Differences

documentation:latest:applications:cornerstone [2013/12/06 17:23]
coudot
documentation:latest:applications:cornerstone [2017/02/07 17:06] (current)
Line 5: Line 5:
 ===== Presentation ===== ===== Presentation =====
  
-[[http://​www.cornerstoneondemand.com/​|CornerStone On Demand (CSOD)]] allows to use SAML to authenticate users. It works by default with IDP intiated mechanism, but can works with the standard SP initiated cinematic.+[[http://​www.cornerstoneondemand.com/​|CornerStone On Demand (CSOD)]] allows ​one to use SAML to authenticate users. It works by default with IDP intiated mechanism, but can works with the standard SP initiated cinematic.
  
 To work with LL::NG it requires: To work with LL::NG it requires:
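Review bot: the wording fix on the changed line is incomplete: "allows to use" becomes "allows one to use", but "IDP intiated mechanism" and "can works with the standard SP initiated cinematic" are left as they were in the same sentence. Suggest "It works by default with the IdP-initiated mechanism, but can also work with the standard SP-initiated flow." ("cinematic" reads as a calque of the French "cinématique", i.e. the protocol flow.)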
Line 47: Line 47:
  
 CSOD needs two things to configure LL::NG as an IDP: CSOD needs two things to configure LL::NG as an IDP:
-* Certificate +  ​* Certificate 
-* SAML assertion+  * SAML assertion
  
 === Certificate === === Certificate ===
  
-For the certificate,​ you can build it from the signing private key registered in ManagerSelect the key, and export it (button ''​Download this file''​): +See [[..:samlservice#​security_parameters|SAML security parameters]] ​to know how generate ​certificate ​from you SAML private ​key.
- +
-{{ :​documentation:​googleapps-export-priv-key.png ​|}} +
- +
-After choosing the file name (for example lemonldapn-ng-priv.key),​ download the key on your disk. +
- +
-Then use openssl ​to generate ​an auto-signed ​certificate+
-<​code>​ +
-openssl req -new -key lemonldap-ng-priv.key -out cert.csr +
-openssl x509 -req -days 3650 -in cert.csr -signkey lemonldap-ng-priv.key -out cert.pem +
-</​code>​ +
  
 === SAML assertion === === SAML assertion ===
  
-This is quite difficult ​to have because ​LL::​NG ​only send SAML assertions when it receives an SAML request, and CSOD will only send an SAML Request when configured. +You need to use the IDP initiated feature of LL::​NG. ​Just call this URL:
- +
-The only solution is to simulate an SAML Request on LL::NG. It requires to disable signature verification in the CSDO SP configuration. +
- +
-After that, you can create your own SAML Request: +
-<file xml> +
-<​AuthnRequest xmlns:​xsd="​http://​www.w3.org/​2001/​XMLSchema"​ +
-              xmlns:​xsi="​http://​www.w3.org/​2001/​XMLSchema-instance"​ +
-              ID="​6fe8d616-9210-49ad-ad54-f4482e17c5ba"​ +
-              Version="​2.0"​ +
-              IssueInstant="​2013-11-26T14:​50:​00.515738Z"​ +
-              Destination="​https://​auth.example.com/​saml/​singleSignOn"​ +
-              ProtocolBinding="​urn:​oasis:​names:​tc:​SAML:​2.0:​bindings:​HTTP-POST"​ +
-              AssertionConsumerServiceURL="​https://​mycompanyid.csod.com/​samldefault.aspx"​ +
-              xmlns="​urn:​oasis:​names:​tc:​SAML:​2.0:​protocol"​ +
-              > +
-    <Issuer xmlns="​urn:​oasis:​names:​tc:​SAML:​2.0:​assertion">​mycompanyid.csod.com</​Issuer>​ +
-    <​NameIDPolicy +
-Format="​urn:​oasis:​names:​tc:​SAML:​1.1:​nameid-format:​unspecified"​ /> +
-    <​Conditions NotBefore="​2013-01-31T23:​22:​32.515738Z"​ +
-                NotOnOrAfter="​2014-01-31T23:​27:​32.515738Z"​ +
-                xmlns="​urn:​oasis:​names:​tc:​SAML:​2.0:​assertion"​ +
-                /> +
-</​AuthnRequest>​ +
-</​file>​ +
- +
-<note important>​Change **mycompanyid** (in ''​AssertionConsumerService''​ markup, parameter ''​Location''​) into your CSOD company ID, update all dates and update the URL in Destination</​note>​ +
- +
-Encode it into base64 and send it to LL::NG as a GET request:+
 <​code>​ <​code>​
-https://​auth.example.com/​saml/​singleSignOn?​SAMLRequest=XXXX+https://​auth.example.com/​saml/​singleSignOn?​IDPInitiated=1&​sp=mycompanyid.csod.com
 </​code>​ </​code>​
  
-With the network tracer of your browser, you can get the POST response and extract the SAML assertion.
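Review bot: replacing the hand-built AuthnRequest with the IDP-initiated URL drops a security-relevant statement without replacing it: the removed text said the old procedure "requires to disable signature verification in the CSDO SP configuration", and the new text should say explicitly that this is no longer needed when calling "https://auth.example.com/saml/singleSignOn?IDPInitiated=1&sp=mycompanyid.csod.com", and that anyone who disabled signature verification on the CSOD side to follow the earlier version should re-enable it. Two smaller points in the same hunk: the removed note telling the reader to change **mycompanyid** into their CSOD company ID is gone while the placeholder still appears in the new URL, so that instruction should be kept next to it; and the new certificate sentence has grammar errors, suggest "See [[..:samlservice#security_parameters|SAML security parameters]] to learn how to generate a certificate from your SAML private key." Lastly, the removed final line ("With the network tracer of your browser, you can get the POST response and extract the SAML assertion.") has no replacement in this view, so unless the rest of the revision reintroduces it, the new text no longer tells the reader how to capture the assertion that CSOD asks for after calling that URL.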