...
Configuration of the corporate network for Syndeia SAML2 Authentication further requires that the chosen IdP be configured to recognize Syndeia Cloud as a legitimate SAML2 Service Provider.
Table of Contents |
---|
minLevel | 2 |
---|
maxLevel | 2 |
---|
outline | true |
---|
|
...
ssh log into the Syndeia Cloud server with a user that can perform “passwordless sudo” operations. Root access is not necessary, if sudo access has been established.
copy all of the following into silhouette.conf
, adding or replacing any existing saml2.
settings.
Replace all EXAMPLE values – like MYSP.COM:SPPORT
– with the values for your organization.
Expand |
---|
title | silhouette.conf template |
---|
|
Code Block |
---|
| # SAML2 Provider
# These settings are intentionally similar to what OneLogin needs for SAML2
# Service Providers and Identity Providers
# Compression settings. Note that these are determined by OASIS Standard for SAML2
# false => Base64 encoded, true => Deflated Base64 encoded (which is compressed)
# saml2.compress.request = true
# saml2.compress.response = true
saml2.security.authnrequest_signed = true
saml2.security.want_messages_signed = true
saml2.security.want_assertions_signed = true
saml2.security.want_xml_validation = true
saml2.security.signature_algorithm = "sha1"
saml2.security.requested_authncontext = "exact"
# CAC/PIV authentications might need something like this, which is IdP-specific
# saml2.security.requested_authncontext = "http://idmanagement.gov/ns/assurance/aal/3?hspd12=true"
# Identifier of the SP entity (must be a URI)
saml2.sp.entityid = "http://MYSP.COM:SPPORT"
# Specifies info about where and how the <AuthnResponse> message MUST be
# returned to the requester, in this case our SP.
# URL Location where the <Response> from the IdP will be returned
saml2.sp.assertion_consumer_service.url = "http://MYSP.com:SPPORT/authenticate/SAML2"
# SAML protocol binding to be used when returning the <Response>
# message. Onelogin Toolkit supports for this endpoint the
# HTTP-POST binding only
saml2.sp.assertion_consumer_service.binding = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
# Specifies info about where and how the <Logout Response> message MUST be
# returned to the requester, in this case our SP.
saml2.sp.single_logout_service.url = "http://MYSP.com:SPPORT/authenticate/SAML2"
# SAML protocol binding to be used when returning the <LogoutResponse> or sending the <LogoutRequest>
# message. Onelogin Toolkit supports for this endpoint the
# HTTP-Redirect binding only
saml2.sp.single_logout_service.binding = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
# Specifies constraints on the name identifier to be used to
# represent the requested subject.
# Take a look on lib/Saml2/Constants.php to see the NameIdFormat supported
saml2.sp.nameidformat = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
# Usually x509cert and privateKey of the SP are provided by files placed at
# the certs folder. But we can also provide them with the following parameters
saml2.sp.x509cert = "-----BEGIN CERTIFICATE-----BIGLONGSPPUBLICCERTSTRING-----END CERTIFICATE-----"
# Requires Format PKCS#8 BEGIN PRIVATE KEY
# If you have PKCS#1 BEGIN RSA PRIVATE KEY convert it by openssl pkcs8 -topk8 -inform pem -nocrypt -in sp.rsa_key -outform pem -out sp.pem
saml2.sp.privatekey = "-----BEGIN PRIVATE KEY-----BIGLONGSPPRIVATECERTSTRING-----END PRIVATE KEY-----"
# Identifier of the IdP entity (must be a URI)
saml2.idp.entityid = "http://OURIDP.COM:IDPPORT/SAMLIDP"
# SSO endpoint info of the IdP. (Authentication Request protocol)
# URL Target of the IdP where the SP will send the Authentication Request Message
saml2.idp.single_sign_on_service.url = "https://OURIDP.COM:IDPPORT/SSOPATH"
saml2.idp.single_sign_on_service.binding = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
# Instead of using the whole x509cert you can use a fingerprint in order to
# validate a SAMLResponse (but you still need the x509cert to validate LogoutRequest and LogoutResponse using the HTTP-Redirect binding).
# But take in mind that the fingerprint, is a hash, so at the end is open to a collision attack that can end on a signature validation bypass,
# that why we don't recommend it use for production environments.
# (openssl x509 -noout -fingerprint -in "idp_crt" to generate it,
# or add for example the -sha256 , -sha384 or -sha512 parameter)
# If a fingerprint is provided, then the certFingerprintAlgorithm is required in order to
# let the toolkit know which Algorithm was used. Possible values: sha1, sha256, sha384 or sha512
# 'sha1' is the default value.
#saml2.idp.certfingerprint = "1234"
#saml2.idp_certfingerprint_algorithm = "sha1"
saml2.idp.x509cert = "-----BEGIN CERTIFICATE-----BIGLONGIDPPUBLICCERTSTRING-----END CERTIFICATE-----"
# These are the property keys used to retrieve Social Identity information from the SAML2 Response which an IdP
# sends back to an SP. The names of the keys are standardized but are configurable here to support internationalization
# and quirks by IdP vendors like Microsoft
saml2.social.attribute.key.uid = "uid"
saml2.social.attribute.key.firstname = "first_name"
saml2.social.attribute.key.lastname = "last_name"
saml2.social.attribute.key.fullname = "fullname"
saml2.social.attribute.key.email = "email" |
|
...
ssh log into the Syndeia Cloud server with a user that can perform “passwordless sudo” operations. Root access is not necessary, if sudo access has been established.
copy all of the following into application.conf
, adding or altering the following Akka Play HTTP settings.
Replace all EXAMPLE values – like OURIDP.COM:IDPPORT
– with the values for your organization.
Expand |
---|
title | application.conf template |
---|
|
Code Block |
---|
| play.filters.enabled += play.filters.hosts.AllowedHostsFilter
play.filters.hosts {
# You can use the "." pattern to match all hosts (not recommended in production).
# Note that the filter also strips the dot character from the end of the host, so the example.com pattern will match example.com.
# Uncomment to allow requests to intercax.com, its subdomains, and localhost:9000.
# allowed = [".intercax.com", "localhost:9000"]
allowed = ["."]
}
# CORSSecurity has to be enabled because modern browsers use it in fetch() calls and in user-agent "click" requests
# then allowedOrigins has to be null because browsers set Origin to null during Cross-Origin redirections
play.filters.enabled += play.filters.cors.CORSFilter
play.filters.cors {
pathPrefixes = ["/authenticate/SAML2"]
allowedOrigins = null
allowedHttpMethods = ["GET", "POST", "PUT", "OPTIONS"]
allowedHttpHeaders = ["Accept", "Authorization", "Content-Type"]
preflightMaxAge = 3 days
}
# Security Filter ConfigurationFilter Configuration - Content Security Policy
play.filters.headers {
contentSecurityPolicy = "default-src 'self';"
contentSecurityPolicy = ${play.filters.headers.contentSecurityPolicy}" connect-src 'self' https://OURIDP.COM:IDPPORT;"
contentSecurityPolicy = ${play.filters.headers.contentSecurityPolicy}" img-src 'self';"
contentSecurityPolicy = ${play.filters.headers.contentSecurityPolicy}" style-src 'self' 'unsafe-inline';"
contentSecurityPolicy = ${play.filters.headers.contentSecurityPolicy}" font-src 'self' 'unsafe-inline';"
contentSecurityPolicy = ${play.filters.headers.contentSecurityPolicy}" script-src 'self' 'unsafe-inline' 'unsafe-eval';"
}
# the /authenticate/SAML2 route needs this to be able to pass crucial Headers back
# to the frontend
play.filters.headers.allowActionSpecificHeaders = true |
|
...