update: Keycloak SAML 2.0 in 13.0

manual/config/saml2.md

@@ -1,10 +1,13 @@
-# SAML 2.0 Authentication
+# SAML 2.0 in version 10.0+
 
-In this document, we use Microsoft Azure SAML single sign-on app and Microsoft on-premise ADFS to show how Seafile integrate SAML 2.0. Other SAML 2.0 provider should be similar.
+In this document, we demonstrate how to integrate Seafile with SAML single sign-on. We will use the Microsoft Azure SAML single sign-on app, Microsoft on-premise ADFS, and Keycloak as three examples. Other SAML 2.0 providers should follow a similar approach.
 
 ## Preparations for SAML 2.0
 
-**First**, install xmlsec1 package:
+### Install xmlsec1 package (binary deployment only)
+
+!!! note "This step is not needed for Docker based deployment"
+
 
 ```
 $ apt update
@@ -12,26 +15,38 @@ $ apt install xmlsec1
 $ apt install dnsutils  # For multi-tenancy feature
 ```
 
-**Second**, prepare SP(Seafile) certificate directory and SP certificates:
+### Prepare SP(Seafile) certificate directory and SP certificates
 
-Create certs dir
+Create certs dir：
 
-```
-$ mkdir -p /opt/seafile/seahub-data/certs
-```
+=== "Docker Deployment"
+    The default deployment path for Seafile is **/opt/seafile**, and the corresponding default path for seafile-data is **/opt/seafile-data**. If you do not deploy Seafile to this directory, you can check the **SEAFILE_VOLUME** variable in the env to confirm the path of your seafile-data.
+    ```sh
+    cd /opt/seafile-data/seafile/seahub-data
+    mkdir certs
+    ```
+
+=== "Binary Deployment"
+    If you deploy Seafile using the binary package, the default installation and data path is **/opt/seafile**. If you do not deploy Seafile to this directory, please check your actual deployment path.
+    ```sh
+    cd /opt/seafile/seahub-data
+    mkdir certs
+    ```
 
 The SP certificate can be generated by the openssl command, or you can apply to the certificate manufacturer, it is up to you. For example, generate the SP certs using the following command:
 
-```
-$ cd /opt/seafile/seahub-data/certs
-$ openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout sp.key -out sp.crt
+```sh
+cd certs
+openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout sp.key -out sp.crt
 ```
 
 !!! tip "The `days` option indicates the validity period of the generated certificate. The unit is day. The system admin needs to update the certificate regularly"
 
-## Integration with ADFS/SAML single sign-on
+## Integrate with Identity Provider
 
-### Microsoft Azure SAML single sign-on app
+In the following examples, we assume Seafile is deployed at `https://demo.seafile.top`. You should change the domain in the exmapels to the domain of your Seafile server. 
+
+### Example 1: Microsoft Azure SAML single sign-on app
 
 If you use Microsoft Azure SAML app to achieve single sign-on, please follow the steps below:
 
@@ -49,7 +64,7 @@ If you use Microsoft Azure SAML app to achieve single sign-on, please follow the
 
 ![](../images/auto-upload/0a693563-d511-4c3c-ac30-82a26d10cfab.png)
 
-and put it under the certs directory(`/opt/seafile/seahub-data/certs`).
+and put it under the certs directory(`/opt/seafile-data/seafile/seahub-data/certs`).
 
 **Next**, copy the metadata URL of the SAML app:
 
@@ -65,6 +80,7 @@ SAML_REMOTE_METADATA_URL = 'https://login.microsoftonline.com/xxx/federationmeta
 
 ```python
 ENABLE_ADFS_LOGIN = True
+LOGIN_REDIRECT_URL = '/saml2/complete/'
 SAML_ATTRIBUTE_MAPPING = {
     'name': ('display_name', ),
     'mail': ('contact_email', ),
@@ -88,15 +104,10 @@ SAML_REMOTE_METADATA_URL = 'https://login.microsoftonline.com/xxx/federationmeta
     $ which xmlsec1
     ```
 
-    - If certificates are **not placed in** `/opt/seafile/seahub-data/certs`, you need to add the following configuration in seahub_settings.py:
-
-    ```python
-    SAML_CERTS_DIR = '/path/to/certs'
-    ```
 
 **Finally**, open the browser and enter the Seafile login page, click `Single Sign-On`, and use the user assigned to SAML app to perform a SAML login test.
 
-### On-premise ADFS
+### Example 2: On-premise ADFS
 
 If you use Microsoft ADFS to achieve single sign-on, please follow the steps below:
 
@@ -134,6 +145,7 @@ If you use Microsoft ADFS to achieve single sign-on, please follow the steps bel
 
 ```python
 ENABLE_ADFS_LOGIN = True
+LOGIN_REDIRECT_URL = '/saml2/complete/'
 SAML_ATTRIBUTE_MAPPING = {
     'name': ('display_name', ),
     'mail': ('contact_email', ),
@@ -187,3 +199,87 @@ SAML_REMOTE_METADATA_URL = 'https://temp.adfs.com/federationmetadata/2007-06/fed
 !!! tip "When creating claims rule, you can also select other LDAP Attributes, such as E-Mail-Addresses, depending on your ADFS service"
 
 **Finally**, open the browser and enter the Seafile login page, click `Single Sign-On` to perform ADFS login test.
+
+
+### Example 3: Keycloak SAML 2.0
+
+In this part, we use Keycloak SAML single sign-on app to show how Seafile integrate SAML 2.0.
+
+
+#### In Keycloak
+
+**First**, Create a new Client: 
+
+* Client type: Choose `SAML`；
+
+* Client ID:  Fill in the SAML metadata address of Seafile (e.g.,**https://demo.seafile.top/saml2/metadata/**)
+![](../images/auto-upload/image-NyZkNZ91T_K7Gywl0KHGrQ.png)
+
+* Root URL and Home URL: Root Directory/Homepage, fill in the Seafile web service address (e.g.,**https://demo.seafile.top/**)
+
+* Valid redirect URIs: Valid Redirect URIs, fill in all URLs of the Seafile web service (e.g.,**https://demo.seafile.top/***)
+![](../images/auto-upload/image-JK3df4mzSmO-amDFvQ9Fqg.png)
+
+**Next**, open the client you just created and make the following modifications; leave all other settings as default.
+
+* Settings - SAML capabilities: Set the **Name ID Format** to **email**, and only keep **Include AuthnStatement** enabled, disable all other settings.
+![](../images/auto-upload/image-KC0ARnH5RIq08sLwsv81Rg.png)
+
+* Settings - Signature and Encryption: The default encryption algorithm is RSA_SHA256, so no changes are required.
+![](../images/auto-upload/image-drasTIeIT2iAC6nt6IzPrw.png)
+
+* Keys : Confirm that the Signing keys config is in the disabled state.
+![](../images/auto-upload/image-cW5cH6pNQJi_1NNcBMOrfA.png)
+
+* Client scopes:  Configure the protocol mapping to map user information.
+![](../images/auto-upload/image-CNf9Wb68RrGEa4pXIs9M7Q.png)
+
+**Next**, choose the custom configuration **By configuration**:
+![](../images/auto-upload/image-BpWVpuZASrCa9xLuQNFeSw.png)
+
+![](../images/auto-upload/image-NBUD7HlRQxGkpmLjZXwyDQ.png)
+
+![](../images/auto-upload/image-eG-wA0OnRaORksGEX_IhLA.png)
+
+![](../images/auto-upload/image-Nv_9Yw3qSw2BM4wOdef2MA.png)
+
+**Next**, ensure that the above two attributes are added. After adding them, the result is as follows:
+![](../images/auto-upload/image-ayUp4emgTk2hOSNw-_X9sA.png)
+
+* Advanced - Fine Grain SAML Endpoint Configuration
+
+    * Assertion Consumer Service POST Binding URL: Send the SAML assertion request to the SP using the POST method, and set it to the SAML ACS address of Seafile (e.g.,**https://demo.seafile.top/saml2/acs/**).
+
+    * Assertion Consumer Service Redirect Binding URL: Send the SAML assertion request to the SP via the redirect method, and set it to Seafile's SAML ACS address (same as the Assertion Consumer Service POST Binding URL).
+
+    * Logout Service POST Binding URL: The address for sending a logout request to the SP via the POST method. Fill in the SAML logout POST address of Seafile (e.g.,**https://demo.seafile.top/saml2/ls/post/**).
+
+    * Logout Service Redirect Binding URL: The address for sending a logout request to the SP via the redirect method. Fill in Seafile's SAML logout address (e.g.,**https://demo.seafile.top/saml2/ls/**).
+![](../images/auto-upload/image-RaLdQDv6QpuQvAdqF4idvA.png)
+
+* Advanced - Authentication flow overrides: Bind the authenticator (the default account-password login uses the `Browser` flow).
+![](../images/auto-upload/image-Vg_4N-6GT8mL7-5yVrTvyw.png)
+
+#### Seafile configuration 
+
+```sh
+cd /opt/seafile-data/seafile/conf/
+vim seahub_settings.py 
+
+
+ENABLE_ADFS_LOGIN = True
+#SAML_CERTS_DIR is a path inside the container and does not need to be changed.
+SAML_CERTS_DIR = '/opt/seafile/seahub-data/certs'
+#The configuration format of SAML_REMOTE_METADATA_URL is '{idp_server_url}/realms/{realm}/protocol/saml/descriptor' 
+#idp_server_url: The URL of the Keycloak service
+#realm: Realm name
+SAML_REMOTE_METADATA_URL = 'https://keycloak.seafile.com/realms/haiwen/protocol/saml/descriptor'
+SAML_ATTRIBUTE_MAPPING = {
+    'name': ('display_name', ),
+    'mail': ('contact_email', ),
+}
+
+```
+
+**Finally**, open the browser and enter the Seafile login page, click Single Sign-On, and use the user assigned to SAML app to perform a SAML login test.
+![](../images/auto-upload/image-S_qgKCybSBifWLgYRiWagQ.png)