Skip to content

AD Federation Service or SAML 2.0 Integration

Note, this document is for Seafile version 9.0 or below. For version 10.0+, please follow the new document SAML 2.0 in version 10.0+.

This documentation describes how to integrate to ADFS with SAML 2.0 protocol. The procedure can also be used to integrate with other SAML 2.0 compliant service with minimal change.

Requirements

To use ADFS to log in to your Seafile, you need the following components:

  1. A Windows Server with ADFS installed. For configuring and installing ADFS you can see this article.
  2. A valid SSL certificate for ADFS server, and here we use adfs-server.adfs.com as the domain name example.
  3. A valid SSL certificate for Seafile server, and here we use demo.seafile.com as the domain name example.

Prepare Certs File

1、x.509 certs for SP (Service Provider)

You can generate them by:

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout sp.key -out sp.crt

These x.509 certs are used to sign and encrypt elements like NameID and Metadata for SAML.

Note: Do not use some special characters when generating a certificate

2、Then copy these two files to <seafile-install-path>/seahub-data/certs. (if the certs folder not exists, create it.)

  1. x.509 cert from IdP (Identity Provider)
  2. Log into the ADFS server and open the ADFS management.
  3. Double click Service and choose Certificates.
  4. Export the Token-Signing certificate:
  5. Right-click the certificate and select View Certificate.
  6. Select the Details tab.
  7. Click Copy to File (select DER encoded binary X.509).
  8. Convert this certificate to PEM format, rename it to idp.crt
  9. Then copy it to <seafile-install-path>/seahub-data/certs.

Prepare IdP Metadata File

  1. Open https://adfs-server.adfs.com/federationmetadata/2007-06/federationmetadata.xml
  2. Save this xml file, rename it to idp_federation_metadata.xml
  3. Copy it to <seafile-install-path>/seahub-data/certs.

Install Requirements on Seafile Server

  • For Ubuntu 18.04/20.04
sudo apt install libxmlsec1 xmlsec1
  • For Seafile 7.1.x
sudo pip install cryptography djangosaml2==0.18.1 pysaml2==4.6.0
  • For Seafile 8.0.x
sudo pip install cryptography djangosaml2==0.20.0 pysaml2==6.5.1

Config Seafile

Add the following lines to seahub_settings.py

from os import path
import saml2
import saml2.saml

CERTS_DIR = '<seafile-install-path>/seahub-data/certs'
SP_SERVICE_URL = 'https://demo.seafile.com'
XMLSEC_BINARY = '/usr/bin/xmlsec1'

# for 9.0 and later
ATTRIBUTE_MAP_DIR = '<seafile-install-path>/seafile-server-latest/seahub/seahub/adfs_auth/attribute-maps'

# for 8.0 and previous
ATTRIBUTE_MAP_DIR = '<seafile-install-path>/seafile-server-latest/seahub-extra/seahub_extra/adfs_auth/attribute-maps'

SAML_ATTRIBUTE_MAPPING = {
    'DisplayName': ('display_name', ),
    'ContactEmail': ('contact_email', ),
    'Department': ('department', ),
    'Telephone': ('telephone', ),
}

ENABLE_ADFS_LOGIN = True
EXTRA_AUTHENTICATION_BACKENDS = (

    # for 9.0 and later
    'seahub.adfs_auth.backends.Saml2Backend',

    # for 8.0 and previous
    'seahub_extra.adfs_auth.backends.Saml2Backend',
)
SAML_USE_NAME_ID_AS_USERNAME = True
LOGIN_REDIRECT_URL = '/saml2/complete/'
SAML_CONFIG = {
    # full path to the xmlsec1 binary programm
    'xmlsec_binary': XMLSEC_BINARY,

    'allow_unknown_attributes': True,

    # your entity id, usually your subdomain plus the url to the metadata view
    'entityid': SP_SERVICE_URL + '/saml2/metadata/',

    # directory with attribute mapping
    'attribute_map_dir': ATTRIBUTE_MAP_DIR,

    # this block states what services we provide
    'service': {
        # we are just a lonely SP
        'sp' : {
            "allow_unsolicited": True,
            'name': 'Federated Seafile Service',
            'name_id_format': saml2.saml.NAMEID_FORMAT_EMAILADDRESS,
            'endpoints': {
                # url and binding to the assetion consumer service view
                # do not change the binding or service name
                'assertion_consumer_service': [
                    (SP_SERVICE_URL + '/saml2/acs/',
                     saml2.BINDING_HTTP_POST),
                ],
                # url and binding to the single logout service view
                # do not change the binding or service name
                'single_logout_service': [
                    (SP_SERVICE_URL + '/saml2/ls/',
                     saml2.BINDING_HTTP_REDIRECT),
                    (SP_SERVICE_URL + '/saml2/ls/post',
                     saml2.BINDING_HTTP_POST),
                ],
            },

            # attributes that this project need to identify a user
            'required_attributes': ["uid"],

            # attributes that may be useful to have but not required
            'optional_attributes': ['eduPersonAffiliation', ],

            # in this section the list of IdPs we talk to are defined
            'idp': {
                # we do not need a WAYF service since there is
                # only an IdP defined here. This IdP should be
                # present in our metadata

                # the keys of this dictionary are entity ids
                'https://adfs-server.adfs.com/federationmetadata/2007-06/federationmetadata.xml': {
                    'single_sign_on_service': {
                        saml2.BINDING_HTTP_REDIRECT: 'https://adfs-server.adfs.com/adfs/ls/idpinitiatedsignon.aspx',
                    },
                  'single_logout_service': {
                      saml2.BINDING_HTTP_REDIRECT: 'https://adfs-server.adfs.com/adfs/ls/?wa=wsignout1.0',
                  },
                },
            },
        },
    },

    # where the remote metadata is stored
    'metadata': {
        'local': [path.join(CERTS_DIR, 'idp_federation_metadata.xml')],
    },

    # set to 1 to output debugging information
    'debug': 1,

    # Signing
    'key_file': '', 
    'cert_file': path.join(CERTS_DIR, 'idp.crt'),  # from IdP

    # Encryption
    'encryption_keypairs': [{
        'key_file': path.join(CERTS_DIR, 'sp.key'),  # private part
        'cert_file': path.join(CERTS_DIR, 'sp.crt'),  # public part
    }],

    'valid_for': 24,  # how long is our metadata valid
}

Note: Users running the Seafile program should have permission to read all files under seahub-data/certs.

Role Map for ADFS

Since Pro 7.0.9, you are able to set user role with ADFS as with Shibboleth. Details about user role, please refer to role permissions.

To enable this, add the following configuration information to seahub_settings.py to define the role mapping:

SHIBBOLETH_AFFILIATION_ROLE_MAP = {
    'role@lian-adfs.local': 'can_generate_upload_link_false',
    'role1@lian-adfs.local': 'guest',
    'patterns': (
        ('*@lian-adfs.local', 'guest1'),
        ('*@*.local', 'guest2'),
        ('*', 'guest3'),
    ),
}

Config ADFS Server

  1. Add Relying Party Trust

Relying Party Trust is the connection between Seafile and ADFS.

  1. Log into the ADFS server and open the ADFS management.
  2. Double click Trust Relationships, then right click Relying Party Trusts, select Add Relying Party Trust….
  3. Select Import data about the relying party published online or one a local network, input https://demo.seafile.com/saml2/metadata/ in the Federation metadata address.
  4. Then Next until Finish.
  5. Add Relying Party Claim Rules

Relying Party Claim Rules is used for attribute communication between Seafile and users in Windows Domain.

Important: Users in Windows domain must have the E-mail value setted.

  1. Right-click on the relying party trust and select Edit Claim Rules...
  2. On the Issuance Transform Rules tab select Add Rules...
  3. Select Send LDAP Attribute as Claims as the claim rule template to use.
  4. Give the claim a name such as LDAP Attributes.
  5. Set the Attribute Store to Active Directory, the LDAP Attribute to E-Mail-Addresses, and the Outgoing Claim Type to E-mail Address.
  6. Select Finish.
  7. Click Add Rule... again.
  8. Select Transform an Incoming Claim.
  9. Give it a name such as Email to Name ID.
  10. Incoming claim type should be E-mail Address (it must match the Outgoing Claim Type in rule #1).
  11. The Outgoing claim type is Name ID (this is required in Seafile settings policy 'name_id_format': saml2.saml.NAMEID_FORMAT_EMAILADDRESS).
  12. the Outgoing name ID format is Email.
  13. Pass through all claim values and click Finish.

Test

After re-starting the services, you may open a web browser and type in https://demo.seafile.com, there should be a ADFS button in login dialog, click that button will redirect you to the ADFS server (adfs-server.adfs.com), if username and password are correct, you will be redirect back to Seafile home page.

For descktop client, simply click "Shibboleth Login" in "Add a new account" window, type in https://demo.seafile.com, click OK button will open a new window display ADFS server login page, if username and password are correct, the window will be closed and show Seafile libraries panel.