<h2 class="sectionedit2" id="how_to_integrate">How to integrate</h2>
<div class="level2">
<p>
Applications listed below are known to be easy to integrate in <abbr title="LemonLDAP::NG">LL::NG</abbr>. As <abbr title="LemonLDAP::NG">LL::NG</abbr> works like a classic WebSSO (like Siteminder™), <strong>many other applications are easy to integrate</strong>.
To integrate a Web application in <abbr title="LemonLDAP::NG">LL::NG</abbr>, you have the following possibilities:
</p>
<ul>
<li class="level1"><div class="li"> Protect the application with the Handler, and push the user identity through HTTP headers. This is how the main Access Manager products, like CA SiteMinder, work. This is also how Apache authentication modules work, so if your application is compatible with Apache authentication (often called “external authentication”), then you can use the Handler.</div>
</li>
<li class="level1"><div class="li"> Specific Handler: some applications can require a specific Handler, to manage a preauthentication process for example.</div>
</li>
<li class="level1"><div class="li"> <abbr title="Central Authentication Service">CAS</abbr>: if your application is a <abbr title="Central Authentication Service">CAS</abbr> client, you can configure <abbr title="LemonLDAP::NG">LL::NG</abbr> as a <a href="idpcas.html" class="wikilink1" title="documentation:2.0:idpcas">CAS server</a>.</div>
</li>
<li class="level1"><div class="li"> <abbr title="Security Assertion Markup Language">SAML</abbr>: if your application is a <abbr title="Security Assertion Markup Language">SAML</abbr> Service Provider, you can configure <abbr title="LemonLDAP::NG">LL::NG</abbr> as a <a href="idpsaml.html" class="wikilink1" title="documentation:2.0:idpsaml">SAML Identity Provider</a>.</div>
</li>
<li class="level1"><div class="li"> OpenID Connect: if your application is an OpenID Connect Relying Party, you can configure <abbr title="LemonLDAP::NG">LL::NG</abbr> as an <a href="idpopenidconnect.html" class="wikilink1" title="documentation:2.0:idpopenidconnect">OpenID Connect Provider</a>.</div>
</li>
</ul>
<p>
If none of the above methods is available, you can try:
</p>
<ul>
<li class="level1"><div class="li"> <a href="formreplay.html" class="wikilink1" title="documentation:2.0:formreplay">Form replay</a>: replay form based authentication</div>
</li>
</ul>
<div class="noteclassic">This requires configuring <abbr title="LemonLDAP::NG">LL::NG</abbr> as a <a href="idpsaml.html" class="wikilink1" title="documentation:2.0:idpsaml">SAML Identity Provider</a>.
</div>
<p>
Since the 4.0 release, Alfresco offers an easy way to configure <abbr title="Single Sign On">SSO</abbr> thanks to authentication subsystems.
</p>
<div class="noteimportant">If you use an older version, refer to the following documentation: <a href="https://wiki.alfresco.com/wiki/SSO" class="urlextern" title="https://wiki.alfresco.com/wiki/SSO" rel="nofollow">https://wiki.alfresco.com/wiki/SSO</a>
</div>
<p>
Authentication against <abbr title="LemonLDAP::NG">LL::NG</abbr> can be done through:
</p>
<div class="notetip">The official documentation can be found here: <a href="http://docs.alfresco.com/4.0/tasks/auth-alfrescoexternal-sso.html" class="urlextern" title="http://docs.alfresco.com/4.0/tasks/auth-alfrescoexternal-sso.html" rel="nofollow">http://docs.alfresco.com/4.0/tasks/auth-alfrescoexternal-sso.html</a>
</div>
</ul>
<p>
The first will allow you to configure <abbr title="Single Sign On">SSO</abbr> for the alfresco webapp, and the other for the share webapp.
</p>
<p>
You need to restart Tomcat to apply changes.
</p>
<div class="notewarning">Now you can log in with a simple HTTP header. You need to restrict access to Alfresco to <abbr title="LemonLDAP::NG">LL::NG</abbr>: anyone able to reach Alfresco without going through the Handler could otherwise set that header themselves.
</div>
</div>
<!-- EDIT4 SECTION "Alfresco" [423-3123] -->
<h3 class="sectionedit5" id="llng">LL::NG</h3>
<div class="level3">
</div>
<h4 id="headers">Headers</h4>
<div class="level4">
<p>
Just set the <code>Auth-User</code> header with the attribute that carries the user login, for example <code>$uid</code>.
</p>
</div>
<h4 id="rules">Rules</h4>
<div class="level4">
<p>
Set the default rule to what you need.
</p>
<p>
Other rules:
</p>
<ul>
<li class="level1"><div class="li"> Unprotect access to some resources: <code>^/share/res ⇒ unprotect</code></div>
</li>
<li class="level1"><div class="li"> Intercept the logout: <code>^/share/page/dologout ⇒ logout_app_sso</code></div>
</li>
</ul>
<pre class="code file xml">&lt;param name="message"&gt;It is not allowed to access this url from your browser&lt;/param&gt;
&lt;!--
 Verify that all remaining state changing requests from logged in users' requests contains a token in the
 header and correct referer &amp; origin headers if available. We "catch" all content types since just setting it to
 "application/json.*" since a webscript that doesn't require a json request body otherwise would be
 successfully executed using i.e. "text/plain".
--&gt;</pre>
<p>
Configure the <abbr title="Security Assertion Markup Language">SAML</abbr> service provider using the Alfresco admin console (/alfresco/s/enterprise/admin/admin-saml).
</p>
<ul>
<li class="level1"><div class="li"> User ID mapping: Subject/NameID</div>
</li>
</ul>
<p>
To finish with the Alfresco configuration, tick the “Enable <abbr title="Security Assertion Markup Language">SAML</abbr> authentication (<abbr title="Single Sign On">SSO</abbr>)” box.
</p>
</div>
<!-- EDIT7 SECTION "Alfresco" [3514-14172] -->
<h3 class="sectionedit8" id="llng1">LL::NG</h3>
<div class="level3">
<p>
Configure the <abbr title="Security Assertion Markup Language">SAML</abbr> service and set a certificate as signature public key in the metadata.
</p>
<p>
Export the Alfresco <abbr title="Security Assertion Markup Language">SAML</abbr> metadata from the admin console and import it into <abbr title="LemonLDAP::NG">LL::NG</abbr>.
</p>
<ul>
<li class="level1"><div class="li"> <a href="https://www.youtube.com/watch?v=5tS0XrC_-rw" class="urlextern" title="https://www.youtube.com/watch?v=5tS0XrC_-rw" rel="nofollow">DevCon 2012: Unlocking the Secrets of Alfresco Authentication, Mehdi Belmekki</a></div>
</li>
<li class="level1"><div class="li"> <a href="https://community.alfresco.com/blogs/alfresco-premier-services/2017/08/03/setting-up-alfresco-saml-authentication-lemonldapng" class="urlextern" title="https://community.alfresco.com/blogs/alfresco-premier-services/2017/08/03/setting-up-alfresco-saml-authentication-lemonldapng" rel="nofollow">Setting up Alfresco SAML authentication with LemonLDAP::NG</a></div>
</li>
</ul>
</div>
<h1 class="sectionedit1" id="amazon_web_services">Amazon Web Services</h1>
<div class="level1">
<p>
<a href="https://aws.amazon.com" class="urlextern" title="https://aws.amazon.com" rel="nofollow">Amazon Web Services</a> allows delegating authentication through SAML2.
</p>
</div>
<!-- EDIT1 SECTION "Amazon Web Services" [1-132] -->
<h2 class="sectionedit2" id="saml">SAML</h2>
<div class="level2">
<ul>
<li class="level1"><div class="li"> Make sure you have followed the steps <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-saml.html" class="urlextern" title="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-saml.html" rel="nofollow">here</a>.</div>
</li>
<li class="level1"><div class="li"> Go to <a href="https://your.portal.com/saml/metadata" class="urlextern" title="https://your.portal.com/saml/metadata" rel="nofollow">https://your.portal.com/saml/metadata</a> and save the resulting file locally.</div>
</li>
<li class="level1"><div class="li"> In each AWS account, go to IAM → Identity providers → Create Provider.</div>
</li>
<li class="level1"><div class="li"> Select <code><abbr title="Security Assertion Markup Language">SAML</abbr></code> as the provider type.</div>
</li>
<li class="level1"><div class="li"> Choose a name (best if kept consistent between accounts), and then choose the metadata file you saved above.</div>
</li>
<li class="level1"><div class="li"> Looking again at the links on the left side of the page, go to Roles → Create role.</div>
</li>
<li class="level1"><div class="li"> Select the provider you just configured, click <code>Allow programmatic and AWS Management Console access</code>, which will fill in the rest of the form for you, then click next.</div>
</li>
<li class="level1"><div class="li"> Set whatever permissions you need and then click <code>Review</code>.</div>
</li>
<li class="level1"><div class="li"> Choose a name for the role. These will be shown to people when they log in, so make them descriptive. We have different accounts for different regions of the world, so I put the region into the role name so people know which account is which.</div>
</li>
</ul>
<div class="noteclassic">If you have only one role, the configuration is simple. If you have multiple
roles for different people, it is a little trickier. As you will see, the <abbr title="Security Assertion Markup Language">SAML</abbr>
attributes are not dynamic, so you have to set them in the session when a user
logs in or use a custom function. In this example, I wanted to avoid managing
custom functions on all the servers, so the <abbr title="Security Assertion Markup Language">SAML</abbr> attributes are set in
the session. We also use LDAP for user information, so I will describe that.
In our LDAP tree, each user has attributes which are used quite heavily for
dynamic groups and authorisation. You will want something
similar, using whatever attribute makes sense to you. For example:
<pre class="code file ldif">dn: uid=user,ou=people,dc=your,dc=com</pre>
</div>
<ul>
<li class="level1"><div class="li"> Assuming you use the web interface to manage lemonldap, go to General Parameters → Authentication parameters → LDAP parameters → Exported variables. Here set the key to the LDAP attribute and the value to something sensible. I keep them the same to make it easy.</div>
</li>
<li class="level1"><div class="li"> Now go to Variables → Macros. Here set up variables which will be computed based on the attributes you exported above. You will need to emit strings in this format: <code>arn:aws:iam::account-number:role/role-name1,arn:aws:iam::account-number:saml-provider/provider-name</code>. The parts you need to change are <code>account-number</code>, <code>role-name1</code> and <code>provider-name</code>. The last two will be the provider name and role names you just set up in AWS.</div>
</li>
<li class="level1"><div class="li"> Perl works in here, so something like this is valid: <code>aws_eu_role</code> → <code>$ou =~ /sysadmin/ ? "arn:aws…" : "arn:…"</code></div>
</li>
<li class="level1"><div class="li"> If it is easier, split multiple roles into different macros. Then tie all the variables you define together into one string, concatenating them with whatever is in General Parameters → Advanced Parameters → Separator. Actually click into this field and move around with the arrow keys to see if there is a space, since spaces can be part of the separator.</div>
</li>
<li class="level1"><div class="li"> Remember macros are defined alphanumerically, so you want one right at the end, like <code>z_aws_roles</code> → <code>join("; ", $role_name1, $role_name2, …)</code></div>
</li>
<li class="level1"><div class="li"> On the left again, click <code><abbr title="Security Assertion Markup Language">SAML</abbr> service providers</code>, then <code>Add <abbr title="Security Assertion Markup Language">SAML</abbr> SP</code>.</div>
</li>
<li class="level1"><div class="li"> Enter a name, click ok, then select it on the left. Select <code>Metadata</code>, then enter <a href="https://signin.aws.amazon.com/static/saml-metadata.xml" class="urlextern" title="https://signin.aws.amazon.com/static/saml-metadata.xml" rel="nofollow">https://signin.aws.amazon.com/static/saml-metadata.xml</a> in the <code><abbr title="Uniform Resource Locator">URL</abbr></code> field, then click load.</div>
</li>
<li class="level1"><div class="li"> Click <code>Exported attributes</code> on the left, then <code>Add attribute</code> twice to add two attributes. The first field is the name of a variable set in the user's session:</div>
<ul>
<li class="level2"><div class="li"><code>_whatToTrace</code> → <code><a href="https://aws.amazon.com/SAML/Attributes/RoleSessionName" class="urlextern" title="https://aws.amazon.com/SAML/Attributes/RoleSessionName" rel="nofollow">https://aws.amazon.com/SAML/Attributes/RoleSessionName</a></code> (leave the rest)</div>
</li>
<li class="level2"><div class="li"><code>z_aws_roles</code> (the macro name you defined above) → <code><a href="https://aws.amazon.com/SAML/Attributes/Role" class="urlextern" title="https://aws.amazon.com/SAML/Attributes/Role" rel="nofollow">https://aws.amazon.com/SAML/Attributes/Role</a></code> (leave the rest)</div>
</li>
</ul>
</li>
<li class="level1"><div class="li"> On the left, select Options → Security → Enable use of IDP initiated <abbr title="Uniform Resource Locator">URL</abbr> → On</div>
</li>
<li class="level1"><div class="li"> Select General Parameters → Portal → Menu → Categories and applications</div>
</li>
<li class="level1"><div class="li"> Select a category or create a new one if you need to. Then click <code>New application</code>.</div>
</li>
<li class="level1"><div class="li"> Enter a name etc. For the <abbr title="Uniform Resource Locator">URL</abbr>, use <code><a href="https://your.portal.com/saml/singleSignOn?IDPInitiated=1&sp=urn:amazon:webservices" class="urlextern" title="https://your.portal.com/saml/singleSignOn?IDPInitiated=1&sp=urn:amazon:webservices" rel="nofollow">https://your.portal.com/saml/singleSignOn?IDPInitiated=1&sp=urn:amazon:webservices</a></code></div>
</li>
<li class="level1"><div class="li"> Display application should be set to <code>Enabled</code></div>
</li>
<li class="level1"><div class="li"> Go to your portal, click on the link, and check that it works!</div>
</li>
</ul>
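<p>
As an added example (not part of the LemonLDAP::NG documentation or project code), here are the macros from the steps above written as a small stand-alone Perl script, so the role strings can be checked before the expressions are pasted into the Manager. The account numbers, the provider name, the role names and the use of the exported <code>ou</code> attribute are assumptions; in the Manager each macro field takes only the expression on the right-hand side of the corresponding <code>sub</code>, with <code>$ou</code> referring to the exported variable.
</p>

```perl
#!/usr/bin/perl
# Added example, not from the LemonLDAP::NG documentation: the AWS role macros
# described above, as plain Perl. Account numbers, provider and role names are
# placeholders (assumptions); replace them with the values AWS shows you after
# creating the identity provider and the roles.
use strict;
use warnings;

my $ACCOUNT_EU = '111111111111';   # placeholder account number
my $ACCOUNT_US = '222222222222';   # placeholder account number
my $PROVIDER   = 'LemonLDAP';      # name given to the SAML provider in IAM
my $SEPARATOR  = '; ';             # must match General Parameters -> Advanced Parameters -> Separator

# One "role ARN,provider ARN" pair: the exact format expected for the
# https://aws.amazon.com/SAML/Attributes/Role attribute.
sub role_pair {
    my ($account, $role) = @_;
    return "arn:aws:iam::${account}:role/${role},arn:aws:iam::${account}:saml-provider/${PROVIDER}";
}

# Macro "aws_eu_role": computed from the exported LDAP attribute $ou.
# Note the regex delimiters: the test is $ou =~ /sysadmin/, not $ou =~ sysadmin.
sub aws_eu_role {
    my ($ou) = @_;
    return $ou =~ /sysadmin/ ? role_pair($ACCOUNT_EU, 'eu-admin')
                             : role_pair($ACCOUNT_EU, 'eu-readonly');
}

# Macro "aws_us_role": only sysadmins get a role in the US account; everyone
# else gets an empty string, i.e. no role at all, rather than a fallback role.
sub aws_us_role {
    my ($ou) = @_;
    return $ou =~ /sysadmin/ ? role_pair($ACCOUNT_US, 'us-admin') : '';
}

# Macro "z_aws_roles": the "z_" prefix keeps it last, since macros are evaluated
# in alphanumeric order. Empty values are dropped so the attribute never
# contains a dangling separator.
sub z_aws_roles {
    my ($ou) = @_;
    return join($SEPARATOR, grep { length } (aws_eu_role($ou), aws_us_role($ou)));
}

# Constructed sample values of the exported "ou" attribute.
for my $ou ('sysadmin', 'sales') {
    print "ou=$ou\n  Role attribute: ", z_aws_roles($ou), "\n";
}
```

<p>
Because the macros are computed when the session is created, the AWS roles a user can assume follow the directory attributes at login time; a change in LDAP only takes effect at the user's next session.
</p>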
</p>
<div class="notetip">LemonLDAP::NG wiki uses Dokuwiki!
</div>
<p>
You need to install a Dokuwiki plugin, available on the <a href="https://www.dokuwiki.org/plugins" class="urlextern" title="https://www.dokuwiki.org/plugins" rel="nofollow">Dokuwiki plugins registry</a>: <a href="https://www.dokuwiki.org/plugin:authlemonldap" class="urlextern" title="https://www.dokuwiki.org/plugin:authlemonldap" rel="nofollow">https://www.dokuwiki.org/plugin:authlemonldap</a>. The plugin checks the <code>REMOTE_USER</code> environment variable to get the connected user.
Install the plugin using the <a href="https://www.dokuwiki.org/plugin:plugin" class="urlextern" title="https://www.dokuwiki.org/plugin:plugin" rel="nofollow">Plugin Manager</a>.
</p>
</div>
<!-- EDIT4 SECTION "Configuration" [978-1004] -->
<h3 class="sectionedit5" id="dokuwiki_local_configuration">Dokuwiki local configuration</h3>
<p>
Configure the Dokuwiki virtual host like any other <a href="../configvhost.html" class="wikilink1" title="documentation:2.0:configvhost">protected virtual host</a>.
</p>
<div class="noteimportant">If you are protecting Dokuwiki with <abbr title="LemonLDAP::NG">LL::NG</abbr> as reverse proxy, <a href="../header_remote_user_conversion.html" class="wikilink1" title="documentation:2.0:header_remote_user_conversion">convert the header into the REMOTE_USER environment variable</a>.
</div>
<ul>
<li class="level1"><div class="li"> For Apache:</div>
</li>
</ul>
<h3 class="sectionedit7" id="dokuwiki_virtual_host_in_manager">Dokuwiki virtual host in Manager</h3>
<div class="level3">
<p>
Configure the <a href="../writingrulesand_headers.html#rules" class="wikilink1" title="documentation:2.0:writingrulesand_headers">access rules</a>.
</p>
<p>
If using <abbr title="LemonLDAP::NG">LL::NG</abbr> as reverse proxy, configure the <code>Auth-User</code> <a href="../writingrulesand_headers.html#headers" class="wikilink1" title="documentation:2.0:writingrulesand_headers">header</a>; otherwise no headers are needed.
</p>
<div class="noteimportant">To allow execution of the encode_base64() method, you must deactivate the <a href="../safejail.html" class="wikilink1" title="documentation:2.0:safejail">Safe jail</a>.
</div>
</div>
<!-- EDIT7 SECTION "Dokuwiki virtual host in Manager" [2631-] --></div>
<p>
GRR has a <abbr title="Single Sign On">SSO</abbr> configuration page in its administration panel. You just need to choose whether the authenticated user will be a “user” or a “guest”.
</p>
<p>
Do not use the Lemonldap mode, which is for a very old Lemonldap version, but HTTP authentication.
</p>
<p>
Set the default profile of connected users and which headers contain surname, firstname and mail.
GRR will check the username in <code>REMOTE_USER</code>, so use <a href="../header_remote_user_conversion.html" class="wikilink1" title="documentation:2.0:header_remote_user_conversion">remote header conversion</a> if you are in proxy mode.
</p>
</div>
<!-- EDIT4 SECTION "Configuration" [176-660] -->
<h3 class="sectionedit5" id="grr_virtual_host_in_llng">GRR virtual host in LL::NG</h3>
<p>
<a href="http://www.limesurvey.org" class="urlextern" title="http://www.limesurvey.org" rel="nofollow">LimeSurvey</a> is a web survey software written in PHP. LimeSurvey has a webserver authentication mode that allows one to integrate it directly into LemonLDAP::NG.
To have a stronger integration, we will configure LimeSurvey to autocreate unknown users and use HTTP headers to fill name, mail and roles. For example, we will use 3 roles:
</p>
<ul>
<li class="level1"><div class="li"> User: can answer to surveys</div>
</li>
<li class="level1"><div class="li"> Admin: can create surveys</div>
</li>
<li class="level1"><div class="li"> Superadmin: no one can stop him!</div>
</li>
</ul>
<pre class="code file php">// debug: Set this to 1 if you are looking for errors. If you still get no errors after enabling this
// then please check your error-logs - either in your hosting provider admin panel or in some /logs directory
// on your webspace.
// LimeSurvey developers: Set this to 2 to additionally display STRICT PHP error messages and get full access to standard templates
'debugsql' => 0, // Set this to 1 to enable sql logging, only active when debug = 2</pre>
<p>
See also <a href="https://manual.limesurvey.org/Optional_settings#Authentication_delegation_with_automatic_user_import" class="urlextern" title="https://manual.limesurvey.org/Optional_settings#Authentication_delegation_with_automatic_user_import" rel="nofollow">https://manual.limesurvey.org/Optional_settings#Authentication_delegation_with_automatic_user_import</a>
</p>
<p>
Configure the LimeSurvey virtual host like any other <a href="../configvhost.html" class="wikilink1" title="documentation:2.0:configvhost">protected virtual host</a>.
</p>
<ul>
<li class="level1"><div class="li"> For Apache:</div>
</li>
</ul>
<h3 class="sectionedit6" id="limesurvey_virtual_host_in_manager">LimeSurvey virtual host in Manager</h3>
<div class="level3">
<div class="table sectionedit7"><table class="inline">
<tr class="row3 rowodd">
<td class="col0 centeralign"> Auth-Mail </td><td class="col1 centeralign"> user email </td>
</tr>
<tr class="row4 roweven">
<td class="col0 centeralign"> Auth-Admin </td><td class="col1 centeralign"> 1 if user is admin </td>
</tr>
<tr class="row5 rowodd">
<td class="col0 centeralign"> Auth-SuperAdmin </td><td class="col1 centeralign"> 1 if user is superadmin </td>
</tr>
</table></div>
<!-- EDIT7 TABLE [3369-3587] --><div class="notetip">You can manage roles with the <a href="../rbac.html" class="wikilink1" title="documentation:2.0:rbac">RBAC model</a> or by using groups.
</div>
</div>
<h4id="rules">Rules</h4>
<div class="table sectionedit8"><table class="inline">
<tr class="row2 roweven">
<td class="col0 centeralign"> Admin </td><td class="col1 centeralign"> ^/(index\.php/)?admin </td><td class="col2 centeralign"> Allow only admin and superadmin users </td>
</tr>
<tr class="row3 rowodd">
<td class="col0 centeralign"> Default </td><td class="col1 centeralign"> default </td><td class="col2 centeralign"> Allow only users with a LimeSurvey role </td>
</tr>
</table></div>
<!-- EDIT8 TABLE [3694-3979] --><div class="notetip">You can set the default access to:<ul>
<li class="level1"><div class="li"><strong>accept</strong>: all authenticated users will access surveys</div>
</li>
<li class="level1"><div class="li"><strong>unprotect</strong>: no authentication will be asked to access surveys</div>
</li>
</ul>
</div>
</div>
<!-- EDIT6 SECTION "LimeSurvey virtual host in Manager" [3197-] --></div>
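<p>
As an added example (not part of the LemonLDAP::NG documentation or project code), the LimeSurvey headers and access rules above re-implemented as a small stand-alone Perl script, so the rule regex and the role checks can be exercised against sample request paths before they are typed into the Manager. It assumes that the roles are carried in the session <code>groups</code> variable as <code>user</code>, <code>admin</code> or <code>superadmin</code>, that LimeSurvey is served at the root of the virtual host, and it uses constructed sample sessions.
</p>

```perl
#!/usr/bin/perl
# Added example, not from the LemonLDAP::NG documentation: the LimeSurvey
# headers and access rules as plain Perl. Assumption: the LimeSurvey roles are
# carried in the session "groups" variable ("; " separated, as LL::NG stores it).
use strict;
use warnings;

# Headers sent to LimeSurvey, computed from the session (names as in the table above).
sub limesurvey_headers {
    my ($session) = @_;
    my $groups = $session->{groups} // '';
    return {
        'Auth-User'       => $session->{uid},
        'Auth-Mail'       => $session->{mail},
        'Auth-Admin'      => ($groups =~ /\badmin\b/      ? 1 : 0),
        'Auth-SuperAdmin' => ($groups =~ /\bsuperadmin\b/ ? 1 : 0),
    };
}

# Ordered rules: the first regex matching the request path decides, and the
# default rule applies when none matches. Each condition is the Perl expression
# you would type in the Manager, evaluated with $groups from the session.
my @RULES = (
    # Admin interface: both /admin and /index.php/admin must be covered.
    [ qr{^/(index\.php/)?admin}, sub { $_[0] =~ /\b(admin|superadmin)\b/ } ],
);
# Default: only users holding a LimeSurvey role, not every authenticated user.
my $DEFAULT_RULE = sub { $_[0] =~ /\b(user|admin|superadmin)\b/ };

sub access_allowed {
    my ($session, $path) = @_;
    my $groups = $session->{groups} // '';
    for my $rule (@RULES) {
        my ($re, $cond) = @$rule;
        return $cond->($groups) ? 1 : 0 if $path =~ $re;
    }
    return $DEFAULT_RULE->($groups) ? 1 : 0;
}

# Constructed sample sessions.
my %alice = (uid => 'alice', mail => 'alice@example.com', groups => 'user; admin');
my %bob   = (uid => 'bob',   mail => 'bob@example.com',   groups => 'user');
my %eve   = (uid => 'eve',   mail => 'eve@example.com',   groups => '');  # authenticated, no LimeSurvey role

for my $path ('/admin/', '/index.php/admin/', '/index.php/survey/index/sid/123') {
    printf "%-35s alice=%d bob=%d eve=%d\n", $path,
        access_allowed(\%alice, $path), access_allowed(\%bob, $path), access_allowed(\%eve, $path);
}
my $h = limesurvey_headers(\%alice);
print "alice headers: Auth-Admin=$h->{'Auth-Admin'} Auth-SuperAdmin=$h->{'Auth-SuperAdmin'}\n";
```

<p>
The word boundaries in the conditions matter: <code>\badmin\b</code> does not match <code>superadmin</code>, so each header reflects exactly one role, and the admin rule lists both roles explicitly.
</p>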
<p>
<a href="https://en.wikipedia.org/wiki/Office_365" class="urlextern" title="https://en.wikipedia.org/wiki/Office_365" rel="nofollow">Office 365</a> provides online access to Microsoft products like Office, Outlook or Yammer. Authentication is done on <a href="https://login.microsoftonline.com/" class="urlextern" title="https://login.microsoftonline.com/" rel="nofollow">https://login.microsoftonline.com/</a> and can be forwarded to a <abbr title="Security Assertion Markup Language">SAML</abbr> Identity Provider.
</p>
<ul>
<li class="level1"><div class="li"> cert: The <abbr title="Security Assertion Markup Language">SAML</abbr> certificate containing the signature public key</div>
</li>
</ul>
<p>
If you have several Office365 domains, you can't use the same URLs for each domain. To be able to have a single <abbr title="Security Assertion Markup Language">SAML</abbr> IDP for several domains, you must add the 'domain' GET parameter at the end of the <abbr title="Single Sign On">SSO</abbr> endpoint and metadata URLs, for example:
</p>
<p>
Create a new <abbr title="Security Assertion Markup Language">SAML</abbr> Service Provider and import the Microsoft metadata from <a href="https://nexus.microsoftonline-p.com/federationmetadata/saml20/federationmetadata.xml" class="urlextern" title="https://nexus.microsoftonline-p.com/federationmetadata/saml20/federationmetadata.xml" rel="nofollow">https://nexus.microsoftonline-p.com/federationmetadata/saml20/federationmetadata.xml</a>
</p>
<p>
Set the NameID value to persistent, or any immutable value for the user.
</p>
<p>
Create a <abbr title="Security Assertion Markup Language">SAML</abbr> attribute named IDPEmail which contains the user principal name (UPN).
</p>
<p>
Read the following documentation: <a href="http://help.sap.com/saphelp_nw70/helpdata/en/d0/a3d940c2653126e10000000a1550b0/frameset.htm" class="urlextern" title="http://help.sap.com/saphelp_nw70/helpdata/en/d0/a3d940c2653126e10000000a1550b0/frameset.htm" rel="nofollow">http://help.sap.com/saphelp_nw70/helpdata/en/d0/a3d940c2653126e10000000a1550b0/frameset.htm</a>
</p>
</div>
<!-- EDIT2 SECTION "HTTP header" [57-208] -->
<h2 class="sectionedit3" id="saml">SAML</h2>
<div class="level2">
<p>
Read the following documentation: <a href="https://help.sap.com/saphelp_nw70/helpdata/en/94/695b3ebd564644e10000000a114084/content.htm" class="urlextern" title="https://help.sap.com/saphelp_nw70/helpdata/en/94/695b3ebd564644e10000000a114084/content.htm" rel="nofollow">https://help.sap.com/saphelp_nw70/helpdata/en/94/695b3ebd564644e10000000a114084/content.htm</a>
</p>
</div>
<p>
<a href="https://en.wikipedia.org/wiki/Kerberos_(protocol)" class="urlextern" title="https://en.wikipedia.org/wiki/Kerberos_(protocol)" rel="nofollow">Kerberos</a> is a network authentication protocol used to authenticate users based on their desktop session.
</p>
<p>
<abbr title="LemonLDAP::NG">LL::NG</abbr> uses the GSSAPI module to validate the Kerberos ticket against a local keytab.
</p>
<ul>
<li class="level1"><div class="li"><strong>keytab file</strong> (required): the Kerberos keytab file</div>
</li>
<li class="level1"><div class="li"><strong>Use Ajax request</strong>: set to “enabled” if you want to use an Ajax request instead of a direct Kerberos attempt. <strong>This is required if you want to chain Kerberos in a <a href="authcombination.html" class="wikilink1" title="documentation:2.0:authcombination">combination</a></strong></div>
</li>
<li class="level1"><div class="li"><strong>Kerberos authentication level</strong>: defaults to 3</div>
</li>
<li class="level1"><div class="li"><strong>Use Web Server Kerberos module</strong>: set to “enabled” to use the Web Server module (for example Apache mod_auth_kerb) instead of the Perl Kerberos code to validate the Kerberos ticket</div>
</li>
<li class="level1"><div class="li"><strong>Remove domain in username</strong>: set to “enabled” to strip the '@domain' suffix from the username value.</div>
</li>
</ul>
<h3 class="sectionedit6" id="web_server_kerberos_module">Web Server Kerberos module</h3>
<div class="level3">
<p>
If you want to let the Web Server Kerberos module validate the Kerberos ticket, set the corresponding option to “enabled” and configure the portal virtual host to launch the module if the “kerberos” GET parameter is in the request.
</p>
</div>
<p>
The Auto-Signin add-on provides a simple way to bypass authentication based on rules. For example, a TV can be automatically authenticated by its <abbr title="Internet Protocol">IP</abbr> address.
This add-on is automatically enabled if a rule is declared. A rule associates a username with a rule. The only variable usable here is <code>$env</code>. Example:
</p>
<ul>
<li class="level1"><div class="li"> Another <abbr title="LemonLDAP::NG">LL::NG</abbr> system configured with <a href="authsaml.html" class="wikilink1" title="documentation:2.0:authsaml">SAML authentication</a></div>
</li>
<li class="level1"><div class="li"> Any <abbr title="Security Assertion Markup Language">SAML</abbr> Service Provider</div>
</li>
</ul>
<div class="noteclassic">This requires configuring <abbr title="LemonLDAP::NG">LL::NG</abbr> as a <span class="curid"><a href="idpsaml.html" class="wikilink1" title="documentation:2.0:idpsaml">SAML Identity Provider</a></span>.
</div>
<div class="noteimportant">Packages from the <a href="http://packages.debian.org/search?keywords=lemonldap-ng" class="urlextern" title="http://packages.debian.org/search?keywords=lemonldap-ng" rel="nofollow">Debian repository</a> may not be up to date. In that case, prefer the other solutions (see below).
</div>
<p>
This documentation will explain how to use Active Directory as Kerberos server, and provide transparent authentication for one or multiple AD domains.
</p>
<p>
You can use Kerberos in <abbr title="LemonLDAP::NG">LL::NG</abbr> with the following authentication modules:
</p>
<ul>
<li class="level1"><div class="li"> <a href="authkerberos.html" class="wikilink1" title="documentation:2.0:authkerberos">Kerberos</a> (recommended): uses the Perl GSSAPI module, compatible with Apache and Nginx</div>
</li>
<li class="level1"><div class="li"> <a href="authapache.html" class="wikilink1" title="documentation:2.0:authapache">Apache</a>: uses mod_auth_kerb or mod_auth_gssapi in Apache</div>
</li>
</ul>
<p>
We will present several architectures:
</p>
<ul>
<li class="level1"><div class="li"> Single <abbr title="LemonLDAP::NG">LL::NG</abbr> server linked to one AD domain</div>
</li>
<li class="level1"><div class="li"> <abbr title="LemonLDAP::NG">LL::NG</abbr> cluster linked to one AD domain</div>
</li>
<li class="level1"><div class="li"> <abbr title="LemonLDAP::NG">LL::NG</abbr> cluster linked to two AD domains</div>
</li>
</ul>
@ -138,26 +124,12 @@ We will use the following values in our examples
</li>
<liclass="level1"><divclass="li"><strong>auth.example.com</strong>: <abbrtitle="Domain Name System">DNS</abbr> of the <abbrtitle="LemonLDAP::NG">LL::NG</abbr> portal</div>
</li>
<liclass="level1"><divclass="li"><strong>authpwd.example.com</strong>: <abbrtitle="Domain Name System">DNS</abbr> of the <abbrtitle="LemonLDAP::NG">LL::NG</abbr> portal (to failback to a form based authentication)</div>
</li>
<liclass="level1"><divclass="li"><strong>node1.example.com</strong>: <abbrtitle="Domain Name System">DNS</abbr> of the first <abbrtitle="LemonLDAP::NG">LL::NG</abbr> portal server (in cluster mode)</div>
</li>
<liclass="level1"><divclass="li"><strong>node2.example.com</strong>: <abbrtitle="Domain Name System">DNS</abbr> of the second <abbrtitle="LemonLDAP::NG">LL::NG</abbr> portal server (in cluster mode)</div>
</li>
<liclass="level1"><divclass="li"><strong>ad.example.com</strong>: <abbrtitle="Domain Name System">DNS</abbr> of First Active Directory</div>
</li>
<liclass="level1"><divclass="li"><strong>ad.acme.com</strong>: <abbrtitle="Domain Name System">DNS</abbr> of Second Active Directory</div>
</li>
<liclass="level1"><divclass="li"><strong>KERB_AUTH</strong>: AD account to generate the keytab for <abbrtitle="LemonLDAP::NG">LL::NG</abbr> server (in single mode)</div>
</li>
<liclass="level1"><divclass="li"><strong>KERB_NODE1</strong>: AD account to generate the keytab for the first <abbrtitle="LemonLDAP::NG">LL::NG</abbr> server (in cluster mode)</div>
</li>
<liclass="level1"><divclass="li"><strong>KERB_NODE2</strong>: AD account to generate the keytab for the second <abbrtitle="LemonLDAP::NG">LL::NG</abbr> server (in cluster mode)</div>
<liclass="level1"><divclass="li"><strong>KERB_AUTH</strong>: AD account to generate the keytab for <abbrtitle="LemonLDAP::NG">LL::NG</abbr> server</div>
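Review bot: "failback" in the authpwd.example.com entry should be "fallback" (the portal name is used to fall back to form-based authentication). The KERB_AUTH account also appears twice in this hunk with different descriptions ("for LL::NG server (in single mode)" and "for LL::NG server"); keep one entry, or make the second explicitly the non-cluster case. Minor: "DNS of First Active Directory" / "DNS of Second Active Directory" read better as "of the first/second Active Directory".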
@ -166,26 +138,26 @@ It is mandatory that <abbr title="LemonLDAP::NG">LL::NG</abbr> servers and AD se
</p>
</div>
<!-- EDIT5 SECTION "Server time" [1264-1399] -->
<!-- EDIT5 SECTION "Server time" [752-887] -->
<h3class="sectionedit6"id="dns">DNS</h3>
<divclass="level3">
<p>
All names must be registered in the <abbrtitle="Domain Name System">DNS</abbr> server (which is Active Directory). The reverse <abbrtitle="Domain Name System">DNS</abbr>should also work for all the names.
The auth.example.com must be registered in the <abbrtitle="Domain Name System">DNS</abbr> server (which is Active Directory). The reverse <abbrtitle="Domain Name System">DNS</abbr>of auth.example.com <strong>must</strong> return the portal <abbrtitle="Internet Protocol">IP</abbr>.
</p>
<divclass="notetip">If you have a <abbrtitle="Single Sign On">SSO</abbr> cluster, you must setup a Virtual <abbrtitle="Internet Protocol">IP</abbr> in cluster and register this <abbrtitle="Internet Protocol">IP</abbr> in <abbrtitle="Domain Name System">DNS</abbr>.
It is recommended to create an AD account for each<abbrtitle="LemonLDAP::NG">LL::NG</abbr> server. Each account will hold the Service Principal Name (SPN) of the <abbrtitle="LemonLDAP::NG">LL::NG</abbr> server.
SSL is not mandatory, but it is strongly recommended. Your portal<abbrtitle="Uniform Resource Locator">URL</abbr> should be <ahref="https://auth.example.com"class="urlextern"title="https://auth.example.com"rel="nofollow">https://auth.example.com</a>.
</p>
<divclass="notetip">It should be possible to have the same account for all SPN, but this may require some manipulations on AD (command setspn) that are not documented here.
<divclass="notetip">You can do the same check for the keytab as with the single <abbrtitle="LemonLDAP::NG">LL::NG</abbr> server. Just use node1.example.com and node2.example.com instead of auth.example.com.
<liclass="level2"><divclass="li"><strong>off</strong>: never display</div>
</li>
<liclass="level2"><divclass="li"><strong>rule</strong>: specify a <ahref="writingrulesand_headers.html"class="wikilink1"title="documentation:2.0:writingrulesand_headers">rule</a> or “sp: <name>” where “name” is the key name of the service provider, the corresponding rule will be applied <em>(available for <abbrtitle="Central Authentication Service">CAS</abbr>, <abbrtitle="Security Assertion Markup Language">SAML</abbr> or OpenID-Connect)</em></div>
<divclass="notetip">The chosen logo file must be in portal applications logos directory (<code>portal/skins/common/apps/</code>). You can set a custom logo by setting the logo file name directly in the field, and copy the logo file in portal applications logos directory
<divclass="notetip">The chosen logo file must be in portal applications logos directory (<code>portal/static/common/apps/</code>). You can set a custom logo by setting the logo file name directly in the field, and copy the logo file in portal applications logos directory
</div>
</div>
<!-- EDIT3 SECTION "Categories and applications" [828-] --></div>
There is 3 types of SQL configuration backends for LemonLDAP::NG:
There is 2 types of SQL configuration backends for LemonLDAP::NG:
</p>
<ul>
<liclass="level1"><divclass="li"><strong>CDBI</strong> : very simple storage</div>
</li>
<liclass="level1"><divclass="li"><strong>RDBI</strong> : triple store storage</div>
<liclass="level1"><divclass="li"><strong>CDBI</strong>: very simple storage</div>
</li>
<liclass="level1"><divclass="li"><strong><abbrtitle="Database Interface">DBI</abbr></strong> which has been deprecated: it is a read-only backend that exists just for compatibility with older versions of LemonLDAP::NG. See <ahref="changeconfbackend.html"class="wikilink1"title="documentation:2.0:changeconfbackend">how to change configuration backend</a>.</div>
<liclass="level1"><divclass="li"><strong>RDBI</strong>: triple store storage (recommended)</div>
</li>
</ul>
<divclass="notetip">You can use any database engine if it provides a Perl Driver. You will find here examples for MySQL and PostGreSQL, but other engines may also work.
</div>
<p>
See <ahref="changeconfbackend.html"class="wikilink1"title="documentation:2.0:changeconfbackend">how to change configuration backend</a>.
To use a SQL backend, configure your <code>lemonldap-ng.ini</code> file (section configuration) :
You need DBD::MySQL Perl module:
</p>
<ul>
<liclass="level1"><divclass="li"> Choose <abbrtitle="Database Interface">DBI</abbr> type (RDBI, CDBI or <abbrtitle="Database Interface">DBI</abbr>)</div>
<liclass="level1"><divclass="li">Debian:</div>
</li>
<liclass="level1"><divclass="li"> Configure the connection string (see <ahref="http://search.cpan.org/perldoc?DBI"class="urlextern"title="http://search.cpan.org/perldoc?DBI"rel="nofollow">DBI manual page</a>)</div>
</li>
<liclass="level1"><divclass="li"> Configure user and password</div>
</li>
<liclass="level1"><divclass="li"> If your table is not named lmConfig, set it's name in <code>dbiTable</code> parameter.</div>
<em>(*): <ahref="nodehandler.html"class="wikilink1"title="documentation:2.0:nodehandler">Node.js handler</a> has not yet reached the same level of functionality.</em>
</p>
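Review bot: "set it's name in dbiTable parameter" should be "set its name in the dbiTable parameter", and "There is 3 types" / "There is 2 types" should be "There are". The Perl module named in "You need DBD::MySQL Perl module" is DBD::mysql on CPAN (lowercase), and "PostGreSQL" is spelled PostgreSQL. Two spacing problems in the DNS paragraph: "DNS</abbr>should" and "DNS</abbr>of auth.example.com" are missing the space after the abbreviation, as is "for each<abbr" in the AD-account sentence; "The auth.example.com must be registered" should drop "The".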
@ -445,7 +451,7 @@ Handlers are software control agents to install on your web servers <em>(Nginx,
@ -491,7 +497,7 @@ Handlers are software control agents to install on your web servers <em>(Nginx,
<tdclass="col0 centeralign"><ahref="restconfbackend.html"class="wikilink1"title="documentation:2.0:restconfbackend">REST</a><ahref="new.png"class="media"title="documentation:2.0:new.png"><imgsrc="new.edf565b3f89a0ad56df9a5e7a31a6de8.png"class="media"alt=""width="35"/></a></td><tdclass="col1 centeralign"> ✔ </td><tdclass="col2 leftalign"> Proxy backend to be used in conjunction with another configuration backend. <br/><strong>Can be used to secure another backend</strong> for remote servers. </td>
</tr>
</table></div>
<!-- EDIT14 TABLE [6369-7351] --><divclass="notetip">You can not start with an empty configuration, so read <ahref="changeconfbackend.html"class="wikilink1"title="documentation:2.0:changeconfbackend">how to change configuration backend</a> to convert your existing configuration into another one.
<!-- EDIT14 TABLE [6460-7442] --><divclass="notetip">You can not start with an empty configuration, so read <ahref="changeconfbackend.html"class="wikilink1"title="documentation:2.0:changeconfbackend">how to change configuration backend</a> to convert your existing configuration into another one.
</div>
<p>
</div></div>
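Review bot: "You can not start with an empty configuration" should be "You cannot start"; the two-word form means "you are allowed not to start". The trailing `<p>` before `</div></div>` is opened and never closed, which leaves this section mis-nested.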
@ -546,13 +552,13 @@ Sessions are stored using <a href="http://search.cpan.org/perldoc?Apache::Sessio
<strong>Can be used to secure another backend</strong> for remote servers. </td>
<h3class="sectionedit17"id="well_known_compatible_applications">Well known compatible applications</h3>
<divclass="level3">
<divclass="noteclassic">Here is a list of well known applications that are compatible with <abbrtitle="LemonLDAP::NG">LL::NG</abbr>. A full list is available on <ahref="applications.html"class="wikilink1"title="documentation:2.0:applications">vendor applications page</a>.
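Review bot: "A full list is available on vendor applications page" needs an article: "on the vendor applications page". The stray "Can be used to secure another backend for remote servers. </td>" fragment at the top of this hunk sits outside any table row; check that the preceding `<tr>` is still intact after the change.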
@ -667,7 +673,7 @@ Sessions are stored using <a href="http://search.cpan.org/perldoc?Apache::Sessio
</p>
</div>
<!-- EDIT17 SECTION "Well known compatible applications" [10415-12353] -->
<!-- EDIT17 SECTION "Well known compatible applications" [10506-12444] -->
<h2class="sectionedit2"id="upgrade_order_from_19">Upgrade order from 1.9.*</h2>
<divclass="level2">
<p>
As usual, if you use more than 1 server and don't want to stop the <abbrtitle="Single Sign On">SSO</abbr> service AND IF YOU HAVE NO INCOMPATIBILITY MENTIONED IN THIS DOCUMENT, upgrade must be done in the following order:
</p>
<ol>
<liclass="level1"><divclass="li"> servers that have only handlers;</div>
</li>
<liclass="level1"><divclass="li"> portal servers <em>(all together if your load balancer doesn't keep state by user or client <abbrtitle="Internet Protocol">IP</abbr> and if users use the menu)</em>;</div>
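Review bot: "if you use more than 1 server" should be "more than one server", and the shouted clause "AND IF YOU HAVE NO INCOMPATIBILITY MENTIONED IN THIS DOCUMENT" would be clearer as normal text wrapped in `<strong>`, which is the emphasis convention used elsewhere on this page.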
@ -103,15 +127,19 @@ To build Debian package with Wheezy, remove <code>debian/lemonldap-ng-doc.maints
</li>
<liclass="level1"><divclass="li"> Apache and Nginx configurations must updated to use the FastCGI portal</div>
</li>
<liclass="level1"><divclass="li"> URLs for mail reset and register pages have changed, you must update configuration parameters. For example:</div>
</li>
</ul>
<divclass="noteimportant">Apache-ModPerl is no longer usable since version 2.4 <em>(many segfaults,…)</em>, especially when using mpm-worker. That's why LLNG doesn't use anymore ModPerl::Registry: all is now handle by FastCGI <em>(portal and manager)</em>.
<divclass="noteimportant">Apache mod_perl has a lot of issues since version 2.4 <em>(many segfaults,…)</em>, especially when using mpm-worker. That's why <abbrtitle="LemonLDAP::NG">LL::NG</abbr> doesn't use anymore ModPerl::Registry: all is now handled by FastCGI <em>(portal and manager)</em>.
<p>
<strong>For handlers, it is now recommended to migrate to Nginx</strong>, but Apache-2.X is still supported
<strong>For Handlers, it is now recommended to migrate to Nginx</strong>, but Apache 2 is still supported
</p>
</div>
</div>
<!-- EDIT4 SECTION "Configuration" [305-1090] -->
<!-- EDIT4 SECTION "Configuration" [873-1894] -->
<h2class="sectionedit5"id="kerberos_or_ssl_usage">Kerberos or SSL usage</h2>
<divclass="level2">
<ul>
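Review bot: "Apache and Nginx configurations must updated" is missing a verb: "must be updated". The list item "URLs for mail reset and register pages have changed, you must update configuration parameters. For example:" announces an example, but the list closes right after it and the note that follows is about mod_perl, so either add the parameter names or drop "For example:". In the mod_perl note, "doesn't use anymore ModPerl::Registry" reads better as "no longer uses ModPerl::Registry".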
@ -122,7 +150,7 @@ To build Debian package with Wheezy, remove <code>debian/lemonldap-ng-doc.maints
</ul>
</div>
<!-- EDIT5 SECTION "Kerberos or SSL usage" [1091-1599] -->
<!-- EDIT5 SECTION "Kerberos or SSL usage" [1895-2403] -->
<h2class="sectionedit6"id="logs">Logs</h2>
<divclass="level2">
<ul>
@ -133,7 +161,7 @@ To build Debian package with Wheezy, remove <code>debian/lemonldap-ng-doc.maints
@ -206,12 +234,12 @@ Before 2.0, an Ajax query that was launched after session timeout received a 302
<divclass="noteimportant"><ahref="handlerauthbasic.html"class="wikilink1"title="documentation:2.0:handlerauthbasic">AuthBasic Handler</a> uses now REST services instead of SOAP.
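Review bot: "AuthBasic Handler uses now REST services instead of SOAP" should be "now uses REST services instead of SOAP"; since this is a behaviour change for upgraders, it would help to say which configuration parameter moves from the SOAP endpoint to the REST one.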