Microsoft ADFS (Active Directory Federation Services) is an Identity/Service Provider compatible with several protocols, including <abbr title="Security Assertion Markup Language">SAML</abbr> 2.0.
</p>
<div class="noteimportant">This documentation does not explain how to set up ADFS; it only gives tips for making it work with <abbr title="LemonLDAP::NG">LL::NG</abbr>.
</div>
</div>
<h2 class="sectionedit3" id="adfs_as_identity_provider">ADFS as Identity Provider</h2>
<div class="level2">
<p>
When ADFS is declared as an Identity Provider in LemonLDAP::NG, you need to take care of the following items:
</p>
<ul>
<li class="level1"><div class="li"> HTTPS is mandatory on the <abbr title="LemonLDAP::NG">LL::NG</abbr> portal</div>
</li>
<li class="level1"><div class="li"> You need to use a certificate in <abbr title="LemonLDAP::NG">LL::NG</abbr> <abbr title="Security Assertion Markup Language">SAML</abbr> metadata instead of a raw public key</div>
</li>
<li class="level1"><div class="li"> Activate the option <code>Use specific query_string method</code> in the <abbr title="Security Assertion Markup Language">SAML</abbr> Service</div>
</li>
<li class="level1"><div class="li"> Use SHA1 instead of SHA256 as the signature algorithm on ADFS if using a Lasso version &lt; 2.5.0</div>
</li>
<li class="level1"><div class="li"> Force the <abbr title="Security Assertion Markup Language">SAML</abbr> response to be sent by POST and not Artifact (signature verification fails with Artifact)</div>
</li>
<li class="level1"><div class="li"> Enable <code>Allow proxy authentication</code> in the IDP options on the <abbr title="LemonLDAP::NG">LL::NG</abbr> side</div>
</li>
</ul>
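<p>
The following script is an added example, not LemonLDAP::NG or ADFS code. It checks a SAML 2.0 metadata document against three items of the checklist above that are visible in metadata: every endpoint <code>Location</code> uses HTTPS, each <code>KeyDescriptor</code> carries an X.509 certificate rather than a bare <code>ds:KeyValue</code>, and the assertion consumer service uses the HTTP-POST binding rather than Artifact. The metadata it parses is constructed for the example; the entityID, hostnames and certificate value are placeholders.
</p>

```python
"""Check SAML 2.0 SP metadata for the ADFS/LL::NG federation prerequisites.

Added example (not LL::NG's own code). Standard library only.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
BINDING_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
BINDING_ARTIFACT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"

# Constructed metadata template; the three slots are the things the check looks at.
TEMPLATE = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://sp.example.test/saml/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo>{keyinfo}</ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="{slo_scheme}://sp.example.test/saml/slo"/>
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="{acs_binding}" Location="https://sp.example.test/saml/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

# Raw RSA key (what ADFS rejects) versus an X.509 certificate (placeholder base64).
RAW_KEY = "<ds:KeyValue><ds:RSAKeyValue><ds:Modulus>AQ==</ds:Modulus>" \
          "<ds:Exponent>AQAB</ds:Exponent></ds:RSAKeyValue></ds:KeyValue>"
CERT = "<ds:X509Data><ds:X509Certificate>PLACEHOLDER_CERT_BASE64</ds:X509Certificate></ds:X509Data>"

# Sample that breaks all three rules, and the corrected sample.
SAMPLE_BAD = TEMPLATE.format(keyinfo=RAW_KEY, slo_scheme="http", acs_binding=BINDING_ARTIFACT)
SAMPLE_OK = TEMPLATE.format(keyinfo=CERT, slo_scheme="https", acs_binding=BINDING_POST)


def check_metadata(xml_text):
    """Return a list of findings; an empty list means the metadata passes all checks."""
    root = ET.fromstring(xml_text)
    findings = []

    # 1. Every endpoint Location must be served over HTTPS.
    for elem in root.iter():
        loc = elem.get("Location")
        if loc is not None and not loc.lower().startswith("https://"):
            local = elem.tag.split("}")[-1]
            findings.append(f"non-HTTPS endpoint: {local} at {loc}")

    # 2. Each KeyDescriptor must carry an X.509 certificate, not a bare key value.
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        if kd.find(".//ds:X509Certificate", NS) is None:
            findings.append(f"KeyDescriptor use={kd.get('use', 'any')!r} has no X509Certificate")

    # 3. Responses must come back by HTTP-POST: require a POST ACS and reject an Artifact default.
    acs_list = root.findall(".//md:AssertionConsumerService", NS)
    if BINDING_POST not in {a.get("Binding") for a in acs_list}:
        findings.append("no HTTP-POST AssertionConsumerService")
    for a in acs_list:
        if a.get("isDefault") == "true" and a.get("Binding") == BINDING_ARTIFACT:
            findings.append("default AssertionConsumerService uses HTTP-Artifact")
    return findings


if __name__ == "__main__":
    for name, doc in (("bad", SAMPLE_BAD), ("ok", SAMPLE_OK)):
        print(name, check_metadata(doc) or "all checks passed")
```

<p>
Run it against the metadata you export from the <abbr title="LemonLDAP::NG">LL::NG</abbr> manager before importing it into ADFS; the HTTPS, certificate and POST-binding items are the ones the checklist above calls out, while the query_string method and proxy-authentication options are portal settings that do not appear in metadata.
</p>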
</div>
</div>
@@ -73,6 +73,14 @@ For GLPI >= 0.71, it is a simple configuration in GLPI: Setup → Authenticat
For older version, check <ahref="http://wiki.glpi-project.org/doku.php?id=en:authautoad"class="urlextern"title="http://wiki.glpi-project.org/doku.php?id=en:authautoad"rel="nofollow">http://wiki.glpi-project.org/doku.php?id=en:authautoad</a>
</p>
<p>
If you use Nginx, you need to add this in configuration:
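Review bot: "For older version, check ..." should read "For older versions, check ..."; the anchor tag on that line is also missing the space between `<a` and `href=`, which will not render as a link.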
@@ -72,7 +72,11 @@ This artifact allows one to define its own modules (authentication, user databas
<divclass="level2">
<p>
You just have to define class names of your custom modules in “Custom module names”.
You just have to define class names of your custom modules in “Custom module names”. You can also add your custom parameters in “Additional parameters”. Be careful to use names not already used elsewhere in configuration. This parameters are available in your plugins using <code>$self→conf→{<em>customName</em>}</code>.
</p>
<p>
See portal manpages to see how to write these plugins.
<!-- EDIT4 TABLE [905-1106] --><divclass="noteimportant">OpenID-Connect specification isn't finished for logout propagation. So logout initiated by relaying-party will be forward to OpenID-Connect provider but logout initiated by the provider (or another RP) will not be propagated. LLNG will implement this when <abbrtitle="specification">spec</abbr> will be published.
<abbrtitle="LemonLDAP::NG">LL::NG</abbr> can use <ahref="https://en.wikipedia.org/wiki/Pluggable_authentication_module"class="urlextern"title="https://en.wikipedia.org/wiki/Pluggable_authentication_module"rel="nofollow">Pluggable authentication module</a> as a simple authentication backend.
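Review bot: the sentence "You just have to define class names of your custom modules in “Custom module names”." appears twice in a row (once alone, once as the start of the longer paragraph), so the first copy should be dropped; in the same paragraph "This parameters are available" should be "These parameters are available". In the OpenID-Connect note, "relaying-party" should be "relying party" and "will be forward to" should be "will be forwarded to"; the stray `<!-- EDIT4 TABLE -->` comment fused onto the front of that note also looks like editor residue rather than intended content.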