##// END OF EJS Templates
rhodecode-enterprise-ce
RSS
fix(docs): fixed rst error
super-admin -
r5506:b08d803a default
parent child Browse files
Show More
Show file before | Show file after | Hide comments
@@ -1,159 +1,161 b''
1 1 .. _config-saml-azure-ref:
2 2
3 3
4 4 SAML 2.0 with Azure Entra ID
5 5 ----------------------------
6 6
7 7 **This plugin is available only in EE Edition.**
8 8
9 9 |RCE| supports SAML 2.0 Authentication with Azure Entra ID provider. This allows
10 10 users to log-in to RhodeCode via SSO mechanism of external identity provider
11 11 such as Azure AD. The login can be triggered either by the external IDP, or internally
12 12 by clicking specific authentication button on the log-in page.
13 13
14 14
15 15 Configuration steps
16 16 ^^^^^^^^^^^^^^^^^^^
17 17
18 18 To configure Duo Security SAML authentication, use the following steps:
19 19
20 20 1. From the |RCE| interface, select
21 21 :menuselection:`Admin --> Authentication`
22 22 2. Activate the `Azure Entra ID` plugin and select :guilabel:`Save`
23 23 3. Go to newly available menu option called `Azure Entra ID` on the left side.
24 24 4. Check the `enabled` check box in the plugin configuration section,
25 25 and fill in the required SAML information and :guilabel:`Save`, for more details,
26 26 see :ref:`config-saml-azure`
27 27
28 28
29 29 .. _config-saml-azure:
30 30
31 31
32 32 Example SAML Azure Entra ID configuration
33 33 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
34 34
35 35 Example configuration for SAML 2.0 with Azure Entra ID provider
36 36
37 37
38 38 Enabled
39 39 `True`:
40 40
41 41 .. note::
42 42 Enable or disable this authentication plugin.
43 43
44 44
45 45 Auth Cache TTL
46 46 `30`:
47 47
48 48 .. note::
49 49 Amount of seconds to cache the authentication and permissions check response call for this plugin.
50 50 Useful for expensive calls like LDAP to improve the performance of the system (0 means disabled).
51 51
52 52 Debug
53 53 `True`:
54 54
55 55 .. note::
56 56 Enable or disable debug mode that shows SAML errors in the RhodeCode logs.
57 57
58 58
59 59 Auth button name
60 60 `Azure Entra ID`:
61 61
62 62 .. note::
63 63 Alternative authentication display name. E.g AzureAuth, CorporateID etc.
64 64
65 65
66 66 Entity ID
67 67 `https://sts.windows.net/APP_ID/`:
68 68
69 69 .. note::
70 70 Identity Provider entity/metadata URI. Known as "Microsoft Entra Identifier"
71 71 E.g. https://sts.windows.net/abcd-c655-dcee-aab7-abcd/
72 72
73 73 SSO URL
74 74 `https://login.microsoftonline.com/APP_ID/saml2`:
75 75
76 76 .. note::
77 77 SSO (SingleSignOn) endpoint URL of the IdP. This can be used to initialize login, Known also as Login URL
78 78 E.g. https://login.microsoftonline.com/abcd-c655-dcee-aab7-abcd/saml2
79 79
80 80 SLO URL
81 81 `https://login.microsoftonline.com/APP_ID/saml2`:
82 82
83 83 .. note::
84 84 SLO (SingleLogout) endpoint URL of the IdP. , Known also as Logout URL
85 85 E.g. https://login.microsoftonline.com/abcd-c655-dcee-aab7-abcd/saml2
86 86
87 87 x509cert
88 88 `<CERTIFICATE_STRING>`:
89 89
90 90 .. note::
91 91 Identity provider public x509 certificate. It will be converted to single-line format without headers.
92 92 Download the raw base64 encoded certificate from the Identity provider and paste it here.
93 93
94 94 SAML Signature
95 95 `sha-256`:
96 96
97 97 .. note::
98 98 Type of Algorithm to use for verification of SAML signature on Identity provider side.
99 99
100 100 SAML Digest
101 101 `sha-256`:
102 102
103 103 .. note::
104 104 Type of Algorithm to use for verification of SAML digest on Identity provider side.
105 105
106 106 Service Provider Cert Dir
107 107 `/etc/rhodecode/conf/saml_ssl/`:
108 108
109 109 .. note::
110 110 Optional directory to store service provider certificate and private keys.
111 111 Expected certs for the SP should be stored in this folder as:
112 * sp.key Private Key
113 * sp.crt Public cert
114 * sp_new.crt Future Public cert
112
113 * sp.key Private Key
114 * sp.crt Public cert
115 * sp_new.crt Future Public cert
115 116
116 117 Also you can use other cert to sign the metadata of the SP using the:
117 * metadata.key
118 * metadata.crt
118
119 * metadata.key
120 * metadata.crt
119 121
120 122 Expected NameID Format
121 123 `nameid-format:emailAddress`:
122 124
123 125 .. note::
124 126 The format that specifies how the NameID is sent to the service provider.
125 127
126 128 User ID Attribute
127 129 `user.email`:
128 130
129 131 .. note::
130 132 User ID Attribute name. This defines which attribute in SAML response will be used to link accounts via unique id.
131 133 Ensure this is returned from DuoSecurity for example via duo_username.
132 134
133 135 Username Attribute
134 136 `user.username`:
135 137
136 138 .. note::
137 139 Username Attribute name. This defines which attribute in SAML response will map to a username.
138 140
139 141 Email Attribute
140 142 `user.email`:
141 143
142 144 .. note::
143 145 Email Attribute name. This defines which attribute in SAML response will map to an email address.
144 146
145 147
146 148
147 149 Below is example setup from Azure Administration page that can be used with above config.
148 150
149 151 .. image:: ../images/saml-azure-service-provider-example.png
150 152 :alt: Azure SAML setup example
151 153 :scale: 50 %
152 154
153 155
154 156 Below is an example attribute mapping set for IDP provider required by the above config.
155 157
156 158
157 159 .. image:: ../images/saml-azure-attributes-example.png
158 160 :alt: Azure SAML setup example
159 161 :scale: 50 % No newline at end of file
Show file before | Show file after | Hide comments
@@ -1,159 +1,161 b''
1 1 .. _config-saml-duosecurity-ref:
2 2
3 3
4 4 SAML 2.0 with Duo Security
5 5 --------------------------
6 6
7 7 **This plugin is available only in EE Edition.**
8 8
9 9 |RCE| supports SAML 2.0 Authentication with Duo Security provider. This allows
10 10 users to log-in to RhodeCode via SSO mechanism of external identity provider
11 11 such as Duo. The login can be triggered either by the external IDP, or internally
12 12 by clicking specific authentication button on the log-in page.
13 13
14 14
15 15 Configuration steps
16 16 ^^^^^^^^^^^^^^^^^^^
17 17
18 18 To configure Duo Security SAML authentication, use the following steps:
19 19
20 20 1. From the |RCE| interface, select
21 21 :menuselection:`Admin --> Authentication`
22 22 2. Activate the `Duo Security` plugin and select :guilabel:`Save`
23 23 3. Go to newly available menu option called `Duo Security` on the left side.
24 24 4. Check the `enabled` check box in the plugin configuration section,
25 25 and fill in the required SAML information and :guilabel:`Save`, for more details,
26 26 see :ref:`config-saml-duosecurity`
27 27
28 28
29 29 .. _config-saml-duosecurity:
30 30
31 31
32 32 Example SAML Duo Security configuration
33 33 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
34 34
35 35 Example configuration for SAML 2.0 with Duo Security provider
36 36
37 37
38 38 Enabled
39 39 `True`:
40 40
41 41 .. note::
42 42 Enable or disable this authentication plugin.
43 43
44 44
45 45 Auth Cache TTL
46 46 `30`:
47 47
48 48 .. note::
49 49 Amount of seconds to cache the authentication and permissions check response call for this plugin.
50 50 Useful for expensive calls like LDAP to improve the performance of the system (0 means disabled).
51 51
52 52 Debug
53 53 `True`:
54 54
55 55 .. note::
56 56 Enable or disable debug mode that shows SAML errors in the RhodeCode logs.
57 57
58 58
59 59 Auth button name
60 60 `Azure Entra ID`:
61 61
62 62 .. note::
63 63 Alternative authentication display name. E.g AzureAuth, CorporateID etc.
64 64
65 65
66 66 Entity ID
67 67 `https://my-duo-gateway.com/dag/saml2/idp/metadata.php`:
68 68
69 69 .. note::
70 70 Identity Provider entity/metadata URI.
71 71 E.g. https://duo-gateway.com/dag/saml2/idp/metadata.php
72 72
73 73 SSO URL
74 74 `https://duo-gateway.com/dag/saml2/idp/SSOService.php?spentityid=<metadata_entity_id>`:
75 75
76 76 .. note::
77 77 SSO (SingleSignOn) endpoint URL of the IdP. This can be used to initialize login, Known also as Login URL
78 78 E.g. http://rc-app.com/dag/saml2/idp/SSOService.php?spentityid=https://docker-dev/_admin/auth/duosecurity/saml-metadata
79 79
80 80 SLO URL
81 81 `https://duo-gateway.com/dag/saml2/idp/SingleLogoutService.php?ReturnTo=<return_url>`:
82 82
83 83 .. note::
84 84 SLO (SingleLogout) endpoint URL of the IdP. , Known also as Logout URL
85 85 E.g. http://rc-app.com/dag/saml2/idp/SingleLogoutService.php?ReturnTo=https://docker-dev/_admin/auth/duosecurity/saml-sign-out-endpoint
86 86
87 87 x509cert
88 88 `<CERTIFICATE_STRING>`:
89 89
90 90 .. note::
91 91 Identity provider public x509 certificate. It will be converted to single-line format without headers.
92 92 Download the raw base64 encoded certificate from the Identity provider and paste it here.
93 93
94 94 SAML Signature
95 95 `sha-256`:
96 96
97 97 .. note::
98 98 Type of Algorithm to use for verification of SAML signature on Identity provider side.
99 99
100 100 SAML Digest
101 101 `sha-256`:
102 102
103 103 .. note::
104 104 Type of Algorithm to use for verification of SAML digest on Identity provider side.
105 105
106 106 Service Provider Cert Dir
107 107 `/etc/rhodecode/conf/saml_ssl/`:
108 108
109 109 .. note::
110 110 Optional directory to store service provider certificate and private keys.
111 111 Expected certs for the SP should be stored in this folder as:
112 * sp.key Private Key
113 * sp.crt Public cert
114 * sp_new.crt Future Public cert
112
113 * sp.key Private Key
114 * sp.crt Public cert
115 * sp_new.crt Future Public cert
115 116
116 117 Also you can use other cert to sign the metadata of the SP using the:
117 * metadata.key
118 * metadata.crt
118
119 * metadata.key
120 * metadata.crt
119 121
120 122 Expected NameID Format
121 123 `nameid-format:emailAddress`:
122 124
123 125 .. note::
124 126 The format that specifies how the NameID is sent to the service provider.
125 127
126 128 User ID Attribute
127 129 `PersonImmutableID`:
128 130
129 131 .. note::
130 132 User ID Attribute name. This defines which attribute in SAML response will be used to link accounts via unique id.
131 133 Ensure this is returned from DuoSecurity for example via duo_username.
132 134
133 135 Username Attribute
134 136 `User.username`:
135 137
136 138 .. note::
137 139 Username Attribute name. This defines which attribute in SAML response will map to a username.
138 140
139 141 Email Attribute
140 142 `User.email`:
141 143
142 144 .. note::
143 145 Email Attribute name. This defines which attribute in SAML response will map to an email address.
144 146
145 147
146 148
147 149 Below is example setup from DUO Administration page that can be used with above config.
148 150
149 151 .. image:: ../images/saml-duosecurity-service-provider-example.png
150 152 :alt: DUO Security SAML setup example
151 153 :scale: 50 %
152 154
153 155
154 156 Below is an example attribute mapping set for IDP provider required by the above config.
155 157
156 158
157 159 .. image:: ../images/saml-duosecurity-attributes-example.png
158 160 :alt: DUO Security SAML setup example
159 161 :scale: 50 % No newline at end of file
Show file before | Show file after | Hide comments
@@ -1,159 +1,161 b''
1 1 .. _config-saml-onelogin-ref:
2 2
3 3
4 4 SAML 2.0 with One Login
5 5 -----------------------
6 6
7 7 **This plugin is available only in EE Edition.**
8 8
9 9 |RCE| supports SAML 2.0 Authentication with OneLogin provider. This allows
10 10 users to log-in to RhodeCode via SSO mechanism of external identity provider
11 11 such as OneLogin. The login can be triggered either by the external IDP, or internally
12 12 by clicking specific authentication button on the log-in page.
13 13
14 14
15 15 Configuration steps
16 16 ^^^^^^^^^^^^^^^^^^^
17 17
18 18 To configure OneLogin SAML authentication, use the following steps:
19 19
20 20 1. From the |RCE| interface, select
21 21 :menuselection:`Admin --> Authentication`
22 22 2. Activate the `OneLogin` plugin and select :guilabel:`Save`
23 23 3. Go to newly available menu option called `OneLogin` on the left side.
24 24 4. Check the `enabled` check box in the plugin configuration section,
25 25 and fill in the required SAML information and :guilabel:`Save`, for more details,
26 26 see :ref:`config-saml-onelogin`
27 27
28 28
29 29 .. _config-saml-onelogin:
30 30
31 31
32 32 Example SAML OneLogin configuration
33 33 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
34 34
35 35 Example configuration for SAML 2.0 with OneLogin provider
36 36
37 37
38 38 Enabled
39 39 `True`:
40 40
41 41 .. note::
42 42 Enable or disable this authentication plugin.
43 43
44 44
45 45 Auth Cache TTL
46 46 `30`:
47 47
48 48 .. note::
49 49 Amount of seconds to cache the authentication and permissions check response call for this plugin.
50 50 Useful for expensive calls like LDAP to improve the performance of the system (0 means disabled).
51 51
52 52 Debug
53 53 `True`:
54 54
55 55 .. note::
56 56 Enable or disable debug mode that shows SAML errors in the RhodeCode logs.
57 57
58 58
59 59 Auth button name
60 60 `Azure Entra ID`:
61 61
62 62 .. note::
63 63 Alternative authentication display name. E.g AzureAuth, CorporateID etc.
64 64
65 65
66 66 Entity ID
67 67 `https://app.onelogin.com/saml/metadata/<onelogin_connector_id>`:
68 68
69 69 .. note::
70 70 Identity Provider entity/metadata URI.
71 71 E.g. https://app.onelogin.com/saml/metadata/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
72 72
73 73 SSO URL
74 74 `https://app.onelogin.com/trust/saml2/http-post/sso/<onelogin_connector_id>`:
75 75
76 76 .. note::
77 77 SSO (SingleSignOn) endpoint URL of the IdP. This can be used to initialize login, Known also as Login URL
78 78 E.g. https://app.onelogin.com/trust/saml2/http-post/sso/<onelogin_connector_id>
79 79
80 80 SLO URL
81 81 `https://app.onelogin.com/trust/saml2/http-redirect/slo/<onelogin_connector_id>`:
82 82
83 83 .. note::
84 84 SLO (SingleLogout) endpoint URL of the IdP. , Known also as Logout URL
85 85 E.g. https://app.onelogin.com/trust/saml2/http-redirect/slo/<onelogin_connector_id>
86 86
87 87 x509cert
88 88 `<CERTIFICATE_STRING>`:
89 89
90 90 .. note::
91 91 Identity provider public x509 certificate. It will be converted to single-line format without headers.
92 92 Download the raw base64 encoded certificate from the Identity provider and paste it here.
93 93
94 94 SAML Signature
95 95 `sha-256`:
96 96
97 97 .. note::
98 98 Type of Algorithm to use for verification of SAML signature on Identity provider side.
99 99
100 100 SAML Digest
101 101 `sha-256`:
102 102
103 103 .. note::
104 104 Type of Algorithm to use for verification of SAML digest on Identity provider side.
105 105
106 106 Service Provider Cert Dir
107 107 `/etc/rhodecode/conf/saml_ssl/`:
108 108
109 109 .. note::
110 110 Optional directory to store service provider certificate and private keys.
111 111 Expected certs for the SP should be stored in this folder as:
112 * sp.key Private Key
113 * sp.crt Public cert
114 * sp_new.crt Future Public cert
112
113 * sp.key Private Key
114 * sp.crt Public cert
115 * sp_new.crt Future Public cert
115 116
116 117 Also you can use other cert to sign the metadata of the SP using the:
117 * metadata.key
118 * metadata.crt
118
119 * metadata.key
120 * metadata.crt
119 121
120 122 Expected NameID Format
121 123 `nameid-format:emailAddress`:
122 124
123 125 .. note::
124 126 The format that specifies how the NameID is sent to the service provider.
125 127
126 128 User ID Attribute
127 129 `PersonImmutableID`:
128 130
129 131 .. note::
130 132 User ID Attribute name. This defines which attribute in SAML response will be used to link accounts via unique id.
131 133 Ensure this is returned from DuoSecurity for example via duo_username.
132 134
133 135 Username Attribute
134 136 `User.username`:
135 137
136 138 .. note::
137 139 Username Attribute name. This defines which attribute in SAML response will map to a username.
138 140
139 141 Email Attribute
140 142 `User.email`:
141 143
142 144 .. note::
143 145 Email Attribute name. This defines which attribute in SAML response will map to an email address.
144 146
145 147
146 148
147 149 Below is example setup that can be used with OneLogin SAML authentication that can be used with above config..
148 150
149 151 .. image:: ../images/saml-onelogin-config-example.png
150 152 :alt: OneLogin SAML setup example
151 153 :scale: 50 %
152 154
153 155
154 156 Below is an example attribute mapping set for IDP provider required by the above config.
155 157
156 158
157 159 .. image:: ../images/saml-onelogin-attributes-example.png
158 160 :alt: OneLogin SAML setup example
159 161 :scale: 50 % No newline at end of file
General Comments 0
You need to be logged in to leave comments. Login now