Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision
Previous revision
72:integration:saml [2019/06/12 08:41] – [Lessons Learned] sngr72:integration:saml [2024/02/15 00:00] (current) – external edit 127.0.0.1
Line 1: Line 1:
 ====== Configure SAML Authentication ====== ====== Configure SAML Authentication ======
 +
 +[[:general:secadv-2019-01|Before you configure SAML, please assure you adhere to Security Advisory 2019-01]].
  
 SAML stands for Security Assertion Markup Language. It is a current standard for authenticating users in a distributed system. SAML stands for Security Assertion Markup Language. It is a current standard for authenticating users in a distributed system.
Line 40: Line 42:
         <service-provider         <service-provider
                         providerId="<yourStagesURL>"                         providerId="<yourStagesURL>"
-                        signatureKeyAlias="samlkeyalias" +                        signatureKeyAlias="samlkeyalias"> 
-     >+
         </service-provider>         </service-provider>
  
Line 61: Line 63:
  
   * EntityIdfromMetadata   * EntityIdfromMetadata
 +
   * SingleSignOnServiceLocationFromMetadata   * SingleSignOnServiceLocationFromMetadata
 +
   * DisplayName (alternative: FirstName, LastName)   * DisplayName (alternative: FirstName, LastName)
 +
   * EMailAddress   * EMailAddress
  
Line 76: Line 81:
                         nameIdPolicyFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"                         nameIdPolicyFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
                         userFullnameTemplate="%firstname% %lastname%"                         userFullnameTemplate="%firstname% %lastname%"
-              >+      > 
 +            <!-- userFullnameTemplate is used to build the user's full name from multiple IDP attributes 
 +                 as defined below as <identity-provider-attribute name=.../>
 +                 In the example above the firstname and lastname attributes are concatenated speparated by a space. --> 
             <!-- hardcoded magic value that specifies the NameID from the SAML reply -->             <!-- hardcoded magic value that specifies the NameID from the SAML reply -->
             <identity-provider-attribute name="username" id="http://schemas.stages.methodpark.com/saml/v2/identity/claims/subject" />             <identity-provider-attribute name="username" id="http://schemas.stages.methodpark.com/saml/v2/identity/claims/subject" />
Line 137: Line 146:
         <identity-provider providerId="STAGES"/>         <identity-provider providerId="STAGES"/>
 </authentication> </authentication>
 +
 </code> </code>
  
 After you configured the service provider and identity provider in ''config.xml'', update the configuration via "''stages update''" and restart the Stages service. After you configured the service provider and identity provider in ''config.xml'', update the configuration via "''stages update''" and restart the Stages service.
 +
  
 ===== Generate the SAML SP metadata ===== ===== Generate the SAML SP metadata =====
Line 147: Line 158:
 The resulting XML file can be sent to the SAML IdP administrators and contains all information necessary to set up the trust relationship on the IdP side. After the SAML IdP has been configured with the SP metadata, users will be able to authenticate successfully with Stages through the SAML IdP. The resulting XML file can be sent to the SAML IdP administrators and contains all information necessary to set up the trust relationship on the IdP side. After the SAML IdP has been configured with the SP metadata, users will be able to authenticate successfully with Stages through the SAML IdP.
  
-===== Validated IdP Vendors =====+===== Configure the SAML Request Type =====
  
-Stages SAML has successfully been deployed with the following IdP servers:+The default binding type of the SAML Request is ''redirect''.
  
-  * Cisco Central Web Authentication (CWA) +Some IDPs do not work with that type and rather need a POST Request. This can only be found out on the IDP.
-  * Oracle Access Manager (OAM) +
-  * Shibboleth IdP+
  
-Please let us know if you were able to make Stages SAML work with your server and it is not on this list yet.+This can be configured in the ''identity-provider''  section via
  
-===== Lessons Learned =====+<code> 
 +sendBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" 
 +</code>
  
-The default binding type of the SAML-Request is created as a redirect.+===== Validated IdP Vendors =====
  
-Some IDP (f.e. at Renault) doesn´t work with that type and rather need a POST-Request.+Stages SAML has successfully been deployed with the following IdP servers:
  
-This can be configured in the identity-provide section of the config.xml:+  * Cisco Central Web Authentication (CWA)
  
-<code> +  Oracle Access Manager (OAM)
-**sendBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"**+
  
-</code>+  * Shibboleth IdP
  
-There a re no easy options to fint it out, because the IDP only seems to deny the Request (without telling the concrete reason in the response). Only at IDP (→ mostly customer) the problem can be identified.+  * Active Directory Federation Services (ADFS) 
 + 
 +Please let us know if you were able to make Stages SAML work with your server and it is not on this list yet.