Stages Documentation

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
72:integration:saml [2018/10/25 18:01] emr72:integration:saml [2024/02/15 00:00] (current) – external edit 127.0.0.1
Line 1: Line 1:
 ====== Configure SAML Authentication ====== ====== Configure SAML Authentication ======
 +
 +[[:general:secadv-2019-01|Before you configure SAML, please assure you adhere to Security Advisory 2019-01]].
  
 SAML stands for Security Assertion Markup Language. It is a current standard for authenticating users in a distributed system. SAML stands for Security Assertion Markup Language. It is a current standard for authenticating users in a distributed system.
Line 39: Line 41:
  
         <service-provider         <service-provider
-                        providerId="//<yourStagesURL>//+                        providerId="<yourStagesURL>" 
-                        signatureKeyAlias="samlkeyalias" +                        signatureKeyAlias="samlkeyalias"> 
-  >+
         </service-provider>         </service-provider>
  
Line 58: Line 60:
 The most reliable way to configure the SAML Identity Provider (IdP) is to ask the access management team for the IdP metadata. The most reliable way to configure the SAML Identity Provider (IdP) is to ask the access management team for the IdP metadata.
  
-From this metadata, you will be able to derive the parameters for the following configuration:+From this metadata, you will be able to derive the parameters 
 + 
 +  * EntityIdfromMetadata 
 + 
 +  * SingleSignOnServiceLocationFromMetadata 
 + 
 +  * DisplayName (alternative: FirstName, LastName) 
 + 
 +  * EMailAddress 
 + 
 +for the following configuration:
  
 <code> <code>
Line 65: Line 77:
  
         <identity-provider         <identity-provider
-                        providerId="//<EntityIDfromMetadata>//+                        providerId="<EntityIDfromMetadata>" 
-                        providerUrl="//<SingleSignOnServiceLocationFromMetadata>//"+                        providerUrl="<SingleSignOnServiceLocationFromMetadata>"
                         nameIdPolicyFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"                         nameIdPolicyFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
                         userFullnameTemplate="%firstname% %lastname%"                         userFullnameTemplate="%firstname% %lastname%"
-                  >+      > 
 +            <!-- userFullnameTemplate is used to build the user's full name from multiple IDP attributes 
 +                 as defined below as <identity-provider-attribute name=.../>
 +                 In the example above the firstname and lastname attributes are concatenated speparated by a space. --> 
             <!-- hardcoded magic value that specifies the NameID from the SAML reply -->             <!-- hardcoded magic value that specifies the NameID from the SAML reply -->
             <identity-provider-attribute name="username" id="http://schemas.stages.methodpark.com/saml/v2/identity/claims/subject" />             <identity-provider-attribute name="username" id="http://schemas.stages.methodpark.com/saml/v2/identity/claims/subject" />
  
             <!-- either "fullname" or "firstname" and "lastname" need to be defined -->             <!-- either "fullname" or "firstname" and "lastname" need to be defined -->
-            <!--<identity-provider-attribute name="fullname" id="//<DisplayName>//" />--> +            <!--<identity-provider-attribute name="fullname" id="<DisplayName>" />--> 
-            <identity-provider-attribute name="firstname" id="//<FirstName>//" /> +            <identity-provider-attribute name="firstname" id="<FirstName>" /> 
-            <identity-provider-attribute name="lastname" id="//<LastName>//" />+            <identity-provider-attribute name="lastname" id="<LastName>" />
  
-            <identity-provider-attribute name="email" id="//<EMailAddress>//" />+            <identity-provider-attribute name="email" id="<EMailAddress>" />
  
             <!-- This matches if the SAML assertion contains a SAML attribute "Organization" with value "External" -->             <!-- This matches if the SAML assertion contains a SAML attribute "Organization" with value "External" -->
Line 110: Line 126:
 MIIDCTCC... MIIDCTCC...
  
-   //<Insert the X509Certificate "signing" key from the metadata here>//+   <Insert the X509Certificate "signing" key from the metadata here>
  
 ...Qwgf5bXby+ug== ...Qwgf5bXby+ug==
Line 130: Line 146:
         <identity-provider providerId="STAGES"/>         <identity-provider providerId="STAGES"/>
 </authentication> </authentication>
 +
 </code> </code>
  
 After you configured the service provider and identity provider in ''config.xml'', update the configuration via "''stages update''" and restart the Stages service. After you configured the service provider and identity provider in ''config.xml'', update the configuration via "''stages update''" and restart the Stages service.
 +
 +
 ===== Generate the SAML SP metadata ===== ===== Generate the SAML SP metadata =====
  
-After configuring the SAML SP, you can download the SAML SP metadata directly by navigating to the URL ''[[http://<yourstages|http://<yourstages]]>/rest/saml/metadata''+After configuring the SAML SP, you can download the SAML SP metadata directly by navigating to the URL ''[[http://<yourstages|http://<yourstages]]>/stages/rest/saml/metadata''
  
 The resulting XML file can be sent to the SAML IdP administrators and contains all information necessary to set up the trust relationship on the IdP side. After the SAML IdP has been configured with the SP metadata, users will be able to authenticate successfully with Stages through the SAML IdP. The resulting XML file can be sent to the SAML IdP administrators and contains all information necessary to set up the trust relationship on the IdP side. After the SAML IdP has been configured with the SP metadata, users will be able to authenticate successfully with Stages through the SAML IdP.
 +
 +===== Configure the SAML Request Type =====
 +
 +The default binding type of the SAML Request is ''redirect''.
 +
 +Some IDPs do not work with that type and rather need a POST Request. This can only be found out on the IDP.
 +
 +This can be configured in the ''identity-provider''  section via
 +
 +<code>
 +sendBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
 +</code>
  
 ===== Validated IdP Vendors ===== ===== Validated IdP Vendors =====
  
-The following IdP servers have been tested sucessfully with Stages SAML:+Stages SAML has successfully been deployed with the following IdP servers:
  
   * Cisco Central Web Authentication (CWA)   * Cisco Central Web Authentication (CWA)
 +
 +  * Oracle Access Manager (OAM)
 +
   * Shibboleth IdP   * Shibboleth IdP
 +
 +  * Active Directory Federation Services (ADFS)
  
 Please let us know if you were able to make Stages SAML work with your server and it is not on this list yet. Please let us know if you were able to make Stages SAML work with your server and it is not on this list yet.