auth-saml-duosecurity.rst
160 lines
| 4.6 KiB
| text/x-rst
|
RstLexer
| r3290 | .. _config-saml-duosecurity-ref: | ||
| SAML 2.0 with Duo Security | |||
| -------------------------- | |||
| **This plugin is available only in EE Edition.** | |||
| |RCE| supports SAML 2.0 Authentication with Duo Security provider. This allows | |||
| users to log-in to RhodeCode via SSO mechanism of external identity provider | |||
| such as Duo. The login can be triggered either by the external IDP, or internally | |||
| by clicking specific authentication button on the log-in page. | |||
| Configuration steps | |||
| ^^^^^^^^^^^^^^^^^^^ | |||
| To configure Duo Security SAML authentication, use the following steps: | |||
| 1. From the |RCE| interface, select | |||
| :menuselection:`Admin --> Authentication` | |||
| 2. Activate the `Duo Security` plugin and select :guilabel:`Save` | |||
| 3. Go to newly available menu option called `Duo Security` on the left side. | |||
| 4. Check the `enabled` check box in the plugin configuration section, | |||
| and fill in the required SAML information and :guilabel:`Save`, for more details, | |||
| see :ref:`config-saml-duosecurity` | |||
| .. _config-saml-duosecurity: | |||
| Example SAML Duo Security configuration | |||
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ | |||
| r5505 | Example configuration for SAML 2.0 with Duo Security provider | ||
| Enabled | |||
| `True`: | |||
| r3290 | |||
| r5505 | .. note:: | ||
| Enable or disable this authentication plugin. | |||
| Auth Cache TTL | |||
| `30`: | |||
| r3290 | |||
| r5505 | .. note:: | ||
| Amount of seconds to cache the authentication and permissions check response call for this plugin. | |||
| Useful for expensive calls like LDAP to improve the performance of the system (0 means disabled). | |||
| Debug | |||
| `True`: | |||
| r3290 | |||
| r5505 | .. note:: | ||
| Enable or disable debug mode that shows SAML errors in the RhodeCode logs. | |||
| Auth button name | |||
| `Azure Entra ID`: | |||
| r3290 | |||
| r5505 | .. note:: | ||
| Alternative authentication display name. E.g AzureAuth, CorporateID etc. | |||
| Entity ID | |||
| `https://my-duo-gateway.com/dag/saml2/idp/metadata.php`: | |||
| .. note:: | |||
| Identity Provider entity/metadata URI. | |||
| E.g. https://duo-gateway.com/dag/saml2/idp/metadata.php | |||
| SSO URL | |||
| `https://duo-gateway.com/dag/saml2/idp/SSOService.php?spentityid=<metadata_entity_id>`: | |||
| r3290 | |||
| r5505 | .. note:: | ||
| SSO (SingleSignOn) endpoint URL of the IdP. This can be used to initialize login, Known also as Login URL | |||
| E.g. http://rc-app.com/dag/saml2/idp/SSOService.php?spentityid=https://docker-dev/_admin/auth/duosecurity/saml-metadata | |||
| SLO URL | |||
| `https://duo-gateway.com/dag/saml2/idp/SingleLogoutService.php?ReturnTo=<return_url>`: | |||
| r3290 | |||
| r5505 | .. note:: | ||
| SLO (SingleLogout) endpoint URL of the IdP. , Known also as Logout URL | |||
| E.g. http://rc-app.com/dag/saml2/idp/SingleLogoutService.php?ReturnTo=https://docker-dev/_admin/auth/duosecurity/saml-sign-out-endpoint | |||
| r3290 | |||
| r5505 | x509cert | ||
| `<CERTIFICATE_STRING>`: | |||
| r3290 | |||
| r5505 | .. note:: | ||
| Identity provider public x509 certificate. It will be converted to single-line format without headers. | |||
| Download the raw base64 encoded certificate from the Identity provider and paste it here. | |||
| SAML Signature | |||
| `sha-256`: | |||
| .. note:: | |||
| Type of Algorithm to use for verification of SAML signature on Identity provider side. | |||
| SAML Digest | |||
| `sha-256`: | |||
| r3290 | |||
| r5505 | .. note:: | ||
| Type of Algorithm to use for verification of SAML digest on Identity provider side. | |||
| Service Provider Cert Dir | |||
| `/etc/rhodecode/conf/saml_ssl/`: | |||
| r3290 | |||
| r5505 | .. note:: | ||
| Optional directory to store service provider certificate and private keys. | |||
| Expected certs for the SP should be stored in this folder as: | |||
| r5506 | |||
| * sp.key Private Key | |||
| * sp.crt Public cert | |||
| * sp_new.crt Future Public cert | |||
| r3290 | |||
| r5505 | Also you can use other cert to sign the metadata of the SP using the: | ||
| r5506 | |||
| * metadata.key | |||
| * metadata.crt | |||
| r5505 | |||
| Expected NameID Format | |||
| `nameid-format:emailAddress`: | |||
| .. note:: | |||
| The format that specifies how the NameID is sent to the service provider. | |||
| User ID Attribute | |||
| `PersonImmutableID`: | |||
| r3290 | |||
| r5505 | .. note:: | ||
| User ID Attribute name. This defines which attribute in SAML response will be used to link accounts via unique id. | |||
| Ensure this is returned from DuoSecurity for example via duo_username. | |||
| Username Attribute | |||
| `User.username`: | |||
| r3290 | |||
| r5505 | .. note:: | ||
| Username Attribute name. This defines which attribute in SAML response will map to a username. | |||
| r3290 | |||
| r5505 | Email Attribute | ||
| `User.email`: | |||
| .. note:: | |||
| Email Attribute name. This defines which attribute in SAML response will map to an email address. | |||
| r3290 | |||
| Below is example setup from DUO Administration page that can be used with above config. | |||
| .. image:: ../images/saml-duosecurity-service-provider-example.png | |||
| :alt: DUO Security SAML setup example | |||
| :scale: 50 % | |||
| Below is an example attribute mapping set for IDP provider required by the above config. | |||
| .. image:: ../images/saml-duosecurity-attributes-example.png | |||
| :alt: DUO Security SAML setup example | |||
| :scale: 50 % |
