##// END OF EJS Templates
rhodecode-enterprise-ce
RSS
fix(docs): fixed rst error
super-admin -
r5506:b08d803a default
parent child Browse files
Show More
Show file before | Show file after | Hide comments
@@ -1,159 +1,161 b''
1 .. _config-saml-azure-ref:
1 .. _config-saml-azure-ref:
2
2
3
3
4 SAML 2.0 with Azure Entra ID
4 SAML 2.0 with Azure Entra ID
5 ----------------------------
5 ----------------------------
6
6
7 **This plugin is available only in EE Edition.**
7 **This plugin is available only in EE Edition.**
8
8
9 |RCE| supports SAML 2.0 Authentication with Azure Entra ID provider. This allows
9 |RCE| supports SAML 2.0 Authentication with Azure Entra ID provider. This allows
10 users to log-in to RhodeCode via SSO mechanism of external identity provider
10 users to log-in to RhodeCode via SSO mechanism of external identity provider
11 such as Azure AD. The login can be triggered either by the external IDP, or internally
11 such as Azure AD. The login can be triggered either by the external IDP, or internally
12 by clicking specific authentication button on the log-in page.
12 by clicking specific authentication button on the log-in page.
13
13
14
14
15 Configuration steps
15 Configuration steps
16 ^^^^^^^^^^^^^^^^^^^
16 ^^^^^^^^^^^^^^^^^^^
17
17
18 To configure Duo Security SAML authentication, use the following steps:
18 To configure Duo Security SAML authentication, use the following steps:
19
19
20 1. From the |RCE| interface, select
20 1. From the |RCE| interface, select
21 :menuselection:`Admin --> Authentication`
21 :menuselection:`Admin --> Authentication`
22 2. Activate the `Azure Entra ID` plugin and select :guilabel:`Save`
22 2. Activate the `Azure Entra ID` plugin and select :guilabel:`Save`
23 3. Go to newly available menu option called `Azure Entra ID` on the left side.
23 3. Go to newly available menu option called `Azure Entra ID` on the left side.
24 4. Check the `enabled` check box in the plugin configuration section,
24 4. Check the `enabled` check box in the plugin configuration section,
25 and fill in the required SAML information and :guilabel:`Save`, for more details,
25 and fill in the required SAML information and :guilabel:`Save`, for more details,
26 see :ref:`config-saml-azure`
26 see :ref:`config-saml-azure`
27
27
28
28
29 .. _config-saml-azure:
29 .. _config-saml-azure:
30
30
31
31
32 Example SAML Azure Entra ID configuration
32 Example SAML Azure Entra ID configuration
33 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
33 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
34
34
35 Example configuration for SAML 2.0 with Azure Entra ID provider
35 Example configuration for SAML 2.0 with Azure Entra ID provider
36
36
37
37
38 Enabled
38 Enabled
39 `True`:
39 `True`:
40
40
41 .. note::
41 .. note::
42 Enable or disable this authentication plugin.
42 Enable or disable this authentication plugin.
43
43
44
44
45 Auth Cache TTL
45 Auth Cache TTL
46 `30`:
46 `30`:
47
47
48 .. note::
48 .. note::
49 Amount of seconds to cache the authentication and permissions check response call for this plugin.
49 Amount of seconds to cache the authentication and permissions check response call for this plugin.
50 Useful for expensive calls like LDAP to improve the performance of the system (0 means disabled).
50 Useful for expensive calls like LDAP to improve the performance of the system (0 means disabled).
51
51
52 Debug
52 Debug
53 `True`:
53 `True`:
54
54
55 .. note::
55 .. note::
56 Enable or disable debug mode that shows SAML errors in the RhodeCode logs.
56 Enable or disable debug mode that shows SAML errors in the RhodeCode logs.
57
57
58
58
59 Auth button name
59 Auth button name
60 `Azure Entra ID`:
60 `Azure Entra ID`:
61
61
62 .. note::
62 .. note::
63 Alternative authentication display name. E.g AzureAuth, CorporateID etc.
63 Alternative authentication display name. E.g AzureAuth, CorporateID etc.
64
64
65
65
66 Entity ID
66 Entity ID
67 `https://sts.windows.net/APP_ID/`:
67 `https://sts.windows.net/APP_ID/`:
68
68
69 .. note::
69 .. note::
70 Identity Provider entity/metadata URI. Known as "Microsoft Entra Identifier"
70 Identity Provider entity/metadata URI. Known as "Microsoft Entra Identifier"
71 E.g. https://sts.windows.net/abcd-c655-dcee-aab7-abcd/
71 E.g. https://sts.windows.net/abcd-c655-dcee-aab7-abcd/
72
72
73 SSO URL
73 SSO URL
74 `https://login.microsoftonline.com/APP_ID/saml2`:
74 `https://login.microsoftonline.com/APP_ID/saml2`:
75
75
76 .. note::
76 .. note::
77 SSO (SingleSignOn) endpoint URL of the IdP. This can be used to initialize login, Known also as Login URL
77 SSO (SingleSignOn) endpoint URL of the IdP. This can be used to initialize login, Known also as Login URL
78 E.g. https://login.microsoftonline.com/abcd-c655-dcee-aab7-abcd/saml2
78 E.g. https://login.microsoftonline.com/abcd-c655-dcee-aab7-abcd/saml2
79
79
80 SLO URL
80 SLO URL
81 `https://login.microsoftonline.com/APP_ID/saml2`:
81 `https://login.microsoftonline.com/APP_ID/saml2`:
82
82
83 .. note::
83 .. note::
84 SLO (SingleLogout) endpoint URL of the IdP. , Known also as Logout URL
84 SLO (SingleLogout) endpoint URL of the IdP. , Known also as Logout URL
85 E.g. https://login.microsoftonline.com/abcd-c655-dcee-aab7-abcd/saml2
85 E.g. https://login.microsoftonline.com/abcd-c655-dcee-aab7-abcd/saml2
86
86
87 x509cert
87 x509cert
88 `<CERTIFICATE_STRING>`:
88 `<CERTIFICATE_STRING>`:
89
89
90 .. note::
90 .. note::
91 Identity provider public x509 certificate. It will be converted to single-line format without headers.
91 Identity provider public x509 certificate. It will be converted to single-line format without headers.
92 Download the raw base64 encoded certificate from the Identity provider and paste it here.
92 Download the raw base64 encoded certificate from the Identity provider and paste it here.
93
93
94 SAML Signature
94 SAML Signature
95 `sha-256`:
95 `sha-256`:
96
96
97 .. note::
97 .. note::
98 Type of Algorithm to use for verification of SAML signature on Identity provider side.
98 Type of Algorithm to use for verification of SAML signature on Identity provider side.
99
99
100 SAML Digest
100 SAML Digest
101 `sha-256`:
101 `sha-256`:
102
102
103 .. note::
103 .. note::
104 Type of Algorithm to use for verification of SAML digest on Identity provider side.
104 Type of Algorithm to use for verification of SAML digest on Identity provider side.
105
105
106 Service Provider Cert Dir
106 Service Provider Cert Dir
107 `/etc/rhodecode/conf/saml_ssl/`:
107 `/etc/rhodecode/conf/saml_ssl/`:
108
108
109 .. note::
109 .. note::
110 Optional directory to store service provider certificate and private keys.
110 Optional directory to store service provider certificate and private keys.
111 Expected certs for the SP should be stored in this folder as:
111 Expected certs for the SP should be stored in this folder as:
112
112 * sp.key Private Key
113 * sp.key Private Key
113 * sp.crt Public cert
114 * sp.crt Public cert
114 * sp_new.crt Future Public cert
115 * sp_new.crt Future Public cert
115
116
116 Also you can use other cert to sign the metadata of the SP using the:
117 Also you can use other cert to sign the metadata of the SP using the:
118
117 * metadata.key
119 * metadata.key
118 * metadata.crt
120 * metadata.crt
119
121
120 Expected NameID Format
122 Expected NameID Format
121 `nameid-format:emailAddress`:
123 `nameid-format:emailAddress`:
122
124
123 .. note::
125 .. note::
124 The format that specifies how the NameID is sent to the service provider.
126 The format that specifies how the NameID is sent to the service provider.
125
127
126 User ID Attribute
128 User ID Attribute
127 `user.email`:
129 `user.email`:
128
130
129 .. note::
131 .. note::
130 User ID Attribute name. This defines which attribute in SAML response will be used to link accounts via unique id.
132 User ID Attribute name. This defines which attribute in SAML response will be used to link accounts via unique id.
131 Ensure this is returned from DuoSecurity for example via duo_username.
133 Ensure this is returned from DuoSecurity for example via duo_username.
132
134
133 Username Attribute
135 Username Attribute
134 `user.username`:
136 `user.username`:
135
137
136 .. note::
138 .. note::
137 Username Attribute name. This defines which attribute in SAML response will map to a username.
139 Username Attribute name. This defines which attribute in SAML response will map to a username.
138
140
139 Email Attribute
141 Email Attribute
140 `user.email`:
142 `user.email`:
141
143
142 .. note::
144 .. note::
143 Email Attribute name. This defines which attribute in SAML response will map to an email address.
145 Email Attribute name. This defines which attribute in SAML response will map to an email address.
144
146
145
147
146
148
147 Below is example setup from Azure Administration page that can be used with above config.
149 Below is example setup from Azure Administration page that can be used with above config.
148
150
149 .. image:: ../images/saml-azure-service-provider-example.png
151 .. image:: ../images/saml-azure-service-provider-example.png
150 :alt: Azure SAML setup example
152 :alt: Azure SAML setup example
151 :scale: 50 %
153 :scale: 50 %
152
154
153
155
154 Below is an example attribute mapping set for IDP provider required by the above config.
156 Below is an example attribute mapping set for IDP provider required by the above config.
155
157
156
158
157 .. image:: ../images/saml-azure-attributes-example.png
159 .. image:: ../images/saml-azure-attributes-example.png
158 :alt: Azure SAML setup example
160 :alt: Azure SAML setup example
159 :scale: 50 % No newline at end of file
161 :scale: 50 %
Show file before | Show file after | Hide comments
@@ -1,159 +1,161 b''
1 .. _config-saml-duosecurity-ref:
1 .. _config-saml-duosecurity-ref:
2
2
3
3
4 SAML 2.0 with Duo Security
4 SAML 2.0 with Duo Security
5 --------------------------
5 --------------------------
6
6
7 **This plugin is available only in EE Edition.**
7 **This plugin is available only in EE Edition.**
8
8
9 |RCE| supports SAML 2.0 Authentication with Duo Security provider. This allows
9 |RCE| supports SAML 2.0 Authentication with Duo Security provider. This allows
10 users to log-in to RhodeCode via SSO mechanism of external identity provider
10 users to log-in to RhodeCode via SSO mechanism of external identity provider
11 such as Duo. The login can be triggered either by the external IDP, or internally
11 such as Duo. The login can be triggered either by the external IDP, or internally
12 by clicking specific authentication button on the log-in page.
12 by clicking specific authentication button on the log-in page.
13
13
14
14
15 Configuration steps
15 Configuration steps
16 ^^^^^^^^^^^^^^^^^^^
16 ^^^^^^^^^^^^^^^^^^^
17
17
18 To configure Duo Security SAML authentication, use the following steps:
18 To configure Duo Security SAML authentication, use the following steps:
19
19
20 1. From the |RCE| interface, select
20 1. From the |RCE| interface, select
21 :menuselection:`Admin --> Authentication`
21 :menuselection:`Admin --> Authentication`
22 2. Activate the `Duo Security` plugin and select :guilabel:`Save`
22 2. Activate the `Duo Security` plugin and select :guilabel:`Save`
23 3. Go to newly available menu option called `Duo Security` on the left side.
23 3. Go to newly available menu option called `Duo Security` on the left side.
24 4. Check the `enabled` check box in the plugin configuration section,
24 4. Check the `enabled` check box in the plugin configuration section,
25 and fill in the required SAML information and :guilabel:`Save`, for more details,
25 and fill in the required SAML information and :guilabel:`Save`, for more details,
26 see :ref:`config-saml-duosecurity`
26 see :ref:`config-saml-duosecurity`
27
27
28
28
29 .. _config-saml-duosecurity:
29 .. _config-saml-duosecurity:
30
30
31
31
32 Example SAML Duo Security configuration
32 Example SAML Duo Security configuration
33 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
33 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
34
34
35 Example configuration for SAML 2.0 with Duo Security provider
35 Example configuration for SAML 2.0 with Duo Security provider
36
36
37
37
38 Enabled
38 Enabled
39 `True`:
39 `True`:
40
40
41 .. note::
41 .. note::
42 Enable or disable this authentication plugin.
42 Enable or disable this authentication plugin.
43
43
44
44
45 Auth Cache TTL
45 Auth Cache TTL
46 `30`:
46 `30`:
47
47
48 .. note::
48 .. note::
49 Amount of seconds to cache the authentication and permissions check response call for this plugin.
49 Amount of seconds to cache the authentication and permissions check response call for this plugin.
50 Useful for expensive calls like LDAP to improve the performance of the system (0 means disabled).
50 Useful for expensive calls like LDAP to improve the performance of the system (0 means disabled).
51
51
52 Debug
52 Debug
53 `True`:
53 `True`:
54
54
55 .. note::
55 .. note::
56 Enable or disable debug mode that shows SAML errors in the RhodeCode logs.
56 Enable or disable debug mode that shows SAML errors in the RhodeCode logs.
57
57
58
58
59 Auth button name
59 Auth button name
60 `Azure Entra ID`:
60 `Azure Entra ID`:
61
61
62 .. note::
62 .. note::
63 Alternative authentication display name. E.g AzureAuth, CorporateID etc.
63 Alternative authentication display name. E.g AzureAuth, CorporateID etc.
64
64
65
65
66 Entity ID
66 Entity ID
67 `https://my-duo-gateway.com/dag/saml2/idp/metadata.php`:
67 `https://my-duo-gateway.com/dag/saml2/idp/metadata.php`:
68
68
69 .. note::
69 .. note::
70 Identity Provider entity/metadata URI.
70 Identity Provider entity/metadata URI.
71 E.g. https://duo-gateway.com/dag/saml2/idp/metadata.php
71 E.g. https://duo-gateway.com/dag/saml2/idp/metadata.php
72
72
73 SSO URL
73 SSO URL
74 `https://duo-gateway.com/dag/saml2/idp/SSOService.php?spentityid=<metadata_entity_id>`:
74 `https://duo-gateway.com/dag/saml2/idp/SSOService.php?spentityid=<metadata_entity_id>`:
75
75
76 .. note::
76 .. note::
77 SSO (SingleSignOn) endpoint URL of the IdP. This can be used to initialize login, Known also as Login URL
77 SSO (SingleSignOn) endpoint URL of the IdP. This can be used to initialize login, Known also as Login URL
78 E.g. http://rc-app.com/dag/saml2/idp/SSOService.php?spentityid=https://docker-dev/_admin/auth/duosecurity/saml-metadata
78 E.g. http://rc-app.com/dag/saml2/idp/SSOService.php?spentityid=https://docker-dev/_admin/auth/duosecurity/saml-metadata
79
79
80 SLO URL
80 SLO URL
81 `https://duo-gateway.com/dag/saml2/idp/SingleLogoutService.php?ReturnTo=<return_url>`:
81 `https://duo-gateway.com/dag/saml2/idp/SingleLogoutService.php?ReturnTo=<return_url>`:
82
82
83 .. note::
83 .. note::
84 SLO (SingleLogout) endpoint URL of the IdP. , Known also as Logout URL
84 SLO (SingleLogout) endpoint URL of the IdP. , Known also as Logout URL
85 E.g. http://rc-app.com/dag/saml2/idp/SingleLogoutService.php?ReturnTo=https://docker-dev/_admin/auth/duosecurity/saml-sign-out-endpoint
85 E.g. http://rc-app.com/dag/saml2/idp/SingleLogoutService.php?ReturnTo=https://docker-dev/_admin/auth/duosecurity/saml-sign-out-endpoint
86
86
87 x509cert
87 x509cert
88 `<CERTIFICATE_STRING>`:
88 `<CERTIFICATE_STRING>`:
89
89
90 .. note::
90 .. note::
91 Identity provider public x509 certificate. It will be converted to single-line format without headers.
91 Identity provider public x509 certificate. It will be converted to single-line format without headers.
92 Download the raw base64 encoded certificate from the Identity provider and paste it here.
92 Download the raw base64 encoded certificate from the Identity provider and paste it here.
93
93
94 SAML Signature
94 SAML Signature
95 `sha-256`:
95 `sha-256`:
96
96
97 .. note::
97 .. note::
98 Type of Algorithm to use for verification of SAML signature on Identity provider side.
98 Type of Algorithm to use for verification of SAML signature on Identity provider side.
99
99
100 SAML Digest
100 SAML Digest
101 `sha-256`:
101 `sha-256`:
102
102
103 .. note::
103 .. note::
104 Type of Algorithm to use for verification of SAML digest on Identity provider side.
104 Type of Algorithm to use for verification of SAML digest on Identity provider side.
105
105
106 Service Provider Cert Dir
106 Service Provider Cert Dir
107 `/etc/rhodecode/conf/saml_ssl/`:
107 `/etc/rhodecode/conf/saml_ssl/`:
108
108
109 .. note::
109 .. note::
110 Optional directory to store service provider certificate and private keys.
110 Optional directory to store service provider certificate and private keys.
111 Expected certs for the SP should be stored in this folder as:
111 Expected certs for the SP should be stored in this folder as:
112
112 * sp.key Private Key
113 * sp.key Private Key
113 * sp.crt Public cert
114 * sp.crt Public cert
114 * sp_new.crt Future Public cert
115 * sp_new.crt Future Public cert
115
116
116 Also you can use other cert to sign the metadata of the SP using the:
117 Also you can use other cert to sign the metadata of the SP using the:
118
117 * metadata.key
119 * metadata.key
118 * metadata.crt
120 * metadata.crt
119
121
120 Expected NameID Format
122 Expected NameID Format
121 `nameid-format:emailAddress`:
123 `nameid-format:emailAddress`:
122
124
123 .. note::
125 .. note::
124 The format that specifies how the NameID is sent to the service provider.
126 The format that specifies how the NameID is sent to the service provider.
125
127
126 User ID Attribute
128 User ID Attribute
127 `PersonImmutableID`:
129 `PersonImmutableID`:
128
130
129 .. note::
131 .. note::
130 User ID Attribute name. This defines which attribute in SAML response will be used to link accounts via unique id.
132 User ID Attribute name. This defines which attribute in SAML response will be used to link accounts via unique id.
131 Ensure this is returned from DuoSecurity for example via duo_username.
133 Ensure this is returned from DuoSecurity for example via duo_username.
132
134
133 Username Attribute
135 Username Attribute
134 `User.username`:
136 `User.username`:
135
137
136 .. note::
138 .. note::
137 Username Attribute name. This defines which attribute in SAML response will map to a username.
139 Username Attribute name. This defines which attribute in SAML response will map to a username.
138
140
139 Email Attribute
141 Email Attribute
140 `User.email`:
142 `User.email`:
141
143
142 .. note::
144 .. note::
143 Email Attribute name. This defines which attribute in SAML response will map to an email address.
145 Email Attribute name. This defines which attribute in SAML response will map to an email address.
144
146
145
147
146
148
147 Below is example setup from DUO Administration page that can be used with above config.
149 Below is example setup from DUO Administration page that can be used with above config.
148
150
149 .. image:: ../images/saml-duosecurity-service-provider-example.png
151 .. image:: ../images/saml-duosecurity-service-provider-example.png
150 :alt: DUO Security SAML setup example
152 :alt: DUO Security SAML setup example
151 :scale: 50 %
153 :scale: 50 %
152
154
153
155
154 Below is an example attribute mapping set for IDP provider required by the above config.
156 Below is an example attribute mapping set for IDP provider required by the above config.
155
157
156
158
157 .. image:: ../images/saml-duosecurity-attributes-example.png
159 .. image:: ../images/saml-duosecurity-attributes-example.png
158 :alt: DUO Security SAML setup example
160 :alt: DUO Security SAML setup example
159 :scale: 50 % No newline at end of file
161 :scale: 50 %
Show file before | Show file after | Hide comments
@@ -1,159 +1,161 b''
1 .. _config-saml-onelogin-ref:
1 .. _config-saml-onelogin-ref:
2
2
3
3
4 SAML 2.0 with One Login
4 SAML 2.0 with One Login
5 -----------------------
5 -----------------------
6
6
7 **This plugin is available only in EE Edition.**
7 **This plugin is available only in EE Edition.**
8
8
9 |RCE| supports SAML 2.0 Authentication with OneLogin provider. This allows
9 |RCE| supports SAML 2.0 Authentication with OneLogin provider. This allows
10 users to log-in to RhodeCode via SSO mechanism of external identity provider
10 users to log-in to RhodeCode via SSO mechanism of external identity provider
11 such as OneLogin. The login can be triggered either by the external IDP, or internally
11 such as OneLogin. The login can be triggered either by the external IDP, or internally
12 by clicking specific authentication button on the log-in page.
12 by clicking specific authentication button on the log-in page.
13
13
14
14
15 Configuration steps
15 Configuration steps
16 ^^^^^^^^^^^^^^^^^^^
16 ^^^^^^^^^^^^^^^^^^^
17
17
18 To configure OneLogin SAML authentication, use the following steps:
18 To configure OneLogin SAML authentication, use the following steps:
19
19
20 1. From the |RCE| interface, select
20 1. From the |RCE| interface, select
21 :menuselection:`Admin --> Authentication`
21 :menuselection:`Admin --> Authentication`
22 2. Activate the `OneLogin` plugin and select :guilabel:`Save`
22 2. Activate the `OneLogin` plugin and select :guilabel:`Save`
23 3. Go to newly available menu option called `OneLogin` on the left side.
23 3. Go to newly available menu option called `OneLogin` on the left side.
24 4. Check the `enabled` check box in the plugin configuration section,
24 4. Check the `enabled` check box in the plugin configuration section,
25 and fill in the required SAML information and :guilabel:`Save`, for more details,
25 and fill in the required SAML information and :guilabel:`Save`, for more details,
26 see :ref:`config-saml-onelogin`
26 see :ref:`config-saml-onelogin`
27
27
28
28
29 .. _config-saml-onelogin:
29 .. _config-saml-onelogin:
30
30
31
31
32 Example SAML OneLogin configuration
32 Example SAML OneLogin configuration
33 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
33 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
34
34
35 Example configuration for SAML 2.0 with OneLogin provider
35 Example configuration for SAML 2.0 with OneLogin provider
36
36
37
37
38 Enabled
38 Enabled
39 `True`:
39 `True`:
40
40
41 .. note::
41 .. note::
42 Enable or disable this authentication plugin.
42 Enable or disable this authentication plugin.
43
43
44
44
45 Auth Cache TTL
45 Auth Cache TTL
46 `30`:
46 `30`:
47
47
48 .. note::
48 .. note::
49 Amount of seconds to cache the authentication and permissions check response call for this plugin.
49 Amount of seconds to cache the authentication and permissions check response call for this plugin.
50 Useful for expensive calls like LDAP to improve the performance of the system (0 means disabled).
50 Useful for expensive calls like LDAP to improve the performance of the system (0 means disabled).
51
51
52 Debug
52 Debug
53 `True`:
53 `True`:
54
54
55 .. note::
55 .. note::
56 Enable or disable debug mode that shows SAML errors in the RhodeCode logs.
56 Enable or disable debug mode that shows SAML errors in the RhodeCode logs.
57
57
58
58
59 Auth button name
59 Auth button name
60 `Azure Entra ID`:
60 `Azure Entra ID`:
61
61
62 .. note::
62 .. note::
63 Alternative authentication display name. E.g AzureAuth, CorporateID etc.
63 Alternative authentication display name. E.g AzureAuth, CorporateID etc.
64
64
65
65
66 Entity ID
66 Entity ID
67 `https://app.onelogin.com/saml/metadata/<onelogin_connector_id>`:
67 `https://app.onelogin.com/saml/metadata/<onelogin_connector_id>`:
68
68
69 .. note::
69 .. note::
70 Identity Provider entity/metadata URI.
70 Identity Provider entity/metadata URI.
71 E.g. https://app.onelogin.com/saml/metadata/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
71 E.g. https://app.onelogin.com/saml/metadata/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
72
72
73 SSO URL
73 SSO URL
74 `https://app.onelogin.com/trust/saml2/http-post/sso/<onelogin_connector_id>`:
74 `https://app.onelogin.com/trust/saml2/http-post/sso/<onelogin_connector_id>`:
75
75
76 .. note::
76 .. note::
77 SSO (SingleSignOn) endpoint URL of the IdP. This can be used to initialize login, Known also as Login URL
77 SSO (SingleSignOn) endpoint URL of the IdP. This can be used to initialize login, Known also as Login URL
78 E.g. https://app.onelogin.com/trust/saml2/http-post/sso/<onelogin_connector_id>
78 E.g. https://app.onelogin.com/trust/saml2/http-post/sso/<onelogin_connector_id>
79
79
80 SLO URL
80 SLO URL
81 `https://app.onelogin.com/trust/saml2/http-redirect/slo/<onelogin_connector_id>`:
81 `https://app.onelogin.com/trust/saml2/http-redirect/slo/<onelogin_connector_id>`:
82
82
83 .. note::
83 .. note::
84 SLO (SingleLogout) endpoint URL of the IdP. , Known also as Logout URL
84 SLO (SingleLogout) endpoint URL of the IdP. , Known also as Logout URL
85 E.g. https://app.onelogin.com/trust/saml2/http-redirect/slo/<onelogin_connector_id>
85 E.g. https://app.onelogin.com/trust/saml2/http-redirect/slo/<onelogin_connector_id>
86
86
87 x509cert
87 x509cert
88 `<CERTIFICATE_STRING>`:
88 `<CERTIFICATE_STRING>`:
89
89
90 .. note::
90 .. note::
91 Identity provider public x509 certificate. It will be converted to single-line format without headers.
91 Identity provider public x509 certificate. It will be converted to single-line format without headers.
92 Download the raw base64 encoded certificate from the Identity provider and paste it here.
92 Download the raw base64 encoded certificate from the Identity provider and paste it here.
93
93
94 SAML Signature
94 SAML Signature
95 `sha-256`:
95 `sha-256`:
96
96
97 .. note::
97 .. note::
98 Type of Algorithm to use for verification of SAML signature on Identity provider side.
98 Type of Algorithm to use for verification of SAML signature on Identity provider side.
99
99
100 SAML Digest
100 SAML Digest
101 `sha-256`:
101 `sha-256`:
102
102
103 .. note::
103 .. note::
104 Type of Algorithm to use for verification of SAML digest on Identity provider side.
104 Type of Algorithm to use for verification of SAML digest on Identity provider side.
105
105
106 Service Provider Cert Dir
106 Service Provider Cert Dir
107 `/etc/rhodecode/conf/saml_ssl/`:
107 `/etc/rhodecode/conf/saml_ssl/`:
108
108
109 .. note::
109 .. note::
110 Optional directory to store service provider certificate and private keys.
110 Optional directory to store service provider certificate and private keys.
111 Expected certs for the SP should be stored in this folder as:
111 Expected certs for the SP should be stored in this folder as:
112
112 * sp.key Private Key
113 * sp.key Private Key
113 * sp.crt Public cert
114 * sp.crt Public cert
114 * sp_new.crt Future Public cert
115 * sp_new.crt Future Public cert
115
116
116 Also you can use other cert to sign the metadata of the SP using the:
117 Also you can use other cert to sign the metadata of the SP using the:
118
117 * metadata.key
119 * metadata.key
118 * metadata.crt
120 * metadata.crt
119
121
120 Expected NameID Format
122 Expected NameID Format
121 `nameid-format:emailAddress`:
123 `nameid-format:emailAddress`:
122
124
123 .. note::
125 .. note::
124 The format that specifies how the NameID is sent to the service provider.
126 The format that specifies how the NameID is sent to the service provider.
125
127
126 User ID Attribute
128 User ID Attribute
127 `PersonImmutableID`:
129 `PersonImmutableID`:
128
130
129 .. note::
131 .. note::
130 User ID Attribute name. This defines which attribute in SAML response will be used to link accounts via unique id.
132 User ID Attribute name. This defines which attribute in SAML response will be used to link accounts via unique id.
131 Ensure this is returned from DuoSecurity for example via duo_username.
133 Ensure this is returned from DuoSecurity for example via duo_username.
132
134
133 Username Attribute
135 Username Attribute
134 `User.username`:
136 `User.username`:
135
137
136 .. note::
138 .. note::
137 Username Attribute name. This defines which attribute in SAML response will map to a username.
139 Username Attribute name. This defines which attribute in SAML response will map to a username.
138
140
139 Email Attribute
141 Email Attribute
140 `User.email`:
142 `User.email`:
141
143
142 .. note::
144 .. note::
143 Email Attribute name. This defines which attribute in SAML response will map to an email address.
145 Email Attribute name. This defines which attribute in SAML response will map to an email address.
144
146
145
147
146
148
147 Below is example setup that can be used with OneLogin SAML authentication that can be used with above config..
149 Below is example setup that can be used with OneLogin SAML authentication that can be used with above config..
148
150
149 .. image:: ../images/saml-onelogin-config-example.png
151 .. image:: ../images/saml-onelogin-config-example.png
150 :alt: OneLogin SAML setup example
152 :alt: OneLogin SAML setup example
151 :scale: 50 %
153 :scale: 50 %
152
154
153
155
154 Below is an example attribute mapping set for IDP provider required by the above config.
156 Below is an example attribute mapping set for IDP provider required by the above config.
155
157
156
158
157 .. image:: ../images/saml-onelogin-attributes-example.png
159 .. image:: ../images/saml-onelogin-attributes-example.png
158 :alt: OneLogin SAML setup example
160 :alt: OneLogin SAML setup example
159 :scale: 50 % No newline at end of file
161 :scale: 50 %
General Comments 0
You need to be logged in to leave comments. Login now