| Authentication | Users | Password |
|---|---|---|
| ✔ | ✔ | |
LL::NG can use SAML2 to get the user identity and collect attributes defined in the user profile on its Identity Provider (IDP). In this case, LL::NG acts as a SAML2 Service Provider (SP).
Several IDPs are allowed; in this case the user chooses the IDP he wants. You can preselect an IDP with an IDP resolution rule.
For each IDP, you can configure the attributes that are collected. Some can be mandatory: if they are not returned by the IDP, the session will not be opened.
Tip
LL::NG can also act as a SAML IDP, which allows one to interconnect two LL::NG systems.
See the SAML service configuration chapter.
Attention
Browser implementations of the formAction directive are inconsistent (e.g. Firefox doesn't block the redirects whereas Chrome does). Administrators may have to modify the formAction value with a wildcard such as *.
In the Manager, go to General Parameters > Advanced Parameters > Security > Content Security Policy > Form destination.
In General Parameters > Authentication modules, set:
Tip
As passwords will not be managed by LL::NG, you can disable the password module in the menu.
After configuring the SAML Service, you can export its metadata to your partner Identity Provider.
It is available at the EntityID URL, by default http://auth.example.com/saml/metadata. You can also use http://auth.example.com/saml/metadata/sp to get only the SP-related metadata.
In the Manager, select the node SAML identity providers and click on Add SAML IDP. The IDP name is asked; enter it and click OK.
You must register the IDP metadata here. You can do it either by uploading the file or by fetching it from the IDP metadata URL (this requires a network link between your server and the IDP):
Tip
You can also edit the metadata directly in the textarea.
For each attribute, you can set:
SessionNotOnOrAfter value found in the authentication response. This means that if the IDP proposes to close the session earlier than the default LemonLDAP::NG timeout, the session `_utime` will be modified so that the session is erased at the date indicated by the IDP.

These options override the service signature options (see SAML service configuration).
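The two SP-side behaviours described above, mandatory attributes that refuse the session when the IDP does not return them, and the session lifetime adapted to SessionNotOnOrAfter, as an added Perl example. This is not LemonLDAP::NG code: the attribute mapping, the assertion values, the timeout and the convention that a session is erased when `_utime` plus the timeout is reached are assumptions made for the example.

```perl
#!/usr/bin/perl
# Added example, not LemonLDAP::NG code: an SP-side check of mandatory
# attributes and the session-lifetime adaptation to SessionNotOnOrAfter.
# The attribute mapping, assertion values and the _utime convention
# (session erased at _utime + timeout) are assumptions for this example.
use strict;
use warnings;
use Time::Local qw(timegm);

# Constructed attribute mapping: session key => SAML attribute name and
# whether the IDP must return it.
my %attribute_map = (
    uid  => { saml => 'urn:oid:0.9.2342.19200300.100.1.1', mandatory => 1 },
    mail => { saml => 'urn:oid:0.9.2342.19200300.100.1.3', mandatory => 1 },
    cn   => { saml => 'urn:oid:2.5.4.3',                    mandatory => 0 },
);

# Returns (\%session_attributes, undef) on success, or (undef, $error) when a
# mandatory attribute is missing or empty, in which case no session is opened.
sub collect_attributes {
    my ($map, $assertion_attrs) = @_;
    my %out;
    for my $key (sort keys %$map) {
        my $saml  = $map->{$key}{saml};
        my $value = $assertion_attrs->{$saml};
        if (!defined $value || $value eq '') {
            return (undef, "mandatory attribute '$key' ($saml) not returned by IDP")
                if $map->{$key}{mandatory};
            next;    # optional attribute: simply absent from the session
        }
        $out{$key} = $value;
    }
    return (\%out, undef);
}

# Parse a SAML xsd:dateTime in UTC (e.g. 2024-05-01T12:34:56Z) to epoch seconds.
sub parse_saml_datetime {
    my ($s) = @_;
    my @f = $s =~ /^(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})(?:\.\d+)?Z$/
        or die "unsupported SAML dateTime: $s";
    my ($y, $mo, $d, $h, $mi, $sec) = @f;
    return timegm($sec, $mi, $h, $d, $mo - 1, $y);
}

# Compute the session _utime. Assumed convention: the session is erased when
# _utime + timeout is reached, so shifting _utime back makes the session end
# at the IDP's SessionNotOnOrAfter when that is earlier than the default.
# Returns undef when the IDP date is already in the past (the session would be
# born expired, so it is not opened).
sub adapt_utime {
    my ($now, $timeout, $session_not_on_or_after) = @_;
    return $now unless defined $session_not_on_or_after;
    my $idp_expiry = parse_saml_datetime($session_not_on_or_after);
    return if $idp_expiry <= $now;
    my $default_expiry = $now + $timeout;
    return $idp_expiry < $default_expiry ? $idp_expiry - $timeout : $now;
}

# Constructed assertion: 'mail' is missing, so the first call refuses the session.
my %assertion = (
    'urn:oid:0.9.2342.19200300.100.1.1' => 'jdoe',
    'urn:oid:2.5.4.3'                   => 'John Doe',
);
my ($attrs, $err) = collect_attributes(\%attribute_map, \%assertion);
print $err ? "session refused: $err\n" : "session opened for $attrs->{uid}\n";

$assertion{'urn:oid:0.9.2342.19200300.100.1.3'} = 'jdoe@example.com';
($attrs, $err) = collect_attributes(\%attribute_map, \%assertion);
print $err ? "session refused: $err\n" : "session opened for $attrs->{uid} <$attrs->{mail}>\n";

# Lifetime: default timeout 72000 s, IDP says the session ends one hour from now.
my $now   = timegm(0, 0, 12, 1, 4, 2024);          # 2024-05-01T12:00:00Z
my $utime = adapt_utime($now, 72000, '2024-05-01T13:00:00Z');
printf "_utime shifted back by %d s so the session ends at the IDP date\n", $now - $utime;
```

Treating an empty attribute value the same as an absent one matters in practice: an IDP that returns an empty `mail` should not open a session that the SP then uses as if the user were identified. Refusing a SessionNotOnOrAfter already in the past likewise avoids creating a session only to have it reaped on the next request.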
Note
If no binding is defined, the default binding from the IDP metadata will be used.
Used only if at least 2 SAML Identity Providers are declared
Tip
The chosen logo must be in the Portal icons directory (portal/static/common/). You can set a custom icon by entering the icon file name directly in the field and copying the logo file into the portal icons directory.
For example, to preselect this IDP for users coming from the 192.168.0.0/16 network:

```perl
$ENV{REMOTE_ADDR} =~ /^192\.168/
```
To preselect this IDP when the MY_IDP choice is selected:

```perl
$_choice eq "MY_IDP"
```
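How the IDP resolution rules above behave when several IDPs are declared, as an added Perl example that is not LemonLDAP::NG code. The IDP list, the rule order, the "first matching rule wins" choice and the request contexts are assumptions made for this example; the rules themselves use the same `$ENV{REMOTE_ADDR}` and `$_choice` variables as the page, with the network rule anchored on all four octets rather than the looser prefix form.

```perl
#!/usr/bin/perl
# Added example, not LemonLDAP::NG code: evaluates IDP resolution rules of the
# kind shown above against a request context. The IDP list, the rule order
# and the "first match wins" choice are assumptions for this example.
use strict;
use warnings;

# $_choice stands for the session variable the second rule reads; it is a
# package variable here so the rule closures can see it.
our $_choice;

# Constructed IDP list; rules are written as the page writes them, using
# $ENV{REMOTE_ADDR} and $_choice. The network rule is anchored on all four
# octets instead of the looser /^192\.168/ so it matches only complete addresses.
my @idps = (
    { name => 'CorpIDP',
      rule => sub { defined $ENV{REMOTE_ADDR} && $ENV{REMOTE_ADDR} =~ /^192\.168\.\d{1,3}\.\d{1,3}$/ } },
    { name => 'PartnerIDP',
      rule => sub { defined $_choice && $_choice eq 'MY_IDP' } },
);

# Returns the name of the first IDP whose rule is true, or undef when none
# matches, in which case the user is shown the IDP choice list.
sub resolve_idp {
    my ($idps, $remote_addr, $choice) = @_;
    local $ENV{REMOTE_ADDR} = $remote_addr;
    local $_choice = $choice;
    for my $idp (@$idps) {
        return $idp->{name} if $idp->{rule}->();
    }
    return;
}

# Constructed requests: [remote address, selected choice]
my @requests = (
    [ '192.168.10.5', undef    ],   # internal client, no choice yet
    [ '10.0.0.1',     'MY_IDP' ],   # external client who picked MY_IDP
    [ '10.0.0.1',     undef    ],   # external client, nothing matches
    [ '192.168.1',    undef    ],   # truncated address: rejected by the anchored rule
);
for my $r (@requests) {
    my $idp = resolve_idp(\@idps, @$r);
    printf "%-14s choice=%-7s -> %s\n", $r->[0], $r->[1] // '-', $idp // 'ask user';
}
```

When a rule keys on `$ENV{REMOTE_ADDR}`, remember that this is the address of the direct TCP peer: behind a reverse proxy or load balancer it is the proxy's address unless the web server has been configured to restore the real client address from a trusted proxy header, so an address-based preselection should be verified from the LL::NG host's point of view, not from the client's.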