@@ -72,7 +72,7 @@ Before transmission, the username and password are encoded as a sequence of base
</p>
<p>
So HTTP Basic Autentication is managed trough an HTTP header (<code>Authorization</code>), that can be forged by <abbrtitle="LemonLDAP::NG">LL::NG</abbr>, with this precautions:
So HTTP Basic Authentication is managed trough an HTTP header (<code>Authorization</code>), that can be forged by <abbrtitle="LemonLDAP::NG">LL::NG</abbr>, with this precautions:
</p>
<ul>
<liclass="level1"><divclass="li"> Data should not contains accents or special characters, as HTTP protocol only allow <abbrtitle="American Standard Code for Information Interchange">ASCII</abbr> values in header (but depending on the HTTP server, you can use ISO encoded values)</div>
...
...
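Review bot: the spelling fix on the replaced line leaves two more errors in the same sentence: "trough" should be "through" and "this precautions" should be "these precautions", so it should read "So HTTP Basic Authentication is managed through an HTTP header (<code>Authorization</code>), that can be forged by LL::NG, with these precautions:". "forged" also reads as if the header were being faked; "generated" or "built" says what the handler actually does. The list item that follows has agreement errors too: "Data should not contains" should be "Data should not contain" and "HTTP protocol only allow" should be "the HTTP protocol only allows".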
@@ -82,7 +82,7 @@ So HTTP Basic Autentication is managed trough an HTTP header (<code>Authorizatio
@@ -107,6 +107,6 @@ So the above example can also be written like this:
<divclass="notetip">The <code>basic</code> function will also force conversion from UTF-8 to ISO-8859-1, which should be accepted by most of HTTP servers.
<ahref="http://www.cornerstoneondemand.com/"class="urlextern"title="http://www.cornerstoneondemand.com/"rel="nofollow">CornerStone On Demand (CSOD)</a> allows to use <abbrtitle="Security Assertion Markup Language">SAML</abbr> to authenticate users. It works by default with IDP intiated mechanism, but can works with the standard SP initiated cinematic.
<ahref="http://www.cornerstoneondemand.com/"class="urlextern"title="http://www.cornerstoneondemand.com/"rel="nofollow">CornerStone On Demand (CSOD)</a> allows one to use <abbrtitle="Security Assertion Markup Language">SAML</abbr> to authenticate users. It works by default with IDP intiated mechanism, but can works with the standard SP initiated cinematic.
</p>
<p>
...
...
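Review bot: the "allows one to use" change is applied, but the rest of the CSOD sentence still needs correcting: "IDP intiated" should be "IdP initiated", "can works" should be "can work", and "cinematic" (a French calque) should be "flow", giving "It works by default with the IdP initiated mechanism, but can also work with the standard SP initiated flow." The notetip just above would also read better as "which most HTTP servers should accept" instead of "which should be accepted by most of HTTP servers".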
@@ -93,12 +93,12 @@ To work with <abbr title="LemonLDAP::NG">LL::NG</abbr> it requires:
<divclass="noteimportant">Change <strong>mycompanyid</strong> (in <code>AssertionConsumerService</code> markup, parameter <code>Location</code>) into your CSOD company ID and put the certificate value inside the ds:X509Certificate markup
</div>
</div>
<!-- EDIT4 SECTION "New Service Provider" [602-2116] -->
<!-- EDIT4 SECTION "New Service Provider" [606-2120] -->
<h3class="sectionedit5"id="csod_control_panel">CSOD control panel</h3>
<divclass="level3">
...
...
@@ -171,6 +171,6 @@ You need to use the IDP initiated feature of <abbr title="LemonLDAP::NG">LL::NG<
<ahref="http://www.limesurvey.org"class="urlextern"title="http://www.limesurvey.org"rel="nofollow">LimeSurvey</a> is a web survey software written in PHP. LimeSurvey has a webserver authentication mode that allows to integrate it directly into LemonLDAP::NG.
<ahref="http://www.limesurvey.org"class="urlextern"title="http://www.limesurvey.org"rel="nofollow">LimeSurvey</a> is a web survey software written in PHP. LimeSurvey has a webserver authentication mode that allows one to integrate it directly into LemonLDAP::NG.
</p>
<p>
...
...
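Review bot: the wording change stops one word short; "a web survey software" should drop the article ("web survey software") or take a countable noun ("a web survey application"). The "allows one to integrate" correction itself is fine.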
@@ -94,13 +94,13 @@ To have a stronger integration, we will configure LimeSurvey to autocreate unkno
<h3class="sectionedit6"id="limesurvey_virtual_host_in_manager">LimeSurvey virtual host in Manager</h3>
<divclass="level3">
...
...
@@ -228,7 +228,7 @@ Go to the Manager and <a href="../configvhost.html#lemonldapng_configuration" cl
<tdclass="col0 centeralign"> Auth-SuperAdmin </td><tdclass="col1 centeralign"> 1 if user is superadmin </td>
</tr>
</table></div>
<!-- EDIT7 TABLE [3365-3583] --><divclass="notetip">You can manage roles with the <ahref="../rbac.html"class="wikilink1"title="documentation:1.9:rbac">RBAC model</a> or by using groups.
<!-- EDIT7 TABLE [3369-3587] --><divclass="notetip">You can manage roles with the <ahref="../rbac.html"class="wikilink1"title="documentation:1.9:rbac">RBAC model</a> or by using groups.
</div>
</div>
...
...
@@ -250,7 +250,7 @@ Go to the Manager and <a href="../configvhost.html#lemonldapng_configuration" cl
<tdclass="col0 centeralign"> Default </td><tdclass="col1 centeralign"> default </td><tdclass="col2 centeralign"> Allow only users with a LimeSurvey role </td>
</tr>
</table></div>
<!-- EDIT8 TABLE [3690-3975] --><divclass="notetip">You can set the default access to:<ul>
<!-- EDIT8 TABLE [3694-3979] --><divclass="notetip">You can set the default access to:<ul>
<liclass="level1"><divclass="li"><strong>accept</strong>: all authenticated users will access surveys</div>
</li>
<liclass="level1"><divclass="li"><strong>unprotect</strong>: no authentication will be asked to access surveys </div>
...
...
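Review bot: in the list under the notetip, "no authentication will be asked to access surveys" should read "no authentication will be required to access surveys". Since "unprotect" is the option that serves surveys to anonymous users, this description should be the most unambiguous of the three, and the "accept" item should likewise read "all authenticated users will be able to access surveys".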
@@ -259,6 +259,6 @@ Go to the Manager and <a href="../configvhost.html#lemonldapng_configuration" cl
</div>
</div>
<!-- EDIT6 SECTION "LimeSurvey virtual host in Manager" [3193-] --></div>
<!-- EDIT6 SECTION "LimeSurvey virtual host in Manager" [3197-] --></div>
<ahref="https://en.wikipedia.org/wiki/Office_365"class="urlextern"title="https://en.wikipedia.org/wiki/Office_365"rel="nofollow">Office 365</a> provides online access to Microsoft products like Office, Outlook or Yammer. Authentication is done on <ahref="https://login.microsoftonline.com/"class="urlextern"title="https://login.microsoftonline.com/"rel="nofollow">https://login.microsoftonline.com/</a> and can be forwarded to an <abbrtitle="Security Assertion Markup Language">SAML</abbr> Identity Provider.
<liclass="level1"><divclass="li"> cert: The <abbrtitle="Security Assertion Markup Language">SAML</abbr> certificate containing the signature public key</div>
</li>
</ul>
<p>
If you have several Office365 domains, you can't use the same URLs for each domains. To be able to have a single <abbrtitle="Security Assertion Markup Language">SAML</abbr> IDP for several domains, you must add the 'domain' GET parameters at the end of <abbrtitle="Single Sign On">SSO</abbr> endpoint and metadata URLs, for example:
Create a new <abbrtitle="Security Assertion Markup Language">SAML</abbr> Service Provider and import Microsoft metadata from <ahref="https://nexus.microsoftonline-p.com/federationmetadata/saml20/federationmetadata.xml"class="urlextern"title="https://nexus.microsoftonline-p.com/federationmetadata/saml20/federationmetadata.xml"rel="nofollow">https://nexus.microsoftonline-p.com/federationmetadata/saml20/federationmetadata.xml</a>
</p>
<p>
Set the NameID value to persistent, or any immutable value for the user.
</p>
<p>
Create a <abbrtitle="Security Assertion Markup Language">SAML</abbr> attribute named IDPEmail which contains the user principal name (UPN).
It allows to use <abbrtitle="Security Assertion Markup Language">SAML</abbr> to authenticate users. It can deal with both SP and IdP initiated modes.
It allows one to use <abbrtitle="Security Assertion Markup Language">SAML</abbr> to authenticate users. It can deal with both SP and IdP initiated modes.
</p>
<p>
...
...
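Review bot: the Office 365 paragraph in this hunk carries number-agreement errors the patch does not touch: "for each domains" should be "for each domain" and "the 'domain' GET parameters" should be "the 'domain' GET parameter". The context lines here also jump from the LimeSurvey closing divs to the Office 365 section and then to the Salesforce "It allows one to use" line, so this hunk should be checked to confirm it applies cleanly to the intended file and that nothing between those sections was dropped.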
@@ -94,7 +94,7 @@ To work with <abbr title="LemonLDAP::NG">LL::NG</abbr> it requires:
@@ -139,7 +139,7 @@ match with the correct values. (adapt the domain if necessary)
<divclass="noteimportant">For now, the authentication service parameter has no domain available. You must come back later to fill this parameter. Once <abbrtitle="Security Assertion Markup Language">SAML</abbr> cinematics are working, you can then put your domain, and delete the login form, and you'll have an automatic redirection to your Identity Provider (no need for the user to click). Note that you can always access Salesforce by the general login page: <ahref="https://login.salesforce.com"class="urlextern"title="https://login.salesforce.com"rel="nofollow">https://login.salesforce.com</a>
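Review bot: "Once SAML cinematics are working" should read "Once the SAML flows are working", the same French calque that appears elsewhere in this patch; the rest of the noteimportant is clear as written.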
@@ -161,7 +161,7 @@ Go to the <abbr title="Security Assertion Markup Language">SAML</abbr> Single Si
</li>
<liclass="level1"><divclass="li"> Issuer: this is the LemonLDAP::NG (our IdP) Entity Id, which is by default #PORTAL#/saml/metadata</div>
</li>
<liclass="level1"><divclass="li"> Identity Provider Certificate: whereas it is mentionned that this is the authentication certificate, you must give your LemonLDAP::NG (IdP) signing certificate. If you don't have one, create it with the signing key pair already generated (you could do this with openssl). SSL authentication (https) does not seem to be checked anyway.</div>
<liclass="level1"><divclass="li"> Identity Provider Certificate: whereas it is mentioned that this is the authentication certificate, you must give your LemonLDAP::NG (IdP) signing certificate. If you don't have one, create it with the signing key pair already generated (you could do this with openssl). SSL authentication (https) does not seem to be checked anyway.</div>
</li>
<liclass="level1"><divclass="li"> Signing Certificate: choose a certificate for SP signature. (create one if none is present)</div>
</li>
...
...
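Review bot: the "mentioned" typo fix is right, but the Identity Provider Certificate item still has two problems. "whereas it is mentionned that this is the authentication certificate" is awkward and should become "although the form labels this the authentication certificate, you must supply your LemonLDAP::NG (IdP) signing certificate"; and the closing "SSL authentication (https) does not seem to be checked anyway" is an unverified impression that a reader may take as a guarantee about what Salesforce validates, so it should either be confirmed against Salesforce's actual behaviour or removed.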
@@ -192,7 +192,7 @@ Go to the <abbr title="Security Assertion Markup Language">SAML</abbr> Single Si
Zimbra use a specific <ahref="http://wiki.zimbra.com/index.php?title=Preauth"class="urlextern"title="http://wiki.zimbra.com/index.php?title=Preauth"rel="nofollow">preauthentication protocol</a> to provide <abbrtitle="Single Sign On">SSO</abbr> on its application. This protocol is implementated in an <abbrtitle="LemonLDAP::NG">LL::NG</abbr> specific Handler.
Zimbra use a specific <ahref="http://wiki.zimbra.com/index.php?title=Preauth"class="urlextern"title="http://wiki.zimbra.com/index.php?title=Preauth"rel="nofollow">preauthentication protocol</a> to provide <abbrtitle="Single Sign On">SSO</abbr> on its application. This protocol is implemented in an <abbrtitle="LemonLDAP::NG">LL::NG</abbr> specific Handler.
</p>
<divclass="notetip">Zimbra can also be connected to <abbrtitle="LemonLDAP::NG">LL::NG</abbr> via <ahref="../idpsaml.html"class="wikilink1"title="documentation:1.9:idpsaml">SAML protocol</a> (see <ahref="http://blog.zimbra.com/blog/archives/2010/06/using-saml-assertions-to-access-zimbra.html"class="urlextern"title="http://blog.zimbra.com/blog/archives/2010/06/using-saml-assertions-to-access-zimbra.html"rel="nofollow">Zimbra blog</a>).
</div><divclass="noteimportant">For now, Zimbra isn't supported by Nginx handler. You have to use Apache.
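Review bot: the "implemented" fix is good, but the sentence it sits in still needs "Zimbra uses a specific ... preauthentication protocol to provide SSO for its applications" ("Zimbra use" and "on its application" are both wrong). In the noteimportant at the end, "isn't supported by Nginx handler" should be "isn't supported by the Nginx handler".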