#2 Add guide for SAML with Redmine
Merged 7 years ago by puiterwijk. Opened 7 years ago by marlinc.
marlinc/ipsilon-website redmine-guide  into  master

@@ -0,0 +1,96 @@ 

+ ### Set up Redmine

+ 

+ Configuring Redmine to authenticate with SAML2 enterprise authentication using Ipsilon.

+ 

+ This guide describes how to set up Redmine to authenticate against Ipsilon as a SAML2 SP.

+ 

+ This guide has been tested with:

+ 

+ - Ubuntu Server 16.04

+ - Ipsilon 1.2.0

+ 

+ but is known to work with other versions.

+ 

+ #### Install the SAML plugin

+ 

+ Install the SAML plugin for Redmine by cloning it using Git into the `plugins` directory.

+ 

+ `git clone git@github.com:chrodriguez/redmine_omniauth_saml.git`

+ 

+ Install the required dependencies from the root of the installation:

+ 

+ `bundle install`

+ 

+ Copy assets from plugin to Redmine assets:

+ 

+ `RAILS_ENV=production bundle exec rake redmine:plugins`

+ 

+ Restart the Redmine instance.

+ 

+ #### Configure Ipsilon

+ 

+ Go to your Ipsilon web management URL, and login as an administrator account.

+ Then go to **Administration -> Identity Providers -> SAML2 -> Manage, and click Add New**.

+ For name you can enter anything you like, for Metadata text enter (replacing "mydomain.com" twice with your Google Apps domain name):

+ 

+     <?xml version="1.0"?>

+     <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"

+                          validUntil="2016-07-12T21:27:27Z"

+                          cacheDuration="PT1468790847S"

+                          entityID="https://redmine.cvo-technologies.com">

+         <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">

+             <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>

+             <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

+                                          Location="https://redmine.cvo-technologies.com/auth/saml/callback"

+                                          index="1" />

+         </md:SPSSODescriptor>

+     </md:EntityDescriptor>

+ 

+ Now click Add.

+ 

+ #### Configure Redmine

+ 

+ Create a file in `config/initializers` called `saml.rb` with the following contents:

+ 

+     Redmine::OmniAuthSAML::Base.configure do |config|

+         config.saml = {

+             :assertion_consumer_service_url => "https://redmine.mydomain.com",

+             :issuer                         => "https://redmine.mydomain.com",

+             :idp_sso_target_url             => "https://ipsilon.mydomain.com/idp/saml2/SSO/Redirect",

+             :idp_cert_fingerprint           => "F7:0B:F9:.............",                                            # SSO ssl certificate fingerprint

+             :name_identifier_format         => "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",

+             :signout_url                    => "http/://ipsilon.mydomain.com/idp/saml2/SLO/Redirect?ReturnTo=",

+             :idp_slo_target_url             => "https://ipsilon.mydomain.com/idp/saml2/SLO/Redirect",

+             :name_identifier_value          => "mail",

+             :attribute_mapping              => {

+                 # How will we map attributes from SSO to redmine attributes

+                 :login      => 'extra.raw_info.username',

+                 :firstname  => 'extra.raw_info.first_name',

+                 :lastname   => 'extra.raw_info.last_name',

+                 :mail       => 'extra.raw_info.email'

+             }

+         }

+ 

+         config.on_login do |omniauth_hash, user|

+             # Implement any hook you want here

+         end

+     end

+ 

+ Make sure to replace the hostnames and get the fingerprint from `openssl x509 -noout -in /var/lib/ipsilon/idp/saml2/idp.pem -fingerprint`.

+ 

+ Restart the Redmine instance.

+ 

+ #### Configure SAML plugin

+ 

+ Go to **Administration -> Plugins -> Redmine Omniauth SAML plugin -> Configure**.

+ 

+ Click to enable SAML authentication and change the settings to your wish

+ 

+ #### Try it out

+ 

+ Log out if you are logged in. Go to the login page and click on the green login button.

+ You should now be forwarded to Ipsilon to log in, and afterwards sent back to Redmine, logged in.

+ 

+ #### References

+ 

+ * [Redmine SAML plugin](https://github.com/chrodriguez/redmine_omniauth_saml)
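Review bot: the `:signout_url` value in the `saml.rb` initializer has a malformed scheme, `"http/://ipsilon.mydomain.com/idp/saml2/SLO/Redirect?ReturnTo="`; it should read `"https://ipsilon.mydomain.com/idp/saml2/SLO/Redirect?ReturnTo="` so single logout is not sent to a broken URL. The two halves of the guide also disagree with each other: the metadata pasted into Ipsilon declares `NameIDFormat` `urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified` and an AssertionConsumerService `Location` of `https://redmine.cvo-technologies.com/auth/saml/callback`, while the initializer sets `:name_identifier_format => "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"` and `:assertion_consumer_service_url => "https://redmine.mydomain.com"` with no `/auth/saml/callback` path; the NameID format and the ACS URL should be the same on both sides. In the "Configure Ipsilon" step the text says to replace "mydomain.com" twice with your "Google Apps domain name", but the metadata contains `redmine.cvo-technologies.com` rather than `mydomain.com` and nothing in this guide involves Google Apps, so the metadata should use the `mydomain.com` placeholder and the Google Apps wording should go. The metadata also carries a fixed `validUntil="2016-07-12T21:27:27Z"`, which will already be in the past for anyone following the guide later; either drop the attribute or say it must be updated. Since the metadata sets `WantAssertionsSigned="false"`, the SP is not asking Ipsilon to sign assertions and depends entirely on the signature check against `:idp_cert_fingerprint`; consider setting it to `"true"` and stating which digest the fingerprint from `openssl x509 -noout -in /var/lib/ipsilon/idp/saml2/idp.pem -fingerprint` must use so readers do not paste a mismatched value. Minor: the sentence "Click to enable SAML authentication and change the settings to your wish" is missing its full stop.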

I'm still working on the guide.

rebased

7 years ago

Have you managed any progress?

If you don't have any comments then I think it's quite nice now.

Pull-Request has been merged by puiterwijk

7 years ago