</li>
<li>Name: SAML attribute name.</li>
<li>Friendly Name: optional, SAML attribute friendly name.</li>
<li>Format: optional, SAML attribute format.</li>
</ul>
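<p class="paragraph">As an added example (not LemonLDAP::NG's own attribute code), the following applies an Exported attributes mapping to the AttributeStatement of a received assertion, matching on the SAML attribute Name, filling the session keys and refusing the session when an attribute flagged Mandatory is absent. The mapping and the assertion fragment are constructed sample data.</p>

```python
# Added example (not LemonLDAP::NG code): apply a "Node Exported attributes"
# mapping to the AttributeStatement of a received assertion and refuse the
# session when a mandatory attribute is missing. All data below is constructed.
import xml.etree.ElementTree as ET

SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
URI_FMT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"

# (Key name, Mandatory, Name, Friendly Name, Format), as in the Manager node
EXPORTED = [
    ("uid", True, "urn:oid:0.9.2342.19200300.100.1.1", "uid", URI_FMT),
    ("mail", True, "urn:oid:0.9.2342.19200300.100.1.3", "mail", URI_FMT),
    ("cn", False, "urn:oid:2.5.4.3", "cn", None),
]

# Constructed assertion fragment: the IDP sends uid and mail, but no cn
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:AttributeStatement>
  <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.1" FriendlyName="uid"
                  NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
   <saml:AttributeValue>jdoe</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3">
   <saml:AttributeValue>jdoe@example.com</saml:AttributeValue>
  </saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""

def received_attributes(assertion_xml):
    """Map SAML attribute Name -> list of values found in the assertion."""
    root = ET.fromstring(assertion_xml)
    return {a.get("Name"): [v.text or "" for v in a.findall(SAML + "AttributeValue")]
            for a in root.iter(SAML + "Attribute")}

def build_session(assertion_xml, exported):
    """Session keys produced by the mapping; None means the session must not open."""
    received = received_attributes(assertion_xml)
    session = {}
    for key, mandatory, name, _friendly, _fmt in exported:
        values = received.get(name)
        if not values:
            if mandatory:
                return None  # Mandatory=On and the IDP did not send it
            continue  # optional attribute absent: the session still opens
        session[key] = "; ".join(values)  # multi-valued attributes joined (choice made here)
    return session
```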
<h5 class="heading-1-1-1-1"><span id="HNodeOptions">Node
Options</span></h5>
<ul class="star">
<li>NameID format: force the NameID format here (email, persistent,
transient, etc.). If no value is set, the first NameID Format activated in the
metadata will be used.</li>
<li>Force authentication: set the ForceAuthn flag in the authentication
request</li>
<li>Allow proxied authentication: allow an authentication response to be
issued by another IDP than the one registered here (proxy IDP). If you
disallow this, you should also disallow direct login from the IDP, because
the proxy restriction is set in authentication requests.</li>
<li>SSO binding: force the binding to use for SSO (http-redirect, http-post,
etc.)</li>
<li>SLO binding: force the binding to use for SLO (http-redirect, http-post,
etc.)</li>
<li>Resolution rule: Perl expression that will be evaluated to know if
this IDP is the default for the connected user. You can use for example
$ENV{ to get the user's IP.</li>
<li>Allow login from IDP: allow a user to connect directly from an IDP
link. In this case, the authentication is not a response to an issued
authentication request, and we have less control over the conditions.</li>
</ul>
<h3 class="heading-1-1"><span id="HPartnerIDPconfiguration">Partner IDP
configuration</span></h3>
<p class="paragraph">You have to give the LemonLDAP::NG metadata to your
partner. After the previous steps, the metadata can be viewed at the Entity Identifier
URL (by default <span class="nobr"><a href=
"http://auth.example.com/saml/metadata/">http://auth.example.com/saml/metadata/</a></span>).</p>
</div>
<p class="footer"><a href="index.html">Index</a></p>
</body>
</html>