signarit/samleikin

Latest commit 617c41a · May 18, 2024

Samleikin Setup Guide

This document provides technical instructions for the installation and configuration of Samleikin.

A repository containing relevant information from Klintra is available at https://bitbucket.org/klintra-ft/sp-demo/src/master/.

Prerequisites

Required Tools

Setup Instructions

Extract the private key and certificate(s) from the PKCS#12 bundle into separate files using Keystore Explorer.

Keycloak 24 configuration

Realm settings

  1. Realm settings -> General -> Unmanaged Attributes: Enabled
  2. Realm settings -> Keys -> Add providers -> Delete all providers of provider type: rsa-generated, rsa-enc-generated, rsa and rsa-enc if they exist
  3. Realm settings -> Keys -> Add providers -> Add provider -> rsa -> Drag your private key file to Private RSA Key and the certificates file to X509 Certificate -> Save
  4. Realm settings -> Keys -> Add providers -> Add provider -> rsa-enc -> Drag your private key file to Private RSA Key and the certificates file to X509 Certificate -> Save
  5. Realm settings -> User profile -> email -> Required field: Off
  6. Realm settings -> User profile -> firstName -> Required field: Off
  7. Realm settings -> User profile -> lastName -> Required field: Off

Authentication

  1. Authentication -> Flows -> Create flow
  2. Name: create user
  3. Flow type: Basic flow
  4. Create
  5. Add execution -> Create user if unique -> Add
  6. Create user if unique -> Requirement: Alternative

Identity providers

General settings

  1. Identity providers -> Add provider -> SAML v2.0
  2. Alias: samleikin
  3. Display name: Samleikin
  4. Service provider entity ID: https://[KEYCLOAK_URL]/realms/samleikin

SAML settings

Staging environment

  1. Identity provider entity ID: https://innrita.staging.samleiki.fo/idp/shibboleth
  2. Single Sign-On service URL: https://innrita.staging.samleiki.fo/idp/profile/SAML2/Redirect/SSO
  3. Single logout service URL: https://innrita.staging.samleiki.fo/idp/profile/SAML2/Redirect/SLO

Production environment

  1. Identity provider entity ID: https://innrita.samleiki.fo/idp/shibboleth
  2. Single Sign-On service URL: https://innrita.samleiki.fo/idp/profile/SAML2/Redirect/SSO
  3. Single logout service URL: https://innrita.samleiki.fo/idp/profile/SAML2/Redirect/SLO

  1. Backchannel logout: Off
  2. Send 'id_token_hint' in logout requests: On
  3. Send 'client_id' in logout requests: Off
  4. NameID policy format: Persistent
  5. Principal type: Subject NameID
  6. Allow create: On
  7. HTTP-POST binding response: On
  8. HTTP-POST binding for AuthnRequest: Off
  9. HTTP-POST binding logout: Off
  10. Want AuthnRequests signed: On
  11. Signature algorithm: RSA_SHA256
  12. SAML signature key name: KEY_ID
  13. Want Assertions signed: On
  14. Want Assertions encrypted: On
  15. Encryption Algorithm: RSA-OAEP
  16. Force authentication: Off
  17. Validate Signatures: On
  18. Use metadata descriptor URL: Off
  19. Validating X509 certificates: [SAMLEIKIN_SIGNING_CERT]
  20. Sign service provider metadata: Off
  21. Pass subject: Off
  22. Allowed clock skew: 180
  23. Attribute Consuming Service Index: 0

Requested AuthnContext Constraints

  1. Comparison: exact

Advanced settings

  1. Store tokens: Off
  2. Stored tokens readable: Off
  3. Trust Email: Off
  4. Account linking only: Off
  5. Hide on login page: Off
  6. First login flow override: create user
  7. Post login flow: None
  8. Sync mode: Force
  9. Add/Save

Mappers

  1. Identity providers -> Samleikin -> Mappers -> Add mapper
  2. Name: givenName
  3. Sync mode override: Inherit
  4. Mapper type: Attribute importer
  5. Attribute Name: urn:oid:2.5.4.42
  6. Friendly Name: givenName
  7. Name Format: ATTRIBUTE_FORMAT_URI
  8. User Attribute Name: firstName

Repeat adding mappers for:

sn

Name: sn
Attribute Name: urn:oid:2.5.4.4
Friendly Name: sn
User Attribute Name: lastName

displayName

Name: displayName
Attribute Name: urn:oid:2.16.840.1.113730.3.1.241
Friendly Name: displayName
User Attribute Name: displayName (Custom Attribute...)

countryOfCitizenship

Name: countryOfCitizenship
Attribute Name: urn:oid:1.3.6.1.5.5.7.9.4
Friendly Name: countryOfCitizenship
User Attribute Name: countryOfCitizenship (Custom Attribute...)

dateOfBirth

Name: dateOfBirth
Attribute Name: urn:oid:1.3.6.1.5.5.7.9.1
Friendly Name: dateOfBirth
User Attribute Name: dateOfBirth (Custom Attribute...)

personalIdentityNumber

Name: personalIdentityNumber
Attribute Name: urn:oid:1.2.208.189.1.2.1
Friendly Name: personalIdentityNumber
User Attribute Name: personalIdentityNumber (Custom Attribute...)
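Added example, not code from the repository: how the six attribute-importer mappers above resolve an incoming SAML AttributeStatement. The mapper matches on the attribute Name (the OID) and on the URI name format; the FriendlyName is informational only. The statement and its values are constructed, and urn:oid:9.9.9 is a made-up OID used to show an attribute that no mapper claims.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
URI_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"

# The six attribute-importer mappers from the guide: SAML attribute Name (OID) -> Keycloak user attribute.
OID_TO_USER_ATTRIBUTE = {
    "urn:oid:2.5.4.42": "firstName",
    "urn:oid:2.5.4.4": "lastName",
    "urn:oid:2.16.840.1.113730.3.1.241": "displayName",
    "urn:oid:1.3.6.1.5.5.7.9.4": "countryOfCitizenship",
    "urn:oid:1.3.6.1.5.5.7.9.1": "dateOfBirth",
    "urn:oid:1.2.208.189.1.2.1": "personalIdentityNumber",
}

# Constructed AttributeStatement with placeholder values (not a real Samleikin assertion).
SAMPLE_STATEMENT = """<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="urn:oid:2.5.4.42" FriendlyName="givenName"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="urn:oid:2.5.4.4" FriendlyName="sn"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml:AttributeValue>Person</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="urn:oid:1.2.208.189.1.2.1" FriendlyName="personalIdentityNumber"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml:AttributeValue>PLACEHOLDER_ID</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="urn:oid:9.9.9" FriendlyName="unexpected"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml:AttributeValue>ignored</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement>"""


def import_attributes(statement_xml):
    """Apply the mapper table; returns (user_attributes, unmapped_names, missing_user_attributes)."""
    root = ET.fromstring(statement_xml)
    user, unmapped = {}, []
    for attr in root.findall("saml:Attribute", SAML_NS):
        name = attr.get("Name")
        # Every mapper in the guide uses Name Format ATTRIBUTE_FORMAT_URI, so both must match.
        if attr.get("NameFormat") != URI_FORMAT or name not in OID_TO_USER_ATTRIBUTE:
            unmapped.append(name)
            continue
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", SAML_NS)]
        user[OID_TO_USER_ATTRIBUTE[name]] = values[0] if len(values) == 1 else values
    # Mapped user attributes the assertion did not supply (no value will be imported for them).
    missing = sorted(set(OID_TO_USER_ATTRIBUTE.values()) - set(user))
    return user, unmapped, missing
```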

Metadata to Samleikin

You must provide a metadata XML file to Samleikin.

Locate this file by navigating to: Identity providers -> Samleikin -> SAML 2.0 Service Provider Metadata
