SAML 2.0 in version 10.0¶
In this document, we use Azure SAML to show the steps to connect Seafile with SAML. Other SAML provider should be similar.
1. Install xmlsec1
$ apt update
$ apt install xmlsec1
2. Prepare Certs File
Create certs dir
$ mkdir -p /opt/seafile/seahub-data/certs
You can generate them by:
$ cd /opt/seafile/seahub-data/certs
$ openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout sp.key -out sp.crt
3. Configure Seafile
Add the following configuration to seahub_settings.py and then restart Seafile:
ENABLE_ADFS_LOGIN = True
SAML_REMOTE_METADATA_URL = 'https://login.microsoftonline.com/xxx/federationmetadata/2007-06/federationmetadata.xml?appid=xxx'
SAML_ATTRIBUTE_MAPPING = {
'mail': 'contact_email',
'name': 'display_name',
}
Note: If the xmlsec1 binary is not situated in /usr/bin/xmlsec1
, you need to add the following configuration in seahub_settings.py:
SAML_XMLSEC_BINARY_PATH = '/path/to/xmlsec1'
View where the xmlsec1 binary is situated:
$ which xmlsec1
Note: If certificates are not placed in /opt/seafile/seahub-data/certs
, you need to add the following configuration in seahub_settings.py:
SAML_CERTS_DIR = '/path/to/certs'
4. Configure Azure SAML
Add application: https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/add-application-portal
Assign users: https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/add-application-portal-assign-users
Set up SSO with SAML:
5. Upload Azure AD certificate
Download base64 format signing certificate, rename to idp.crt, and then put it under the certs directory.
6. Log in to the Seafile homepage, click single sign-on, and use the user assigned to Azure SAML to perform a SAML login test.