Connect to SAML Federations¶
Warning
This feature only works with version 2.6.0 of Lasso and above
Presentation¶
SAML federations are a list of Identity Providers or Service Providers which publish their metadata in a central point. Members of the federation can then easily download and use the full metadata file to connect to any party of the federation.
Well known federations are Renater and EduGain.
Note that in previous LemonLDAP::NG versions, the way to handle federations was to import the entire federation into the LemonLDAP::NG configuration. This caused several issues:
The configuration JSON objects grows very large, sometimes beyond storage limitations
The memory consumption is very high
The manager interface becomes crowded with service definitions that are very rarely use
Now LL::NG works with a separated federation metadata file, and provide the possibility to override some settings in its configuration.
Configuration¶
Declare your SAML federation files¶
You need to use the provided downloadSamlMetadata
script to periodically download
the federation metadata on each portal server. This script checks if the
received metadata is valid, and ensures the metadata file does not contain
partial content during download.
downloadSamlMetadata -m http://path/to/main-sps-renater-metadata.xml \
-o /etc/lemonldap-ng/metadata/main-sps-renater-metadata.xml
Then, declare your federation metadata files in
SAML2 Service » Advanced » Federation » SAML Federation Metadata files
You should list local file paths, separated by spaces. For example
/etc/lemonldap-ng/metadata/main-all-edugain-metadata.xml /etc/lemonldap-ng/metadata/main-sps-renater-metadata.xml
In case an EntityID is defined in multiple files, the first match wins.
Configure template IDP/SPs¶
SAML metadata does not contain all the information LemonLDAP::NG needs. It is recommended that you create a generic configuration for all the providers found in federation metadata.
In order to do this:
Add a new SAML2 Service provider (or IDP)
Leave the Metadata content empty
Set Options » Federation » Entity Identifier to the Name= attribute of the federation. (eg:
https://federation.renater.fr/
)
All options set on this special provider will be applied to SPs (or IDPs) defined in the Renater federation
In the case of Service Providers, Federation Metadata files contain a list of attributes that the SP wishes to receive. These attributes can be flagged as optional or mandatory (isRequired="true"
).
LemonLDAP::NG lets you decide what to do with these attributes:
Keep: The attribute definition from federation metadata will be handled by LemonLDAP::NG
Make optional: The attribute will be handled by LemonLDAP::NG, but made optional if it was mandatory
Ignore: The attribute will never be sent to this SP
You can also define additional attributes to be sent in the Exported Attributes section. In case of a conflict between an attribute definition in federation metadata and an explicit definition in LemonLDAP::NG configuration, the LemonLDAP::NG configuration wins.
Configure specific IDP/SPs¶
You may want to override the federation-wide defaults for some specific SP/IDPs. A common example is the Renater test SP that defines all its attributes as mandatory. Or you might want to disable AuthnRequest signature validation for some SPs
To do this:
Add a new SAML2 Service provider (or IDP)
Leave the Metadata content empty
Set Options » Federation » Entity Identifier to the entityID of the provider you want to override
Set the desired configuration options on this provider
Configure SAML attributes¶
Federation metadata files contains information about attributes required or simply requested by federated service providers (SP). In order for those attributes to be successfully sent to providers, they must exist in the LemonLDAP::NG session, under the same name as the FriendlyName declared in metadata.
For example, the following attribute definition:
<md:RequestedAttribute
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
Name="urn:oid:0.9.2342.19200300.100.1.1"
FriendlyName="uid" isRequired="true"/>
requires an uid
attribute in the session. Make sure you configure your
exported variables accordingly, and use macros to fill the gaps if needed.
Subject ID¶
New in version 2.17.
Some SAML SPs can now use a subject-id
attribute instead of a NameID or
eduPersonTargetedID
(not supported in LemonLDAP::NG).
In order to provide a subject-id
attribute, you must create a macro with
Key:
subjectId
Value:
subjectid($uid, "scope.edu", "myrandomsalt1")
The subject-id
attribute will only be sent if the SP metadata contains the
urn:oasis:names:tc:SAML:profiles:subject-id:req
extension with a value of
any
or subject-id