auth-saml-duosecurity.rst
104 lines
| 4.3 KiB
| text/x-rst
|
RstLexer
| r3290 | .. _config-saml-duosecurity-ref: | ||
| SAML 2.0 with Duo Security | |||
| -------------------------- | |||
| **This plugin is available only in EE Edition.** | |||
| |RCE| supports SAML 2.0 Authentication with Duo Security provider. This allows | |||
| users to log-in to RhodeCode via SSO mechanism of external identity provider | |||
| such as Duo. The login can be triggered either by the external IDP, or internally | |||
| by clicking specific authentication button on the log-in page. | |||
| Configuration steps | |||
| ^^^^^^^^^^^^^^^^^^^ | |||
| To configure Duo Security SAML authentication, use the following steps: | |||
| 1. From the |RCE| interface, select | |||
| :menuselection:`Admin --> Authentication` | |||
| 2. Activate the `Duo Security` plugin and select :guilabel:`Save` | |||
| 3. Go to newly available menu option called `Duo Security` on the left side. | |||
| 4. Check the `enabled` check box in the plugin configuration section, | |||
| and fill in the required SAML information and :guilabel:`Save`, for more details, | |||
| see :ref:`config-saml-duosecurity` | |||
| .. _config-saml-duosecurity: | |||
| Example SAML Duo Security configuration | |||
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ | |||
| Example configuration for SAML 2.0 with Duo Security provider:: | |||
| *option*: `enabled` => `True` | |||
| # Enable or disable this authentication plugin. | |||
| *option*: `cache_ttl` => `0` | |||
| # Amount of seconds to cache the authentication and permissions check response call for this plugin. | |||
| # Useful for expensive calls like LDAP to improve the performance of the system (0 means disabled). | |||
| *option*: `debug` => `True` | |||
| # Enable or disable debug mode that shows SAML errors in the RhodeCode logs. | |||
| *option*: `entity_id` => `http://rc-app.com/dag/saml2/idp/metadata.php` | |||
| # Identity Provider entity/metadata URI. | |||
| # E.g. https://duo-gateway.com/dag/saml2/idp/metadata.php | |||
| *option*: `sso_service_url` => `http://rc-app.com/dag/saml2/idp/SSOService.php?spentityid=http://rc.local.pl/_admin/auth/duosecurity/saml-metadata` | |||
| # SSO (SingleSignOn) endpoint URL of the IdP. This can be used to initialize login | |||
| # E.g. https://duo-gateway.com/dag/saml2/idp/SSOService.php?spentityid=<metadata_entity_id> | |||
| *option*: `slo_service_url` => `http://rc-app.com/dag/saml2/idp/SingleLogoutService.php?ReturnTo=http://rc-app.com/dag/module.php/duosecurity/logout.php` | |||
| # SLO (SingleLogout) endpoint URL of the IdP. | |||
| # E.g. https://duo-gateway.com/dag/saml2/idp/SingleLogoutService.php?ReturnTo=http://duo-gateway.com/_admin/saml/sign-out-endpoint | |||
| *option*: `x509cert` => `<CERTIFICATE_STRING>` | |||
| # Identity provider public x509 certificate. It will be converted to single-line format without headers | |||
| *option*: `name_id_format` => `sha-1` | |||
| # The format that specifies how the NameID is sent to the service provider. | |||
| *option*: `signature_algo` => `sha-256` | |||
| # Type of Algorithm to use for verification of SAML signature on Identity provider side | |||
| *option*: `digest_algo` => `sha-256` | |||
| # Type of Algorithm to use for verification of SAML digest on Identity provider side | |||
| *option*: `cert_dir` => `/etc/saml/` | |||
| # Optional directory to store service provider certificate and private keys. | |||
| # Expected certs for the SP should be stored in this folder as: | |||
| # * sp.key Private Key | |||
| # * sp.crt Public cert | |||
| # * sp_new.crt Future Public cert | |||
| # | |||
| # Also you can use other cert to sign the metadata of the SP using the: | |||
| # * metadata.key | |||
| # * metadata.crt | |||
| *option*: `user_id_attribute` => `PersonImmutableID` | |||
| # User ID Attribute name. This defines which attribute in SAML response will be used to link accounts via unique id. | |||
| # Ensure this is returned from DuoSecurity for example via duo_username | |||
| *option*: `username_attribute` => `User.username` | |||
| # Username Attribute name. This defines which attribute in SAML response will map to an username. | |||
| *option*: `email_attribute` => `User.email` | |||
| # Email Attribute name. This defines which attribute in SAML response will map to an email address. | |||
| Below is example setup from DUO Administration page that can be used with above config. | |||
| .. image:: ../images/saml-duosecurity-service-provider-example.png | |||
| :alt: DUO Security SAML setup example | |||
| :scale: 50 % | |||
| Below is an example attribute mapping set for IDP provider required by the above config. | |||
| .. image:: ../images/saml-duosecurity-attributes-example.png | |||
| :alt: DUO Security SAML setup example | |||
| :scale: 50 % |
