This module enables SAML authentication on one or more Jahia websites.
Deploy the module and install it on your site.
You can manually create a keystore that will be used to communicate with the IdP.
keytool -genkeypair -alias jahiakeystorealias -keypass changeit -keystore sp.jks -storepass changeit -keyalg RSA -keysize 2048 -validity 3650
Important input step:
- What is your first and last name?: jahia.server.name
  This value must match your Jahia site domain name.
The configuration is stored in a file in the karaf/etc folder; there is one configuration file per site.
A dedicated Site Setting is available to edit the configuration.
You will have to fill in the following entries:
- Identity Provider MetaData file : The Identity Provider Metadata file is provided by the Identity Provider (IdP), for example Shibboleth or Google. This XML file must be uploaded here.
- Relying Party Identifier : This is the identifier of your Service Provider, which will be sent to the IdP.
- Incoming Target Url : This is the URL to which the IdP will return the SAML response. Its default value is /home.samlCallback.do
- Keystore, Keystore type, Alias, Password of the Keystore and Password of the Private Key : These values must match those defined when creating the server key and certificate. You can also leave the keystore empty and fill in the other values to automatically generate a new keystore. Note that it will use the hostname for the CN entry of the certificate.
- Redirect after successful login : This is the DX relative URL to which the user will be redirected after successful authentication (for example /home.html).
- Maximum authentication lifetime : The maximum age of the authentication on the IdP. The user will be asked to reauthenticate if the session on the IdP is older than the specified time.
- Force authentication : If set, authentication will be requested every time, even if the user already has a session on the IdP.
- Passive : The user will transparently log in, without any interaction. The user will be authenticated only if the IdP is able to do it without asking the user. This cannot be used along with Force authentication.
- Sign authentication request : Sign the request sent to the IdP.
- Requires signed assertions : Will only accept signed assertions from the IdP.
- Binding type : SAML binding type used to communicate with the IdP.
- User mapper : How to map the user data to a user in Jahia. By default, SAML ID will try to find a user with the same ID as the one sent by the IdP. It is also possible to choose a specific mapper that will create a new user in the JCR or in LDAP.
Then click on the save button on the top right of the screen.
If needed, you can download the Service Provider Metadata based on the configuration by clicking on Open service provider metadata in the header. This may be required to configure the IdP.
# SAML Configuration file - autogenerated
siteKey = digitall
enabled = true
identityProviderMetadata = ...
relyingPartyIdentifier = test-local
keyStore = ...
keyStoreAlias = saml2clientconfiguration
keyStorePass = changeit
privateKeyPass = changeit
incomingTargetUrl = /home.samlCallback.do
postLoginPath = /
maximumAuthenticationLifetime = 86400
forceAuth = false
passive = false
requireSignedAssertions = false
signAuthnRequest = true
bindingType = urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
keyStoreType = PKCS12
mapperName = jcrOAuthProvider
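The autogenerated file above is plain key = value text, so its security-relevant settings can be checked before a site goes live. The following script is an added example, not part of the Jahia module: it parses a configuration in that format and reports the settings a reviewer would question (unsigned assertions accepted, Passive combined with Force authentication, keystore passwords left at the keytool example value, a non-relative post-login URL). The sample configuration and the rules themselves are constructed for this example.

```python
# Added example (not part of the Jahia SAML module): lint one site's SAML
# configuration in the karaf/etc key=value format. Rules are constructed.

# Constructed sample: deliberately contains every setting the rules catch.
SAMPLE_CONFIG = """\
# SAML Configuration file - autogenerated
siteKey = digitall
enabled = true
keyStorePass = changeit
privateKeyPass = changeit
postLoginPath = https://example.invalid/landing
forceAuth = true
passive = true
requireSignedAssertions = false
"""

def parse_config(text):
    """Return key -> value for the karaf/etc file, skipping blanks and # comments."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            cfg[key.strip()] = value.strip()
    return cfg

def is_true(cfg, key):
    return cfg.get(key, "false").strip().lower() == "true"

def review_config(cfg):
    """Return the findings a reviewer would raise for one site configuration."""
    findings = []
    if not is_true(cfg, "enabled"):
        return findings  # SAML is off for this site; nothing to check
    if not is_true(cfg, "requireSignedAssertions"):
        findings.append("requireSignedAssertions=false: unsigned assertions from the IdP are accepted")
    if is_true(cfg, "forceAuth") and is_true(cfg, "passive"):
        findings.append("forceAuth and passive are both set; the module does not support that combination")
    for key in ("keyStorePass", "privateKeyPass"):
        if cfg.get(key) == "changeit":
            findings.append(key + " still uses the keytool example password 'changeit'")
    if not cfg.get("postLoginPath", "/").startswith("/"):
        findings.append("postLoginPath must be a DX-relative URL, not an absolute one")
    return findings

if __name__ == "__main__":
    print(*review_config(parse_config(SAMPLE_CONFIG)), sep="\n")
```

Point parse_config at the contents of the site's file under karaf/etc to run the same checks against a real configuration.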
In order to dispatch the login to the SAML IdP, the user needs to call the connectToSAML action on a page.
This can be done by adding a simple link in the page (for example http://localhost/sites/mySite/home.connectToSAML.do), or by adding an HTML form.
A simple form component ("SAML2 Login") is also provided with the module. It will display a simple login button, which will call the action.
The user will be redirected to the IdP with the SAML login request from Jahia. Once logged in, the IdP will redirect to Jahia with a signed assertion containing the user information.
- More details on configuration options can be found in the pac4j library documentation: http://www.pac4j.org/3.2.x/docs/clients/saml.html