Configuration - Authentication and Authorization Service
<!doctype html> <html lang="en" class="no-js"> <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width,initial-scale=1"> <link rel="icon" href="../../../assets/images/favicon.png"> <meta name="generator" content="mkdocs-1.3.1, mkdocs-material-8.5.3"> <title>Configuration - Authentication and Authorization Service</title> <link rel="stylesheet" href="../../../assets/stylesheets/main.7a952b86.min.css"> <link rel="stylesheet" href="../../../assets/stylesheets/palette.cbb835fc.min.css"> <link rel="stylesheet" href="../../../stylesheets/fonts.css"> <link rel="stylesheet" href="../../../stylesheets/kuri-kuri.css"> </head> <body dir="ltr" data-md-color-scheme="" data-md-color-primary="none" data-md-color-accent="none"> <div class="md-container" data-md-component="container"> <main class="md-main" data-md-component="main"> <div class="md-main__inner md-grid"> <div class="md-content" data-md-component="content"> <article class="md-content__inner md-typeset"> <a href="https://gitlab.cern.ch/authzsvc/docs/authzsvc-docs/-/blob/master/docs/user-documentation/saml/config.md" title="Edit this page" class="md-content__button md-icon"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M20.71 7.04c.39-.39.39-1.04 0-1.41l-2.34-2.34c-.37-.39-1.02-.39-1.41
0l-1.84 1.83 3.75 3.75M3 17.25V21h3.75L17.81 9.93l-3.75-3.75L3 17.25Z"/></svg> </a> <h1 id="how-to-configure-your-saml-applications">How to Configure your SAML Applications</h1> <h2 id="examples">Examples</h2> <p>Some examples can be found at <a href="https://gitlab.cern.ch/authzsvc/docs/keycloak-sso-examples">CERN's Gitlab</a> or in the <a href="https://www.keycloak.org/docs/latest/securing_apps/index.html">Keycloak Documentation</a>.</p> <h2 id="migration-guidelines">Migration Guidelines</h2> <ul> <li>Here are some <a href="../shibboleth-integration/">guidelines for Shibboleth migration</a> to the new SSO</li> </ul> <h2 id="configurationtroubleshooting-checklist">Configuration/Troubleshooting checklist</h2> <p>Usually, SAML Service Providers (i.e. your SAML application) require minimal configuration beyond trusting CERN's Identity Provider metadata. If you are experiencing issues, go through the list below and confirm every item holds for your Service Provider.</p> <ul> <li>For SAML Service Providers on a non-CERN domain<ul> <li>I have had the domain added to the list of trusted domains (<em>please <a href="https://cern.service-now.com/service-portal?id=sc_cat_item&amp;name=request&amp;se=SSO-Service">send a request</a> to the SSO Service</em>)</li> </ul> </li> <li>For all SAML Service Providers<ul> <li>If I am signing my requests, my metadata identifies the key that will be used for signing with a <code>&lt;md:KeyDescriptor use="signing"&gt;</code> element</li> <li>The entityID in my metadata matches the Issuer of the SAML requests sent by my service</li> <li>I have created an application in the <a href="https://application-portal.web.cern.ch">Application Portal</a> and added a SAML SSO Registration where I have pasted my metadata. 
If you're using Shibboleth, see the dedicated guidelines for Shibboleth migration for how to <a href="https://gitlab.cern.ch/authzsvc/docs/shibboleth-configuration/-/blob/master/README.md#generate-your-metadata">generate your metadata</a>.</li> <li>I am trusting <a href="https://auth.cern.ch/auth/realms/cern/protocol/saml/descriptor">CERN's Identity Provider metadata</a> (either by downloading it or by configuring the URL <code>https://auth.cern.ch/auth/realms/cern/protocol/saml/descriptor</code>)</li> </ul> </li> </ul> <h2 id="what-will-be-in-your-tokens">What will be in your tokens?</h2> <p><em>Please note: although the attribute names are considered fixed, their values may change slightly as the infrastructure evolves, and additional attributes may be added.</em></p> <table> <thead> <tr> <th>Field</th> <th>Example</th> <th>Usage Note</th> </tr> </thead> <tbody> <tr> <td>upn</td> <td>mcurie</td> <td>User Principal Name; this is <strong>unique</strong> and is the value to use to identify a user.</td> </tr> <tr> <td>PersonID</td> <td>754321</td> <td>CERN PersonID, for known CERN users</td> </tr> <tr> <td>Firstname</td> <td>Marie</td> <td></td> </tr> <tr> <td>Lastname</td> <td>Curie</td> <td></td> </tr> <tr> <td>displayName</td> <td>Marie Curie</td> <td>Display purposes</td> </tr> <tr> <td>EmailAddress</td> <td>marie.curie@cern.ch</td> <td>Communication</td> </tr> <tr> <td>PreferredLanguage</td> <td>FR</td> <td>EN or FR, CERN's official languages</td> </tr> <tr> <td>eduPersonOrcid</td> <td>0000-0002-1825-0097</td> <td>Only returned if the user has linked an ORCID to their Identity</td> </tr> <tr> <td>uidNumber</td> <td>55555</td> <td>Unix ID, for CERN account holders only</td> </tr> <tr> <td>gidNumber</td> <td>5555</td> <td>Unix group ID, for CERN account holders only</td> </tr> <tr> <td>CernRoles</td> <td>"user", "editor"</td> <td>Roles are defined per application and assigned to groups. 
Use this for access control.</td> </tr> <tr> <td>CernRolesMissingLoa</td> <td>"app-user"</td> <td>Roles the current user holds but which are not granted in this session because the user must log in with an account of a higher Level of Assurance (e.g. a CERN account instead of a social account)</td> </tr> <tr> <td>CernRolesMissingMfa</td> <td>"manager"</td> <td>Roles the current user holds but which are not granted in this session because the user must log in with a two-factor authentication method (i.e. an authenticator app or a YubiKey)</td> </tr> <tr> <td>CernMailUpn</td> <td>mcurie@cern.ch</td> <td>A claim in the format "[login]@cern.ch", exclusively for CERN accounts. It can be used as an alternative identifier. The name of this claim might change in the future.</td> </tr> <tr> <td>HomeInstitute</td> <td>University of Paris</td> <td>Home institute, when available: for CERN account holders, users and associates</td> </tr> </tbody> </table> <h2 id="metadata">Metadata</h2> <p>Metadata is normally generated by your Service Provider software, but you may wish to generate it yourself. You can use a tool such as <a href="https://www.samltool.com/sp_metadata.php">onelogin SAML Developer Tools</a> to construct metadata manually. When using an online tool, paste only your certificate into it, never the private key.</p> <h3 id="saml-nameid">SAML NameID</h3> <p>You can choose the value returned in the Subject of the SAML assertion (the NameID) by requesting a particular NameID Format in your SAML Metadata. If you list several formats, the first one applies. 
The following are supported:</p> <div class="highlight"><pre><span></span><code><span class="nt">&lt;md:NameIDFormat&gt;</span>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress<span class="nt">&lt;/md:NameIDFormat&gt;</span>
<span class="nt">&lt;md:NameIDFormat&gt;</span>urn:oasis:names:tc:SAML:2.0:nameid-format:transient<span class="nt">&lt;/md:NameIDFormat&gt;</span>
<span class="nt">&lt;md:NameIDFormat&gt;</span>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent<span class="nt">&lt;/md:NameIDFormat&gt;</span>
<span class="nt">&lt;md:NameIDFormat&gt;</span>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified<span class="nt">&lt;/md:NameIDFormat&gt;</span>
</code></pre></div> <h3 id="logout">Logout</h3> <p>If you want to offer a Logout button in your application, make sure your metadata declares the endpoint to which the logout response will be returned, e.g.</p> <div class="highlight"><pre><span></span><code><span class="nt">&lt;md:SingleLogoutService</span><span class="w"> </span><span class="na">Binding=</span><span class="s">"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"</span><span class="w"> </span><span class="na">Location=</span><span class="s">"http://cern.ch/testapp"</span><span class="nt">/&gt;</span>
</code></pre></div> <p>Use an <code>https</code> Location in a real deployment; the plain-http address above is only a placeholder. We do not recommend forcibly logging people out of SSO as this causes significant confusion for users; if you need to restrict access to your application after a period shorter than the SSO session lifetime, enforce it within your application's own session logic.</p> <h3 id="signing-and-encryption">Signing and Encryption</h3> <p>We strongly recommend that your SAML Service Provider signs its Authentication Requests: the signature lets CERN's Identity Provider reject requests that a third party forges using your entityID. Requesting encrypted tokens adds a further layer: the attributes in the assertion are readable only by the holder of your Service Provider's private key, not by the browser that relays the response or anything that logs it. 
CERN's Identity Provider decides whether to require signed requests, and whether to encrypt tokens, purely from the certificates included in your metadata, so the metadata you paste into the Application Portal is what controls both behaviours.</p> <h4 id="how-to-signal-that-you-are-signing-authentication-requests">How to signal that you are signing Authentication Requests</h4> <p>If your metadata includes a signing certificate (see the example below, note the <code>use="signing"</code> attribute), CERN's Identity Provider will require all Authentication Requests from your SAML Service Provider to be signed and will reject unsigned ones. If you do not include a signing certificate, CERN's Identity Provider will accept unsigned Authentication Requests. Because the Identity Provider only knows the certificate in your registered metadata, update the SAML SSO Registration in the Application Portal before you rotate the signing key; otherwise requests signed with the new key will fail verification.</p> <div class="highlight"><pre><span></span><code><span class="nt">&lt;md:KeyDescriptor</span><span class="w"> </span><span class="na">use=</span><span class="s">"signing"</span><span class="nt">&gt;</span>
<span class="w">  </span><span class="nt">&lt;ds:KeyInfo</span><span class="w"> </span><span class="na">xmlns:ds=</span><span class="s">"http://www.w3.org/2000/09/xmldsig#"</span><span class="nt">&gt;</span>
<span class="w">    </span><span class="nt">&lt;ds:X509Data&gt;</span>
<span class="w">      </span><span class="nt">&lt;ds:X509Certificate&gt;</span>MIID2zCCAs...MONRk1/jw4w==<span class="nt">&lt;/ds:X509Certificate&gt;</span>
<span class="w">    </span><span class="nt">&lt;/ds:X509Data&gt;</span>
<span class="w">  </span><span class="nt">&lt;/ds:KeyInfo&gt;</span>
<span class="nt">&lt;/md:KeyDescriptor&gt;</span>
</code></pre></div> <h4 id="how-to-request-encrypted-tokens">How to request encrypted tokens</h4> <p>If your metadata includes an encryption certificate (see the example below, note the <code>use="encryption"</code> attribute), CERN's Identity Provider will encrypt tokens issued to your SAML Service Provider with that certificate's public key, so your Service Provider must hold the matching private key to read them. 
If one is not included, tokens will be sent unencrypted.</p> <div class="highlight"><pre><span></span><code><span class="nt">&lt;md:KeyDescriptor</span><span class="w"> </span><span class="na">use=</span><span class="s">"encryption"</span><span class="nt">&gt;</span>
<span class="w">  </span><span class="nt">&lt;ds:KeyInfo</span><span class="w"> </span><span class="na">xmlns:ds=</span><span class="s">"http://www.w3.org/2000/09/xmldsig#"</span><span class="nt">&gt;</span>
<span class="w">    </span><span class="nt">&lt;ds:X509Data&gt;</span>
<span class="w">      </span><span class="nt">&lt;ds:X509Certificate&gt;</span>MIID2zCCA...JMONRk1/jw4w==<span class="nt">&lt;/ds:X509Certificate&gt;</span>
<span class="w">    </span><span class="nt">&lt;/ds:X509Data&gt;</span>
<span class="w">  </span><span class="nt">&lt;/ds:KeyInfo&gt;</span>
<span class="nt">&lt;/md:KeyDescriptor&gt;</span>
</code></pre></div> </article> </div> </div> </main> <footer class="md-footer"> <nav class="md-footer__inner md-grid" aria-label="Footer" > <a href="../saml/" class="md-footer__link md-footer__link--prev" aria-label="Previous: About" rel="prev"> <div class="md-footer__button md-icon"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M20 11v2H8l5.5 5.5-1.42 1.42L4.16 12l7.92-7.92L13.5 5.5 8 11h12Z"/></svg> </div> <div class="md-footer__title"> <div class="md-ellipsis"> <span class="md-footer__direction"> Previous </span> About </div> </div> </a> <a href="../shibboleth-integration/" class="md-footer__link md-footer__link--next" aria-label="Next: Shibboleth integration" rel="next"> <div class="md-footer__title"> <div class="md-ellipsis"> <span class="md-footer__direction"> Next </span> Shibboleth integration </div> </div> <div class="md-footer__button md-icon"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M4 11v2h12l-5.5 5.5 1.42 1.42L19.84 12l-7.92-7.92L10.5 5.5 16 11H4Z"/></svg> </div> </a> </nav> <div class="md-footer-meta md-typeset"> <div class="md-footer-meta__inner md-grid"> 
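The checklist, the NameID, Logout and Signing and Encryption sections above all come down to what your Service Provider metadata declares. The following is an added example, not code from this documentation or from the CERN SSO team: it builds SP metadata with the Python standard library and then reads it back the way the rules on this page say CERN's Identity Provider will (a signing certificate means signed requests are required, an encryption certificate means encrypted tokens, the first NameIDFormat wins), flagging the checklist mistakes it can detect, including the entityID/Issuer mismatch. The entityID, URLs and certificate text are constructed placeholders, and the warning texts are this example's own, not the Identity Provider's error messages.

```python
"""Build Service Provider metadata with the choices described on this page and
report what CERN's Identity Provider will do with it. Added example using only
the Python standard library; the entityID, URLs and certificate text below are
constructed placeholders."""
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"md": MD, "ds": DS, "saml": SAML}
ET.register_namespace("md", MD)
ET.register_namespace("ds", DS)

HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
NAMEID_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
NAMEID_PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# Placeholder: a real value is the base64 DER of your SP certificate (never the private key).
FAKE_CERT = "MIID2zCCAs...MONRk1/jw4w=="


def _key_descriptor(parent, use, cert_b64):
    """<md:KeyDescriptor use="..."> wrapping an X.509 certificate, as in the examples above."""
    kd = ET.SubElement(parent, f"{{{MD}}}KeyDescriptor", use=use)
    x509 = ET.SubElement(ET.SubElement(kd, f"{{{DS}}}KeyInfo"), f"{{{DS}}}X509Data")
    ET.SubElement(x509, f"{{{DS}}}X509Certificate").text = cert_b64


def build_sp_metadata(entity_id, acs_url, nameid_formats=(), signing_cert=None,
                      encryption_cert=None, slo_url=None):
    """Return SP metadata as a string; child order follows the SAML metadata schema."""
    root = ET.Element(f"{{{MD}}}EntityDescriptor", entityID=entity_id)
    sp = ET.SubElement(root, f"{{{MD}}}SPSSODescriptor",
                       protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol",
                       AuthnRequestsSigned="true" if signing_cert else "false")
    if signing_cert:
        _key_descriptor(sp, "signing", signing_cert)
    if encryption_cert:
        _key_descriptor(sp, "encryption", encryption_cert)
    if slo_url:
        ET.SubElement(sp, f"{{{MD}}}SingleLogoutService", Binding=HTTP_REDIRECT, Location=slo_url)
    for fmt in nameid_formats:
        ET.SubElement(sp, f"{{{MD}}}NameIDFormat").text = fmt
    ET.SubElement(sp, f"{{{MD}}}AssertionConsumerService", Binding=HTTP_POST,
                  Location=acs_url, index="0")
    return ET.tostring(root, encoding="unicode")


def inspect_sp_metadata(xml_text):
    """Read metadata back as the page says the IdP does: a signing key means signed
    requests are required, an encryption key means encrypted tokens, the first
    NameIDFormat wins. The warnings are this example's own checklist, not IdP output."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no md:SPSSODescriptor: this is not Service Provider metadata")
    warnings = []
    entity_id = root.get("entityID")
    if not entity_id:
        warnings.append("entityID missing; it must match the Issuer of your requests")
    certs = {}
    for kd in sp.findall("md:KeyDescriptor", NS):
        use = kd.get("use")
        cert = kd.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS)
        if use not in ("signing", "encryption"):
            warnings.append('KeyDescriptor without use="signing" or use="encryption"')
        elif cert and cert.strip():
            certs[use] = cert.strip()
        else:
            warnings.append(f"KeyDescriptor use={use!r} carries no X509Certificate")
    if sp.get("AuthnRequestsSigned") == "true" and "signing" not in certs:
        warnings.append("AuthnRequestsSigned is true but no signing certificate is published")
    slo = sp.find("md:SingleLogoutService", NS)
    slo_location = slo.get("Location") if slo is not None else None
    if slo_location and not slo_location.startswith("https://"):
        warnings.append(f"SingleLogoutService Location is not https: {slo_location}")
    nameid = sp.findtext("md:NameIDFormat", namespaces=NS)  # findtext returns the first match
    return {
        "entity_id": entity_id,
        "requires_signed_requests": "signing" in certs,
        "encrypts_tokens": "encryption" in certs,
        "nameid_format": nameid.strip() if nameid else None,
        "slo_location": slo_location,
        "warnings": warnings,
    }


def issuer_matches(metadata_xml, authn_request_xml):
    """Checklist item: the metadata entityID equals the <saml:Issuer> of the AuthnRequest."""
    entity_id = ET.fromstring(metadata_xml).get("entityID") or ""
    issuer = ET.fromstring(authn_request_xml).findtext("saml:Issuer", default="", namespaces=NS)
    return entity_id.strip() == issuer.strip()


if __name__ == "__main__":
    md = build_sp_metadata("https://myapp.web.cern.ch/shibboleth",
                           "https://myapp.web.cern.ch/Shibboleth.sso/SAML2/POST",
                           nameid_formats=(NAMEID_EMAIL, NAMEID_PERSISTENT),
                           signing_cert=FAKE_CERT, encryption_cert=FAKE_CERT,
                           slo_url="https://myapp.web.cern.ch/Shibboleth.sso/SLO/Redirect")
    print(inspect_sp_metadata(md))
```

Run `inspect_sp_metadata` on the metadata your SP software actually publishes rather than on the built one: the point is to know, before you paste it into the Application Portal, whether you are asking for signed requests and encrypted tokens, because the Identity Provider will enforce whatever the metadata says.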
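The attribute table above is easiest to get right with a consumer that treats CernRoles as the only source of authorization and reads the CernRolesMissingLoa and CernRolesMissingMfa attributes only to explain a denial. The block below is an added example, not code from this documentation or from the CERN SSO team: it parses a constructed, unsigned and unencrypted assertion carrying the attribute names from the table (a real Service Provider library verifies the signature and decrypts the assertion before any attribute is read) and makes the access decision. The attribute values and role names are invented for illustration.

```python
"""Turn the attributes listed in the table on this page into an access decision.
Added example, Python standard library only. The assertion below is constructed
for illustration and is unsigned and unencrypted: in a real SP the library
verifies the signature and decrypts the assertion before any of this runs."""
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}

# Constructed sample carrying the attribute names from the table above.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">marie.curie@cern.ch</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="upn"><saml:AttributeValue>mcurie</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="displayName"><saml:AttributeValue>Marie Curie</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="EmailAddress"><saml:AttributeValue>marie.curie@cern.ch</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="CernRoles">
      <saml:AttributeValue>user</saml:AttributeValue>
      <saml:AttributeValue>editor</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="CernRolesMissingMfa"><saml:AttributeValue>manager</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="CernRolesMissingLoa"><saml:AttributeValue>app-user</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def attributes(assertion_xml):
    """Map attribute Name -> list of values (CernRoles and the Missing* attributes are multi-valued)."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = [v for v in values if v]
    return attrs


def authorize(attrs, required_role):
    """Grant only on CernRoles; use the Missing* attributes to say which step-up would help."""
    upn = (attrs.get("upn") or [None])[0]
    if not upn:
        # upn is the unique identifier; without it there is nobody to authorize.
        return {"user": None, "granted": False, "reason": "no-upn"}
    if required_role in attrs.get("CernRoles", []):
        return {"user": upn, "granted": True, "reason": "ok"}
    if required_role in attrs.get("CernRolesMissingMfa", []):
        # The user holds the role but this session was not authenticated with 2FA.
        return {"user": upn, "granted": False, "reason": "needs-2fa"}
    if required_role in attrs.get("CernRolesMissingLoa", []):
        # The user holds the role but logged in with an account of too low a Level of Assurance.
        return {"user": upn, "granted": False, "reason": "needs-higher-loa"}
    return {"user": upn, "granted": False, "reason": "role-not-assigned"}


if __name__ == "__main__":
    parsed = attributes(SAMPLE_ASSERTION)
    for role in ("editor", "manager", "app-user", "admin"):
        print(role, authorize(parsed, role))
```

Note that upn, not EmailAddress or displayName, is the identifier: the table reserves those two for communication and display.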
<div class="md-copyright"> Made with <a href="https://squidfunk.github.io/mkdocs-material/" target="_blank" rel="noopener"> Material for MkDocs </a> </div> </div> </div> </footer> </div> </body> </html>