<?xml version="1.0" encoding="utf-8"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="fr" xml:lang="fr"> <head> <meta name="generator" content= "HTML Tidy for Linux/x86 (vers 7 December 2008), see www.w3.org" /> <title>Lemonldap::NG documentation: 4.5-SAML-authentication-backend.html</title> <meta http-equiv="Content-Type" content="text/html; charset=us-ascii" /> <style type="text/css"> /*<![CDATA[*/ body{ background: #ddd; font-family: sans-serif; font-size: 11pt; padding: 0 50px; } div.main-content{ padding: 10px; background: #fff; border: 2px #ccc solid; } a{ text-decoration: none; } p.footer{ text-align: center; margin: 5px 0 0 0; } .heading-1{ text-align: center; color: orange; font-variant: small-caps; font-size: 20pt; } .heading-1-1{ color: orange; font-size: 14pt; border-bottom: 2px #ccc solid; } pre{ background: #eee; border: 2px #ccc solid; padding: 5px; border-left: 10px #ccc solid; } ul.star li{ list-style-type: square; } /*]]>*/ </style> </head> <body> <div class="main-content"> <h2 class="heading-1"><span id="HSAMLauthenticationbackend">SAML authentication backend</span></h2> <p class="paragraph"></p> <ul> <li><a href="#HPresentation">Presentation</a></li> <li> <a href="#HTechnicalrequirements">Technical requirements</a> <ul> <li><a href="#HLasso">Lasso</a></li> <li><a href="#HApacherewriterules">Apache rewrite rules</a></li> <li><a href="#HSAML2IDP">SAML2 IDP</a></li> <li><a href="#HPublic2Fprivatekey">Public/private key</a></li> </ul> </li> <li> <a href="#HLemonLDAP3A3ANGconfiguration">LemonLDAP::NG configuration</a> <ul> <li><a href="#HAuthenticationandUserDB">Authentication and UserDB</a></li> <li> <a href="#HSAML2Service">SAML2 Service</a> <ul> <li><a href="#HNodeSAML2Service">Node SAML 2 Service</a></li> <li><a href="#HNodeOrganization">Node Organization</a></li> <li> <a href="#HNodeServiceProvider">Node Service Provider</a> <ul> 
<li><a href="#HNodeSingleLogout">Node SingleLogout</a></li> <li><a href="#HNodeAssertionConsumer">Node Assertion Consumer</a></li> <li><a href="#HNodeNameIDFormat">Node NameID Format</a></li> </ul> </li> <li><a href="#HNodeIdentityProvider">Node Identity Provider</a></li> </ul> </li> <li> <a href="#HIdentityProviderregistration">Identity Provider registration</a> <ul> <li><a href="#HMetadataXML">Metadata XML</a></li> <li><a href="#HNodeExportedattributes">Node Exported attributes</a></li> <li><a href="#HNodeOptions">Node Options</a></li> </ul> </li> </ul> </li> <li><a href="#HPartnerIDPconfiguration">Partner IDP configuration</a></li> </ul><strong class="strong">Since LemonLDAP::NG 1.0</strong> <h3 class="heading-1-1"><span id="HPresentation">Presentation</span></h3> <p class="paragraph"></p>LemonLDAP::NG can use SAML2 authentication to obtain the user's identity and retrieve attributes from the user's profile on an Identity Provider (IDP). In this case, LemonLDAP::NG acts as a SAML2 Service Provider (SP). <p class="paragraph"></p>Several IDPs are allowed; in that case the user chooses the IDP he wants. You can preselect the IDP with an IDP resolution rule. <p class="paragraph"></p>For each IDP, you configure the attributes that are requested. Some can be mandatory: if they are not given by the IDP, the session will not open. <h3 class="heading-1-1"><span id="HTechnicalrequirements">Technical requirements</span></h3> <h4 class="heading-1-1-1"><span id="HLasso">Lasso</span></h4> <p class="paragraph"></p>The SAML2 implementation is based on <span class="wikiexternallink"><a href="http://lasso.entrouvert.org">Lasso</a></span>. You will need a very recent version of Lasso (>= 2.2.91). <p class="paragraph"></p>For lucky Debian users, packages are available here: <span class="wikiexternallink"><a href="http://deb.entrouvert.org/">http://deb.entrouvert.org/</a></span>.
<p class="paragraph"></p>You only need to install the liblasso3-perl package: <div class="code"> <pre>
$ sudo apt-get install liblasso3-perl
</pre> </div> <h4 class="heading-1-1-1"><span id="HApacherewriterules">Apache rewrite rules</span></h4><br /> <br /> Be sure that mod_rewrite is installed and that the SAML2 rewrite rules are activated in <strong class="strong">etc/portal-apache2.conf</strong> (the metadata URL is served by metadata.pl, every other /saml/ URL by the portal itself): <div class="code"> <pre>
&lt;IfModule mod_rewrite.c&gt;
    RewriteEngine On
    RewriteRule ^/saml/metadata /metadata.pl
    RewriteRule ^/saml/.* /index.pl
&lt;/IfModule&gt;
</pre> </div> <h4 class="heading-1-1-1"><span id="HSAML2IDP">SAML2 IDP</span></h4> <p class="paragraph"></p>Of course you need a SAML2 IDP. If you don't have one, you can check: <ul class="star"> <li><span class="wikiexternallink"><a href="http://authentic.labs.libre-entreprise.org/">Authentic</a></span></li> <li><span class="wikiexternallink"><a href="https://rnd.feide.no/simplesamlphp">simpleSAMLphp</a></span></li> </ul> <h4 class="heading-1-1-1"><span id="HPublic2Fprivatekey">Public/private key</span></h4> <p class="paragraph"></p>Since SAML2 relies heavily on signatures and encryption, you need to generate a public/private key pair. <p class="paragraph"></p>You can do this with openssl. Use at least 2048 bits, since 1024-bit RSA keys are no longer considered secure, and keep private_key.pem readable only by the user the portal runs as: <div class="code"> <pre>
$ openssl genrsa -out private_key.pem 2048
$ openssl rsa -pubout -in private_key.pem -out public_key.pem
</pre> </div> <h3 class="heading-1-1"><span id="HLemonLDAP3A3ANGconfiguration">LemonLDAP::NG configuration</span></h3> <p class="paragraph"></p>All configuration can be done with the LemonLDAP::NG Manager. Connect to it first (by default <span class="wikiexternallink"><a href="http://manager.example.com">http://manager.example.com</a></span>).
<h4 class="heading-1-1-1"><span id="HAuthenticationandUserDB">Authentication and UserDB</span></h4> <p class="paragraph"></p>In General Parameters > Authentication, set: <ul class="star"> <li>Users database type: SAML</li> <li>Authentication module: SAML</li> </ul>As passwords will not be managed by LL::NG, you can also go to General Parameters > Portal and set: <ul class="star"> <li>Display reset password: 0</li> <li>Display password change: 0</li> </ul> <h4 class="heading-1-1-1"><span id="HSAML2Service">SAML2 Service</span></h4> <p class="paragraph"></p>This is where you configure the SAML2 settings of the LemonLDAP::NG service. These settings are used to build the metadata that will be shared with identity providers. <h5 class="heading-1-1-1-1"><span id="HNodeSAML2Service">Node SAML 2 Service</span></h5> <ul class="star"> <li>Entity Identifier: your EntityID, often used as the metadata URL; by default <span class="nobr"><a href="http://auth.example.com/saml/metadata">http://auth.example.com/saml/metadata</a></span>. Change this value to fit your portal URL.</li> <li>Private key: load your private key file. It is not published in the metadata.</li> </ul> <h5 class="heading-1-1-1-1"><span id="HNodeOrganization">Node Organization</span></h5> <ul class="star"> <li>Display Name: displayed on the IDP; usually your organization's name</li> <li>Name: internal name</li> <li>URL: URL of your organization</li> </ul> <h5 class="heading-1-1-1-1"><span id="HNodeServiceProvider">Node Service Provider</span></h5> <ul class="star"> <li>Signed Authentication Request: set to On to sign the authentication requests sent to the IDP. Off by default; some IDPs refuse unsigned requests.</li> <li>Signing Key: load your public key file. It is published in the metadata so that the IDP can verify your signatures.</li> </ul> <h6 class="heading-1-1-1-1-1"><span id="HNodeSingleLogout">Node SingleLogout</span></h6> <p class="paragraph"></p>For each binding you can set: <ul class="star"> <li>Location: endpoint for SLO requests. Change this value to fit your portal URL.</li> <li>Response Location: endpoint for SLO responses.
Change this value to fit your portal URL.</li> </ul> <h6 class="heading-1-1-1-1-1"><span id="HNodeAssertionConsumer">Node Assertion Consumer</span></h6> <p class="paragraph"></p>For each binding you can set: <ul class="star"> <li>Default: whether this binding is used by default for the authentication response</li> <li>Location: endpoint for SSO requests and responses. Change this value to fit your portal URL.</li> </ul> <h6 class="heading-1-1-1-1-1"><span id="HNodeNameIDFormat">Node NameID Format</span></h6> <p class="paragraph"></p>For each NameID Format, you can activate or deactivate it in the metadata. The first activated one is chosen by default if no NameID Format is set in the authentication request. <h5 class="heading-1-1-1-1"><span id="HNodeIdentityProvider">Node Identity Provider</span></h5> <p class="paragraph"></p>Not used here. <h4 class="heading-1-1-1"><span id="HIdentityProviderregistration">Identity Provider registration</span></h4> <p class="paragraph"></p>Now you have to register the partner IDP. To do so, select the Identity Providers node and click on New metadatas. <p class="paragraph"></p>You are asked for the IDP name; enter it and click OK. <h5 class="heading-1-1-1-1"><span id="HMetadataXML">Metadata XML</span></h5> <p class="paragraph"></p>You must register the IDP metadata here, either by uploading the file or by giving the IDP metadata URL. Everything LemonLDAP::NG will trust from this IDP (its signing certificate, its SSO and SLO endpoints) comes from this document, so fetch it over HTTPS from the partner's own server, or get the file from the partner directly.
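<p class="paragraph"></p>However the IDP metadata is obtained, it is worth checking what it contains before registering it, since the options described further down (SSO binding, SLO binding, NameID format, Signed Authentication Request) all have to agree with it. The following Python script is an added example, not part of LemonLDAP::NG or Lasso: it parses a constructed IDP metadata document (entity ID, endpoints and certificate are made up) and reports what LemonLDAP::NG needs from it, refusing documents with no IDPSSODescriptor, no signing certificate, or no HTTPS SSO endpoint. It does not verify the metadata's own XML signature.

```python
"""Check SAML 2.0 IdP metadata before registering it under Identity Providers.

Added example for this page, not LemonLDAP::NG or Lasso code. It only inspects
the document: the metadata's own XML signature is not verified here.
The metadata below is constructed for the example (entity ID, endpoints and
the certificate placeholder are made up).
"""
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Binding URIs, named as in the Manager's "SSO binding" / "SLO binding" options.
BINDINGS = {"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect": "http-redirect",
            "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST": "http-post",
            "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact": "http-artifact",
            "urn:oasis:names:tc:SAML:2.0:bindings:SOAP": "soap"}

# Constructed IdP metadata; the last SSO endpoint is deliberately plain HTTP.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.org/saml/metadata">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIBconstructedPlaceholderCert==</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.org/saml/slo"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.org/saml/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.org/saml/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://idp.example.org/saml/sso-plain"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def _endpoints(descriptor, tag):
    """Map binding name -> Location, keeping only endpoints served over HTTPS."""
    found = {}
    for svc in descriptor.findall("md:%s" % tag, NS):
        name = BINDINGS.get(svc.get("Binding"))
        location = svc.get("Location", "")
        if name and location.startswith("https://") and name not in found:
            found[name] = location
    return found


def check_idp_metadata(xml_text):
    """Return what LL::NG needs from the IdP metadata, or raise ValueError."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("root element is not md:EntityDescriptor")
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("entityID attribute missing")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: not IdP metadata (SP metadata by mistake?)")
    # Without a signing certificate, nothing the IdP sends can be verified.
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):  # no 'use' means signing and encryption
            for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                certs.append("".join((c.text or "").split()))
    if not certs:
        raise ValueError("no signing certificate in IDPSSODescriptor")
    sso = _endpoints(idp, "SingleSignOnService")
    if not sso:
        raise ValueError("no usable HTTPS SingleSignOnService endpoint")
    return {
        "entity_id": entity_id,
        "signing_certs": certs,
        "sso": sso,                                     # candidates for "SSO binding"
        "slo": _endpoints(idp, "SingleLogoutService"),  # candidates for "SLO binding"
        "nameid_formats": [n.text.strip() for n in idp.findall("md:NameIDFormat", NS)],
        # True means "Signed Authentication Request" must be On for this IdP.
        "wants_signed_requests": idp.get("WantAuthnRequestsSigned", "false").lower() == "true",
    }


def is_usable_idp_metadata(xml_text):
    """True if check_idp_metadata() accepts the document."""
    try:
        check_idp_metadata(xml_text)
        return True
    except (ValueError, ET.ParseError):
        return False


if __name__ == "__main__":
    for key, value in check_idp_metadata(SAMPLE_IDP_METADATA).items():
        print("%-22s %s" % (key, value))
```

Run it as a script to print the summary for the sample, or call check_idp_metadata on the XML you downloaded. An SSO endpoint served over plain HTTP is dropped on purpose: the authentication request and the response would travel in clear, which defeats the signatures that the rest of the setup depends on.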
<h5 class="heading-1-1-1-1"><span id="HNodeExportedattributes">Node Exported attributes</span></h5> <p class="paragraph"></p>For each attribute, you can set: <ul class="star"> <li>Key name: name of the key in the LemonLDAP::NG session (for example "uid" can then be used as $uid in access rules)</li> <li>Mandatory: if set to "On", the session will not open if this attribute is not given by the IDP.</li> <li>Name: SAML attribute name.</li> <li>Friendly Name: optional, SAML attribute friendly name.</li> <li>Format: optional, SAML attribute name format.</li> </ul> <h5 class="heading-1-1-1-1"><span id="HNodeOptions">Node Options</span></h5> <ul class="star"> <li>NameID format: force the NameID format here (email, persistent, transient, etc.). If no value is set, the first NameID Format activated in the metadata is used.</li> <li>Force authentication: set the ForceAuthn flag in the authentication request, so that the IDP re-authenticates the user even if it already has a session for him</li> <li>Allow proxied authentication: allow an authentication response to be issued by an IDP other than the one registered here (proxy IDP). If you disallow this, you should also disallow direct login from the IDP, because the proxy restriction is carried in the authentication request, and an IDP-initiated response answers no request.</li> <li>SSO binding: force the binding used for SSO (http-redirect, http-post, etc.)</li> <li>SLO binding: force the binding used for SLO (http-redirect, http-post, etc.)</li> <li>Resolution rule: Perl expression evaluated to decide whether this IDP is the default one for the connecting user. You can for example use $ENV{...} to get the user's IP address.</li> <li>Allow login from IDP: allow a user to connect directly from a link on the IDP. In this case the authentication is not a response to an authentication request issued by LemonLDAP::NG, so there is less control over the conditions it was performed under.</li> </ul> <h3 class="heading-1-1"><span id="HPartnerIDPconfiguration">Partner IDP configuration</span></h3> <p class="paragraph"></p>You have to give the LemonLDAP::NG metadata to your partner.
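<p class="paragraph"></p>To make the meaning of the Exported attributes and Options settings above concrete, here is an added example (not LemonLDAP::NG or Lasso code) of the checks an SP applies to an authentication response once Lasso has verified its signature and validity period: the issuer against the registered IDP, InResponseTo against the requests actually issued (this is what "Allow login from IDP" relaxes), the audience, AuthenticatingAuthority (what "Allow proxied authentication" relaxes), the forced NameID format, and the attribute mapping with its Mandatory flags. The IDP and SP entity IDs, the request ID, the NameID and the attribute values are all constructed for the example.

```python
"""What the Exported attributes and Options settings mean when a SAML response
comes back from a registered IdP. Added example for this page, not LemonLDAP::NG
or Lasso code: signature and validity-period checks are Lasso's job and are
assumed to have passed already. All identifiers and values are constructed."""
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
URI_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# One registered IdP, as configured under Node Exported attributes / Node Options.
IDP_CONFIG = {
    "entity_id": "https://idp.example.org/saml/metadata",
    "sp_entity_id": "http://auth.example.com/saml/metadata",  # our Entity Identifier
    "nameid_format": PERSISTENT,    # Options > NameID format (None = first one in metadata)
    "allow_proxied": False,         # Options > Allow proxied authentication
    "allow_login_from_idp": False,  # Options > Allow login from IDP
    "exported_attributes": [        # Key name, Mandatory, Name, Format (Friendly Name omitted)
        {"key": "uid", "mandatory": True, "name": "urn:oid:0.9.2342.19200300.100.1.1", "format": URI_FORMAT},
        {"key": "mail", "mandatory": True, "name": "urn:oid:0.9.2342.19200300.100.1.3", "format": URI_FORMAT},
        {"key": "cn", "mandatory": False, "name": "urn:oid:2.5.4.3", "format": URI_FORMAT},
    ],
}

class SamlRejected(Exception):
    """The session must not be opened; the message says why."""

def sample_response(attrs, in_response_to="_req1", proxied=False, nameid_format=PERSISTENT):
    """Construct an (unsigned) samlp:Response for the example; not real IdP output."""
    attr_xml = "".join('<saml:Attribute Name="%s" NameFormat="%s"><saml:AttributeValue>%s'
                       '</saml:AttributeValue></saml:Attribute>' % (n, URI_FORMAT, v)
                       for n, v in attrs.items())
    proxy_xml = "<saml:AuthenticatingAuthority>https://upstream-idp.example.net</saml:AuthenticatingAuthority>" if proxied else ""
    irt = ' InResponseTo="%s"' % in_response_to if in_response_to else ""
    return ('<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" ID="_resp1"%s>'
            '<saml:Assertion ID="_a1"><saml:Issuer>https://idp.example.org/saml/metadata</saml:Issuer>'
            '<saml:Subject><saml:NameID Format="%s">abc123</saml:NameID></saml:Subject>'
            '<saml:Conditions><saml:AudienceRestriction><saml:Audience>'
            'http://auth.example.com/saml/metadata</saml:Audience></saml:AudienceRestriction>'
            '</saml:Conditions><saml:AuthnStatement><saml:AuthnContext><saml:AuthnContextClassRef>'
            'urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>%s'
            '</saml:AuthnContext></saml:AuthnStatement><saml:AttributeStatement>%s'
            '</saml:AttributeStatement></saml:Assertion></samlp:Response>'
            % (NS["samlp"], NS["saml"], irt, nameid_format, proxy_xml, attr_xml))

def open_session(response_xml, cfg, issued_request_ids):
    """Return the session attributes LL::NG would store, or raise SamlRejected."""
    resp = ET.fromstring(response_xml)
    assertion = resp.find("saml:Assertion", NS)
    if assertion is None:
        raise SamlRejected("no assertion in response")
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != cfg["entity_id"]:
        raise SamlRejected("issuer %s is not the registered IDP" % issuer)
    # Allow login from IDP: an IdP-initiated response carries no InResponseTo, so it
    # cannot be tied to a request we issued (nor to the proxy restriction it carried).
    irt = resp.get("InResponseTo")
    if irt is None:
        if not cfg["allow_login_from_idp"]:
            raise SamlRejected("unsolicited response and 'Allow login from IDP' is off")
    elif irt not in issued_request_ids:
        raise SamlRejected("InResponseTo %s does not match a request we issued" % irt)
    audiences = [a.text.strip() for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if cfg["sp_entity_id"] not in audiences:
        raise SamlRejected("assertion is not addressed to %s" % cfg["sp_entity_id"])
    # Allow proxied authentication: AuthenticatingAuthority names the IdP that really did it.
    if not cfg["allow_proxied"] and assertion.find(
            "saml:AuthnStatement/saml:AuthnContext/saml:AuthenticatingAuthority", NS) is not None:
        raise SamlRejected("proxied authentication is not allowed for this IDP")
    nameid = assertion.find("saml:Subject/saml:NameID", NS)
    if nameid is None:
        raise SamlRejected("no NameID in subject")
    if cfg["nameid_format"] and nameid.get("Format") != cfg["nameid_format"]:
        raise SamlRejected("NameID format %s differs from the forced one" % nameid.get("Format"))
    # Exported attributes: match on Name (and Format when one is configured);
    # a missing mandatory attribute keeps the session closed.
    received = {a.get("Name"): (a.get("NameFormat"), [v.text or "" for v in a.findall("saml:AttributeValue", NS)])
                for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    session = {"_nameID": nameid.text.strip()}
    for exp in cfg["exported_attributes"]:
        hit = received.get(exp["name"])
        if hit and exp["format"] and hit[0] != exp["format"]:
            hit = None
        if not hit or not any(hit[1]):
            if exp["mandatory"]:
                raise SamlRejected("mandatory attribute %s not given by IDP" % exp["key"])
            continue
        session[exp["key"]] = ";".join(hit[1])  # multi-valued attributes joined with ';' here
    return session

def rejection_reason(response_xml, cfg, issued_request_ids):
    """None if the session opens, else why it was refused."""
    try:
        open_session(response_xml, cfg, issued_request_ids)
        return None
    except SamlRejected as err:
        return str(err)
```

sample_response exists only so the failure modes can be exercised offline: leaving out the mail attribute, dropping InResponseTo, or adding an AuthenticatingAuthority each produces a SamlRejected whose message names the option or attribute involved, and turning the corresponding option on in the configuration makes the same response acceptable.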
After the previous steps, the metadata can be viewed at the Entity Identifier URL (by default <span class="nobr"><a href="http://auth.example.com/saml/metadata/">http://auth.example.com/saml/metadata/</a></span>). </div> <p class="footer"><a href="index.html">Index</a></p> </body> </html>