LL::NG can act as an SAML 2.0 Identity Provider, that can allow one to federate LL::NG with:
See SAML service configuration chapter.
Go in General Parameters
» Issuer modules
» SAML
and
configure:
On
.^/saml/
unless you have change SAML end points
suffix in SAML service configuration.1
to always allow.Tip
For example, to allow only users with a strong authentication level:
$authenticationLevel > 2
After configuring SAML Service, you can export metadata to your partner Service Provider.
They are available at the Metadata URL, by default: http://auth.example.com/saml/metadata.
You can also use http://auth.example.com/saml/metadata/idp to have only IDP related metadata.
In both cases, the entityID of the LemonLDAP::NG server is http://auth.example.com/saml/metadata
In the Manager, select node SAML service providers and click on
Add SAML SP
.
The SP name is asked, enter it and click OK.
Now you have access to the SP parameters list.
You must register SP metadata here. You can do it either by uploading the file, or get it from SP metadata URL (this require a network link between your server and the SP).
Tip
You can also edit the metadata directly in the textarea
For each attribute, you can set:
<Condtions>
).<AuthnStatement>
):<saml:AuthnStatement AuthnInstant="2014-07-21T11:47:08Z"
SessionIndex="loVvqZX+Vja2dtgt/N+AymTmckGyITyVt+UJ6vUFSFkE78S8zg+aomXX7oZ9qX1UxOEHf6Q4DUstewSJh1uK1Q=="
SessionNotOnOrAfter="2014-07-21T15:47:08Z">
<Condtions>
and <SubjectConfirmationData>
):<saml:SubjectConfirmationData NotOnOrAfter="2014-07-21T12:47:08Z"
Recipient="http://simplesamlphp.example.com/simplesamlphp/module.php/saml/sp/saml2-acs.php/default-sp"
InResponseTo="_3cfa896ab05730ac81f413e1e13cc42aa529eceea1"/>
<saml:Conditions NotBefore="2014-07-21T11:46:08Z"
NotOnOrAfter="2014-07-21T12:48:08Z">
Attention
There is a time tolerance of 60 seconds in
<Conditions>
These options override service signature options (see SAML service configuration).
On
to enable IDP
Initiated URL on this SP.Tip
The IDP Initiated URL is the SSO SAML URL with GET parameters:
For example: http://auth.example.com/saml/singleSignOn?IDPInitiated=1&spConfKey=simplesamlphp
You can define here macros that will be only evaluated for this service, and not registered in the session of the user.
Using both Issuer::SAML and Auth::SAML on the same LLNG may have some side-effects on single-logout.