LL::NG can act as a SAML 2.0 Identity Provider, which allows you to federate LL::NG with:
See SAML service configuration chapter.
Go in General Parameters » Issuer modules » SAML and configure:

- Activation: set to On.
- Path: keep the default value (^/saml/) unless you have changed the SAML end points suffix in SAML service configuration.
- Use rule: a rule restricting who may use this module; set it to 1 to always allow.

Tip
For example, to allow only users with a strong authentication level:

$authenticationLevel > 2
After configuring SAML Service, you can export metadata to your partner Service Provider.
The IdP metadata is available at the metadata URL, by default: http://auth.example.com/saml/metadata.
You can also use http://auth.example.com/saml/metadata/idp to get only the IdP-related part of the metadata.
In both cases, the entityID of the LemonLDAP::NG server is http://auth.example.com/saml/metadata.
In the Manager, select the node SAML service providers and click on Add SAML SP.
The SP name is asked, enter it and click OK.
Now you have access to the SP parameters list.
You must register the SP metadata here. You can do it either by uploading the file, or by fetching it from the SP metadata URL (this requires a network link between your server and the SP).
Tip
You can also edit the metadata directly in the textarea.
For each attribute, you can set:
Several options control the timestamps written into the assertion.

The session duration granted to the SP is carried by the <AuthnStatement> element (SessionNotOnOrAfter, four hours after AuthnInstant in this example):

    <saml:AuthnStatement AuthnInstant="2014-07-21T11:47:08Z"
        SessionIndex="loVvqZX+Vja2dtgt/N+AymTmckGyITyVt+UJ6vUFSFkE78S8zg+aomXX7oZ9qX1UxOEHf6Q4DUstewSJh1uK1Q=="
        SessionNotOnOrAfter="2014-07-21T15:47:08Z">

The validity window of the assertion itself is carried by <Conditions> and <SubjectConfirmationData> (NotOnOrAfter, one hour after AuthnInstant in this example):

    <saml:SubjectConfirmationData NotOnOrAfter="2014-07-21T12:47:08Z"
        Recipient="http://simplesamlphp.example.com/simplesamlphp/module.php/saml/sp/saml2-acs.php/default-sp"
        InResponseTo="_3cfa896ab05730ac81f413e1e13cc42aa529eceea1"/>

    <saml:Conditions NotBefore="2014-07-21T11:46:08Z"
        NotOnOrAfter="2014-07-21T12:48:08Z">
Attention
There is a time tolerance of 60 seconds in <Conditions>: in the example above, NotBefore is 60 seconds before AuthnInstant, and the <Conditions> NotOnOrAfter is 60 seconds after the <SubjectConfirmationData> NotOnOrAfter.
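The checks a Service Provider should apply to these timestamps, as an added example in Python (not LL::NG's code). The assertion XML is constructed here from the fragments above; the SP's own ACS URL and the ID of the AuthnRequest it sent are assumed to be the Recipient and InResponseTo values shown, and the SessionIndex is shortened. The last function measures the 60-second tolerance described in the note.

```python
# Added example, not LL::NG code: the timing checks a Service Provider should
# apply to an assertion carrying the timestamps shown above. The assertion XML
# is constructed for this example from those fragments.
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Assumed values the example SP knows: its own ACS URL and the ID of the
# AuthnRequest it sent (both taken from the fragments above).
ACS_URL = ("http://simplesamlphp.example.com/simplesamlphp/module.php/saml/sp/"
           "saml2-acs.php/default-sp")
REQUEST_ID = "_3cfa896ab05730ac81f413e1e13cc42aa529eceea1"

# Constructed assertion; SessionIndex is shortened for readability.
ASSERTION = f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2014-07-21T12:47:08Z"
          Recipient="{ACS_URL}"
          InResponseTo="{REQUEST_ID}"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2014-07-21T11:46:08Z"
      NotOnOrAfter="2014-07-21T12:48:08Z"/>
  <saml:AuthnStatement AuthnInstant="2014-07-21T11:47:08Z"
      SessionIndex="loVvqZX+Vja2dtgt"
      SessionNotOnOrAfter="2014-07-21T15:47:08Z"/>
</saml:Assertion>"""


def parse_ts(value):
    """Parse a SAML UTC timestamp such as 2014-07-21T11:47:08Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_assertion(xml, now, acs_url=ACS_URL, request_id=REQUEST_ID, skew_seconds=0):
    """Return the list of failed checks (empty when the assertion is acceptable).

    NotBefore is inclusive and NotOnOrAfter exclusive, as in the SAML core spec.
    skew_seconds is the SP's own clock tolerance; LL::NG already widens
    <Conditions> by 60 seconds, so a large value here doubles the window.
    """
    skew = timedelta(seconds=skew_seconds)
    root = ET.fromstring(xml)
    problems = []

    cond = root.find("saml:Conditions", SAML_NS)
    if cond is None:
        problems.append("no Conditions")
    else:
        if now < parse_ts(cond.get("NotBefore")) - skew:
            problems.append("assertion not yet valid")
        if now >= parse_ts(cond.get("NotOnOrAfter")) + skew:
            problems.append("assertion expired")

    scd = root.find(".//saml:SubjectConfirmationData", SAML_NS)
    if scd is None:
        problems.append("no SubjectConfirmationData")
    else:
        if now >= parse_ts(scd.get("NotOnOrAfter")) + skew:
            problems.append("subject confirmation expired")
        if scd.get("Recipient") != acs_url:
            problems.append("Recipient is not this SP's ACS")
        if scd.get("InResponseTo") != request_id:
            problems.append("InResponseTo does not match the sent AuthnRequest")
    return problems


def session_expiry(xml):
    """When the SP must drop its local session (SessionNotOnOrAfter)."""
    stmt = ET.fromstring(xml).find("saml:AuthnStatement", SAML_NS)
    return parse_ts(stmt.get("SessionNotOnOrAfter"))


def conditions_tolerance(xml):
    """Seconds by which <Conditions> is wider than AuthnInstant on one side and
    the subject confirmation on the other, i.e. the IdP's tolerance (60, 60)."""
    root = ET.fromstring(xml)
    cond = root.find("saml:Conditions", SAML_NS)
    scd = root.find(".//saml:SubjectConfirmationData", SAML_NS)
    stmt = root.find("saml:AuthnStatement", SAML_NS)
    before = parse_ts(stmt.get("AuthnInstant")) - parse_ts(cond.get("NotBefore"))
    after = parse_ts(cond.get("NotOnOrAfter")) - parse_ts(scd.get("NotOnOrAfter"))
    return int(before.total_seconds()), int(after.total_seconds())


if __name__ == "__main__":
    print("at 11:47:30:", check_assertion(ASSERTION, parse_ts("2014-07-21T11:47:30Z")) or "ok")
    print("at 12:47:30:", check_assertion(ASSERTION, parse_ts("2014-07-21T12:47:30Z")))
    print("IdP tolerance (s):", conditions_tolerance(ASSERTION))
```

Between 12:47:08 and 12:48:08 the assertion's <Conditions> still pass but the bearer confirmation has expired, which is exactly the window the 60-second tolerance opens; an SP must check SubjectConfirmationData as well as Conditions.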
These options override service signature options (see SAML service configuration).
Enable IDP initiated URL: set to On to enable the IDP Initiated URL on this SP.

You can define here macros that will only be evaluated for this service, and not registered in the session of the user.
The following environment variables are available in SAML access rules and macros:

- $env->{llng_saml_sp}: entityID of the SAML service
- $env->{llng_saml_spconfkey}: configuration key of the SAML service
- $env->{llng_saml_acs}: AssertionConsumerServiceURL, if specified in the AuthnRequest (new in version 2.0.10)

The IDP Initiated URL is the SSO SAML URL with GET parameters:
- IDPInitiated: 1
- sp: Service Provider entity ID
- spConfKey: Service Provider configuration key

For example: http://auth.example.com/saml/singleSignOn?IDPInitiated=1&spConfKey=simplesamlphp

To target a specific AssertionConsumerService, add spDest together with sp or spConfKey:

- spDest: URL of the Service Provider's AssertionConsumerService

The URL specified in spDest must be present in the Service Provider metadata registered in LemonLDAP::NG. This is only useful if your Service Provider is reachable over multiple URLs.
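The URL construction and the spDest check described above, as an added example in Python (not LL::NG's code). The SP metadata, its entityID, the second "internal" ACS URL and the configuration key simplesamlphp are constructed for this example; the public ACS URL is the one from the Recipient attribute shown earlier.

```python
# Added example, not LL::NG code: build the IDP Initiated URL described above
# and apply the check that spDest must be one of the AssertionConsumerService
# locations in the SP metadata registered on the IdP. The metadata, the
# spConfKey "simplesamlphp" and the internal ACS URL are constructed.
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit

MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
SSO_URL = "http://auth.example.com/saml/singleSignOn"

# Assumed identifiers of the example SP.
SP_ENTITY_ID = "http://simplesamlphp.example.com/simplesamlphp/module.php/saml/sp/metadata.php/default-sp"
ACS_PUBLIC = "http://simplesamlphp.example.com/simplesamlphp/module.php/saml/sp/saml2-acs.php/default-sp"
ACS_INTERNAL = "https://sp-internal.example.com/simplesamlphp/module.php/saml/sp/saml2-acs.php/default-sp"

# Constructed SP metadata with two ACS endpoints (an SP reachable over two URLs).
SP_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="{SP_ENTITY_ID}">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="{ACS_PUBLIC}"/>
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="{ACS_INTERNAL}"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# What the IdP holds: configuration key -> registered metadata.
REGISTERED = {"simplesamlphp": SP_METADATA}


def idp_initiated_url(sp_conf_key=None, sp=None, sp_dest=None):
    """Build the SSO URL with the IDPInitiated GET parameters."""
    params = {"IDPInitiated": "1"}
    if sp_conf_key is not None:
        params["spConfKey"] = sp_conf_key
    if sp is not None:
        params["sp"] = sp
    if sp_dest is not None:
        params["spDest"] = sp_dest
    return SSO_URL + "?" + urlencode(params)


def acs_entries(metadata_xml):
    """(Location, isDefault) for every AssertionConsumerService in the metadata."""
    root = ET.fromstring(metadata_xml)
    return [(e.get("Location"), e.get("isDefault") == "true")
            for e in root.iterfind(".//md:AssertionConsumerService", MD_NS)]


def find_sp(query, registered):
    """Locate the registered SP either by spConfKey or by sp (entityID)."""
    key = query.get("spConfKey", [None])[0]
    entity = query.get("sp", [None])[0]
    for conf_key, md in registered.items():
        if conf_key == key or ET.fromstring(md).get("entityID") == entity:
            return md
    raise ValueError("unknown Service Provider")


def resolve_destination(url, registered=REGISTERED):
    """ACS URL the IdP may send the response to, or ValueError.

    Without this check anyone could pass an arbitrary spDest and receive a
    signed assertion for a legitimate SP at a host they control.
    """
    query = parse_qs(urlsplit(url).query)
    if query.get("IDPInitiated") != ["1"]:
        raise ValueError("not an IDP Initiated URL")
    entries = acs_entries(find_sp(query, registered))
    dest = query.get("spDest", [None])[0]
    if dest is None:
        # No spDest: use the ACS marked isDefault, else the first one listed.
        return next((loc for loc, default in entries if default), entries[0][0])
    if dest not in [loc for loc, _ in entries]:
        raise ValueError("spDest is not a registered AssertionConsumerService")
    return dest


def is_rejected(url, registered=REGISTERED):
    """True when resolve_destination refuses the URL."""
    try:
        resolve_destination(url, registered)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(idp_initiated_url(sp_conf_key="simplesamlphp"))
    print(resolve_destination(idp_initiated_url(sp_conf_key="simplesamlphp", sp_dest=ACS_INTERNAL)))
    print(is_rejected(idp_initiated_url(sp_conf_key="simplesamlphp", sp_dest="https://attacker.example.com/acs")))
```

The comparison is an exact string match against the registered Location values, so a spDest that differs only in scheme, host case or a trailing path segment is refused rather than normalised; that is the conservative choice for a redirect target that receives signed assertions.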
Using both Issuer::SAML and Auth::SAML on the same LLNG may have some side-effects on single-logout.