Differences
This shows you the differences between two versions of the page.
documentation:latest:applications:cornerstone [2013/12/06 17:23] coudot |
documentation:latest:applications:cornerstone [2017/11/20 14:59] xguimard Spelling errors |
Line 5: | Line 5: | ||
===== Presentation ===== | ===== Presentation ===== | ||
- | [[http://www.cornerstoneondemand.com/|CornerStone On Demand (CSOD)]] allows to use SAML to authenticate users. It works by default with IDP intiated mechanism, but can works with the standard SP initiated cinematic. | + | [[http://www.cornerstoneondemand.com/|CornerStone On Demand (CSOD)]] allows one to use SAML to authenticate users. It works by default with IDP intiated mechanism, but can works with the standard SP initiated cinematic. |
To work with LL::NG it requires: | To work with LL::NG it requires: | ||
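Review bot: the spelling pass on the Presentation sentence is incomplete: "IDP intiated" is still misspelled ("initiated"), "can works" should read "can work", and "cinematic" is a French false friend here; "flow" is the intended word, so the sentence would read "but it can also work with the standard SP-initiated flow".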
Line 47: | Line 47: | ||
CSOD needs two things to configure LL::NG as an IDP: | CSOD needs two things to configure LL::NG as an IDP: | ||
- | * Certificate | + | * Certificate |
- | * SAML assertion | + | * SAML assertion |
=== Certificate === | === Certificate === | ||
- | For the certificate, you can build it from the signing private key registered in Manager. Select the key, and export it (button ''Download this file''): | + | See [[..:samlservice#security_parameters|SAML security parameters]] to know how generate a certificate from you SAML private key. |
- | + | ||
- | {{ :documentation:googleapps-export-priv-key.png |}} | + | |
- | + | ||
- | After choosing the file name (for example lemonldapn-ng-priv.key), download the key on your disk. | + | |
- | + | ||
- | Then use openssl to generate an auto-signed certificate: | + | |
- | <code> | + | |
- | openssl req -new -key lemonldap-ng-priv.key -out cert.csr | + | |
- | openssl x509 -req -days 3650 -in cert.csr -signkey lemonldap-ng-priv.key -out cert.pem | + | |
- | </code> | + | |
=== SAML assertion === | === SAML assertion === | ||
- | This is quite difficult to have because LL::NG only send SAML assertions when it receives an SAML request, and CSOD will only send an SAML Request when configured. | + | You need to use the IDP initiated feature of LL::NG. Just call this URL: |
- | + | ||
- | The only solution is to simulate an SAML Request on LL::NG. It requires to disable signature verification in the CSDO SP configuration. | + | |
- | + | ||
- | After that, you can create your own SAML Request: | + | |
- | <file xml> | + | |
- | <AuthnRequest xmlns:xsd="http://www.w3.org/2001/XMLSchema" | + | |
- | xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" | + | |
- | ID="6fe8d616-9210-49ad-ad54-f4482e17c5ba" | + | |
- | Version="2.0" | + | |
- | IssueInstant="2013-11-26T14:50:00.515738Z" | + | |
- | Destination="https://auth.example.com/saml/singleSignOn" | + | |
- | ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" | + | |
- | AssertionConsumerServiceURL="https://mycompanyid.csod.com/samldefault.aspx" | + | |
- | xmlns="urn:oasis:names:tc:SAML:2.0:protocol" | + | |
- | > | + | |
- | <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">mycompanyid.csod.com</Issuer> | + | |
- | <NameIDPolicy | + | |
- | Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" /> | + | |
- | <Conditions NotBefore="2013-01-31T23:22:32.515738Z" | + | |
- | NotOnOrAfter="2014-01-31T23:27:32.515738Z" | + | |
- | xmlns="urn:oasis:names:tc:SAML:2.0:assertion" | + | |
- | /> | + | |
- | </AuthnRequest> | + | |
- | </file> | + | |
- | + | ||
- | <note important>Change **mycompanyid** (in ''AssertionConsumerService'' markup, parameter ''Location'') into your CSOD company ID, update all dates and update the URL in Destination</note> | + | |
- | + | ||
- | Encode it into base64 and send it to LL::NG as a GET request: | + | |
<code> | <code> | ||
- | https://auth.example.com/saml/singleSignOn?SAMLRequest=XXXX | + | https://auth.example.com/saml/singleSignOn?IDPInitiated=1&sp=mycompanyid.csod.com |
</code> | </code> | ||
- | With the network tracer of your browser, you can get the POST response and extract the SAML assertion. |
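Review bot: the new Certificate line introduces two typos while fixing others: "to know how generate a certificate from you SAML private key" should be "to know how to generate a certificate from your SAML private key". In the SAML assertion section, replacing the hand-built AuthnRequest with the IDP-initiated URL is a clear improvement, since the old procedure required disabling signature verification in the CSOD SP configuration, but two things were lost with it: the note telling readers to substitute their own CSOD company ID (the new URL still carries the `mycompanyid.csod.com` placeholder in its `sp` parameter, with nothing saying to change it), and any hint of where the IDP-initiated feature is enabled in LL::NG. Consider restoring a short note along the lines of "Replace mycompanyid with your CSOD company ID" and linking to the LL::NG option that enables IDP-initiated SSO; readers who followed the previous version of this page should also be told to re-enable signature verification on the CSOD side, since the new method no longer needs it disabled.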