.. _config-saml-duosecurity-ref:

SAML 2.0 with Duo Security
--------------------------

**This plugin is available only in EE Edition.**

|RCE| supports SAML 2.0 Authentication with Duo Security provider. This allows
users to log-in to RhodeCode via SSO mechanism of external identity provider
such as Duo. The login can be triggered either by the external IDP, or internally
by clicking specific authentication button on the log-in page.


Configuration steps
^^^^^^^^^^^^^^^^^^^

To configure Duo Security SAML authentication, use the following steps:

1. From the |RCE| interface, select
   :menuselection:`Admin --> Authentication`
2. Activate the `Duo Security` plugin and select :guilabel:`Save`
3. Go to the newly available menu option called `Duo Security` on the left side.
4. Check the `enabled` check box in the plugin configuration section,
   fill in the required SAML information and select :guilabel:`Save`. For more details,
   see :ref:`config-saml-duosecurity`


.. _config-saml-duosecurity:

Example SAML Duo Security configuration
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Example configuration for SAML 2.0 with Duo Security provider

Enabled
    `True`:

    .. note::

        Enable or disable this authentication plugin.

Auth Cache TTL
    `30`:

    .. note::

        Amount of seconds to cache the authentication and permissions check response call for this plugin.
        Useful for expensive calls like LDAP to improve the performance of the system (0 means disabled).

Debug
    `True`:

    .. note::

        Enable or disable debug mode that shows SAML errors in the RhodeCode logs.

Auth button name
    `Azure Entra ID`:

    .. note::

        Alternative authentication display name. E.g. AzureAuth, CorporateID etc.

Entity ID
    `https://my-duo-gateway.com/dag/saml2/idp/metadata.php`:

    .. note::

        Identity Provider entity/metadata URI.
        E.g. https://duo-gateway.com/dag/saml2/idp/metadata.php

SSO URL
    `https://duo-gateway.com/dag/saml2/idp/SSOService.php?spentityid=<metadata_entity_id>`:

    .. note::

        SSO (SingleSignOn) endpoint URL of the IdP. This can be used to initiate login. Also known as Login URL.
        E.g. http://rc-app.com/dag/saml2/idp/SSOService.php?spentityid=https://docker-dev/_admin/auth/duosecurity/saml-metadata

SLO URL
    `https://duo-gateway.com/dag/saml2/idp/SingleLogoutService.php?ReturnTo=<return_url>`:

    .. note::

        SLO (SingleLogout) endpoint URL of the IdP. Also known as Logout URL.
        E.g. http://rc-app.com/dag/saml2/idp/SingleLogoutService.php?ReturnTo=https://docker-dev/_admin/auth/duosecurity/saml-sign-out-endpoint

x509cert
    `<CERTIFICATE_STRING>`:

    .. note::

        Identity provider public x509 certificate. It will be converted to single-line format without headers.
        Download the raw base64 encoded certificate from the Identity provider and paste it here.

SAML Signature
    `sha-256`:

    .. note::

        Type of algorithm to use for verification of the SAML signature on the Identity provider side.

SAML Digest
    `sha-256`:

    .. note::

        Type of algorithm to use for verification of the SAML digest on the Identity provider side.

Service Provider Cert Dir
    `/etc/rhodecode/conf/saml_ssl/`:

    .. note::

        Optional directory to store the service provider certificate and private keys.
        Expected certs for the SP should be stored in this folder as:

        * sp.key Private Key
        * sp.crt Public cert
        * sp_new.crt Future Public cert

        You can also use another cert to sign the metadata of the SP using:

        * metadata.key
        * metadata.crt

Expected NameID Format
    `nameid-format:emailAddress`:

    .. note::

        The format that specifies how the NameID is sent to the service provider.

User ID Attribute
    `PersonImmutableID`:

    .. note::

        User ID Attribute name. This defines which attribute in the SAML response will be used to link accounts via unique id.
        Ensure this is returned from DuoSecurity, for example via duo_username.

Username Attribute
    `User.username`:

    .. note::

        Username Attribute name. This defines which attribute in the SAML response will map to a username.

Email Attribute
    `User.email`:

    .. note::

        Email Attribute name. This defines which attribute in the SAML response will map to an email address.
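
The script below is an added example and is not part of the RhodeCode documentation or code base. It shows what a practitioner would verify about the settings listed above before enabling the plugin: that ``x509cert`` reduces to the single-line, header-less base64 form the plugin stores and decodes as DER, that the IdP URLs are ``https``, that signature and digest are ``sha-256``, that an optional SP cert directory actually holds ``sp.key`` and ``sp.crt``, and how the configured ``PersonImmutableID``, ``User.username`` and ``User.email`` names select values out of a SAML response whose NameID format matches the expected one. All function names, settings keys, the placeholder certificate bytes and the sample response are constructed for this example; it performs no signature verification and is not an authentication path.

```python
# Added example (not RhodeCode code): offline checks for the plugin settings
# documented above and a demonstration of the attribute mapping. Settings keys,
# function names and all sample values are constructed for this example.
import base64
import binascii
import os
import re
import tempfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def normalize_x509(cert_text: str) -> str:
    """Strip PEM headers and whitespace, returning the single-line base64 form
    described for ``x509cert``. Rejects non-base64 input and decoded bytes that
    do not start with a DER SEQUENCE tag (0x30)."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", cert_text)
    body = "".join(body.split())
    der = base64.b64decode(body, validate=True)  # binascii.Error on bad input
    if not der or der[0] != 0x30:
        raise ValueError("decoded x509cert is not DER-encoded")
    return body


def check_settings(settings: dict) -> list:
    """Return a list of findings for the settings; an empty list means no issue."""
    findings = []
    for key in ("entity_id", "sso_url", "slo_url"):
        if urlparse(settings[key]).scheme != "https":
            findings.append(f"{key}: not an https URL")
    for key in ("signature", "digest"):
        if settings[key] != "sha-256":  # SHA-1 is deprecated for XML signatures
            findings.append(f"{key}: expected sha-256, got {settings[key]}")
    try:
        normalize_x509(settings["x509cert"])
    except (ValueError, binascii.Error) as exc:
        findings.append(f"x509cert: {exc}")
    cert_dir = settings.get("sp_cert_dir")
    if cert_dir:  # directory is optional; when set, the SP key pair must exist
        for name in ("sp.key", "sp.crt"):
            if not os.path.isfile(os.path.join(cert_dir, name)):
                findings.append(f"sp_cert_dir: missing {name}")
    return findings


def extract_identity(response_xml: str, settings: dict) -> dict:
    """Pick the NameID and the configured attributes out of a SAML response.
    Raises when the NameID format differs from ``nameid_format`` or the user-id
    attribute is absent, because the account link would be unusable."""
    root = ET.fromstring(response_xml)
    name_id = root.find(".//saml:Subject/saml:NameID", SAML_NS)
    fmt = name_id.get("Format", "") if name_id is not None else ""
    if not fmt.endswith(settings["nameid_format"]):
        raise ValueError("NameID missing or not in the expected format")
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [v.text for v in attr.findall("saml:AttributeValue", SAML_NS)]
        attrs[attr.get("Name")] = values[0] if len(values) == 1 else values
    user_id = attrs.get(settings["user_id_attr"])
    if not user_id:
        raise ValueError(f"{settings['user_id_attr']} not present in the assertion")
    return {"name_id": name_id.text, "user_id": user_id,
            "username": attrs.get(settings["username_attr"]),
            "email": attrs.get(settings["email_attr"])}


# Constructed placeholder: base64 of DER bytes 30 03 02 01 01, enough to exercise
# the format check. A real IdP certificate is far longer.
DEMO_CERT_PEM = "-----BEGIN CERTIFICATE-----\nMAMC\nAQE=\n-----END CERTIFICATE-----\n"

DEMO_SETTINGS = {  # constructed; mirrors the fields documented above
    "entity_id": "https://my-duo-gateway.com/dag/saml2/idp/metadata.php",
    "sso_url": "https://duo-gateway.com/dag/saml2/idp/SSOService.php?spentityid=sp",
    "slo_url": "https://duo-gateway.com/dag/saml2/idp/SingleLogoutService.php",
    "x509cert": DEMO_CERT_PEM, "signature": "sha-256", "digest": "sha-256",
    "sp_cert_dir": None,  # filled by make_demo_cert_dir() when checking files
    "nameid_format": "nameid-format:emailAddress",
    "user_id_attr": "PersonImmutableID", "username_attr": "User.username",
    "email_attr": "User.email",
}

# Constructed sample response carrying the three attributes the plugin maps.
DEMO_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion>
  <saml:Subject><saml:NameID
    Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="PersonImmutableID"><saml:AttributeValue>duo-1234</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="User.username"><saml:AttributeValue>jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="User.email"><saml:AttributeValue>jane@example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement></saml:Assertion></samlp:Response>"""


def make_demo_cert_dir() -> str:
    """Create a temporary SP cert dir holding placeholder sp.key and sp.crt."""
    path = tempfile.mkdtemp(prefix="saml_ssl_")
    for name in ("sp.key", "sp.crt"):
        with open(os.path.join(path, name), "w") as fh:
            fh.write("placeholder\n")
    return path


if __name__ == "__main__":
    demo = dict(DEMO_SETTINGS, sp_cert_dir=make_demo_cert_dir())
    print("findings:", check_settings(demo))
    print("identity:", extract_identity(DEMO_RESPONSE, demo))
```

Run it as a script to see an empty findings list and the mapped identity for the sample response; change ``signature`` to ``sha-1`` or point ``sp_cert_dir`` at an empty directory to see the corresponding findings. The stdlib XML parser is used only to illustrate how the attribute names line up with the response; a real service provider must verify the response signature against the IdP certificate before trusting any attribute it contains.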

Below is an example setup from the DUO Administration page that can be used with the above config.

.. image:: ../images/saml-duosecurity-service-provider-example.png
   :alt: DUO Security SAML setup example
   :scale: 50 %

Below is an example attribute mapping set on the IdP side, required by the above config.

.. image:: ../images/saml-duosecurity-attributes-example.png
   :alt: DUO Security SAML setup example
   :scale: 50 %