rhodecode-enterprise-ce Files · docs/auth/auth-saml-azure.rst

auth: updated saml docs, and re-order info on plugin details for easier setup

super-admin - - Load All Authors

File last commit:

r5505:3fc95e3b default


                r5505:3fc95e3b

default

Download file

             auth-saml-azure.rst
        
                    158 lines
            
             | 4.4 KiB
            
                | text/x-rst
            
             |
                RstLexer
            
             / docs / auth / auth-saml-azure.rst
          
                    History
                
                 |
                  Source
                 | Raw
                 |Copy content
                 |Copy permalink

        super-admin
    
auth: updated saml docs, and re-order info on plugin details for easier setup

              r5505
            
      .. _config-saml-azure-ref:

      SAML 2.0 with Azure Entra ID

      ----------------------------

      **This plugin is available only in EE Edition.**

      |RCE| supports SAML 2.0 Authentication with Azure Entra ID provider. This allows

      users to log-in to RhodeCode via SSO mechanism of external identity provider

      such as Azure AD. The login can be triggered either by the external IDP, or internally

      by clicking specific authentication button on the log-in page.

      Configuration steps

      ^^^^^^^^^^^^^^^^^^^

      To configure Duo Security SAML authentication, use the following steps:

      1. From the |RCE| interface, select

         :menuselection:`Admin --> Authentication`

      2. Activate the `Azure Entra ID` plugin and select :guilabel:`Save`

      3. Go to newly available menu option called `Azure Entra ID` on the left side.

      4. Check the `enabled` check box in the plugin configuration section,

         and fill in the required SAML information and :guilabel:`Save`, for more details,

         see :ref:`config-saml-azure`

      .. _config-saml-azure:

      Example SAML Azure Entra ID configuration

      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

      Example configuration for SAML 2.0 with Azure Entra ID provider

      Enabled

          `True`:

          .. note::

            Enable or disable this authentication plugin.

      Auth Cache TTL

          `30`:

          .. note::

            Amount of seconds to cache the authentication and permissions check response call for this plugin.

            Useful for expensive calls like LDAP to improve the performance of the system (0 means disabled).

      Debug

          `True`:

          .. note::

            Enable or disable debug mode that shows SAML errors in the RhodeCode logs.

      Auth button name

          `Azure Entra ID`:

          .. note::

            Alternative authentication display name. E.g AzureAuth, CorporateID etc.

      Entity ID

          `https://sts.windows.net/APP_ID/`:

          .. note::

            Identity Provider entity/metadata URI. Known as "Microsoft Entra Identifier"

            E.g. https://sts.windows.net/abcd-c655-dcee-aab7-abcd/

      SSO URL

          `https://login.microsoftonline.com/APP_ID/saml2`:

          .. note::

            SSO (SingleSignOn) endpoint URL of the IdP. This can be used to initialize login, Known also as Login URL

            E.g. https://login.microsoftonline.com/abcd-c655-dcee-aab7-abcd/saml2

      SLO URL

          `https://login.microsoftonline.com/APP_ID/saml2`:

          .. note::

            SLO (SingleLogout) endpoint URL of the IdP. , Known also as Logout URL

            E.g. https://login.microsoftonline.com/abcd-c655-dcee-aab7-abcd/saml2

      x509cert

          `<CERTIFICATE_STRING>`:

          .. note::

            Identity provider public x509 certificate. It will be converted to single-line format without headers.

            Download the raw base64 encoded certificate from the Identity provider and paste it here.

      SAML Signature

          `sha-256`:

          .. note::

            Type of Algorithm to use for verification of SAML signature on Identity provider side.

      SAML Digest

          `sha-256`:

          .. note::

            Type of Algorithm to use for verification of SAML digest on Identity provider side.

      Service Provider Cert Dir

          `/etc/rhodecode/conf/saml_ssl/`:

          .. note::

            Optional directory to store service provider certificate and private keys.

            Expected certs for the SP should be stored in this folder as:

             * sp.key     Private Key

             * sp.crt     Public cert

             * sp_new.crt Future Public cert

            Also you can use other cert to sign the metadata of the SP using the:

             * metadata.key

             * metadata.crt

      Expected NameID Format

          `nameid-format:emailAddress`:

          .. note::

            The format that specifies how the NameID is sent to the service provider.

      User ID Attribute

          `user.email`:

          .. note::

            User ID Attribute name. This defines which attribute in SAML response will be used to link accounts via unique id.

            Ensure this is returned from DuoSecurity for example via duo_username.

      Username Attribute

          `user.username`:

          .. note::

            Username Attribute name. This defines which attribute in SAML response will map to a username.

      Email Attribute

          `user.email`:

          .. note::

            Email Attribute name. This defines which attribute in SAML response will map to an email address.

      Below is example setup from Azure Administration page that can be used with above config.

      .. image:: ../images/saml-azure-service-provider-example.png

         :alt: Azure SAML setup example

         :scale: 50 %

      Below is an example attribute mapping set for IDP provider required by the above config.

      .. image:: ../images/saml-azure-attributes-example.png

         :alt: Azure SAML setup example

         :scale: 50 %

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages

super-admin auth: updated saml docs, and re-order info on plugin details for easier setup	r5505	.. _config-saml-azure-ref:


		SAML 2.0 with Azure Entra ID
		----------------------------

		This plugin is available only in EE Edition.

		\|RCE\| supports SAML 2.0 Authentication with Azure Entra ID provider. This allows
		users to log-in to RhodeCode via SSO mechanism of external identity provider
		such as Azure AD. The login can be triggered either by the external IDP, or internally
		by clicking specific authentication button on the log-in page.


		Configuration steps
		^^^^^^^^^^^^^^^^^^^

		To configure Duo Security SAML authentication, use the following steps:

		1. From the \|RCE\| interface, select
		:menuselection:`Admin --> Authentication`
		2. Activate the `Azure Entra ID` plugin and select :guilabel:`Save`
		3. Go to newly available menu option called `Azure Entra ID` on the left side.
		4. Check the `enabled` check box in the plugin configuration section,
		and fill in the required SAML information and :guilabel:`Save`, for more details,
		see :ref:`config-saml-azure`


		.. _config-saml-azure:


		Example SAML Azure Entra ID configuration
		^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

		Example configuration for SAML 2.0 with Azure Entra ID provider


		Enabled
		`True`:

		.. note::
		Enable or disable this authentication plugin.


		Auth Cache TTL
		`30`:

		.. note::
		Amount of seconds to cache the authentication and permissions check response call for this plugin.
		Useful for expensive calls like LDAP to improve the performance of the system (0 means disabled).

		Debug
		`True`:

		.. note::
		Enable or disable debug mode that shows SAML errors in the RhodeCode logs.


		Auth button name
		`Azure Entra ID`:

		.. note::
		Alternative authentication display name. E.g AzureAuth, CorporateID etc.


		Entity ID
		`https://sts.windows.net/APP_ID/`:

		.. note::
		Identity Provider entity/metadata URI. Known as "Microsoft Entra Identifier"
		E.g. https://sts.windows.net/abcd-c655-dcee-aab7-abcd/

		SSO URL
		`https://login.microsoftonline.com/APP_ID/saml2`:

		.. note::
		SSO (SingleSignOn) endpoint URL of the IdP. This can be used to initialize login, Known also as Login URL
		E.g. https://login.microsoftonline.com/abcd-c655-dcee-aab7-abcd/saml2

		SLO URL
		`https://login.microsoftonline.com/APP_ID/saml2`:

		.. note::
		SLO (SingleLogout) endpoint URL of the IdP. , Known also as Logout URL
		E.g. https://login.microsoftonline.com/abcd-c655-dcee-aab7-abcd/saml2

		x509cert
		`<CERTIFICATE_STRING>`:

		.. note::
		Identity provider public x509 certificate. It will be converted to single-line format without headers.
		Download the raw base64 encoded certificate from the Identity provider and paste it here.

		SAML Signature
		`sha-256`:

		.. note::
		Type of Algorithm to use for verification of SAML signature on Identity provider side.

		SAML Digest
		`sha-256`:

		.. note::
		Type of Algorithm to use for verification of SAML digest on Identity provider side.

		Service Provider Cert Dir
		`/etc/rhodecode/conf/saml_ssl/`:

		.. note::
		Optional directory to store service provider certificate and private keys.
		Expected certs for the SP should be stored in this folder as:
		* sp.key Private Key
		* sp.crt Public cert
		* sp_new.crt Future Public cert

		Also you can use other cert to sign the metadata of the SP using the:
		* metadata.key
		* metadata.crt

		Expected NameID Format
		`nameid-format:emailAddress`:

		.. note::
		The format that specifies how the NameID is sent to the service provider.

		User ID Attribute
		`user.email`:

		.. note::
		User ID Attribute name. This defines which attribute in SAML response will be used to link accounts via unique id.
		Ensure this is returned from DuoSecurity for example via duo_username.

		Username Attribute
		`user.username`:

		.. note::
		Username Attribute name. This defines which attribute in SAML response will map to a username.

		Email Attribute
		`user.email`:

		.. note::
		Email Attribute name. This defines which attribute in SAML response will map to an email address.



		Below is example setup from Azure Administration page that can be used with above config.

		.. image:: ../images/saml-azure-service-provider-example.png
		:alt: Azure SAML setup example
		:scale: 50 %


		Below is an example attribute mapping set for IDP provider required by the above config.


		.. image:: ../images/saml-azure-attributes-example.png
		:alt: Azure SAML setup example
		:scale: 50 %