38a46e68ea
* feat: added implementation for group mapping in SAML strategies --------- Co-authored-by: Abderraouf El Gasser <abderraouf.elgasser@iktos.com> Co-authored-by: Nicolas Giard <github@ngpixel.com>
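---
# wiki.js authentication strategy definition for SAML 2.0.
# The top-level keys describe the strategy itself; each entry under `props`
# is one admin-configurable setting with its value type, UI title/hint,
# default and (where restricted) the allowed values.
key: saml
title: SAML 2.0
description: Security Assertion Markup Language 2.0 (SAML 2.0) is a version of the SAML standard for exchanging authentication and authorization data between security domains.
author: requarks.io
logo: https://static.requarks.io/logo/saml.svg
color: red darken-3
website: https://wiki.oasis-open.org/security/FrontPage
isAvailable: true
useForm: false
props:
  # NOTE(review): `order` presumably drives the position in the admin form;
  # the gaps (1-8, 20-30, 40-45) group connection, protocol and mapping
  # settings — confirm against the form renderer.
  entryPoint:
    type: String
    title: Entry Point
    hint: Identity provider entrypoint (URL)
    order: 1
  issuer:
    type: String
    title: Issuer
    hint: Issuer string to supply to Identity Provider
    order: 2
  # Leaving this empty disables audience verification (see hint). Setting it
  # is what allows responses issued for a different service provider to be
  # rejected, so it should normally be filled in.
  audience:
    type: String
    title: Audience
    hint: Expected SAML response Audience (if not provided, audience won't be verified)
    order: 3
  # Trust anchor: the IdP signing certificate(s) used to verify responses.
  cert:
    type: String
    title: Certificate
    hint: Public PEM-encoded X.509 signing certificate. If the provider has multiple certificates that are valid, join them together using the | pipe symbol.
    multiline: true
    order: 4
  # Secret material: anything that persists this strategy's configuration
  # holds this key and should be treated as sensitive.
  privateKey:
    type: String
    title: Private Key
    hint: PEM formatted key used to sign the certificate.
    multiline: true
    order: 5
  # Secret material, same caveat as privateKey.
  decryptionPvk:
    type: String
    title: Decryption Private Key
    hint: (Optional) - Private key that will be used to attempt to decrypt any encrypted assertions that are received.
    multiline: true
    order: 6
  # Default stays sha1 so existing configurations keep working; sha256 and
  # sha512 are the stronger choices offered in the enum.
  signatureAlgorithm:
    type: String
    title: Signature Algorithm
    hint: Signature algorithm used for signing requests
    maxWidth: 400
    order: 7
    default: sha1
    enum:
      - sha1
      - sha256
      - sha512
  # Same compatibility note as signatureAlgorithm.
  digestAlgorithm:
    type: String
    title: Digest Algorithm
    hint: Digest algorithm used to provide a digest for the signed data object
    maxWidth: 400
    order: 8
    default: sha1
    enum:
      - sha1
      - sha256
      - sha512
  identifierFormat:
    type: String
    title: Name Identifier format
    default: 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress'
    order: 20
  # Off by default: the published SP metadata then does not demand that the
  # IdP sign assertions (see hint).
  wantAssertionsSigned:
    type: Boolean
    title: Always sign assertions
    hint: If enabled, add WantAssertionsSigned="true" to the metadata, to specify that the IdP should always sign the assertions.
    default: false
    order: 21
  # A value of -1 turns the NotBefore/NotOnOrAfter validity window off
  # entirely (see hint); prefer a small positive skew over -1.
  acceptedClockSkewMs:
    type: Number
    title: Accepted Clock Skew Milliseconds
    hint: Time in milliseconds of skew that is acceptable between client and server when checking NotBefore and NotOnOrAfter assertion condition validity timestamps. Setting to -1 will disable checking these conditions entirely.
    default: 0
    order: 22
  disableRequestedAuthnContext:
    type: Boolean
    title: Disable Requested Auth Context
    hint: If enabled, do not request a specific authentication context. This is known to help when authenticating against Active Directory (AD FS) servers.
    default: false
    order: 23
  authnContext:
    type: String
    title: Auth Context
    hint: Name identifier format to request auth context. For multiple values, join them together using the | pipe symbol.
    # Quoted like identifierFormat above; the parsed value is unchanged.
    default: 'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport'
    order: 24
  racComparison:
    type: String
    title: RAC Comparison Type
    hint: Requested Authentication Context comparison type.
    maxWidth: 400
    order: 25
    default: exact
    enum:
      - exact
      - minimum
      - maximum
      - better
  forceAuthn:
    type: Boolean
    title: Force Initial Re-authentication
    hint: If enabled, the initial SAML request from the service provider specifies that the IdP should force re-authentication of the user, even if they possess a valid session.
    default: false
    order: 26
  passive:
    type: Boolean
    title: Passive
    hint: If enabled, the initial SAML request from the service provider specifies that the IdP should prevent visible user interaction.
    default: false
    order: 27
  providerName:
    type: String
    title: Provider Name
    hint: Optional human-readable name of the requester for use by the presenter's user agent or the identity provider.
    default: wiki.js
    order: 28
  skipRequestCompression:
    type: Boolean
    title: Skip Request Compression
    hint: If enabled, the SAML request from the service provider won't be compressed.
    default: false
    order: 29
  authnRequestBinding:
    type: String
    title: Request Binding
    hint: Binding used for request authentication from IDP.
    maxWidth: 400
    order: 30
    default: 'HTTP-POST'
    enum:
      - HTTP-Redirect
      - HTTP-POST
  # Attribute mappings: which assertion attribute feeds each user field.
  mappingUID:
    title: Unique ID Field Mapping
    type: String
    default: 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier'
    hint: The field storing the user unique identifier. Can be a variable name or a URI-formatted string.
    order: 40
  mappingEmail:
    title: Email Field Mapping
    type: String
    default: 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'
    hint: The field storing the user email. Can be a variable name or a URI-formatted string.
    order: 41
  mappingDisplayName:
    title: Display Name Field Mapping
    type: String
    default: 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name'
    hint: The field storing the user display name. Can be a variable name or a URI-formatted string.
    order: 42
  mappingPicture:
    title: Avatar Picture Field Mapping
    type: String
    default: 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/picture'
    hint: The field storing the user avatar picture. Can be a variable name or a URI-formatted string.
    order: 43
  # Destructive sync when enabled: groups not returned by the provider are
  # removed from the user (see hint). Requires mappingGroups to be set.
  mapGroups:
    type: Boolean
    title: Map Groups
    hint: Map groups matching names from the provider user groups. User Groups Field Mapping must also be defined for this to work. Note this will remove any groups the user has that don't match any group from the provider.
    default: false
    order: 44
  mappingGroups:
    title: User Groups Field Mapping
    type: String
    default: 'memberOf'
    hint: The field storing the user groups attribute (when Map Groups is enabled). Can be a variable name or a URI-formatted string.
    order: 45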