SAML Identity Provider

Presentation

LL::NG can act as a SAML 2.0 Identity Provider, which allows you to federate LL::NG with:

  • Google Apps
  • Cornerstone
  • SalesForce
  • simpleSAMLphp
  • NextCloud
  • ADFS
  • Office365
  • AWS
  • Gitlab

This requires configuring LL::NG as a SAML Identity Provider.

Configuration

SAML Service

See SAML service configuration chapter.

IssuerDB

Go to General Parameters » Issuer modules » SAML and configure:

For example, to allow only users with a strong authentication level:
$authenticationLevel > 2

Register LemonLDAP::NG on partner Service Provider

After configuring the SAML Service, you can export the metadata to your partner Service Provider.

The metadata is available at the EntityID URL, by default: http://auth.example.com/saml/metadata.

Register partner Service Provider on LemonLDAP::NG

In the Manager, select node SAML service providers and click on Add SAML SP.

You are prompted for the SP name; enter it and click OK.

Now you have access to the SP parameters list.

Metadata

You must register the SP metadata here. You can do it either by uploading the file or by fetching it from the SP metadata URL (this requires a network link between your server and the SP).

You can also edit the metadata directly in the textarea.

Exported attributes

For each attribute, you can set:

Options

Authentication response

  <saml:AuthnStatement AuthnInstant="2014-07-21T11:47:08Z"
    SessionIndex="loVvqZX+Vja2dtgt/N+AymTmckGyITyVt+UJ6vUFSFkE78S8zg+aomXX7oZ9qX1UxOEHf6Q4DUstewSJh1uK1Q=="
    SessionNotOnOrAfter="2014-07-21T15:47:08Z">

  <saml:SubjectConfirmationData NotOnOrAfter="2014-07-21T12:47:08Z"
    Recipient="http://simplesamlphp.example.com/simplesamlphp/module.php/saml/sp/saml2-acs.php/default-sp"
    InResponseTo="_3cfa896ab05730ac81f413e1e13cc42aa529eceea1"/>

  <saml:Conditions NotBefore="2014-07-21T11:46:08Z"
    NotOnOrAfter="2014-07-21T12:48:08Z">

There is a time tolerance of 60 seconds in <Conditions>: NotBefore is set 60 seconds before AuthnInstant, and NotOnOrAfter is set 60 seconds after the NotOnOrAfter of <SubjectConfirmationData>.
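As an added example (not LL::NG code and not part of this page), the following Python validator shows what a Service Provider should check against the timestamps above: it parses the assertion, applies a clock-skew tolerance to <Conditions> (the 60-second CLOCK_SKEW is an assumption mirroring the tolerance LL::NG adds), verifies the SubjectConfirmationData Recipient and InResponseTo, and returns SessionNotOnOrAfter so the SP session does not outlive the IdP session. Passing pending_request_id=None models an unsolicited, IdP-initiated response (see the Security section below), which must then carry no InResponseTo. The sample assertion is constructed from the values on this page; signature verification is out of scope here.

```python
"""Check the validity windows of a SAML 2.0 assertion (added example, not LL::NG code)."""
from datetime import datetime, timedelta, timezone
from xml.etree import ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLOCK_SKEW = timedelta(seconds=60)  # assumed SP-side tolerance applied to <Conditions>

# Constructed sample assertion reusing the timestamps and identifiers from the excerpt above.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2014-07-21T12:47:08Z"
        Recipient="http://simplesamlphp.example.com/simplesamlphp/module.php/saml/sp/saml2-acs.php/default-sp"
        InResponseTo="_3cfa896ab05730ac81f413e1e13cc42aa529eceea1"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2014-07-21T11:46:08Z" NotOnOrAfter="2014-07-21T12:48:08Z"/>
  <saml:AuthnStatement AuthnInstant="2014-07-21T11:47:08Z"
    SessionIndex="loVvqZX+Vja2dtgt/N+AymTmckGyITyVt+UJ6vUFSFkE78S8zg+aomXX7oZ9qX1UxOEHf6Q4DUstewSJh1uK1Q=="
    SessionNotOnOrAfter="2014-07-21T15:47:08Z"/>
</saml:Assertion>"""

# The SP's own Assertion Consumer Service URL and the AuthnRequest ID it is waiting for.
ACS_URL = "http://simplesamlphp.example.com/simplesamlphp/module.php/saml/sp/saml2-acs.php/default-sp"
REQUEST_ID = "_3cfa896ab05730ac81f413e1e13cc42aa529eceea1"


def parse_ts(value):
    """SAML timestamps are xs:dateTime in UTC with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, now, acs_url, pending_request_id=None):
    """Return {"ok", "problems", "session_not_on_or_after"} for the assertion.

    pending_request_id is the ID of the AuthnRequest this SP sent, or None when
    no request is outstanding (an unsolicited, IdP-initiated response).
    """
    root = ET.fromstring(xml_text)
    problems = []

    # <Conditions>: the assertion as a whole, with clock-skew tolerance on both edges.
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        problems.append("missing Conditions")
    else:
        if now + CLOCK_SKEW < parse_ts(cond.get("NotBefore")):
            problems.append("not yet valid: Conditions/NotBefore")
        if now - CLOCK_SKEW >= parse_ts(cond.get("NotOnOrAfter")):
            problems.append("expired: Conditions/NotOnOrAfter")

    # <SubjectConfirmationData>: bearer confirmation is bound to this ACS and this request.
    scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None:
        problems.append("missing SubjectConfirmationData")
    else:
        if now >= parse_ts(scd.get("NotOnOrAfter")):
            problems.append("expired: SubjectConfirmationData/NotOnOrAfter")
        if scd.get("Recipient") != acs_url:
            problems.append("Recipient does not match this ACS URL")
        in_response_to = scd.get("InResponseTo")
        if pending_request_id is None:
            # IdP-initiated flow: there is no request to answer, so InResponseTo must be absent.
            if in_response_to is not None:
                problems.append("unsolicited response carries InResponseTo")
        elif in_response_to != pending_request_id:
            problems.append("InResponseTo does not match the pending AuthnRequest")

    # <AuthnStatement>: the IdP session bound; the SP session must not outlive it.
    stmt = root.find("saml:AuthnStatement", NS)
    session_end = None
    if stmt is not None and stmt.get("SessionNotOnOrAfter"):
        session_end = parse_ts(stmt.get("SessionNotOnOrAfter"))
        if now >= session_end:
            problems.append("expired: AuthnStatement/SessionNotOnOrAfter")

    return {"ok": not problems, "problems": problems, "session_not_on_or_after": session_end}


if __name__ == "__main__":
    now = parse_ts("2014-07-21T11:47:30Z")  # 22 seconds after AuthnInstant
    print(validate_assertion(SAMPLE_ASSERTION, now, ACS_URL, REQUEST_ID))
```

Note that the SubjectConfirmationData window closes before the Conditions window: at 12:47:30Z the assertion is still within <Conditions> but can no longer be used to confirm the bearer, which is the intended behaviour of the one-minute tolerance LL::NG adds.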
Signature

These options override service signature options (see SAML service configuration).

Security

The IDP Initiated URL is the SSO SAML URL with the following GET parameters:
  • IDPInitiated: 1
  • One of:
    • sp: SP entity ID
    • spConfKey: SP configuration key

For example: http://auth.example.com/saml/singleSignOn?IDPInitiated=1&spConfKey=simplesamlphp