File: samlservice.html

package info (click to toggle)
lemonldap-ng 1.9.7-3%2Bdeb9u2
links: PTS, VCS
area: main
in suites: stretch
size: 39,024 kB
sloc: perl: 37,552; makefile: 922; sh: 472; sql: 5
file content (613 lines) | stat: -rw-r--r-- 27,222 bytes
<!DOCTYPE html>
<html lang="en" dir="ltr">
<head>
  <meta charset="utf-8" />
  <title>documentation:1.9:samlservice</title>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="index,follow"/>
<meta name="keywords" content="documentation,1.9,samlservice"/>
<link rel="search" type="application/opensearchdescription+xml" href="lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="samlservice.html"/>
<link rel="contents" href="samlservice.html" title="Sitemap"/>
<link rel="stylesheet" type="text/css" href="lib/exe/css.php.t.bootstrap3.css"/>
<!-- //if:usedebianlibs
  <link rel="stylesheet" type="text/css" href="/javascript/bootstrap/css/bootstrap.min.css" />
//elsif:useexternallibs
  <link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css"></script>
//elsif:cssminified
  <link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.min.css" />
//else -->
  <link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.css" />
<!-- //endif -->
<script type="text/javascript">/*<![CDATA[*/var NS='documentation:1.9';var JSINFO = {"id":"documentation:1.9:samlservice","namespace":"documentation:1.9"};
/*!]]>*/</script>
<script type="text/javascript" charset="utf-8" src="lib/exe/js.php.t.bootstrap3.js"></script>
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery/jquery.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/jquery-2.2.0.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.js"></script>
<!-- //endif -->
<!-- //if:usedebianlibs
  <script type="text/javascript" src="/javascript/jquery-ui/jquery-ui.min.js"></script>
//elsif:useexternallibs
  <script type="text/javascript" src="http://code.jquery.com/ui/1.10.4/jquery-ui.min.js"></script>
//elsif:jsminified
  <script type="text/javascript" src="/lib/scripts/jquery-ui.min.js"></script>
//else -->
  <script type="text/javascript" src="/lib/scripts/jquery-ui.js"></script>
<!-- //endif -->
</head>
<body>
<div class="dokuwiki export container">
<!-- TOC START -->
<div id="dw__toc">
<h3 class="toggle">Table of Contents</h3>
<div>

<ul class="toc">
<li class="level1"><div class="li"><a href="#presentation">Presentation</a></div></li>
<li class="level1"><div class="li"><a href="#prerequisites">Prerequisites</a></div>
<ul class="toc">
<li class="level2"><div class="li"><a href="#lasso">Lasso</a></div>
<ul class="toc">
<li class="level3"><div class="li"><a href="#debianubuntu">Debian/Ubuntu</a></div></li>
<li class="level3"><div class="li"><a href="#rhelcentosfedora">RHEL/CentOS/Fedora</a></div></li>
<li class="level3"><div class="li"><a href="#other">Other</a></div></li>
</ul>
</li>
<li class="level2"><div class="li"><a href="#rewrite_rules">Rewrite rules</a></div>
<ul class="toc">
<li class="level3"><div class="li"><a href="#apache">Apache</a></div></li>
<li class="level3"><div class="li"><a href="#nginx">Nginx</a></div></li>
</ul>
</li>
</ul>
</li>
<li class="level1"><div class="li"><a href="#service_configuration">Service configuration</a></div>
<ul class="toc">
<li class="level2"><div class="li"><a href="#entry_identifier">Entry Identifier</a></div></li>
<li class="level2"><div class="li"><a href="#security_parameters">Security parameters</a></div></li>
<li class="level2"><div class="li"><a href="#nameid_formats">NameID formats</a></div></li>
<li class="level2"><div class="li"><a href="#authentication_contexts">Authentication contexts</a></div></li>
<li class="level2"><div class="li"><a href="#organization">Organization</a></div></li>
<li class="level2"><div class="li"><a href="#service_provider">Service Provider</a></div>
<ul class="toc">
<li class="level3"><div class="li"><a href="#general_options">General options</a></div></li>
<li class="level3"><div class="li"><a href="#single_logout">Single Logout</a></div></li>
<li class="level3"><div class="li"><a href="#assertion_consumer">Assertion Consumer</a></div></li>
<li class="level3"><div class="li"><a href="#artifact_resolution">Artifact Resolution</a></div></li>
</ul>
</li>
<li class="level2"><div class="li"><a href="#identity_provider">Identity Provider</a></div>
<ul class="toc">
<li class="level3"><div class="li"><a href="#general_parameters">General parameters</a></div></li>
<li class="level3"><div class="li"><a href="#single_sign_on">Single Sign On</a></div></li>
<li class="level3"><div class="li"><a href="#single_logout1">Single Logout</a></div></li>
<li class="level3"><div class="li"><a href="#artifact_resolution1">Artifact Resolution</a></div></li>
</ul>
</li>
<li class="level2"><div class="li"><a href="#attribute_authority">Attribute Authority</a></div>
<ul class="toc">
<li class="level3"><div class="li"><a href="#attribute_service">Attribute Service</a></div></li>
</ul>
</li>
<li class="level2"><div class="li"><a href="#advanced">Advanced</a></div>
<ul class="toc">
<li class="level3"><div class="li"><a href="#saml_sessions_module_name_and_options">SAML sessions module name and options</a></div></li>
<li class="level3"><div class="li"><a href="#common_domain_cookie">Common Domain Cookie</a></div></li>
</ul></li>
</ul></li>
</ul>
</div>
</div>
<!-- TOC END -->

<h1 class="sectionedit1" id="saml_service_configuration">SAML service configuration</h1>
<div class="level1">
<div class="noteclassic"><abbr title="Security Assertion Markup Language">SAML</abbr> service configuration is a common step to configure <abbr title="LemonLDAP::NG">LL::NG</abbr> as <a href="authsaml.html" class="wikilink1" title="documentation:1.9:authsaml">SAML SP</a> or <a href="idpsaml.html" class="wikilink1" title="documentation:1.9:idpsaml">SAML IDP</a>.
</div>
</div>
<!-- EDIT1 SECTION "SAML service configuration" [1-169] -->
<h2 class="sectionedit2" id="presentation">Presentation</h2>
<div class="level2">

<p>
This documentation explains how configure <abbr title="Security Assertion Markup Language">SAML</abbr> service in <abbr title="LemonLDAP::NG">LL::NG</abbr>, in particular:
</p>
<ul>
<li class="level1"><div class="li"> Install prerequisites</div>
</li>
<li class="level1"><div class="li"> Import or generate security keys</div>
</li>
<li class="level1"><div class="li"> Set <abbr title="Security Assertion Markup Language">SAML</abbr> end points</div>
</li>
</ul>
<div class="noteimportant">Service configuration will be used to generate <abbr title="LemonLDAP::NG">LL::NG</abbr> <abbr title="Security Assertion Markup Language">SAML</abbr> metadata, that will be shared with other providers. It means that if you modify some settings here, you will have to share again the metadata with other providers. In other words, take the time to configure this part before sharing metadata.
</div>
</div>
<!-- EDIT2 SECTION "Presentation" [170-689] -->
<h2 class="sectionedit3" id="prerequisites">Prerequisites</h2>
<div class="level2">

</div>
<!-- EDIT3 SECTION "Prerequisites" [690-716] -->
<h3 class="sectionedit4" id="lasso">Lasso</h3>
<div class="level3">

<p>
<a href="documentation/lasso.png_documentation_1.9_samlservice.html" class="media" title="documentation:lasso.png"><img src="documentation/lasso.png" class="mediacenter" alt="" /></a>
</p>

<p>
SAML2 implementation is based on <a href="http://lasso.entrouvert.org" class="urlextern" title="http://lasso.entrouvert.org"  rel="nofollow">Lasso</a>. You will need a very recent version of Lasso (&gt;= 2.3.0).
</p>

</div>

<h4 id="debianubuntu">Debian/Ubuntu</h4>
<div class="level4">

<p>
There are packages available here: <a href="http://deb.entrouvert.org/" class="urlextern" title="http://deb.entrouvert.org/"  rel="nofollow">http://deb.entrouvert.org/</a>.
</p>

<p>
You will only need to install liblasso-perl package:
</p>
<pre class="code">sudo apt-get install liblasso-perl</pre>

</div>

<h4 id="rhelcentosfedora">RHEL/CentOS/Fedora</h4>
<div class="level4">

<p>
RPMs are available in <abbr title="LemonLDAP::NG">LL::NG</abbr> RPM repository (see <a href="installrpm.html#yum_repository" class="wikilink1" title="documentation:1.9:installrpm">yum_repository</a>)
</p>

<p>
Then install lasso and lasso-perl packages:
</p>
<pre class="code">yum install lasso lasso-perl</pre>
<div class="noteimportant">Only EL6 64bits and EL7 64bits package are available.
</div>
</div>

<h4 id="other">Other</h4>
<div class="level4">

<p>
<a href="http://lasso.entrouvert.org/download/" class="urlextern" title="http://lasso.entrouvert.org/download/"  rel="nofollow">Download the Lasso tarball</a> and compile it on your system.
</p>

</div>
<!-- EDIT4 SECTION "Lasso" [717-1484] -->
<h3 class="sectionedit5" id="rewrite_rules">Rewrite rules</h3>
<div class="level3">

</div>

<h4 id="apache">Apache</h4>
<div class="level4">

<p>
Be sure that mod_rewrite is installed and that SAML2 rewrite rules are activated in <a href="configlocation.html#portal" class="wikilink1" title="documentation:1.9:configlocation">Apache portal configuration</a>:
</p>
<pre class="code file apache">&lt;<span class="kw3">IfModule</span> mod_rewrite.c&gt;
        <span class="kw1">RewriteEngine</span> <span class="kw2">On</span>
        <span class="kw1">RewriteRule</span> ^/saml/metadata /metadata.pl
        <span class="kw1">RewriteRule</span> ^/saml/.* /index.pl
&lt;/<span class="kw3">IfModule</span>&gt;</pre>

</div>

<h4 id="nginx">Nginx</h4>
<div class="level4">

<p>
Be sure that SAML2 rewrite rules are activated in <a href="configlocation.html#portal1" class="wikilink1" title="documentation:1.9:configlocation">Nginx portal configuration</a>:
</p>
<pre class="code file nginx">  # SAML2 Issuer
  rewrite ^/saml/metadata /metadata.pl last;
  rewrite ^/saml/.* /index.pl last;</pre>

</div>
<!-- EDIT5 SECTION "Rewrite rules" [1485-2078] -->
<h2 class="sectionedit6" id="service_configuration">Service configuration</h2>
<div class="level2">

<p>
Go in Manager and click on <code><abbr title="Security Assertion Markup Language">SAML</abbr> 2 Service</code> node.
</p>
<div class="notetip">You can use #PORTAL# in values to replace the portal <abbr title="Uniform Resource Locator">URL</abbr>.
</div>
</div>
<!-- EDIT6 SECTION "Service configuration" [2079-2242] -->
<h3 class="sectionedit7" id="entry_identifier">Entry Identifier</h3>
<div class="level3">

<p>
Your EntityID, often use as metadata <abbr title="Uniform Resource Locator">URL</abbr>, by default #PORTAL#/saml/metadata.
</p>
<div class="noteclassic">The value will be use in metadata main markup:
<pre class="code file xml"><span class="sc3"><span class="re1">&lt;EntityDescriptor</span> <span class="re0">entityID</span>=<span class="st0">&quot;http://auth.example.com/saml/metadata&quot;</span><span class="re2">&gt;</span></span>
  ...
<span class="sc3"><span class="re1">&lt;/EntityDescriptor<span class="re2">&gt;</span></span></span></pre>

</div><div class="notewarning">If you modify <code>/saml/metadata</code> suffix you have to change corresponding Apache rewrite rule.
</div>
</div>
<!-- EDIT7 SECTION "Entry Identifier" [2243-2640] -->
<h3 class="sectionedit8" id="security_parameters">Security parameters</h3>
<div class="level3">

<p>
You can define keys for <abbr title="Security Assertion Markup Language">SAML</abbr> message signature and encryption. If no encryption keys are defined, signature keys are used for signature and encryption.
</p>

<p>
To define keys, you can:
</p>
<ul>
<li class="level1"><div class="li"> import your own private and public keys (<code>Replace by file</code> input)</div>
</li>
<li class="level1"><div class="li"> generate new public and private keys (<code>New keys</code> button)</div>
</li>
</ul>
<div class="notetip">You can enter a password to protect private key with a password. It will be prompted if you generate keys, else you can set it in the <code>Private key password</code>.
</div>
<p>
<img src="documentation/manager-saml-signature.png" class="mediacenter" alt="" />
</p>

<p>
You can import a certificate containing the public key instead the raw public key. However, certificate will not be really validated by other <abbr title="Security Assertion Markup Language">SAML</abbr> components (expiration date, common name, etc.), but will just be a public key wrapper.
</p>

<p>
You can force <abbr title="LemonLDAP::NG">LL::NG</abbr> to use this certificate in <abbr title="Security Assertion Markup Language">SAML</abbr> responses by enabling <strong>Use certificate in response</strong> option.
</p>
<div class="notetip">You can easily generate a certificate to replace your public key by saving the private key in a file, and use <code>openssl</code> commands to issue a self-signed certificate:
<pre class="code">$ openssl req -new -key private.key -out cert.csr
$ openssl x509 -req -days 3650 -in cert.csr -signkey private.key -out cert.pem</pre>

</div>
</div>
<!-- EDIT8 SECTION "Security parameters" [2641-3903] -->
<h3 class="sectionedit9" id="nameid_formats">NameID formats</h3>
<div class="level3">

<p>
<abbr title="Security Assertion Markup Language">SAML</abbr> can use different NameID formats. The NameID is the main user identifier, carried in <abbr title="Security Assertion Markup Language">SAML</abbr> messages. You can configure here which field of <abbr title="LemonLDAP::NG">LL::NG</abbr> session will be associated to a NameID format.
</p>
<div class="noteclassic">This parameter is used by <a href="idpsaml.html" class="wikilink1" title="documentation:1.9:idpsaml">SAML IDP</a> to fill the NameID in authentication responses.
</div>
<p>
Customizable NameID formats are:
</p>
<ul>
<li class="level1"><div class="li"> Email</div>
</li>
<li class="level1"><div class="li"> X509</div>
</li>
<li class="level1"><div class="li"> Windows</div>
</li>
<li class="level1"><div class="li"> Kerberos</div>
</li>
</ul>
<div class="notetip">For example, if you are using <a href="authldap.html" class="wikilink1" title="documentation:1.9:authldap">AD as authentication backend</a>, you can use sAMAccountName for the Windows NameID format.
</div>
<p>
Other NameID formats are automatically managed:
</p>
<ul>
<li class="level1"><div class="li"> <strong>Transient</strong>: NameID is generated</div>
</li>
<li class="level1"><div class="li"> <strong>Persistent</strong>: NameID is restored from previous sessions</div>
</li>
<li class="level1"><div class="li"> <strong>Undefined</strong>: Default NameID format is used</div>
</li>
</ul>

</div>
<!-- EDIT9 SECTION "NameID formats" [3904-4662] -->
<h3 class="sectionedit10" id="authentication_contexts">Authentication contexts</h3>
<div class="level3">

<p>
Each <abbr title="LemonLDAP::NG">LL::NG</abbr> authentication module has an authentication level, which can be associated to an <a href="http://docs.oasis-open.org/security/saml/v2.0/saml-authn-context-2.0-os.pdf" class="urlextern" title="http://docs.oasis-open.org/security/saml/v2.0/saml-authn-context-2.0-os.pdf"  rel="nofollow">SAML authentication context</a>.
</p>
<div class="noteclassic">This parameter is used by <a href="idpsaml.html" class="wikilink1" title="documentation:1.9:idpsaml">SAML IDP</a> to fill the authentication context in authentication responses. It will use the authentication level registered in user session to match the <abbr title="Security Assertion Markup Language">SAML</abbr> authentication context. It is also used by <a href="authsaml.html" class="wikilink1" title="documentation:1.9:authsaml">SAML SP</a> to fill the authentication level in user session, based on authentication response authentication context.
</div>
<p>
Customizable NameID formats are:
</p>
<ul>
<li class="level1"><div class="li"> Password</div>
</li>
<li class="level1"><div class="li"> Password protected transport</div>
</li>
<li class="level1"><div class="li"> TLS client</div>
</li>
<li class="level1"><div class="li"> Kerberos</div>
</li>
</ul>

</div>
<!-- EDIT10 SECTION "Authentication contexts" [4663-5386] -->
<h3 class="sectionedit11" id="organization">Organization</h3>
<div class="level3">
<div class="noteclassic">This concerns all parameters for the Organization metadata section:
<pre class="code file xml"><span class="sc3"><span class="re1">&lt;Organization<span class="re2">&gt;</span></span></span>
  <span class="sc3"><span class="re1">&lt;OrganizationName</span> <span class="re0">xml:lang</span>=<span class="st0">&quot;en&quot;</span><span class="re2">&gt;</span></span>Example<span class="sc3"><span class="re1">&lt;/OrganizationName<span class="re2">&gt;</span></span></span>
  <span class="sc3"><span class="re1">&lt;OrganizationDisplayName</span> <span class="re0">xml:lang</span>=<span class="st0">&quot;en&quot;</span><span class="re2">&gt;</span></span>Example<span class="sc3"><span class="re1">&lt;/OrganizationDisplayName<span class="re2">&gt;</span></span></span>
  <span class="sc3"><span class="re1">&lt;OrganizationURL</span> <span class="re0">xml:lang</span>=<span class="st0">&quot;en&quot;</span><span class="re2">&gt;</span></span>http://www.example.com<span class="sc3"><span class="re1">&lt;/OrganizationURL<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;/Organization<span class="re2">&gt;</span></span></span></pre>

</div><ul>
<li class="level1"><div class="li"> <strong>Display Name</strong>: should be displayed on IDP, this is often your society name</div>
</li>
<li class="level1"><div class="li"> <strong>Name</strong>: internal name</div>
</li>
<li class="level1"><div class="li"> <strong><abbr title="Uniform Resource Locator">URL</abbr></strong>: <abbr title="Uniform Resource Locator">URL</abbr> of your society</div>
</li>
</ul>

</div>
<!-- EDIT11 SECTION "Organization" [5387-5898] -->
<h3 class="sectionedit12" id="service_provider">Service Provider</h3>
<div class="level3">
<div class="noteclassic">This concerns all parameters for the Service Provider metadata section: 
<pre class="code file xml"><span class="sc3"><span class="re1">&lt;SPSSODescriptor<span class="re2">&gt;</span></span></span>
  ...
<span class="sc3"><span class="re1">&lt;/SPSSODescriptor<span class="re2">&gt;</span></span></span></pre>

</div>
</div>

<h4 id="general_options">General options</h4>
<div class="level4">
<ul>
<li class="level1"><div class="li"> <strong>Signed Authentication Request</strong>: set to On to always sign authentication request.</div>
</li>
<li class="level1"><div class="li"> <strong>Want Assertions Signed</strong>: set to On to require that received assertions are signed.</div>
</li>
</ul>
<div class="notetip">These options can then be overridden for each Identity Provider.
</div>
</div>

<h4 id="single_logout">Single Logout</h4>
<div class="level4">

<p>
For each binding you can set:
</p>
<ul>
<li class="level1"><div class="li"> <strong>Location</strong>: Access Point for SLO request.</div>
</li>
<li class="level1"><div class="li"> <strong>Response Location</strong>: Access Point for SLO response.</div>
</li>
</ul>

<p>
Available bindings are:
</p>
<ul>
<li class="level1"><div class="li"> HTTP Redirect</div>
</li>
<li class="level1"><div class="li"> HTTP POST</div>
</li>
<li class="level1"><div class="li"> HTTP SOAP</div>
</li>
</ul>

</div>

<h4 id="assertion_consumer">Assertion Consumer</h4>
<div class="level4">

<p>
For each binding you can set:
</p>
<ul>
<li class="level1"><div class="li"> <strong>Default</strong>: will this binding be used by default for authentication response.</div>
</li>
<li class="level1"><div class="li"> <strong>Location</strong>: Access Point for <abbr title="Single Sign On">SSO</abbr> request and response.</div>
</li>
</ul>

<p>
Available bindings are:
</p>
<ul>
<li class="level1"><div class="li"> HTTP Artifact</div>
</li>
<li class="level1"><div class="li"> HTTP POST</div>
</li>
</ul>

</div>

<h4 id="artifact_resolution">Artifact Resolution</h4>
<div class="level4">

<p>
The only authorized binding is SOAP. This should be set as Default.
</p>

</div>
<!-- EDIT12 SECTION "Service Provider" [5899-6953] -->
<h3 class="sectionedit13" id="identity_provider">Identity Provider</h3>
<div class="level3">
<div class="noteclassic">This concerns all parameters for the Service Provider metadata section:
<pre class="code file xml"><span class="sc3"><span class="re1">&lt;IDPSSODescriptor<span class="re2">&gt;</span></span></span>
  ...
<span class="sc3"><span class="re1">&lt;/IDPSSODescriptor<span class="re2">&gt;</span></span></span></pre>

</div>
</div>

<h4 id="general_parameters">General parameters</h4>
<div class="level4">
<ul>
<li class="level1"><div class="li"> <strong>Want Authentication Request Signed</strong>: set to On to require that received authentication request are signed.</div>
</li>
</ul>
<div class="notetip">This option can then be overridden for each Service Provider.
</div>
</div>

<h4 id="single_sign_on">Single Sign On</h4>
<div class="level4">

<p>
For each binding you can set:
</p>
<ul>
<li class="level1"><div class="li"> <strong>Location</strong>: Access Point for <abbr title="Single Sign On">SSO</abbr> request.</div>
</li>
<li class="level1"><div class="li"> <strong>Response Location</strong>: Access Point for <abbr title="Single Sign On">SSO</abbr> response.</div>
</li>
</ul>

<p>
Available bindings are:
</p>
<ul>
<li class="level1"><div class="li"> HTTP Redirect</div>
</li>
<li class="level1"><div class="li"> HTTP POST</div>
</li>
<li class="level1"><div class="li"> HTTP Artifact</div>
</li>
<li class="level1"><div class="li"> HTTP SOAP</div>
</li>
</ul>

</div>

<h4 id="single_logout1">Single Logout</h4>
<div class="level4">

<p>
For each binding you can set:
</p>
<ul>
<li class="level1"><div class="li"> <strong>Location</strong>: Access Point for SLO request.</div>
</li>
<li class="level2"><div class="li"> <strong>Response Location</strong>: Access Point for SLO response.</div>
</li>
</ul>

<p>
Available bindings are:
</p>
<ul>
<li class="level1"><div class="li"> HTTP Redirect</div>
</li>
<li class="level1"><div class="li"> HTTP POST</div>
</li>
<li class="level1"><div class="li"> HTTP SOAP</div>
</li>
</ul>

</div>

<h4 id="artifact_resolution1">Artifact Resolution</h4>
<div class="level4">

<p>
The only authorized binding is SOAP. This should be set as Default.
</p>

</div>
<!-- EDIT13 SECTION "Identity Provider" [6954-7942] -->
<h3 class="sectionedit14" id="attribute_authority">Attribute Authority</h3>
<div class="level3">
<div class="noteclassic">This concerns all parameters for the Attribute Authority metadata section
<pre class="code file xml"><span class="sc3"><span class="re1">&lt;AttributeAuthorityDescriptor<span class="re2">&gt;</span></span></span>
  ...
<span class="sc3"><span class="re1">&lt;/AttributeAuthorityDescriptor<span class="re2">&gt;</span></span></span></pre>

</div>
</div>

<h4 id="attribute_service">Attribute Service</h4>
<div class="level4">

<p>
This is the only service to configure, and it accept only the SOAP binding.
</p>

<p>
Response Location should be empty, as SOAP responses are directly returned (synchronous binding).
</p>

</div>
<!-- EDIT14 SECTION "Attribute Authority" [7943-8354] -->
<h3 class="sectionedit15" id="advanced">Advanced</h3>
<div class="level3">

<p>
These parameters are not mandatory to run <abbr title="Security Assertion Markup Language">SAML</abbr> service, but can help to customize it:
</p>
<ul>
<li class="level1"><div class="li"> <strong>IDP resolution cookie name</strong>: by default, it&#039;s the <abbr title="LemonLDAP::NG">LL::NG</abbr> cookie name suffixed by <code>idp</code>, for example: <code>lemonldapidp</code>.</div>
</li>
<li class="level1"><div class="li"> <strong>UTF8 metadata conversion</strong>: set to On to force  partner&#039;s metadata conversion.</div>
</li>
</ul>

</div>

<h4 id="saml_sessions_module_name_and_options">SAML sessions module name and options</h4>
<div class="level4">

<p>
By default, the main session module is used to store <abbr title="Security Assertion Markup Language">SAML</abbr> temporary data (like relay-states), but <abbr title="Security Assertion Markup Language">SAML</abbr> sessions need to use a session module compatible with the <a href="documentation/features.html#session_restrictions" class="wikilink1" title="documentation:features">sessions restrictions feature</a>.
</p>

<p>
This is not the case of <a href="memcachedsessionbackend.html" class="wikilink1" title="documentation:1.9:memcachedsessionbackend">Memcached</a> for example. In this case, you can choose a different module to manage <abbr title="Security Assertion Markup Language">SAML</abbr> sessions.
</p>
<div class="notetip">You can also choose a different session module to split <abbr title="Single Sign On">SSO</abbr> sessions and <abbr title="Security Assertion Markup Language">SAML</abbr> sessions.
</div><ul>
<li class="level1"><div class="li"> <strong>RelayState session timeout</strong>: timeout for RelayState sessions. By default, the RelayState session is deleted when it is read. This timeout allows to purge sessions of lost RelayState.</div>
</li>
<li class="level1"><div class="li"> <strong>Use specific query_string method</strong>: the CGI query_string method may break invalid <abbr title="Uniform Resource Locator">URL</abbr> encoded signatures (issued for example by ADFS). This option allows to use a specific method to extract query string, that should be compliant with non standard <abbr title="Uniform Resource Locator">URL</abbr> encoded parameters.</div>
</li>
</ul>

</div>

<h4 id="common_domain_cookie">Common Domain Cookie</h4>
<div class="level4">
<div class="noteclassic">Common Domain Cookie is also know as <a href="http://www.switch.ch/aai/support/tools/wayf.html" class="urlextern" title="http://www.switch.ch/aai/support/tools/wayf.html"  rel="nofollow">WAYF Service</a>.
</div>
<p>
The common domain is used by <a href="authsaml.html" class="wikilink1" title="documentation:1.9:authsaml">SAML SP</a> to find an Identity Provider for the user, and by <a href="idpsaml.html" class="wikilink1" title="documentation:1.9:idpsaml">SAML IDP</a> to register itself in user&#039;s IDP list.
</p>

<p>
Configuration parameters are:
</p>
<ul>
<li class="level1"><div class="li"> <strong>Activation</strong>: Set to On to enable Common Domain Cookie support.</div>
</li>
<li class="level1"><div class="li"> <strong>Common domain</strong>: Name of the common domain (where common cookie is available).</div>
</li>
<li class="level1"><div class="li"> <strong>Reader <abbr title="Uniform Resource Locator">URL</abbr></strong>: <abbr title="Uniform Resource Locator">URL</abbr> used by <abbr title="Security Assertion Markup Language">SAML</abbr> SP to read the cookie. Leave blank to deactivate the feature.</div>
</li>
<li class="level1"><div class="li"> <strong>Writer <abbr title="Uniform Resource Locator">URL</abbr></strong>: <abbr title="Uniform Resource Locator">URL</abbr> used by <abbr title="Security Assertion Markup Language">SAML</abbr> IDP to write the cookie. Leave blank to deactivate the feature.</div>
</li>
</ul>

</div>
<!-- EDIT15 SECTION "Advanced" [8355-] --></div>
</body>
</html>