[doc] Use name Authentic 2
parent 72ec4a3099
commit 40c36926e5
@ -1,11 +1,11 @@
|
||||||
.. _administration_with_policies:
|
.. _administration_with_policies:
|
||||||
|
|
||||||
=========================================================
|
==========================================================
|
||||||
How global policies are used in Authentic2 administration
|
How global policies are used in Authentic 2 administration
|
||||||
=========================================================
|
==========================================================
|
||||||
|
|
||||||
The policy management with global policies is nearly used for any kind of
|
The policy management with global policies is nearly used for any kind of
|
||||||
policy in Authentic2.
|
policy in Authentic 2.
|
||||||
|
|
||||||
For each kind of these policies, the system takes in account two special
|
For each kind of these policies, the system takes in account two special
|
||||||
global policies named 'Default' and 'All':
|
global policies named 'Default' and 'All':
|
||||||
|
|
|
@ -1,25 +1,25 @@
|
||||||
.. _attribute_management:
|
.. _attribute_management:
|
||||||
|
|
||||||
==================================
|
===================================
|
||||||
Attribute Management in Authentic2
|
Attribute Management in Authentic 2
|
||||||
==================================
|
===================================
|
||||||
|
|
||||||
Summary
|
Summary
|
||||||
=======
|
=======
|
||||||
|
|
||||||
Attribute management currently allows to configure attribute policies
|
Attribute management currently allows to configure attribute policies
|
||||||
associated with SAML2 service providers to define attributes that are
|
associated with SAML2 service providers to define attributes that are
|
||||||
pushed in SAML2 successful authentication response delivered by Authentic2.
|
pushed in SAML2 successful authentication response delivered by Authentic 2.
|
||||||
|
|
||||||
User attributes can be taken from LDAP directories, the user Django
|
User attributes can be taken from LDAP directories, the user Django
|
||||||
profile or taken from the user Django session if Authentic2 is also configured
|
profile or taken from the user Django session if Authentic 2 is also configured
|
||||||
as a SAML2 service provider.
|
as a SAML2 service provider.
|
||||||
|
|
||||||
Indeed, when Authentic2 acts also as a SAML2 service provider,
|
Indeed, when Authentic 2 acts also as a SAML2 service provider,
|
||||||
attributes contained in the SAML2 assertion received from third IdP are put in
|
attributes contained in the SAML2 assertion received from third IdP are put in
|
||||||
the user session.
|
the user session.
|
||||||
|
|
||||||
Attributes can thus be proxyfied during SSO with Authentic2
|
Attributes can thus be proxyfied during SSO with Authentic 2
|
||||||
configured as a SAML2 proxy.
|
configured as a SAML2 proxy.
|
||||||
|
|
||||||
*If there is no attribute policy associate with a service provider, no
|
*If there is no attribute policy associate with a service provider, no
|
||||||
|
@ -111,11 +111,11 @@ ___________________________________________________
|
||||||
|
|
||||||
To find the user in a LDAP directory, authentic2 must know its distinguished
|
To find the user in a LDAP directory, authentic2 must know its distinguished
|
||||||
name (DN). If this LDAP has been used when the user has authenticated,
|
name (DN). If this LDAP has been used when the user has authenticated,
|
||||||
Authentic2 learn the user DN. Nothing has to be done from this point of view.
|
Authentic 2 learn the user DN. Nothing has to be done from this point of view.
|
||||||
|
|
||||||
However, if it is expected that user attributes be taken in a directory that
|
However, if it is expected that user attributes be taken in a directory that
|
||||||
is not used by the user for authentication, it is necessary to manually
|
is not used by the user for authentication, it is necessary to manually
|
||||||
indicate to Authentic2 what is the user DN in the directory. For this, a
|
indicate to Authentic 2 what is the user DN in the directory. For this, a
|
||||||
user alias in source is created for the user:
|
user alias in source is created for the user:
|
||||||
|
|
||||||
1. Go to http[s]://your.domain.com/admin/attribute_aggregator/useraliasinsource/add/
|
1. Go to http[s]://your.domain.com/admin/attribute_aggregator/useraliasinsource/add/
|
||||||
|
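Review bot: the rename is incomplete in this hunk: the first context line still reads "To find the user in a LDAP directory, authentic2 must know its distinguished" (lower-case, no space) while the line right below it is changed to "Authentic 2 learn the user DN". Since the commit's purpose is to use the name "Authentic 2" throughout, please change that occurrence too, and while that line is touched, "Authentic 2 learn" should read "Authentic 2 learns".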
@ -291,7 +291,7 @@ ________________________________________________________________________________
|
||||||
|
|
||||||
The system needs to 'recognise the attributes' to perform the mapping.
|
The system needs to 'recognise the attributes' to perform the mapping.
|
||||||
For this, you need to indicate the namespace of attributes received per source
|
For this, you need to indicate the namespace of attributes received per source
|
||||||
if the namespace is not the one of Authentic2 (X500/LDAP and extensions edu*
|
if the namespace is not the one of Authentic 2 (X500/LDAP and extensions edu*
|
||||||
and supann).
|
and supann).
|
||||||
|
|
||||||
In other words if the source provides attributes in a different namespace, you
|
In other words if the source provides attributes in a different namespace, you
|
||||||
|
@ -322,7 +322,7 @@ ________________________________________________________________________________
|
||||||
The system needs to 'recognise the attributes' to filter the attributes
|
The system needs to 'recognise the attributes' to filter the attributes
|
||||||
according to a list of attributes.
|
according to a list of attributes.
|
||||||
For this, you need to indicate the namespace of attributes received per source
|
For this, you need to indicate the namespace of attributes received per source
|
||||||
if the namespace is not the one of Authentic2 (X500/LDAP and extensions edu*
|
if the namespace is not the one of Authentic 2 (X500/LDAP and extensions edu*
|
||||||
and supann).
|
and supann).
|
||||||
|
|
||||||
In other words if the source provides attributes in a different namespace, you
|
In other words if the source provides attributes in a different namespace, you
|
||||||
|
|
|
@ -235,13 +235,13 @@ exists, obsolete data are removed at loading.
|
||||||
When authentic 2 deals with attributes and needs mapping?
|
When authentic 2 deals with attributes and needs mapping?
|
||||||
---------------------------------------------------------
|
---------------------------------------------------------
|
||||||
|
|
||||||
Authentic2 behaves as an attribute provider:
|
Authentic 2 behaves as an attribute provider:
|
||||||
* At the SSO login
|
* At the SSO login
|
||||||
* When an attribute request is received
|
* When an attribute request is received
|
||||||
|
|
||||||
Authentic requests (e.g. by soap) are not yet supported.
|
Authentic requests (e.g. by soap) are not yet supported.
|
||||||
|
|
||||||
When Authentic2 behaves as an attribute provider at SSO login
|
When Authentic 2 behaves as an attribute provider at SSO login
|
||||||
_____________________________________________________________
|
_____________________________________________________________
|
||||||
|
|
||||||
At a SSO request, just before responding to the service provider, the saml2
|
At a SSO request, just before responding to the service provider, the saml2
|
||||||
|
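Review bot: the section heading "When authentic 2 deals with attributes and needs mapping?" is left lower-case in both old and new columns, which is inconsistent with the "Authentic 2" spelling introduced in the line "Authentic 2 behaves as an attribute provider:" just below it. Capitalising it to "Authentic 2" does not change the heading length, so the dashed underline on the next line needs no adjustment.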
@ -433,6 +433,6 @@ This is currently implemented only for the SAML2 service provider module of
|
||||||
authentic2. Authsaml2, the SP module, parse the assertion and put the
|
authentic2. Authsaml2, the SP module, parse the assertion and put the
|
||||||
attributes in the session.
|
attributes in the session.
|
||||||
|
|
||||||
Then, Authentic2 can be used as a SAML2 proxy forwarding attributes in
|
Then, Authentic 2 can be used as a SAML2 proxy forwarding attributes in
|
||||||
assertion, eventually doing a namespace mapping. For this, the option
|
assertion, eventually doing a namespace mapping. For this, the option
|
||||||
forward attributes in sesion must be set (by default False).
|
forward attributes in sesion must be set (by default False).
|
||||||
|
|
|
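Review bot: the first context line of this hunk still contains the old spelling ("authentic2. Authsaml2, the SP module, parse the assertion") while the line "Then, Authentic 2 can be used as a SAML2 proxy" is updated; please rename that occurrence as well (leave "Authsaml2", which is the module name). The last changed line also carries the typo "forward attributes in sesion must be set"; since the line is already being modified, correct it to "session".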
@ -1,8 +1,8 @@
|
||||||
.. _auth_pam:
|
.. _auth_pam:
|
||||||
|
|
||||||
=====================================
|
======================================
|
||||||
Authentication on Authentic2 with PAM
|
Authentication on Authentic 2 with PAM
|
||||||
=====================================
|
======================================
|
||||||
|
|
||||||
This module is copied from https://bitbucket.org/wnielson/django-pam/ by Weston
|
This module is copied from https://bitbucket.org/wnielson/django-pam/ by Weston
|
||||||
Nielson and the pam ctype module by Chris Atlee http://atlee.ca/software/pam/.
|
Nielson and the pam ctype module by Chris Atlee http://atlee.ca/software/pam/.
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
.. _config_cas_idp:
|
.. _config_cas_idp:
|
||||||
|
|
||||||
====================================
|
=====================================
|
||||||
Configure Authentic2 as a CAS client
|
Configure Authentic 2 as a CAS client
|
||||||
====================================
|
=====================================
|
||||||
|
|
|
@ -1,11 +1,11 @@
|
||||||
.. _config_cas_sp:
|
.. _config_cas_sp:
|
||||||
|
|
||||||
====================================
|
=====================================
|
||||||
Configure Authentic2 as a CAS server
|
Configure Authentic 2 as a CAS server
|
||||||
====================================
|
=====================================
|
||||||
|
|
||||||
How to use Authentic2 as a CAS 1.0 or CAS 2.0 identity provider ?
|
How to use Authentic 2 as a CAS 1.0 or CAS 2.0 identity provider ?
|
||||||
-----------------------------------------------------------------
|
------------------------------------------------------------------
|
||||||
|
|
||||||
1. Activate CAS IdP support in settings.py::
|
1. Activate CAS IdP support in settings.py::
|
||||||
|
|
||||||
|
|
|
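Review bot: the heading "How to use Authentic 2 as a CAS 1.0 or CAS 2.0 identity provider ?" keeps a stray space before the question mark; since this line and its underline are both being rewritten, drop the space and shorten the dashed underline by one character so the two stay the same length.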
@ -1,29 +1,29 @@
|
||||||
.. _config_saml2_idp:
|
.. _config_saml2_idp:
|
||||||
|
|
||||||
=================================================================
|
==================================================================
|
||||||
Configure Authentic2 as a SAML2 service provider or a SAML2 proxy
|
Configure Authentic 2 as a SAML2 service provider or a SAML2 proxy
|
||||||
=================================================================
|
==================================================================
|
||||||
|
|
||||||
**The configuration to make Authentic2 a SAML2 service provider or a SAML2
|
**The configuration to make Authentic 2 a SAML2 service provider or a SAML2
|
||||||
proxy is the same. The difference comes from that Authentic2 is may be
|
proxy is the same. The difference comes from that Authentic 2 is may be
|
||||||
configured or not as a SAML2 identity provider.**
|
configured or not as a SAML2 identity provider.**
|
||||||
|
|
||||||
How do I authenticate against a third SAML2 identity provider?
|
How do I authenticate against a third SAML2 identity provider?
|
||||||
==============================================================
|
==============================================================
|
||||||
|
|
||||||
1. Declare Authentic2 as a SAML2 service provider on your SAML2 identity provider using the SAML2 service provider metadata of Authentic2.
|
1. Declare Authentic 2 as a SAML2 service provider on your SAML2 identity provider using the SAML2 service provider metadata of Authentic 2.
|
||||||
|
|
||||||
Go to http[s]://your.domain.com/authsaml2/metadata
|
Go to http[s]://your.domain.com/authsaml2/metadata
|
||||||
|
|
||||||
2. Add and configure a SAML2 identity provider entry in Authentic2 using the metadata of the identity provider.
|
2. Add and configure a SAML2 identity provider entry in Authentic 2 using the metadata of the identity provider.
|
||||||
|
|
||||||
How do I add and configure a SAML2 identity provider in Authentic2?
|
How do I add and configure a SAML2 identity provider in Authentic 2?
|
||||||
===================================================================
|
====================================================================
|
||||||
|
|
||||||
You first need to create a SAML2 identity provider entry with the SAML2
|
You first need to create a SAML2 identity provider entry with the SAML2
|
||||||
metadata of the identity provider. Then, you configure it.
|
metadata of the identity provider. Then, you configure it.
|
||||||
|
|
||||||
If your identity provider is Authentic2, the metadata are available at:
|
If your identity provider is Authentic 2, the metadata are available at:
|
||||||
|
|
||||||
http[s]://your.domain.com/idp/saml2/metadata
|
http[s]://your.domain.com/idp/saml2/metadata
|
||||||
|
|
||||||
|
|
|
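Review bot: the changed bold paragraph still reads "The difference comes from that Authentic 2 is may be configured or not as a SAML2 identity provider", which is ungrammatical; as the line is being touched anyway, reword it to "The difference is whether Authentic 2 is also configured as a SAML2 identity provider". The rest of the hunk (heading overlines lengthened by one character to match the longer titles) is consistent.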
@ -4,22 +4,22 @@
|
||||||
Configure SAML 2.0 service providers
|
Configure SAML 2.0 service providers
|
||||||
====================================
|
====================================
|
||||||
|
|
||||||
How do I authenticate against Authentic2 with a SAML2 service provider?
|
How do I authenticate against Authentic 2 with a SAML2 service provider?
|
||||||
=======================================================================
|
=======================================================================
|
||||||
|
|
||||||
1. Declare Authentic2 as a SAML2 identity provider on your SAML2 service provider using the SAML2 identity provider metadata of Authentic2.
|
1. Declare Authentic 2 as a SAML2 identity provider on your SAML2 service provider using the SAML2 identity provider metadata of Authentic 2.
|
||||||
|
|
||||||
Go to http[s]://your.domain.com/idp/saml2/metadata
|
Go to http[s]://your.domain.com/idp/saml2/metadata
|
||||||
|
|
||||||
2. Add and configure a SAML2 service provider in Authentic2 using the metadata of the service provider.
|
2. Add and configure a SAML2 service provider in Authentic 2 using the metadata of the service provider.
|
||||||
|
|
||||||
How do I add and configure a SAML2 service provider in Authentic2?
|
How do I add and configure a SAML2 service provider in Authentic 2?
|
||||||
==================================================================
|
==================================================================
|
||||||
|
|
||||||
You first need to create a new SAML2 service provider entry. This requires the
|
You first need to create a new SAML2 service provider entry. This requires the
|
||||||
SAML2 metadata of the service provider.
|
SAML2 metadata of the service provider.
|
||||||
|
|
||||||
If your service provider is Authentic2, the metadata are available at:
|
If your service provider is Authentic 2, the metadata are available at:
|
||||||
|
|
||||||
http[s]://your.domain.com/authsaml2/metadata
|
http[s]://your.domain.com/authsaml2/metadata
|
||||||
|
|
||||||
|
|
|
@ -1,8 +1,8 @@
|
||||||
.. _consent_management:
|
.. _consent_management:
|
||||||
|
|
||||||
================================
|
=================================
|
||||||
Consent Management in Authentic2
|
Consent Management in Authentic 2
|
||||||
================================
|
=================================
|
||||||
|
|
||||||
What is the SAML2 federation consent aka account linking consent?
|
What is the SAML2 federation consent aka account linking consent?
|
||||||
=================================================================
|
=================================================================
|
||||||
|
|
index.rst (22)
|
@ -1,20 +1,20 @@
|
||||||
.. Authentic2 documentation master file, created by
|
.. Authentic 2 documentation master file, created by
|
||||||
sphinx-quickstart on Thu Oct 13 09:53:03 2011.
|
sphinx-quickstart on Thu Oct 13 09:53:03 2011.
|
||||||
You can adapt this file completely to your liking, but it should at least
|
You can adapt this file completely to your liking, but it should at least
|
||||||
contain the root `toctree` directive.
|
contain the root `toctree` directive.
|
||||||
|
|
||||||
==========================
|
===========================
|
||||||
Authentic2's documentation
|
Authentic 2's documentation
|
||||||
==========================
|
===========================
|
||||||
|
|
||||||
Authentic2 is a versatile identity provider addressing a broad
|
Authentic 2 is a versatile identity provider addressing a broad
|
||||||
range of needs, from simple to advanced setups, around web authentication,
|
range of needs, from simple to advanced setups, around web authentication,
|
||||||
attribute sharing and namespace mapping.
|
attribute sharing and namespace mapping.
|
||||||
|
|
||||||
Authentic2 supports many protocols and standards, including SAML2, CAS, OpenID,
|
Authentic 2 supports many protocols and standards, including SAML2, CAS, OpenID,
|
||||||
LDAP, X509, OATH, and can bridge between them.
|
LDAP, X509, OATH, and can bridge between them.
|
||||||
|
|
||||||
Authentic2 is under the GNU AGPL version 3 licence.
|
Authentic 2 is under the GNU AGPL version 3 licence.
|
||||||
|
|
||||||
It has support for SAMLv2 thanks to `Lasso <http://lasso.entrouvert.org>`_,
|
It has support for SAMLv2 thanks to `Lasso <http://lasso.entrouvert.org>`_,
|
||||||
a free (GNU GPL) implementation of the Liberty Alliance and OASIS
|
a free (GNU GPL) implementation of the Liberty Alliance and OASIS
|
||||||
|
@ -22,9 +22,9 @@ specifications of SAML2, ID-FF1.2 and ID-WSF2.
|
||||||
|
|
||||||
The Documentation is under the licence Creative Commons `CC BY-SA 2.0 <http://creativecommons.org/licenses/by-sa/2.0/>`_.
|
The Documentation is under the licence Creative Commons `CC BY-SA 2.0 <http://creativecommons.org/licenses/by-sa/2.0/>`_.
|
||||||
|
|
||||||
- `Authentic2 project site <http://dev.entrouvert.org/projects/authentic>`_
|
- `Authentic 2 project site <http://dev.entrouvert.org/projects/authentic>`_
|
||||||
- `Authentic2 roadmap <http://dev.entrouvert.org/projects/authentic/roadmap>`_
|
- `Authentic 2 roadmap <http://dev.entrouvert.org/projects/authentic/roadmap>`_
|
||||||
- `Documentation in PDF <https://dev.entrouvert.org/attachments/158/Authentic2.pdf>`_
|
- `Documentation in PDF <https://dev.entrouvert.org/attachments/158/Authentic 2.pdf>`_
|
||||||
|
|
||||||
Documentation content
|
Documentation content
|
||||||
=====================
|
=====================
|
||||||
|
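Review bot: the third list item changes a URL, not just prose: `<https://dev.entrouvert.org/attachments/158/Authentic2.pdf>` becomes `<https://dev.entrouvert.org/attachments/158/Authentic 2.pdf>`. A space inside an attachment path will not match the existing file name and reStructuredText will not treat it as a valid link target, so the PDF link breaks unless the attachment itself was renamed (and even then it would need percent-encoding as `Authentic%202.pdf`). Keep the URL as it was and rename only the visible link text.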
@ -69,7 +69,7 @@ Documentation content
|
||||||
Copyright
|
Copyright
|
||||||
=========
|
=========
|
||||||
|
|
||||||
Authentic and Authentic2 are copyrighted by Entr'ouvert and are licensed
|
Authentic and Authentic 2 are copyrighted by Entr'ouvert and are licensed
|
||||||
through the GNU AFFERO GENERAL PUBLIC LICENSE, version 3 or later. A copy of
|
through the GNU AFFERO GENERAL PUBLIC LICENSE, version 3 or later. A copy of
|
||||||
the whole license text is available in the COPYING file.
|
the whole license text is available in the COPYING file.
|
||||||
|
|
||||||
|
|
|
@ -1,23 +1,23 @@
|
||||||
.. _saml2_slo:
|
.. _saml2_slo:
|
||||||
|
|
||||||
======================================
|
=======================================
|
||||||
Single Logout Management in Authentic2
|
Single Logout Management in Authentic 2
|
||||||
======================================
|
=======================================
|
||||||
|
|
||||||
Explanation
|
Explanation
|
||||||
===========
|
===========
|
||||||
|
|
||||||
Authentic2 implements the single logout profile of SAML2 (SLO). Single Logout is
|
Authentic 2 implements the single logout profile of SAML2 (SLO). Single Logout is
|
||||||
used to realise to close user session on distributed applications. The Single
|
used to realise to close user session on distributed applications. The Single
|
||||||
Logout is managed by the IdP. However, its exists many profiles all supported
|
Logout is managed by the IdP. However, its exists many profiles all supported
|
||||||
by Authentic2:
|
by Authentic 2:
|
||||||
|
|
||||||
- SLO IdP initiated by SOAP
|
- SLO IdP initiated by SOAP
|
||||||
- SLO IdP initiated by Redirect
|
- SLO IdP initiated by Redirect
|
||||||
- SLO SP initiated by SOAP
|
- SLO SP initiated by SOAP
|
||||||
- SLO SP initiated by Redirect
|
- SLO SP initiated by Redirect
|
||||||
|
|
||||||
Then, Authentic2 acting as an IdP but also as a SP (for proxying), a
|
Then, Authentic 2 acting as an IdP but also as a SP (for proxying), a
|
||||||
logout request can be received from:
|
logout request can be received from:
|
||||||
|
|
||||||
- the logout button on the user interface;
|
- the logout button on the user interface;
|
||||||
|
@ -28,16 +28,16 @@ The configuration by policy allows to refuse SLO request coming from a SP or
|
||||||
an IdP.
|
an IdP.
|
||||||
|
|
||||||
**The the SLO request is accepted or comes from the user interface, at the end
|
**The the SLO request is accepted or comes from the user interface, at the end
|
||||||
of the process the local session on Authentic2 will always be closed.**
|
of the process the local session on Authentic 2 will always be closed.**
|
||||||
|
|
||||||
During the process of treatment of the logout request, when the logout request
|
During the process of treatment of the logout request, when the logout request
|
||||||
comes from a SP, if the local session was established through a third SAML2 IdP,
|
comes from a SP, if the local session was established through a third SAML2 IdP,
|
||||||
Authentic2 sends it a logout request (SLO proxying). Then, Authentic2
|
Authentic 2 sends it a logout request (SLO proxying). Then, Authentic 2
|
||||||
sends logout resuests to all service providers with an active session but the
|
sends logout resuests to all service providers with an active session but the
|
||||||
requesting service provider.
|
requesting service provider.
|
||||||
|
|
||||||
During the process of treatment of the logout request, when the logout request
|
During the process of treatment of the logout request, when the logout request
|
||||||
comes from an IdP, Authentic2 sends logout resuests to all service providers
|
comes from an IdP, Authentic 2 sends logout resuests to all service providers
|
||||||
with an active session.
|
with an active session.
|
||||||
|
|
||||||
The configuration by policy allows to select which IdP and SP to logout
|
The configuration by policy allows to select which IdP and SP to logout
|
||||||
|
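Review bot: the changed line "comes from an IdP, Authentic 2 sends logout resuests to all service providers" keeps the typo "resuests", and the same typo appears in the unchanged context line "sends logout resuests to all service providers with an active session but the" two paragraphs earlier; fix both to "requests". The bold sentence in this hunk also opens with "The the SLO request is accepted", which should read "If the SLO request is accepted".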
@ -117,7 +117,7 @@ How deactivate the SLO?
|
||||||
=======================
|
=======================
|
||||||
|
|
||||||
There is no real deactivation process. When it is possible and authorized,
|
There is no real deactivation process. When it is possible and authorized,
|
||||||
Authentic2 send logout requests when a logout request is received.
|
Authentic 2 send logout requests when a logout request is received.
|
||||||
|
|
||||||
If an options policy is not found for the source or the destination of the
|
If an options policy is not found for the source or the destination of the
|
||||||
logout request, the logout requests are not accepted nor forwarded.
|
logout request, the logout requests are not accepted nor forwarded.
|
||||||
|
|
|
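Review bot: the changed line "Authentic 2 send logout requests when a logout request is received" has a subject-verb disagreement; since it is already being edited, make it "Authentic 2 sends logout requests".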
@ -1,18 +1,18 @@
|
||||||
.. _where_metadata:
|
.. _where_metadata:
|
||||||
|
|
||||||
==============================================
|
===============================================
|
||||||
Where do I find the Authentic2 SAML2 metadata?
|
Where do I find the Authentic 2 SAML2 metadata?
|
||||||
==============================================
|
===============================================
|
||||||
|
|
||||||
The SAML2 metadata are automatically generated.
|
The SAML2 metadata are automatically generated.
|
||||||
|
|
||||||
**Authentic2 will infer from environment variables the host and port to
|
**Authentic 2 will infer from environment variables the host and port to
|
||||||
generate the URLs contained in the medatada.**
|
generate the URLs contained in the medatada.**
|
||||||
|
|
||||||
The metadata of Authentic2 SAML2 identity provider are available at:
|
The metadata of Authentic 2 SAML2 identity provider are available at:
|
||||||
|
|
||||||
http[s]://your.domain.com/idp/saml2/metadata
|
http[s]://your.domain.com/idp/saml2/metadata
|
||||||
|
|
||||||
The metadata of Authentic2 SAML2 service provider are available at:
|
The metadata of Authentic 2 SAML2 service provider are available at:
|
||||||
|
|
||||||
http[s]://your.domain.com/authsaml2/metadata
|
http[s]://your.domain.com/authsaml2/metadata
|
||||||
|
|
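Review bot: the bold context line "generate the URLs contained in the medatada." carries the typo "medatada" (should be "metadata"); it sits directly under a line this hunk changes, so it is worth fixing in the same commit.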