Differences
This shows you the differences between two versions of the page.
| — |
documentation:2.1:applications:cornerstone [2017/02/07 17:06] (current) |
||
|---|---|---|---|
| Line 1: | Line 1: | ||
| + | ====== Cornerstone On Demand ====== | ||
| + | |||
| + | {{ :applications:csod_logo.png |}} | ||
| + | |||
| + | ===== Presentation ===== | ||
| + | |||
| + | [[http://www.cornerstoneondemand.com/|CornerStone On Demand (CSOD)]] allows one to use SAML to authenticate users. It works by default with IDP intiated mechanism, but can works with the standard SP initiated cinematic. | ||
| + | |||
| + | To work with LL::NG it requires: | ||
| + | * An enterprise account | ||
| + | * LL::NG configured as [[..idpsaml|SAML Identity Provider]] | ||
| + | * Registered users on CSOD with the same email than those used by LL::NG (email will be the NameID exchanged between CSOD and LL::NG) | ||
| + | |||
| + | ===== Configuration ===== | ||
| + | |||
| + | ==== New Service Provider ==== | ||
| + | |||
| + | You should have configured LL::NG as an [[..idpsaml|SAML Identity Provider]], | ||
| + | |||
| + | Now we will add CSOD as a new SAML Service Provider: | ||
| + | - In Manager, click on SAML service providers and the button ''New service provider''. | ||
| + | - Set csod as Service Provider name. | ||
| + | - Set ''Email'' in ''Options'' » ''Authentication Response'' » ''Default NameID format'' | ||
| + | - Select ''Metadata'', and unprotect the field to paste the following value: | ||
| + | <file xml> | ||
| + | <md:EntityDescriptor entityID="mycompanyid.csod.com" xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"> | ||
| + | <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"> | ||
| + | <KeyDescriptor use="signing"> | ||
| + | <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> | ||
| + | <ds:X509Data> | ||
| + | <ds:X509Certificate> | ||
| + | Base64 encoded CSOD certificate | ||
| + | </ds:X509Certificate> | ||
| + | </ds:X509Data> | ||
| + | </ds:KeyInfo> | ||
| + | </KeyDescriptor> | ||
| + | <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://mycompanyid.csod.com/samldefault.aspx" index="1" /> | ||
| + | <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat> | ||
| + | </SPSSODescriptor> | ||
| + | </md:EntityDescriptor> | ||
| + | </file> | ||
| + | |||
| + | <note important>Change **mycompanyid** (in ''AssertionConsumerService'' markup, parameter ''Location'') into your CSOD company ID and put the certificate value inside the ds:X509Certificate markup</note> | ||
| + | |||
| + | |||
| + | ==== CSOD control panel ==== | ||
| + | |||
| + | CSOD needs two things to configure LL::NG as an IDP: | ||
| + | * Certificate | ||
| + | * SAML assertion | ||
| + | |||
| + | === Certificate === | ||
| + | |||
| + | See [[..:samlservice#security_parameters|SAML security parameters]] to know how generate a certificate from you SAML private key. | ||
| + | |||
| + | === SAML assertion === | ||
| + | |||
| + | You need to use the IDP initiated feature of LL::NG. Just call this URL: | ||
| + | <code> | ||
| + | https://auth.example.com/saml/singleSignOn?IDPInitiated=1&sp=mycompanyid.csod.com | ||
| + | </code> | ||