Requirements¶
To use ADFS to log in to your Seafile, you need the following components:
-
A Winodws Server with ADFS installed. For configuring and installing ADFS you can see this article.
-
A valid SSL certificate for ADFS server, and here we use adfs-server.adfs.com as the domain name example.
-
A valid SSL certificate for Seafile server, and here we use demo.seafile.com as the domain name example.
Prepare Certs File¶
- x.509 certs for SP (Service Provider)
You can generate them by:
``` openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout sp.key -out sp.crt
These x.509 certs are used to sign and encrypt elements like NameID and Metadata for SAML.
Then copy these two files to **<seafile-install-path>/seahub-data/certs**. (if the certs folder not exists, create it.)
2. x.509 cert from IdP (Identity Provider)
1. Log into the ADFS server and open the ADFS management.
1. Double click **Service** and choose **Certificates**.
1. Export the **Token-Signing** certificate:
1. Right-click the certificate and select **View Certificate**.
1. Select the **Details** tab.
1. Click **Copy to File** (select **DER encoded binary X.509**).
1. Convert this certificate to PEM format, rename it to **idp.crt**
1. Then copy it to **<seafile-install-path>/seahub-data/certs**.
### Prepare IdP Metadata File
1. Open https://adfs-server.adfs.com/federationmetadata/2007-06/federationmetadata.xml
1. Save this xml file, rename it to **idp_federation_metadata.xml**
1. Copy it to **<seafile-install-path>/seahub-data/certs**.
### Install Requirements on Seafile Server
- For Ubuntu 16.04
### Config Seafile
Add the following lines to **seahub_settings.py**
update following lines according to your situation¶
CERTS_DIR = '
update the 'idp' section in SAMPL_CONFIG according to your situation, and leave others as default¶
ENABLE_ADFS_LOGIN = True EXTRA_AUTHENTICATION_BACKENDS = ( 'seahub_extra.adfs_auth.backends.Saml2Backend', ) SAML_USE_NAME_ID_AS_USERNAME = True LOGIN_REDIRECT_URL = '/saml2/complete/' SAML_CONFIG = { # full path to the xmlsec1 binary programm 'xmlsec_binary': XMLSEC_BINARY,
'allow_unknown_attributes': True,
# your entity id, usually your subdomain plus the url to the metadata view
'entityid': SP_SERVICE_URL + '/saml2/metadata/',
# directory with attribute mapping
'attribute_map_dir': ATTRIBUTE_MAP_DIR,
# this block states what services we provide
'service': {
# we are just a lonely SP
'sp' : {
"allow_unsolicited": True,
'name': 'Federated Seafile Service',
'name_id_format': saml2.saml.NAMEID_FORMAT_EMAILADDRESS,
'endpoints': {
# url and binding to the assetion consumer service view
# do not change the binding or service name
'assertion_consumer_service': [
(SP_SERVICE_URL + '/saml2/acs/',
saml2.BINDING_HTTP_POST),
],
# url and binding to the single logout service view
# do not change the binding or service name
'single_logout_service': [
(SP_SERVICE_URL + '/saml2/ls/',
saml2.BINDING_HTTP_REDIRECT),
(SP_SERVICE_URL + '/saml2/ls/post',
saml2.BINDING_HTTP_POST),
],
},
# attributes that this project need to identify a user
'required_attributes': ["uid"],
# attributes that may be useful to have but not required
'optional_attributes': ['eduPersonAffiliation', ],
# in this section the list of IdPs we talk to are defined
'idp': {
# we do not need a WAYF service since there is
# only an IdP defined here. This IdP should be
# present in our metadata
# the keys of this dictionary are entity ids
'https://adfs-server.adfs.com/federationmetadata/2007-06/federationmetadata.xml': {
'single_sign_on_service': {
saml2.BINDING_HTTP_REDIRECT: 'https://adfs-server.adfs.com/adfs/ls/idpinitiatedsignon.aspx',
},
'single_logout_service': {
saml2.BINDING_HTTP_REDIRECT: 'https://adfs-server.adfs.com/adfs/ls/?wa=wsignout1.0',
},
},
},
},
},
# where the remote metadata is stored
'metadata': {
'local': [path.join(CERTS_DIR, 'idp_federation_metadata.xml')],
},
# set to 1 to output debugging information
'debug': 1,
# Signing
'key_file': '',
'cert_file': path.join(CERTS_DIR, 'idp.crt'), # from IdP
# Encryption
'encryption_keypairs': [{
'key_file': path.join(CERTS_DIR, 'sp.key'), # private part
'cert_file': path.join(CERTS_DIR, 'sp.crt'), # public part
}],
'valid_for': 24, # how long is our metadata valid
}
```
Config ADFS Server¶
- Add Relying Party Trust
Relying Party Trust is the connection between Seafile and ADFS.
-
Log into the ADFS server and open the ADFS management.
-
Double click Trust Relationships, then right click Relying Party Trusts, select Add Relying Party Trust….
-
Select Import data about the relying party published online or one a local network, input
https://demo.seafile.com/saml2/metadata/in the Federation metadata address. -
Then Next until Finish.
-
Add Relying Party Claim Rules
Relying Party Claim Rules is used for attribute communication between Seafile and users in Windows Domain.
Important: Users in Windows domain must have the E-mail value setted.
-
Right-click on the relying party trust and select Edit Claim Rules...
-
On the Issuance Transform Rules tab select Add Rules...
-
Select Send LDAP Attribute as Claims as the claim rule template to use.
-
Give the claim a name such as LDAP Attributes.
-
Set the Attribute Store to Active Directory, the LDAP Attribute to E-Mail-Addresses, and the Outgoing Claim Type to E-mail Address.
-
Select Finish.
-
Click Add Rule... again.
-
Select Transform an Incoming Claim.
-
Give it a name such as Email to Name ID.
-
Incoming claim type should be E-mail Address (it must match the Outgoing Claim Type in rule #1).
-
The Outgoing claim type is Name ID (this is required in Seafile settings policy
'name_id_format': saml2.saml.NAMEID_FORMAT_EMAILADDRESS). -
the Outgoing name ID format is Email.
-
Pass through all claim values and click Finish.
-
https://support.zendesk.com/hc/en-us/articles/203663886-Setting-up-single-sign-on-using-Active-Directory-with-ADFS-and-SAML-Plus-and-Enterprise-
-
http://wiki.servicenow.com/?title=Configuring_ADFS_2.0_to_Communicate_with_SAML_2.0#gsc.tab=0
-
https://github.com/rohe/pysaml2/blob/master/src/saml2/saml.py