SAML 2.0 in version 10.0

In this document, we use Azure SAML to show the steps to connect Seafile with SAML. Other SAML provider should be similar.

1. Install xmlsec1

$ apt update
$ apt install xmlsec1

2. Prepare Certs File

Create certs dir

$ mkdir -p /opt/seafile/seahub-data/certs

You can generate them by:

$ cd /opt/seafile/seahub-data/certs
$ openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout sp.key -out sp.crt

3. Configure Seafile

Add the following configuration to seahub_settings.py and then restart Seafile:

ENABLE_ADFS_LOGIN = True
SAML_REMOTE_METADATA_URL = 'https://login.microsoftonline.com/xxx/federationmetadata/2007-06/federationmetadata.xml?appid=xxx'
SAML_ATTRIBUTE_MAPPING = {
    'mail': 'contact_email',
    'name': 'display_name',
}

Note: If the xmlsec1 binary is not situated in /usr/bin/xmlsec1, you need to add the following configuration in seahub_settings.py:

SAML_XMLSEC_BINARY_PATH = '/path/to/xmlsec1'

View where the xmlsec1 binary is situated:

$ which xmlsec1

Note: If certificates are not placed in /opt/seafile/seahub-data/certs, you need to add the following configuration in seahub_settings.py:

SAML_CERTS_DIR = '/path/to/certs'

4. Configure Azure SAML

Add application: https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/add-application-portal

Assign users: https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/add-application-portal-assign-users

Set up SSO with SAML:

5. Upload Azure AD certificate

Download base64 format signing certificate, rename to idp.crt, and then put it under the certs directory.

6. Log in to the Seafile homepage, click single sign-on, and use the user assigned to Azure SAML to perform a SAML login test.