entrouvert
/
authentic2-doc
Archived
17
0
Fork 0
Code Issues Pull Requests Releases Activity
This repository has been archived on 2023-02-21. You can view files and clone it, but cannot push or open issues or pull requests.
authentic2-doc/config_saml2_sp.rst

143 lines
4.0 KiB
ReStructuredText
Raw Permalink Blame History

.. _config_saml2_sp:
====================================
Configure SAML 2.0 service providers
====================================
How do I authenticate against Authentic 2 with a SAML2 service provider?
========================================================================
1. Declare Authentic 2 as a SAML2 identity provider on your SAML2 service provider using the SAML2 identity provider metadata of Authentic 2.
Go to http[s]://your.domain.com/idp/saml2/metadata
2. Add and configure a SAML2 service provider in Authentic 2 using the metadata of the service provider.
How do I add and configure a SAML2 service provider in Authentic 2?
===================================================================
You first need to create a new SAML2 service provider entry. This requires the
SAML2 metadata of the service provider.
If your service provider is Authentic 2, the metadata are available at:
http[s]://your.domain.com/authsaml2/metadata
See :ref:`where_metadata` for more information.
Create a SAML2 service provider entry
-------------------------------------
1. Go to
http[s]://your.domain.com/admin/saml/libertyprovider/add/
2. Fill the form fields
.. image:: pictures/new_saml2_sp_1.png
:width: 800 px
:align: center
.. image:: pictures/new_saml2_sp_2.png
:width: 800 px
:align: center
**Note:** The service provider must be enabled.
See below about configuring the service provider with policies:
* options of the service provider
* protocol policy
* attribute policy
3. Save
.. image:: pictures/new_saml2_sp_saved.png
:width: 800 px
:align: center
Apply a SAML2 service provider options policy
---------------------------------------------
The SAML2 options of the service provider are configured using sp options
policies.
See the *administration with policy principle* page :ref:`administration_with_policies`.
You may create a regular policy and configure your service provider to use it.
Go to:
http[s]://your.domain.com/admin/saml/spoptionsidppolicy/add/
Configure your policy and save:
.. image:: pictures/sp_options_regular.png
:width: 800 px
:align: center
.. image:: pictures/sp_options_regular_saved.png
:width: 800 px
:align: center
Apply the policy to the service provider:
.. image:: pictures/sp_options_regular_modify_sp.png
:width: 800 px
:align: center
Example with a policy 'Default':
.. image:: pictures/sp_options_default.png
:width: 800 px
:align: center
Example with a policy 'All':
.. image:: pictures/sp_options_all.png
:width: 800 px
:align: center
If no policy is found for the configuration of the SAML2 options of a service
provider, the following error is displayed to the users when a SSO request is
received.
.. image:: pictures/error_no_sp_options.png
:width: 800 px
:align: center
Configure the SAML2 service provider protocol options
-----------------------------------------------------
This kind of policy does not use the policy management using global policies.
You should use the default option except if your service provider is a
Shibboleth service provider, then you should use the option "Shibboleth SP
(AuthnRequest Signature: Does not check signatures)".
Configure the attribute policy of the service provider
------------------------------------------------------
See the attribute management page :ref:`attribute_management`.
How to refresh the metadata of a service provider hosted at a Well-Known Location?
==================================================================================
The Well-Known Location (WKL) means that the entity Id of the provider is a
URL at which the provider metadata are hosted.
To refresh them, select the provider on the list of provider, then select in
the menu 'Update metadata', then click on 'Go'.
.. image:: pictures/update_metadata.png
:width: 800 px
:align: center
How to create in bulk service providers with the sync-metadata script?
======================================================================
See the page explaining the use of the script sync-metadata :ref:`sync-metadata_script`.
View Git Blame Copy Permalink