auth-saml-duosecurity.rst
158 lines
| 4.6 KiB
| text/x-rst
|
RstLexer
r3290 | .. _config-saml-duosecurity-ref: | ||
SAML 2.0 with Duo Security | |||
-------------------------- | |||
**This plugin is available only in EE Edition.** | |||
|RCE| supports SAML 2.0 Authentication with Duo Security provider. This allows | |||
users to log-in to RhodeCode via SSO mechanism of external identity provider | |||
such as Duo. The login can be triggered either by the external IDP, or internally | |||
by clicking specific authentication button on the log-in page. | |||
Configuration steps | |||
^^^^^^^^^^^^^^^^^^^ | |||
To configure Duo Security SAML authentication, use the following steps: | |||
1. From the |RCE| interface, select | |||
:menuselection:`Admin --> Authentication` | |||
2. Activate the `Duo Security` plugin and select :guilabel:`Save` | |||
3. Go to newly available menu option called `Duo Security` on the left side. | |||
4. Check the `enabled` check box in the plugin configuration section, | |||
and fill in the required SAML information and :guilabel:`Save`, for more details, | |||
see :ref:`config-saml-duosecurity` | |||
.. _config-saml-duosecurity: | |||
Example SAML Duo Security configuration | |||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ | |||
r5505 | Example configuration for SAML 2.0 with Duo Security provider | ||
Enabled | |||
`True`: | |||
r3290 | |||
r5505 | .. note:: | ||
Enable or disable this authentication plugin. | |||
Auth Cache TTL | |||
`30`: | |||
r3290 | |||
r5505 | .. note:: | ||
Amount of seconds to cache the authentication and permissions check response call for this plugin. | |||
Useful for expensive calls like LDAP to improve the performance of the system (0 means disabled). | |||
Debug | |||
`True`: | |||
r3290 | |||
r5505 | .. note:: | ||
Enable or disable debug mode that shows SAML errors in the RhodeCode logs. | |||
Auth button name | |||
`Azure Entra ID`: | |||
r3290 | |||
r5505 | .. note:: | ||
Alternative authentication display name. E.g AzureAuth, CorporateID etc. | |||
Entity ID | |||
`https://my-duo-gateway.com/dag/saml2/idp/metadata.php`: | |||
.. note:: | |||
Identity Provider entity/metadata URI. | |||
E.g. https://duo-gateway.com/dag/saml2/idp/metadata.php | |||
SSO URL | |||
`https://duo-gateway.com/dag/saml2/idp/SSOService.php?spentityid=<metadata_entity_id>`: | |||
r3290 | |||
r5505 | .. note:: | ||
SSO (SingleSignOn) endpoint URL of the IdP. This can be used to initialize login, Known also as Login URL | |||
E.g. http://rc-app.com/dag/saml2/idp/SSOService.php?spentityid=https://docker-dev/_admin/auth/duosecurity/saml-metadata | |||
SLO URL | |||
`https://duo-gateway.com/dag/saml2/idp/SingleLogoutService.php?ReturnTo=<return_url>`: | |||
r3290 | |||
r5505 | .. note:: | ||
SLO (SingleLogout) endpoint URL of the IdP. , Known also as Logout URL | |||
E.g. http://rc-app.com/dag/saml2/idp/SingleLogoutService.php?ReturnTo=https://docker-dev/_admin/auth/duosecurity/saml-sign-out-endpoint | |||
r3290 | |||
r5505 | x509cert | ||
`<CERTIFICATE_STRING>`: | |||
r3290 | |||
r5505 | .. note:: | ||
Identity provider public x509 certificate. It will be converted to single-line format without headers. | |||
Download the raw base64 encoded certificate from the Identity provider and paste it here. | |||
SAML Signature | |||
`sha-256`: | |||
.. note:: | |||
Type of Algorithm to use for verification of SAML signature on Identity provider side. | |||
SAML Digest | |||
`sha-256`: | |||
r3290 | |||
r5505 | .. note:: | ||
Type of Algorithm to use for verification of SAML digest on Identity provider side. | |||
Service Provider Cert Dir | |||
`/etc/rhodecode/conf/saml_ssl/`: | |||
r3290 | |||
r5505 | .. note:: | ||
Optional directory to store service provider certificate and private keys. | |||
Expected certs for the SP should be stored in this folder as: | |||
* sp.key Private Key | |||
* sp.crt Public cert | |||
* sp_new.crt Future Public cert | |||
r3290 | |||
r5505 | Also you can use other cert to sign the metadata of the SP using the: | ||
* metadata.key | |||
* metadata.crt | |||
Expected NameID Format | |||
`nameid-format:emailAddress`: | |||
.. note:: | |||
The format that specifies how the NameID is sent to the service provider. | |||
User ID Attribute | |||
`PersonImmutableID`: | |||
r3290 | |||
r5505 | .. note:: | ||
User ID Attribute name. This defines which attribute in SAML response will be used to link accounts via unique id. | |||
Ensure this is returned from DuoSecurity for example via duo_username. | |||
Username Attribute | |||
`User.username`: | |||
r3290 | |||
r5505 | .. note:: | ||
Username Attribute name. This defines which attribute in SAML response will map to a username. | |||
r3290 | |||
r5505 | Email Attribute | ||
`User.email`: | |||
.. note:: | |||
Email Attribute name. This defines which attribute in SAML response will map to an email address. | |||
r3290 | |||
Below is example setup from DUO Administration page that can be used with above config. | |||
.. image:: ../images/saml-duosecurity-service-provider-example.png | |||
:alt: DUO Security SAML setup example | |||
:scale: 50 % | |||
Below is an example attribute mapping set for IDP provider required by the above config. | |||
.. image:: ../images/saml-duosecurity-attributes-example.png | |||
:alt: DUO Security SAML setup example | |||
:scale: 50 % |