Differences

This shows you the differences between two versions of the page.

--- documentation:latest:applications:cornerstone [2013/12/06 17:23]
coudot
+++ documentation:latest:applications:cornerstone [2017/11/20 14:59]
xguimard Spelling errors
@@ Line 5: / Line 5: @@
 ===== Presentation =====
-[[http://www.cornerstoneondemand.com/|CornerStone On Demand (CSOD)]] allows to use SAML to authenticate users. It works by default with IDP intiated mechanism, but can works with the standard SP initiated cinematic.
+[[http://www.cornerstoneondemand.com/|CornerStone On Demand (CSOD)]] allows one to use SAML to authenticate users. It works by default with IDP intiated mechanism, but can works with the standard SP initiated cinematic.
 To work with LL::NG it requires:
@@ Line 47: / Line 47: @@
 CSOD needs two things to configure LL::NG as an IDP:
-* Certificate
+  * Certificate
-* SAML assertion
+  * SAML assertion
 === Certificate ===
-For the certificate, you can build it from the signing private key registered in Manager. Select the key, and export it (button ''Download this file''):
+See [[..:samlservice#security_parameters|SAML security parameters]] to know how generate a certificate from you SAML private key.
-{{ :documentation:googleapps-export-priv-key.png |}}
-After choosing the file name (for example lemonldapn-ng-priv.key), download the key on your disk.
-Then use openssl to generate an auto-signed certificate:
-<code>
-openssl req -new -key lemonldap-ng-priv.key -out cert.csr
-openssl x509 -req -days 3650 -in cert.csr -signkey lemonldap-ng-priv.key -out cert.pem
-</code>
 === SAML assertion ===
-This is quite difficult to have because LL::NG only send SAML assertions when it receives an SAML request, and CSOD will only send an SAML Request when configured.
+You need to use the IDP initiated feature of LL::NG. Just call this URL:
-The only solution is to simulate an SAML Request on LL::NG. It requires to disable signature verification in the CSDO SP configuration.
-After that, you can create your own SAML Request:
-<file xml>
-<AuthnRequest xmlns:xsd="http://www.w3.org/2001/XMLSchema"
-              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-              ID="6fe8d616-9210-49ad-ad54-f4482e17c5ba"
-              Version="2.0"
-              IssueInstant="2013-11-26T14:50:00.515738Z"
-              Destination="https://auth.example.com/saml/singleSignOn"
-              ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
-              AssertionConsumerServiceURL="https://mycompanyid.csod.com/samldefault.aspx"
-              xmlns="urn:oasis:names:tc:SAML:2.0:protocol"
-              >
-    <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">mycompanyid.csod.com</Issuer>
-    <NameIDPolicy
-Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" />
-    <Conditions NotBefore="2013-01-31T23:22:32.515738Z"
-                NotOnOrAfter="2014-01-31T23:27:32.515738Z"
-                xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
-                />
-</AuthnRequest>
-</file>
-<note important>Change **mycompanyid** (in ''AssertionConsumerService'' markup, parameter ''Location'') into your CSOD company ID, update all dates and update the URL in Destination</note>
-Encode it into base64 and send it to LL::NG as a GET request:
 <code>
-https://auth.example.com/saml/singleSignOn?SAMLRequest=XXXX
+https://auth.example.com/saml/singleSignOn?IDPInitiated=1&sp=mycompanyid.csod.com
 </code>
-With the network tracer of your browser, you can get the POST response and extract the SAML assertion.