Merge branch 'fix_SAML_README_escaping_less-than_and_greater-than_symbols' into 'master'
Fix SAML_README.md by escaping less-than and greater-than symbols See merge request isard/isard-sso!11
Josep Maria Viñolas Auquer
commit
8d0714ee6f
|
|
@ -4,7 +4,7 @@ The authentication it is done with SAML plugins in the apps agains a central Key
|
|||
|
||||
## Keycloak
|
||||
|
||||
The identity provider administration interface can be reached at https://sso.<yourdomain>. There you can add client apps, roles, groups, users, mappers, etc... Please read documentation at: https://www.keycloak.org/documentation
|
||||
The identity provider administration interface can be reached at https://sso.\<domain\>. There you can add client apps, roles, groups, users, mappers, etc... Please read documentation at: https://www.keycloak.org/documentation
|
||||
|
||||
## Applications
|
||||
|
||||
|
|
@ -15,13 +15,13 @@ In this document we will cover **Moodle**, **Nextcloud** and **Wordpress** SAML
|
|||
Install SAML plugin and follow this steps in **Moodle**:
|
||||
|
||||
1. Activate SAML2 plugin at the **Extensions** -> **Authentication** in Moodle. You should click on the eye. Then enter de *configuration* link.
|
||||
2. Click on the **Regenerate SP certificate** button. Optionally set up your desired certificate data and accept. You will need to get back to SAML2 configuration plugin afterwards. The direct link page is: https://moodle.<yourdomain>/auth/saml2/regenerate.php
|
||||
2. Click on the **Regenerate SP certificate** button. Optionally set up your desired certificate data and accept. You will need to get back to SAML2 configuration plugin afterwards. The direct link page is: https://moodle.\<domain\>/auth/saml2/regenerate.php
|
||||
3. Click on the **Lock down** certificate button and accept. This will avoid SAML2 plugin to regenerate the certificate each time we restart Moodle (why has this annoying behaviour?)
|
||||
4. Download **SAML2 Service Provider** xml and save it in a file (better right click and save to file). The direct link page is: https://moodle.<yourdomain>/auth/saml2/sp/metadata.php
|
||||
4. Download **SAML2 Service Provider** xml and save it in a file (better right click and save to file). The direct link page is: https://moodle.\<domain\>/auth/saml2/sp/metadata.php
|
||||
|
||||
Now go to your *keycloak* admin (https://sso.<yourdomain>.) and:
|
||||
Now go to your *keycloak* admin (https://sso.\<domain\>.) and:
|
||||
|
||||
1. At **Clients** menú go to **create** new client and import the moodle **SAML2 Service Provider** xml and accept. The direct link is: https://sso.<yourdomain>/auth/admin/master/console/#/create/client/master
|
||||
1. At **Clients** menú go to **create** new client and import the moodle **SAML2 Service Provider** xml and accept. The direct link is: https://sso.\<domain\>/auth/admin/master/console/#/create/client/master
|
||||
2. Now go to **Mappers** tab in this client and add this builtins:
|
||||
1. *email*
|
||||
2. *givenName*
|
||||
|
|
@ -64,7 +64,7 @@ BEAWARE: of the good programmers, but very bad designers (I empathyze with them
|
|||
2. Generate Nextcloud SP keys. Sorry, this step is needed. So you should generate your own ones. If you don't know how to install this just enter the nextcloud container (docker exec -ti isard-apps-nextcloud-app /bin/sh) and run the command there and copy the contents elsewhere with the *private.key* and *public.cert* names.
|
||||
1. **openssl req -nodes -new -x509 -keyout private.key -out public.cert**
|
||||
3. Install SAML plugin. Select **Integrated configuration** at first config page.
|
||||
4. Configure at: https://nextcloud.<yourdomain>/settings/admin/saml or going to the **Settings** options in user menú.
|
||||
4. Configure at: https://nextcloud.\<domain\>/settings/admin/saml or going to the **Settings** options in user menú.
|
||||
1. **General**
|
||||
1. Input box: **Attribute to map the UID to**: username
|
||||
2. Input box: **Optional display name**: *anything you want as this won't be shown when we activate the direct redirect to keycloak SSO login.
|
||||
|
|
@ -72,9 +72,9 @@ BEAWARE: of the good programmers, but very bad designers (I empathyze with them
|
|||
1. **x509**: public.key (generated before)
|
||||
2. **Private key**: private.key (generated before)
|
||||
3. **Identity Provider Data**
|
||||
1. **Identifier of the IdP**: https://sso.<yourdomain>/auth/realms/master
|
||||
2. **URL target of the IdP**: https://sso.<yourdomain>/auth/realms/master/protocol/saml
|
||||
3. **URL Location of the IdP SLO request**: https://sso.<domain>/auth/realms/poc/protocol/saml
|
||||
1. **Identifier of the IdP**: https://sso.\<domain\>/auth/realms/master
|
||||
2. **URL target of the IdP**: https://sso.\<domain\>/auth/realms/master/protocol/saml
|
||||
3. **URL Location of the IdP SLO request**: https://sso.\<domain\>/auth/realms/poc/protocol/saml
|
||||
4. **Public X.509 certificate**: (The *RSA Certificate* from keycloak at the very first step number 1).
|
||||
4. **Attribute mapping**
|
||||
1. **email**: email
|
||||
|
|
@ -91,8 +91,8 @@ BEAWARE: of the good programmers, but very bad designers (I empathyze with them
|
|||
|
||||
If you reached this point you are almost done with Nextcloud SAML configuration if the *annoying* live update of this plugin page shows at the bottom the **Download XML metadata** with no errors. Now let's go back to **Keycloak admin console** and finish configuration.
|
||||
|
||||
1. At **Clients** menú go to **create** new client and import the nextcloud **SAML2 Service Provider** xml that you just downloaded and accept. The direct link is: https://sso.<yourdomain>/auth/admin/master/console/#/create/client/master.
|
||||
1. My guru that I referenced at the beginning of this documentation says that you should set the **Client SAML Endpoint** to https://sso.<yourdomain>/auth/realms/master prior to accepting the uploaded xml data. I tested that this is not really needed.
|
||||
1. At **Clients** menú go to **create** new client and import the nextcloud **SAML2 Service Provider** xml that you just downloaded and accept. The direct link is: https://sso.\<domain\>/auth/admin/master/console/#/create/client/master.
|
||||
1. My guru that I referenced at the beginning of this documentation says that you should set the **Client SAML Endpoint** to https://sso.\<domain\>/auth/realms/master prior to accepting the uploaded xml data. I tested that this is not really needed.
|
||||
2. Now go to **Mappers** tab in this client and create **Custom Mapper** fields: NOTE: ONLY USERNAME and ROLES WORKING. Nextcloud doesn't get email
|
||||
1. Name: `username`
|
||||
Mapper Type: *User Property*
|
||||
|
|
@ -193,4 +193,4 @@ NOTE: Client Id in Keycloak has to be exactly **php-saml**. It could be modified
|
|||
SAML Attribute NameFormat: *Basic*
|
||||
Single Role Attribute: *On*
|
||||
|
||||
To access as an admin again you should use the url: https://wp.<domain>/wp-login.php?normal
|
||||
To access as an admin again you should use the url: https://wp.\<domain\>/wp-login.php?normal
|
||||
|
|
|
|||
Loading…
Reference in New Issue