Show More
@@ -0,0 +1,159 b'' | |||
|
1 | .. _config-saml-azure-ref: | |
|
2 | ||
|
3 | ||
|
4 | SAML 2.0 with Azure Entra ID | |
|
5 | ---------------------------- | |
|
6 | ||
|
7 | **This plugin is available only in EE Edition.** | |
|
8 | ||
|
9 | |RCE| supports SAML 2.0 Authentication with Azure Entra ID provider. This allows | |
|
10 | users to log-in to RhodeCode via SSO mechanism of external identity provider | |
|
11 | such as Azure AD. The login can be triggered either by the external IDP, or internally | |
|
12 | by clicking specific authentication button on the log-in page. | |
|
13 | ||
|
14 | ||
|
15 | Configuration steps | |
|
16 | ^^^^^^^^^^^^^^^^^^^ | |
|
17 | ||
|
18 | To configure Duo Security SAML authentication, use the following steps: | |
|
19 | ||
|
20 | 1. From the |RCE| interface, select | |
|
21 | :menuselection:`Admin --> Authentication` | |
|
22 | 2. Activate the `Azure Entra ID` plugin and select :guilabel:`Save` | |
|
23 | 3. Go to newly available menu option called `Azure Entra ID` on the left side. | |
|
24 | 4. Check the `enabled` check box in the plugin configuration section, | |
|
25 | and fill in the required SAML information and :guilabel:`Save`, for more details, | |
|
26 | see :ref:`config-saml-azure` | |
|
27 | ||
|
28 | ||
|
29 | .. _config-saml-azure: | |
|
30 | ||
|
31 | ||
|
32 | Example SAML Azure Entra ID configuration | |
|
33 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ | |
|
34 | ||
|
35 | Example configuration for SAML 2.0 with Azure Entra ID provider | |
|
36 | ||
|
37 | ||
|
38 | Enabled | |
|
39 | `True`: | |
|
40 | ||
|
41 | .. note:: | |
|
42 | Enable or disable this authentication plugin. | |
|
43 | ||
|
44 | ||
|
45 | Auth Cache TTL | |
|
46 | `30`: | |
|
47 | ||
|
48 | .. note:: | |
|
49 | Amount of seconds to cache the authentication and permissions check response call for this plugin. | |
|
50 | Useful for expensive calls like LDAP to improve the performance of the system (0 means disabled). | |
|
51 | ||
|
52 | Debug | |
|
53 | `True`: | |
|
54 | ||
|
55 | .. note:: | |
|
56 | Enable or disable debug mode that shows SAML errors in the RhodeCode logs. | |
|
57 | ||
|
58 | ||
|
59 | Auth button name | |
|
60 | `Azure Entra ID`: | |
|
61 | ||
|
62 | .. note:: | |
|
63 | Alternative authentication display name. E.g AzureAuth, CorporateID etc. | |
|
64 | ||
|
65 | ||
|
66 | Entity ID | |
|
67 | `https://sts.windows.net/APP_ID/`: | |
|
68 | ||
|
69 | .. note:: | |
|
70 | Identity Provider entity/metadata URI. Known as "Microsoft Entra Identifier" | |
|
71 | E.g. https://sts.windows.net/abcd-c655-dcee-aab7-abcd/ | |
|
72 | ||
|
73 | SSO URL | |
|
74 | `https://login.microsoftonline.com/APP_ID/saml2`: | |
|
75 | ||
|
76 | .. note:: | |
|
77 | SSO (SingleSignOn) endpoint URL of the IdP. This can be used to initialize login, Known also as Login URL | |
|
78 | E.g. https://login.microsoftonline.com/abcd-c655-dcee-aab7-abcd/saml2 | |
|
79 | ||
|
80 | SLO URL | |
|
81 | `https://login.microsoftonline.com/APP_ID/saml2`: | |
|
82 | ||
|
83 | .. note:: | |
|
84 | SLO (SingleLogout) endpoint URL of the IdP. , Known also as Logout URL | |
|
85 | E.g. https://login.microsoftonline.com/abcd-c655-dcee-aab7-abcd/saml2 | |
|
86 | ||
|
87 | x509cert | |
|
88 | `<CERTIFICATE_STRING>`: | |
|
89 | ||
|
90 | .. note:: | |
|
91 | Identity provider public x509 certificate. It will be converted to single-line format without headers. | |
|
92 | Download the raw base64 encoded certificate from the Identity provider and paste it here. | |
|
93 | ||
|
94 | SAML Signature | |
|
95 | `sha-256`: | |
|
96 | ||
|
97 | .. note:: | |
|
98 | Type of Algorithm to use for verification of SAML signature on Identity provider side. | |
|
99 | ||
|
100 | SAML Digest | |
|
101 | `sha-256`: | |
|
102 | ||
|
103 | .. note:: | |
|
104 | Type of Algorithm to use for verification of SAML digest on Identity provider side. | |
|
105 | ||
|
106 | Service Provider Cert Dir | |
|
107 | `/etc/rhodecode/conf/saml_ssl/`: | |
|
108 | ||
|
109 | .. note:: | |
|
110 | Optional directory to store service provider certificate and private keys. | |
|
111 | Expected certs for the SP should be stored in this folder as: | |
|
112 | * sp.key Private Key | |
|
113 | * sp.crt Public cert | |
|
114 | * sp_new.crt Future Public cert | |
|
115 | ||
|
116 | Also you can use other cert to sign the metadata of the SP using the: | |
|
117 | * metadata.key | |
|
118 | * metadata.crt | |
|
119 | ||
|
120 | Expected NameID Format | |
|
121 | `nameid-format:emailAddress`: | |
|
122 | ||
|
123 | .. note:: | |
|
124 | The format that specifies how the NameID is sent to the service provider. | |
|
125 | ||
|
126 | User ID Attribute | |
|
127 | `user.email`: | |
|
128 | ||
|
129 | .. note:: | |
|
130 | User ID Attribute name. This defines which attribute in SAML response will be used to link accounts via unique id. | |
|
131 | Ensure this is returned from DuoSecurity for example via duo_username. | |
|
132 | ||
|
133 | Username Attribute | |
|
134 | `user.username`: | |
|
135 | ||
|
136 | .. note:: | |
|
137 | Username Attribute name. This defines which attribute in SAML response will map to a username. | |
|
138 | ||
|
139 | Email Attribute | |
|
140 | `user.email`: | |
|
141 | ||
|
142 | .. note:: | |
|
143 | Email Attribute name. This defines which attribute in SAML response will map to an email address. | |
|
144 | ||
|
145 | ||
|
146 | ||
|
147 | Below is example setup from Azure Administration page that can be used with above config. | |
|
148 | ||
|
149 | .. image:: ../images/saml-azure-service-provider-example.png | |
|
150 | :alt: Azure SAML setup example | |
|
151 | :scale: 50 % | |
|
152 | ||
|
153 | ||
|
154 | Below is an example attribute mapping set for IDP provider required by the above config. | |
|
155 | ||
|
156 | ||
|
157 | .. image:: ../images/saml-azure-attributes-example.png | |
|
158 | :alt: Azure SAML setup example | |
|
159 | :scale: 50 % No newline at end of file |
@@ -4,15 +4,30 b' WORKDIR /project' | |||
|
4 | 4 | |
|
5 | 5 | RUN apt-get update \ |
|
6 | 6 | && apt-get install --no-install-recommends --yes \ |
|
7 |
|
|
|
8 |
|
|
|
9 |
|
|
|
10 | imagemagick \ | |
|
11 |
|
|
|
7 | curl \ | |
|
8 | zip \ | |
|
9 | graphviz \ | |
|
10 | dvipng \ | |
|
11 | imagemagick \ | |
|
12 | make \ | |
|
13 | latexmk \ | |
|
14 | texlive-latex-recommended \ | |
|
15 | texlive-latex-extra \ | |
|
16 | texlive-xetex \ | |
|
17 | fonts-freefont-otf \ | |
|
18 | texlive-fonts-recommended \ | |
|
19 | texlive-lang-greek \ | |
|
20 | tex-gyre \ | |
|
12 | 21 | && apt-get autoremove \ |
|
13 | 22 | && apt-get clean \ |
|
14 | 23 | && rm -rf /var/lib/apt/lists/* |
|
15 | 24 | |
|
25 | RUN curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip" && \ | |
|
26 | unzip awscliv2.zip && \ | |
|
27 | ./aws/install && \ | |
|
28 | rm -rf ./aws && \ | |
|
29 | rm awscliv2.zip | |
|
30 | ||
|
16 | 31 | RUN \ |
|
17 | 32 | python3 -m pip install --no-cache-dir --upgrade pip && \ |
|
18 | 33 | python3 -m pip install --no-cache-dir Sphinx Pillow |
@@ -13,7 +13,7 b' This method simply enables SAML authenti' | |||
|
13 | 13 | From the server RhodeCode Enterprise is running run ishell on the instance which we |
|
14 | 14 | want to apply the SAML migration:: |
|
15 | 15 | |
|
16 | rccontrol ishell enterprise-1 | |
|
16 | ./rcstack cli ishell | |
|
17 | 17 | |
|
18 | 18 | Follow these steps to enable SAML authentication for multiple users. |
|
19 | 19 | |
@@ -46,6 +46,8 b' From available options pick only one and' | |||
|
46 | 46 | |
|
47 | 47 | # for Duo Security |
|
48 | 48 | In [2]: from rc_auth_plugins.auth_duo_security import RhodeCodeAuthPlugin |
|
49 | # for Azure Entra | |
|
50 | In [2]: from rc_auth_plugins.auth_azure import RhodeCodeAuthPlugin | |
|
49 | 51 | # for OneLogin |
|
50 | 52 | In [2]: from rc_auth_plugins.auth_onelogin import RhodeCodeAuthPlugin |
|
51 | 53 | # generic SAML plugin |
@@ -62,13 +64,13 b' Enter in the ishell prompt' | |||
|
62 | 64 | ...: attrs = saml2user.get(user.user_id) |
|
63 | 65 | ...: provider = RhodeCodeAuthPlugin.uid |
|
64 | 66 | ...: if existing_identity: |
|
65 |
...: print('Identity for user `{ |
|
|
67 | ...: print(f'Identity for user `{user.username}` already exists, skipping') | |
|
66 | 68 | ...: continue |
|
67 | 69 | ...: if attrs: |
|
68 | 70 | ...: external_id = attrs['id'] |
|
69 | 71 | ...: new_external_identity = ExternalIdentity() |
|
70 | 72 | ...: new_external_identity.external_id = external_id |
|
71 |
...: new_external_identity.external_username = '{ |
|
|
73 | ...: new_external_identity.external_username = f'{user.username}-saml-{user.user_id}' | |
|
72 | 74 | ...: new_external_identity.provider_name = provider |
|
73 | 75 | ...: new_external_identity.local_user_id = user.user_id |
|
74 | 76 | ...: new_external_identity.access_token = '' |
@@ -76,7 +78,7 b' Enter in the ishell prompt' | |||
|
76 | 78 | ...: new_external_identity.alt_token = '' |
|
77 | 79 | ...: Session().add(ex_identity) |
|
78 | 80 | ...: Session().commit() |
|
79 |
...: print('Set user `{ |
|
|
81 | ...: print(f'Set user `{user.username}` external identity bound to ExternalID:{external_id}') | |
|
80 | 82 | |
|
81 | 83 | .. note:: |
|
82 | 84 |
@@ -32,62 +32,116 b' 4. Check the `enabled` check box in the ' | |||
|
32 | 32 | Example SAML Duo Security configuration |
|
33 | 33 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ |
|
34 | 34 | |
|
35 |
Example configuration for SAML 2.0 with Duo Security provider |
|
|
35 | Example configuration for SAML 2.0 with Duo Security provider | |
|
36 | ||
|
37 | ||
|
38 | Enabled | |
|
39 | `True`: | |
|
36 | 40 | |
|
37 | *option*: `enabled` => `True` | |
|
38 |
|
|
|
41 | .. note:: | |
|
42 | Enable or disable this authentication plugin. | |
|
43 | ||
|
44 | ||
|
45 | Auth Cache TTL | |
|
46 | `30`: | |
|
39 | 47 | |
|
40 | *option*: `cache_ttl` => `0` | |
|
41 |
|
|
|
42 |
|
|
|
48 | .. note:: | |
|
49 | Amount of seconds to cache the authentication and permissions check response call for this plugin. | |
|
50 | Useful for expensive calls like LDAP to improve the performance of the system (0 means disabled). | |
|
51 | ||
|
52 | Debug | |
|
53 | `True`: | |
|
43 | 54 | |
|
44 | *option*: `debug` => `True` | |
|
45 |
|
|
|
55 | .. note:: | |
|
56 | Enable or disable debug mode that shows SAML errors in the RhodeCode logs. | |
|
57 | ||
|
58 | ||
|
59 | Auth button name | |
|
60 | `Azure Entra ID`: | |
|
46 | 61 | |
|
47 | *option*: `entity_id` => `http://rc-app.com/dag/saml2/idp/metadata.php` | |
|
48 | # Identity Provider entity/metadata URI. | |
|
49 | # E.g. https://duo-gateway.com/dag/saml2/idp/metadata.php | |
|
62 | .. note:: | |
|
63 | Alternative authentication display name. E.g AzureAuth, CorporateID etc. | |
|
64 | ||
|
65 | ||
|
66 | Entity ID | |
|
67 | `https://my-duo-gateway.com/dag/saml2/idp/metadata.php`: | |
|
68 | ||
|
69 | .. note:: | |
|
70 | Identity Provider entity/metadata URI. | |
|
71 | E.g. https://duo-gateway.com/dag/saml2/idp/metadata.php | |
|
72 | ||
|
73 | SSO URL | |
|
74 | `https://duo-gateway.com/dag/saml2/idp/SSOService.php?spentityid=<metadata_entity_id>`: | |
|
50 | 75 | |
|
51 | *option*: `sso_service_url` => `http://rc-app.com/dag/saml2/idp/SSOService.php?spentityid=http://rc.local.pl/_admin/auth/duosecurity/saml-metadata` | |
|
52 |
|
|
|
53 |
|
|
|
76 | .. note:: | |
|
77 | SSO (SingleSignOn) endpoint URL of the IdP. This can be used to initialize login, Known also as Login URL | |
|
78 | E.g. http://rc-app.com/dag/saml2/idp/SSOService.php?spentityid=https://docker-dev/_admin/auth/duosecurity/saml-metadata | |
|
79 | ||
|
80 | SLO URL | |
|
81 | `https://duo-gateway.com/dag/saml2/idp/SingleLogoutService.php?ReturnTo=<return_url>`: | |
|
54 | 82 | |
|
55 | *option*: `slo_service_url` => `http://rc-app.com/dag/saml2/idp/SingleLogoutService.php?ReturnTo=http://rc-app.com/dag/module.php/duosecurity/logout.php` | |
|
56 |
|
|
|
57 |
|
|
|
83 | .. note:: | |
|
84 | SLO (SingleLogout) endpoint URL of the IdP. , Known also as Logout URL | |
|
85 | E.g. http://rc-app.com/dag/saml2/idp/SingleLogoutService.php?ReturnTo=https://docker-dev/_admin/auth/duosecurity/saml-sign-out-endpoint | |
|
58 | 86 | |
|
59 | *option*: `x509cert` => `<CERTIFICATE_STRING>` | |
|
60 | # Identity provider public x509 certificate. It will be converted to single-line format without headers | |
|
87 | x509cert | |
|
88 | `<CERTIFICATE_STRING>`: | |
|
61 | 89 | |
|
62 | *option*: `name_id_format` => `sha-1` | |
|
63 | # The format that specifies how the NameID is sent to the service provider. | |
|
90 | .. note:: | |
|
91 | Identity provider public x509 certificate. It will be converted to single-line format without headers. | |
|
92 | Download the raw base64 encoded certificate from the Identity provider and paste it here. | |
|
93 | ||
|
94 | SAML Signature | |
|
95 | `sha-256`: | |
|
96 | ||
|
97 | .. note:: | |
|
98 | Type of Algorithm to use for verification of SAML signature on Identity provider side. | |
|
99 | ||
|
100 | SAML Digest | |
|
101 | `sha-256`: | |
|
64 | 102 | |
|
65 | *option*: `signature_algo` => `sha-256` | |
|
66 |
|
|
|
103 | .. note:: | |
|
104 | Type of Algorithm to use for verification of SAML digest on Identity provider side. | |
|
105 | ||
|
106 | Service Provider Cert Dir | |
|
107 | `/etc/rhodecode/conf/saml_ssl/`: | |
|
67 | 108 | |
|
68 | *option*: `digest_algo` => `sha-256` | |
|
69 | # Type of Algorithm to use for verification of SAML digest on Identity provider side | |
|
109 | .. note:: | |
|
110 | Optional directory to store service provider certificate and private keys. | |
|
111 | Expected certs for the SP should be stored in this folder as: | |
|
112 | * sp.key Private Key | |
|
113 | * sp.crt Public cert | |
|
114 | * sp_new.crt Future Public cert | |
|
70 | 115 | |
|
71 | *option*: `cert_dir` => `/etc/saml/` | |
|
72 | # Optional directory to store service provider certificate and private keys. | |
|
73 | # Expected certs for the SP should be stored in this folder as: | |
|
74 | # * sp.key Private Key | |
|
75 | # * sp.crt Public cert | |
|
76 | # * sp_new.crt Future Public cert | |
|
77 | # | |
|
78 | # Also you can use other cert to sign the metadata of the SP using the: | |
|
79 | # * metadata.key | |
|
80 | # * metadata.crt | |
|
116 | Also you can use other cert to sign the metadata of the SP using the: | |
|
117 | * metadata.key | |
|
118 | * metadata.crt | |
|
119 | ||
|
120 | Expected NameID Format | |
|
121 | `nameid-format:emailAddress`: | |
|
122 | ||
|
123 | .. note:: | |
|
124 | The format that specifies how the NameID is sent to the service provider. | |
|
125 | ||
|
126 | User ID Attribute | |
|
127 | `PersonImmutableID`: | |
|
81 | 128 | |
|
82 | *option*: `user_id_attribute` => `PersonImmutableID` | |
|
83 |
|
|
|
84 |
|
|
|
129 | .. note:: | |
|
130 | User ID Attribute name. This defines which attribute in SAML response will be used to link accounts via unique id. | |
|
131 | Ensure this is returned from DuoSecurity for example via duo_username. | |
|
132 | ||
|
133 | Username Attribute | |
|
134 | `User.username`: | |
|
85 | 135 | |
|
86 | *option*: `username_attribute` => `User.username` | |
|
87 |
|
|
|
136 | .. note:: | |
|
137 | Username Attribute name. This defines which attribute in SAML response will map to a username. | |
|
88 | 138 | |
|
89 | *option*: `email_attribute` => `User.email` | |
|
90 | # Email Attribute name. This defines which attribute in SAML response will map to an email address. | |
|
139 | Email Attribute | |
|
140 | `User.email`: | |
|
141 | ||
|
142 | .. note:: | |
|
143 | Email Attribute name. This defines which attribute in SAML response will map to an email address. | |
|
144 | ||
|
91 | 145 | |
|
92 | 146 | |
|
93 | 147 | Below is example setup from DUO Administration page that can be used with above config. |
@@ -15,5 +15,6 b' Please check for reference two example p' | |||
|
15 | 15 | |
|
16 | 16 | auth-saml-duosecurity |
|
17 | 17 | auth-saml-onelogin |
|
18 | auth-saml-azure | |
|
18 | 19 | auth-saml-bulk-enroll-users |
|
19 | 20 |
@@ -32,62 +32,115 b' 4. Check the `enabled` check box in the ' | |||
|
32 | 32 | Example SAML OneLogin configuration |
|
33 | 33 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ |
|
34 | 34 | |
|
35 |
Example configuration for SAML 2.0 with OneLogin provider |
|
|
35 | Example configuration for SAML 2.0 with OneLogin provider | |
|
36 | ||
|
37 | ||
|
38 | Enabled | |
|
39 | `True`: | |
|
36 | 40 | |
|
37 | *option*: `enabled` => `True` | |
|
38 |
|
|
|
41 | .. note:: | |
|
42 | Enable or disable this authentication plugin. | |
|
43 | ||
|
44 | ||
|
45 | Auth Cache TTL | |
|
46 | `30`: | |
|
39 | 47 | |
|
40 | *option*: `cache_ttl` => `0` | |
|
41 |
|
|
|
42 |
|
|
|
48 | .. note:: | |
|
49 | Amount of seconds to cache the authentication and permissions check response call for this plugin. | |
|
50 | Useful for expensive calls like LDAP to improve the performance of the system (0 means disabled). | |
|
51 | ||
|
52 | Debug | |
|
53 | `True`: | |
|
43 | 54 | |
|
44 | *option*: `debug` => `True` | |
|
45 |
|
|
|
55 | .. note:: | |
|
56 | Enable or disable debug mode that shows SAML errors in the RhodeCode logs. | |
|
57 | ||
|
58 | ||
|
59 | Auth button name | |
|
60 | `Azure Entra ID`: | |
|
46 | 61 | |
|
47 | *option*: `entity_id` => `https://app.onelogin.com/saml/metadata/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx` | |
|
48 | # Identity Provider entity/metadata URI. | |
|
49 | # E.g. https://app.onelogin.com/saml/metadata/<onelogin_connector_id> | |
|
62 | .. note:: | |
|
63 | Alternative authentication display name. E.g AzureAuth, CorporateID etc. | |
|
64 | ||
|
65 | ||
|
66 | Entity ID | |
|
67 | `https://app.onelogin.com/saml/metadata/<onelogin_connector_id>`: | |
|
68 | ||
|
69 | .. note:: | |
|
70 | Identity Provider entity/metadata URI. | |
|
71 | E.g. https://app.onelogin.com/saml/metadata/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx | |
|
72 | ||
|
73 | SSO URL | |
|
74 | `https://app.onelogin.com/trust/saml2/http-post/sso/<onelogin_connector_id>`: | |
|
50 | 75 | |
|
51 | *option*: `sso_service_url` => `https://customer-domain.onelogin.com/trust/saml2/http-post/sso/xxxxxx` | |
|
52 |
|
|
|
53 |
|
|
|
76 | .. note:: | |
|
77 | SSO (SingleSignOn) endpoint URL of the IdP. This can be used to initialize login, Known also as Login URL | |
|
78 | E.g. https://app.onelogin.com/trust/saml2/http-post/sso/<onelogin_connector_id> | |
|
79 | ||
|
80 | SLO URL | |
|
81 | `https://app.onelogin.com/trust/saml2/http-redirect/slo/<onelogin_connector_id>`: | |
|
54 | 82 | |
|
55 | *option*: `slo_service_url` => `https://customer-domain.onelogin.com/trust/saml2/http-redirect/slo/xxxxxx` | |
|
56 |
|
|
|
57 |
|
|
|
83 | .. note:: | |
|
84 | SLO (SingleLogout) endpoint URL of the IdP. , Known also as Logout URL | |
|
85 | E.g. https://app.onelogin.com/trust/saml2/http-redirect/slo/<onelogin_connector_id> | |
|
58 | 86 | |
|
59 | *option*: `x509cert` => `<CERTIFICATE_STRING>` | |
|
60 | # Identity provider public x509 certificate. It will be converted to single-line format without headers | |
|
87 | x509cert | |
|
88 | `<CERTIFICATE_STRING>`: | |
|
61 | 89 | |
|
62 | *option*: `name_id_format` => `sha-1` | |
|
63 | # The format that specifies how the NameID is sent to the service provider. | |
|
90 | .. note:: | |
|
91 | Identity provider public x509 certificate. It will be converted to single-line format without headers. | |
|
92 | Download the raw base64 encoded certificate from the Identity provider and paste it here. | |
|
93 | ||
|
94 | SAML Signature | |
|
95 | `sha-256`: | |
|
96 | ||
|
97 | .. note:: | |
|
98 | Type of Algorithm to use for verification of SAML signature on Identity provider side. | |
|
99 | ||
|
100 | SAML Digest | |
|
101 | `sha-256`: | |
|
64 | 102 | |
|
65 | *option*: `signature_algo` => `sha-256` | |
|
66 |
|
|
|
103 | .. note:: | |
|
104 | Type of Algorithm to use for verification of SAML digest on Identity provider side. | |
|
105 | ||
|
106 | Service Provider Cert Dir | |
|
107 | `/etc/rhodecode/conf/saml_ssl/`: | |
|
67 | 108 | |
|
68 | *option*: `digest_algo` => `sha-256` | |
|
69 | # Type of Algorithm to use for verification of SAML digest on Identity provider side | |
|
109 | .. note:: | |
|
110 | Optional directory to store service provider certificate and private keys. | |
|
111 | Expected certs for the SP should be stored in this folder as: | |
|
112 | * sp.key Private Key | |
|
113 | * sp.crt Public cert | |
|
114 | * sp_new.crt Future Public cert | |
|
70 | 115 | |
|
71 | *option*: `cert_dir` => `/etc/saml/` | |
|
72 | # Optional directory to store service provider certificate and private keys. | |
|
73 | # Expected certs for the SP should be stored in this folder as: | |
|
74 | # * sp.key Private Key | |
|
75 | # * sp.crt Public cert | |
|
76 | # * sp_new.crt Future Public cert | |
|
77 | # | |
|
78 | # Also you can use other cert to sign the metadata of the SP using the: | |
|
79 | # * metadata.key | |
|
80 | # * metadata.crt | |
|
116 | Also you can use other cert to sign the metadata of the SP using the: | |
|
117 | * metadata.key | |
|
118 | * metadata.crt | |
|
119 | ||
|
120 | Expected NameID Format | |
|
121 | `nameid-format:emailAddress`: | |
|
122 | ||
|
123 | .. note:: | |
|
124 | The format that specifies how the NameID is sent to the service provider. | |
|
125 | ||
|
126 | User ID Attribute | |
|
127 | `PersonImmutableID`: | |
|
81 | 128 | |
|
82 | *option*: `user_id_attribute` => `PersonImmutableID` | |
|
83 |
|
|
|
84 |
|
|
|
129 | .. note:: | |
|
130 | User ID Attribute name. This defines which attribute in SAML response will be used to link accounts via unique id. | |
|
131 | Ensure this is returned from DuoSecurity for example via duo_username. | |
|
132 | ||
|
133 | Username Attribute | |
|
134 | `User.username`: | |
|
85 | 135 | |
|
86 | *option*: `username_attribute` => `User.username` | |
|
87 |
|
|
|
136 | .. note:: | |
|
137 | Username Attribute name. This defines which attribute in SAML response will map to a username. | |
|
88 | 138 | |
|
89 | *option*: `email_attribute` => `User.email` | |
|
90 | # Email Attribute name. This defines which attribute in SAML response will map to an email address. | |
|
139 | Email Attribute | |
|
140 | `User.email`: | |
|
141 | ||
|
142 | .. note:: | |
|
143 | Email Attribute name. This defines which attribute in SAML response will map to an email address. | |
|
91 | 144 | |
|
92 | 145 | |
|
93 | 146 |
@@ -29,6 +29,7 b' administrator greater control over how u' | |||
|
29 | 29 | auth-saml-generic |
|
30 | 30 | auth-saml-onelogin |
|
31 | 31 | auth-saml-duosecurity |
|
32 | auth-saml-azure | |
|
32 | 33 | auth-crowd |
|
33 | 34 | auth-pam |
|
34 | 35 | ssh-connection |
@@ -52,6 +52,7 b' class AuthnRootResource(AuthnResourceBas' | |||
|
52 | 52 | """ |
|
53 | 53 | This is the root traversal resource object for the authentication settings. |
|
54 | 54 | """ |
|
55 | is_root = True | |
|
55 | 56 | |
|
56 | 57 | def __init__(self): |
|
57 | 58 | self._store = collections.OrderedDict() |
@@ -26,8 +26,13 b'' | |||
|
26 | 26 | <div class="sidebar"> |
|
27 | 27 | <ul class="nav nav-pills nav-stacked"> |
|
28 | 28 | % for item in resource.get_root().get_nav_list(): |
|
29 | ||
|
29 | 30 | <li ${('class=active' if item == resource else '')}> |
|
30 | <a href="${request.resource_path(item, route_name='auth_home')}">${item.display_name}</a> | |
|
31 | % if getattr(item, 'is_root', False): | |
|
32 | <a href="${request.resource_path(item, route_name='auth_home')}">${item.display_name}</a> | |
|
33 | % else: | |
|
34 | <a style="padding-left: 10px" href="${request.resource_path(item, route_name='auth_home')}">${item.display_name}</a> | |
|
35 | % endif | |
|
31 | 36 | </li> |
|
32 | 37 | % endfor |
|
33 | 38 | </ul> |
@@ -50,6 +50,13 b'' | |||
|
50 | 50 | ${h.secure_form(request.resource_path(resource, route_name='auth_home'), request=request)} |
|
51 | 51 | <div class="form"> |
|
52 | 52 |
|
|
53 | ## Allow derived templates to add something above the form | |
|
54 | ## input fields | |
|
55 | %if hasattr(next, 'above_form_fields'): | |
|
56 | ${next.above_form_fields()} | |
|
57 | %endif | |
|
58 | ||
|
59 | <h4>${_('Plugin Configuration')}</h4> | |
|
53 | 60 | %for node in plugin.get_settings_schema(): |
|
54 | 61 | <% |
|
55 | 62 | label_to_type = {'label-checkbox': 'bool', 'label-textarea': 'textarea'} |
General Comments 0
You need to be logged in to leave comments.
Login now