##// END OF EJS Templates
auth: updated saml docs, and re-order info on plugin details for easier setup
auth: updated saml docs, and re-order info on plugin details for easier setup

File last commit:

r5505:3fc95e3b default
r5505:3fc95e3b default
Show More
auth-saml-onelogin.rst
158 lines | 4.5 KiB | text/x-rst | RstLexer
/ docs / auth / auth-saml-onelogin.rst

SAML 2.0 with One Login

This plugin is available only in EE Edition.

|RCE| supports SAML 2.0 Authentication with OneLogin provider. This allows users to log-in to RhodeCode via SSO mechanism of external identity provider such as OneLogin. The login can be triggered either by the external IDP, or internally by clicking specific authentication button on the log-in page.

Configuration steps

To configure OneLogin SAML authentication, use the following steps:

  1. From the |RCE| interface, select :menuselection:`Admin --> Authentication`
  2. Activate the OneLogin plugin and select :guilabel:`Save`
  3. Go to newly available menu option called OneLogin on the left side.
  4. Check the enabled check box in the plugin configuration section, and fill in the required SAML information and :guilabel:`Save`, for more details, see :ref:`config-saml-onelogin`

Example SAML OneLogin configuration

Example configuration for SAML 2.0 with OneLogin provider

Enabled

True:

Note

Enable or disable this authentication plugin.

Auth Cache TTL

30:

Note

Amount of seconds to cache the authentication and permissions check response call for this plugin. Useful for expensive calls like LDAP to improve the performance of the system (0 means disabled).

Debug

True:

Note

Enable or disable debug mode that shows SAML errors in the RhodeCode logs.

Auth button name

Azure Entra ID:

Note

Alternative authentication display name. E.g AzureAuth, CorporateID etc.

Entity ID

https://app.onelogin.com/saml/metadata/<onelogin_connector_id>:

Note

Identity Provider entity/metadata URI. E.g. https://app.onelogin.com/saml/metadata/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

SSO URL

https://app.onelogin.com/trust/saml2/http-post/sso/<onelogin_connector_id>:

Note

SSO (SingleSignOn) endpoint URL of the IdP. This can be used to initialize login, Known also as Login URL E.g. https://app.onelogin.com/trust/saml2/http-post/sso/<onelogin_connector_id>

SLO URL

https://app.onelogin.com/trust/saml2/http-redirect/slo/<onelogin_connector_id>:

Note

SLO (SingleLogout) endpoint URL of the IdP. , Known also as Logout URL E.g. https://app.onelogin.com/trust/saml2/http-redirect/slo/<onelogin_connector_id>

x509cert

<CERTIFICATE_STRING>:

Note

Identity provider public x509 certificate. It will be converted to single-line format without headers. Download the raw base64 encoded certificate from the Identity provider and paste it here.

SAML Signature

sha-256:

Note

Type of Algorithm to use for verification of SAML signature on Identity provider side.

SAML Digest

sha-256:

Note

Type of Algorithm to use for verification of SAML digest on Identity provider side.

Service Provider Cert Dir

/etc/rhodecode/conf/saml_ssl/:

Note

Optional directory to store service provider certificate and private keys. Expected certs for the SP should be stored in this folder as:

  • sp.key Private Key
  • sp.crt Public cert
  • sp_new.crt Future Public cert
Also you can use other cert to sign the metadata of the SP using the:
  • metadata.key
  • metadata.crt
Expected NameID Format

nameid-format:emailAddress:

Note

The format that specifies how the NameID is sent to the service provider.

User ID Attribute

PersonImmutableID:

Note

User ID Attribute name. This defines which attribute in SAML response will be used to link accounts via unique id. Ensure this is returned from DuoSecurity for example via duo_username.

Username Attribute

User.username:

Note

Username Attribute name. This defines which attribute in SAML response will map to a username.

Email Attribute

User.email:

Note

Email Attribute name. This defines which attribute in SAML response will map to an email address.

Below is example setup that can be used with OneLogin SAML authentication that can be used with above config..

OneLogin SAML setup example

Below is an example attribute mapping set for IDP provider required by the above config.

OneLogin SAML setup example