LL::NG can act as an SAML 2.0 Identity Provider, that can allow one to federate LL::NG with:
See SAML service configuration chapter.
Go in General Parameters » Issuer modules » SAML and configure:
Tip
For example, to allow only users with a strong authentication level:
$authenticationLevel > 2
After configuring SAML Service, you can export metadata to your partner Service Provider.
They are available at the Metadata URL, by default: http://auth.example.com/saml/metadata.
You can also use http://auth.example.com/saml/metadata/idp to have only IDP related metadata.
In both cases, the entityID of the LemonLDAP::NG server is http://auth.example.com/saml/metadata
In the Manager, select node SAML service providers and click on Add SAML SP.
The SP name is asked, enter it and click OK.
Now you have access to the SP parameters list.
You must register SP metadata here. You can do it either by uploading the file, or get it from SP metadata URL (this require a network link between your server and the SP).
Tip
You can also edit the metadata directly in the textarea
For each attribute, you can set:
<saml:AuthnStatement AuthnInstant="2014-07-21T11:47:08Z"
SessionIndex="loVvqZX+Vja2dtgt/N+AymTmckGyITyVt+UJ6vUFSFkE78S8zg+aomXX7oZ9qX1UxOEHf6Q4DUstewSJh1uK1Q=="
SessionNotOnOrAfter="2014-07-21T15:47:08Z">
<saml:SubjectConfirmationData NotOnOrAfter="2014-07-21T12:47:08Z"
Recipient="http://simplesamlphp.example.com/simplesamlphp/module.php/saml/sp/saml2-acs.php/default-sp"
InResponseTo="_3cfa896ab05730ac81f413e1e13cc42aa529eceea1"/>
<saml:Conditions NotBefore="2014-07-21T11:46:08Z"
NotOnOrAfter="2014-07-21T12:48:08Z">
Attention
There is a time tolerance of 60 seconds in <Conditions>
These options override service signature options (see SAML service configuration).
You can define here macros that will be only evaluated for this service, and not registered in the session of the user.
The following environment variables are available in SAML access rules and macros:
New in version 2.0.10.
The IDP Initiated URL is the SSO SAML URL with GET parameters:
For example: http://auth.example.com/saml/singleSignOn?IDPInitiated=1&spConfKey=simplesamlphp
The URL specified in spDest must be present in the Service Provider metadata registered in LemonLDAP::NG. This is only useful if your Service Provider is reachable over multiple URLs.
Using both Issuer::SAML and Auth::SAML on the same LLNG may have some side-effects on single-logout.