auth-saml-onelogin.rst
158 lines
| 4.5 KiB
| text/x-rst
|
RstLexer
| r3290 | .. _config-saml-onelogin-ref: | ||
| SAML 2.0 with One Login | |||
| ----------------------- | |||
| **This plugin is available only in EE Edition.** | |||
| |RCE| supports SAML 2.0 Authentication with OneLogin provider. This allows | |||
| users to log-in to RhodeCode via SSO mechanism of external identity provider | |||
| such as OneLogin. The login can be triggered either by the external IDP, or internally | |||
| by clicking specific authentication button on the log-in page. | |||
| Configuration steps | |||
| ^^^^^^^^^^^^^^^^^^^ | |||
| To configure OneLogin SAML authentication, use the following steps: | |||
| 1. From the |RCE| interface, select | |||
| :menuselection:`Admin --> Authentication` | |||
| 2. Activate the `OneLogin` plugin and select :guilabel:`Save` | |||
| 3. Go to newly available menu option called `OneLogin` on the left side. | |||
| 4. Check the `enabled` check box in the plugin configuration section, | |||
| and fill in the required SAML information and :guilabel:`Save`, for more details, | |||
| see :ref:`config-saml-onelogin` | |||
| .. _config-saml-onelogin: | |||
| Example SAML OneLogin configuration | |||
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ | |||
| r5505 | Example configuration for SAML 2.0 with OneLogin provider | ||
| Enabled | |||
| `True`: | |||
| r3290 | |||
| r5505 | .. note:: | ||
| Enable or disable this authentication plugin. | |||
| Auth Cache TTL | |||
| `30`: | |||
| r3290 | |||
| r5505 | .. note:: | ||
| Amount of seconds to cache the authentication and permissions check response call for this plugin. | |||
| Useful for expensive calls like LDAP to improve the performance of the system (0 means disabled). | |||
| Debug | |||
| `True`: | |||
| r3290 | |||
| r5505 | .. note:: | ||
| Enable or disable debug mode that shows SAML errors in the RhodeCode logs. | |||
| Auth button name | |||
| `Azure Entra ID`: | |||
| r3290 | |||
| r5505 | .. note:: | ||
| Alternative authentication display name. E.g AzureAuth, CorporateID etc. | |||
| Entity ID | |||
| `https://app.onelogin.com/saml/metadata/<onelogin_connector_id>`: | |||
| .. note:: | |||
| Identity Provider entity/metadata URI. | |||
| E.g. https://app.onelogin.com/saml/metadata/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx | |||
| SSO URL | |||
| `https://app.onelogin.com/trust/saml2/http-post/sso/<onelogin_connector_id>`: | |||
| r3290 | |||
| r5505 | .. note:: | ||
| SSO (SingleSignOn) endpoint URL of the IdP. This can be used to initialize login, Known also as Login URL | |||
| E.g. https://app.onelogin.com/trust/saml2/http-post/sso/<onelogin_connector_id> | |||
| SLO URL | |||
| `https://app.onelogin.com/trust/saml2/http-redirect/slo/<onelogin_connector_id>`: | |||
| r3290 | |||
| r5505 | .. note:: | ||
| SLO (SingleLogout) endpoint URL of the IdP. , Known also as Logout URL | |||
| E.g. https://app.onelogin.com/trust/saml2/http-redirect/slo/<onelogin_connector_id> | |||
| r3290 | |||
| r5505 | x509cert | ||
| `<CERTIFICATE_STRING>`: | |||
| r3290 | |||
| r5505 | .. note:: | ||
| Identity provider public x509 certificate. It will be converted to single-line format without headers. | |||
| Download the raw base64 encoded certificate from the Identity provider and paste it here. | |||
| SAML Signature | |||
| `sha-256`: | |||
| .. note:: | |||
| Type of Algorithm to use for verification of SAML signature on Identity provider side. | |||
| SAML Digest | |||
| `sha-256`: | |||
| r3290 | |||
| r5505 | .. note:: | ||
| Type of Algorithm to use for verification of SAML digest on Identity provider side. | |||
| Service Provider Cert Dir | |||
| `/etc/rhodecode/conf/saml_ssl/`: | |||
| r3290 | |||
| r5505 | .. note:: | ||
| Optional directory to store service provider certificate and private keys. | |||
| Expected certs for the SP should be stored in this folder as: | |||
| * sp.key Private Key | |||
| * sp.crt Public cert | |||
| * sp_new.crt Future Public cert | |||
| r3290 | |||
| r5505 | Also you can use other cert to sign the metadata of the SP using the: | ||
| * metadata.key | |||
| * metadata.crt | |||
| Expected NameID Format | |||
| `nameid-format:emailAddress`: | |||
| .. note:: | |||
| The format that specifies how the NameID is sent to the service provider. | |||
| User ID Attribute | |||
| `PersonImmutableID`: | |||
| r3290 | |||
| r5505 | .. note:: | ||
| User ID Attribute name. This defines which attribute in SAML response will be used to link accounts via unique id. | |||
| Ensure this is returned from DuoSecurity for example via duo_username. | |||
| Username Attribute | |||
| `User.username`: | |||
| r3290 | |||
| r5505 | .. note:: | ||
| Username Attribute name. This defines which attribute in SAML response will map to a username. | |||
| r3290 | |||
| r5505 | Email Attribute | ||
| `User.email`: | |||
| .. note:: | |||
| Email Attribute name. This defines which attribute in SAML response will map to an email address. | |||
| r3290 | |||
| Below is example setup that can be used with OneLogin SAML authentication that can be used with above config.. | |||
| .. image:: ../images/saml-onelogin-config-example.png | |||
| :alt: OneLogin SAML setup example | |||
| :scale: 50 % | |||
| Below is an example attribute mapping set for IDP provider required by the above config. | |||
| .. image:: ../images/saml-onelogin-attributes-example.png | |||
| :alt: OneLogin SAML setup example | |||
| :scale: 50 % |
