lemonldap-ng-1.0-0.3.rc1mdv2011.0.noarch.rpm

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" lang="fr" xml:lang="fr">
<head>
  <meta name="generator" content=
  "HTML Tidy for Linux/x86 (vers 7 December 2008), see www.w3.org" />

  <title>Lemonldap::NG documentation:
  4.5-SAML-authentication-backend.html</title>
  <meta http-equiv="Content-Type" content="text/html; charset=us-ascii" />
  <style type="text/css">
/*<![CDATA[*/
    body{
      background: #ddd;
      font-family: sans-serif;
      font-size: 11pt;
      padding: 0 50px;
    }
    div.main-content{
      padding: 10px;
      background: #fff;
      border: 2px #ccc solid;
    }
    a{
      text-decoration: none;
    }
    p.footer{
      text-align: center;
      margin: 5px 0 0 0;
    }
    .heading-1{
      text-align: center;
      color: orange;
      font-variant: small-caps;
      font-size: 20pt;
    }
    .heading-1-1{
      color: orange;
      font-size: 14pt;
      border-bottom: 2px #ccc solid;
    }
    pre{
      background: #eee;
      border: 2px #ccc solid;
      padding: 5px;
      border-left: 10px #ccc solid;
    }
    ul.star li{
      list-style-type: square;
    }
  /*]]>*/
  </style>
</head>

<body>
  <div class="main-content">
    <h2 class="heading-1"><span id="HSAMLauthenticationbackend">SAML
    authentication backend</span></h2>

    <p class="paragraph"></p>

    <ul>
      <li><a href="#HPresentation">Presentation</a></li>

      <li>
        <a href="#HTechnicalrequirements">Technical requirements</a>

        <ul>
          <li><a href="#HLasso">Lasso</a></li>

          <li><a href="#HApacherewriterules">Apache rewrite rules</a></li>

          <li><a href="#HSAML2IDP">SAML2 IDP</a></li>

          <li><a href="#HPublic2Fprivatekey">Public/private key</a></li>
        </ul>
      </li>

      <li>
        <a href="#HLemonLDAP3A3ANGconfiguration">LemonLDAP::NG
        configuration</a>

        <ul>
          <li><a href="#HAuthenticationandUserDB">Authentication and
          UserDB</a></li>

          <li>
            <a href="#HSAML2Service">SAML2 Service</a>

            <ul>
              <li><a href="#HNodeSAML2Service">Node SAML 2 Service</a></li>

              <li><a href="#HNodeOrganization">Node Organization</a></li>

              <li>
                <a href="#HNodeServiceProvider">Node Service Provider</a>

                <ul>
                  <li><a href="#HNodeSingleLogout">Node SingleLogout</a></li>

                  <li><a href="#HNodeAssertionConsumer">Node Assertion
                  Consumer</a></li>

                  <li><a href="#HNodeNameIDFormat">Node NameID Format</a></li>
                </ul>
              </li>

              <li><a href="#HNodeIdentityProvider">Node Identity
              Provider</a></li>
            </ul>
          </li>

          <li>
            <a href="#HIdentityProviderregistration">Identity Provider
            registration</a>

            <ul>
              <li><a href="#HMetadataXML">Metadata XML</a></li>

              <li><a href="#HNodeExportedattributes">Node Exported
              attributes</a></li>

              <li><a href="#HNodeOptions">Node Options</a></li>
            </ul>
          </li>
        </ul>
      </li>

      <li><a href="#HPartnerIDPconfiguration">Partner IDP
      configuration</a></li>
    </ul><strong class="strong">Since LemonLDAP::NG 1.0</strong>

    <h3 class="heading-1-1"><span id="HPresentation">Presentation</span></h3>

    <p class="paragraph"></p>LemonLDAP::NG can use SAML2 authentication to
    get the user's identity and retrieve attributes defined in the user
    profile on its Identity Provider (IDP). In this case, LemonLDAP::NG acts
    as a SAML2 Service Provider (SP).

    <p class="paragraph"></p>Several IDPs are allowed; in this case the user
    will choose the IDP he wants. You can preselect an IDP with an IDP
    resolution rule.

    <p class="paragraph"></p>For each IDP, you can configure the attributes
    that are requested. Some can be mandatory, so if they are not given by the
    IDP, the session will not open.

    <h3 class="heading-1-1"><span id="HTechnicalrequirements">Technical
    requirements</span></h3>

    <h4 class="heading-1-1-1"><span id="HLasso">Lasso</span></h4>

    <p class="paragraph"></p>SAML2 implementation is based on <span class=
    "wikiexternallink"><a href="http://lasso.entrouvert.org">Lasso</a></span>.
    You will need a very recent version of Lasso (&gt;= 2.2.91).

    <p class="paragraph"></p>For lucky Debian users, there are packages
    available here: <span class="wikiexternallink"><a href=
    "http://deb.entrouvert.org/">http://deb.entrouvert.org/</a></span>.

    <p class="paragraph"></p>You will only need to install the liblasso3-perl
    package:

    <div class="code">
      <pre>
$ sudo apt-get install liblasso3-perl
</pre>
    </div>

    <h4 class="heading-1-1-1"><span id="HApacherewriterules">Apache rewrite
    rules</span></h4>

    <p class="paragraph"></p>Be sure that mod_rewrite is installed and that
    the SAML2 rewrite rules are activated in <strong class=
    "strong">etc/portal-apache2.conf</strong>:

    <div class="code">
      <pre>
&lt;IfModule mod_rewrite.c&gt;
        RewriteEngine On
        RewriteRule ^/saml/metadata /metadata.pl
        RewriteRule ^/saml/.* /index.pl
&lt;/IfModule&gt;
</pre>
    </div>

    <h4 class="heading-1-1-1"><span id="HSAML2IDP">SAML2 IDP</span></h4>

    <p class="paragraph"></p>Of course you need a SAML2 IDP. If you don't
    have one, you can check:

    <ul class="star">
      <li><span class="wikiexternallink"><a href=
      "http://authentic.labs.libre-entreprise.org/">Authentic</a></span></li>

      <li><span class="wikiexternallink"><a href=
      "https://rnd.feide.no/simplesamlphp">simpleSAMLphp</a></span></li>
    </ul>

    <h4 class="heading-1-1-1"><span id="HPublic2Fprivatekey">Public/private
    key</span></h4>

    <p class="paragraph"></p>Since SAML2 makes heavy use of signatures and
    encryption, you need to generate a public/private key pair.

    <p class="paragraph"></p>You can do this with openssl:

    <div class="code">
      <pre>
$ openssl genrsa -out private_key.pem 1024
$ openssl rsa -pubout -in private_key.pem -out public_key.pem
</pre>
    </div>

    <h3 class="heading-1-1"><span id=
    "HLemonLDAP3A3ANGconfiguration">LemonLDAP::NG configuration</span></h3>

    <p class="paragraph"></p>All configuration can be done with LemonLDAP::NG
    Manager. Connect to it first (by default <span class=
    "wikiexternallink"><a href=
    "http://manager.example.com">http://manager.example.com</a></span>).

    <h4 class="heading-1-1-1"><span id=
    "HAuthenticationandUserDB">Authentication and UserDB</span></h4>

    <p class="paragraph"></p>In General Parameters &gt; Authentication, set:

    <ul class="star">
      <li>Users database type: SAML</li>

      <li>Authentication module: SAML</li>
    </ul>As passwords will not be managed by LL::NG, you can also go to
    General Parameters &gt; Portal and set:

    <ul class="star">
      <li>Display reset password: 0</li>

      <li>Display password change: 0</li>
    </ul>

    <h4 class="heading-1-1-1"><span id="HSAML2Service">SAML2
    Service</span></h4>

    <p class="paragraph"></p>This is where you configure SAML2 settings for
    LemonLDAP::NG service. These settings will be used to build metadata that
    will be shared with identity providers.

    <h5 class="heading-1-1-1-1"><span id="HNodeSAML2Service">Node SAML 2
    Service</span></h5>

    <ul class="star">
      <li>Entity Identifier: your EntityID, often used as the metadata URL, by
      default <span class="nobr"><a href=
      "http://auth.example.com/saml/metadata">http://auth.example.com/saml/metadata</a></span>.
      Change this value to fit your portal URL.</li>

      <li>Private key: load your private key file. This will not be published
      in metadata.</li>
    </ul>

    <h5 class="heading-1-1-1-1"><span id="HNodeOrganization">Node
    Organization</span></h5>

    <ul class="star">
      <li>Display Name: will be displayed on the IDP; this is often your
      company name</li>

      <li>Name: internal name</li>

      <li>URL: URL of your company</li>
    </ul>

    <h5 class="heading-1-1-1-1"><span id="HNodeServiceProvider">Node Service
    Provider</span></h5>

    <ul class="star">
      <li>Signed Authentication Request: set to On to require signed
      authentication requests. Off by default.</li>

      <li>Signing Key: load your public key file.</li>
    </ul>

    <h6 class="heading-1-1-1-1-1"><span id="HNodeSingleLogout">Node
    SingleLogout</span></h6>

    <p class="paragraph"></p>For each binding you can set:

    <ul class="star">
      <li>Location: Access Point for SLO request. Change this value to fit
      your portal URL.</li>

      <li>Response Location: Access Point for SLO response. Change this value
      to fit your portal URL.</li>
    </ul>

    <h6 class="heading-1-1-1-1-1"><span id="HNodeAssertionConsumer">Node
    Assertion Consumer</span></h6>

    <p class="paragraph"></p>For each binding you can set:

    <ul class="star">
      <li>Default: whether this binding is used by default for the
      authentication response</li>

      <li>Location: Access Point for SSO request and response. Change this
      value to fit your portal URL.</li>
    </ul>

    <h6 class="heading-1-1-1-1-1"><span id="HNodeNameIDFormat">Node NameID
    Format</span></h6>

    <p class="paragraph"></p>For each NameID Format, you can activate or
    deactivate it in metadata. The first active one will be chosen by default
    if no NameID Format is set in the authentication request.

    <h5 class="heading-1-1-1-1"><span id="HNodeIdentityProvider">Node Identity
    Provider</span></h5>

    <p class="paragraph"></p>Not used here.

    <h4 class="heading-1-1-1"><span id=
    "HIdentityProviderregistration">Identity Provider registration</span></h4>

    <p class="paragraph"></p>Now you have to register the partner IDP. To do
    so, select the Identity Providers node and click on New metadatas.

    <p class="paragraph"></p>You are asked for the IDP name: enter it and
    click OK.

    <h5 class="heading-1-1-1-1"><span id="HMetadataXML">Metadata
    XML</span></h5>

    <p class="paragraph"></p>You must register IDP metadata here. You can do
    it either by uploading the file, or with IDP metadata URL.

    <h5 class="heading-1-1-1-1"><span id="HNodeExportedattributes">Node
    Exported attributes</span></h5>

    <p class="paragraph"></p>For each attribute, you can set:

    <ul class="star">
      <li>Key name: name of the key in the LemonLDAP::NG session (for example
      "uid" will then be used as $uid in access rules)</li>

      <li>Mandatory: if set to "On", then the session will not open if this
      attribute is not given by the IDP.</li>

      <li>Name: SAML attribute name.</li>

      <li>Friendly Name: optional, SAML attribute friendly name.</li>

      <li>Format: optional, SAML attribute format.</li>
    </ul>

    <h5 class="heading-1-1-1-1"><span id="HNodeOptions">Node
    Options</span></h5>

    <ul class="star">
      <li>NameID format: force the NameID format here (email, persistent,
      transient, etc.). If no value is set, the first NameID Format activated
      in metadata will be used.</li>

      <li>Force authentication: set the ForceAuthn flag in the authentication
      request</li>

      <li>Allow proxied authentication: allow an authentication response to be
      issued by another IDP than the one registered here (proxy IDP). If you
      disallow this, you should also disallow direct login from the IDP,
      because the proxy restriction is only set in authentication
      requests.</li>

      <li>SSO binding: force the binding to use for SSO (http-redirect,
      http-post, etc.)</li>

      <li>SLO binding: force the binding to use for SLO (http-redirect,
      http-post, etc.)</li>

      <li>Resolution rule: Perl expression that will be evaluated to decide
      whether this IDP is the default for the connected user. You can use for
      example $ENV{ to get the user's IP.</li>

      <li>Allow login from IDP: allow a user to connect directly from an IDP
      link. In this case, the authentication is not a response to an
      authentication request we issued, so we have less control over the
      conditions.</li>
    </ul>
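As an added example (not LemonLDAP::NG's own code) of the checks described by the Exported attributes node and the Allow login from IDP option: it maps a constructed SAML Response onto session keys, refuses the session when a mandatory attribute is not given by the IDP, and refuses an unsolicited response unless IDP-initiated login is allowed. The attribute names, request IDs and XML are constructed for the example, and signature verification (done by Lasso in the real stack) is assumed to have happened before this step.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# "Exported attributes" node: session key name -> (SAML attribute Name, Mandatory)
EXPORTED = {"uid": ("uid", True), "mail": ("mail", True), "cn": ("cn", False)}

def build_session(response_xml, issued_request_ids, allow_login_from_idp=False):
    """Map an (already signature-verified) SAML Response onto session keys.

    Raises ValueError when the response is unsolicited and IDP-initiated login
    is disallowed, when InResponseTo does not match a request we issued, or
    when a mandatory attribute is missing from the assertion.
    """
    root = ET.fromstring(response_xml)
    in_response_to = root.get("InResponseTo")
    if in_response_to is None:
        # No request of ours to tie this response to: only acceptable when
        # "Allow login from IDP" is on (and we then have less control).
        if not allow_login_from_idp:
            raise ValueError("unsolicited response refused")
    elif in_response_to not in issued_request_ids:
        raise ValueError("InResponseTo does not match an issued request")
    received = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
        received[attr.get("Name")] = values
    session = {}
    for key, (name, mandatory) in EXPORTED.items():
        if received.get(name):
            session[key] = ";".join(received[name])  # multi-valued -> joined
        elif mandatory:
            raise ValueError(f"mandatory attribute {name!r} not given by IDP")
    return session

# Constructed sample response (unsigned here; assumed verified upstream by Lasso)
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
  InResponseTo="_req42">
  <saml:Assertion ID="_a1" Version="2.0"><saml:AttributeStatement>
    <saml:Attribute Name="uid"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="mail"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement></saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    print(build_session(SAMPLE_RESPONSE, {"_req42"}))
```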

    <h3 class="heading-1-1"><span id="HPartnerIDPconfiguration">Partner IDP
    configuration</span></h3>

    <p class="paragraph"></p>You have to give LemonLDAP::NG metadata to your
    partner. After the previous steps, the metadata can be viewed at the
    Entity Identifier URL (by default <span class="nobr"><a href=
    "http://auth.example.com/saml/metadata/">http://auth.example.com/saml/metadata/</a></span>).
  </div>

  <p class="footer"><a href="index.html">Index</a></p>
</body>
</html>