15308555518/ seafile-admin-docs
1
0
Fork 0
mirror of https://github.com/haiwen/seafile-admin-docs.git synced 2025-12-25 18:22:48 +00:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity
seafile-admin-docs/manual/deploy_pro/config_seafile_with_ADFS.md
2020-12-01 10:33:47 +08:00

7.6 KiB
Raw Blame History

Requirements

To use ADFS to log in to your Seafile, you need the following components:

  1. A Winodws Server with ADFS installed. For configuring and installing ADFS you can see this article.

  2. A valid SSL certificate for ADFS server, and here we use adfs-server.adfs.com as the domain name example.

  3. A valid SSL certificate for Seafile server, and here we use demo.seafile.com as the domain name example.

Prepare Certs File

  1. x.509 certs for SP (Service Provider)

You can generate them by:

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout sp.key -out sp.crt

These x.509 certs are used to sign and encrypt elements like NameID and Metadata for SAML.

Then copy these two files to /seahub-data/certs. (if the certs folder not exists, create it.)

  1. x.509 cert from IdP (Identity Provider)

  2. Log into the ADFS server and open the ADFS management.

  3. Double click Service and choose Certificates.

  4. Export the Token-Signing certificate:

    1. Right-click the certificate and select View Certificate.
    2. Select the Details tab.
    3. Click Copy to File (select DER encoded binary X.509).

  5. Convert this certificate to PEM format, rename it to idp.crt

  6. Then copy it to /seahub-data/certs.

Prepare IdP Metadata File

  1. Open https://adfs-server.adfs.com/federationmetadata/2007-06/federationmetadata.xml

  2. Save this xml file, rename it to idp_federation_metadata.xml

  3. Copy it to /seahub-data/certs.

Install Requirements on Seafile Server

  • For Ubuntu 16.04
sudo apt install xmlsec1
sudo pip install cryptography djangosaml2==0.15.0

Config Seafile

Add the following lines to seahub_settings.py

from os import path
import saml2
import saml2.saml

# update following lines according to your situation
CERTS_DIR = '<seafile-install-path>/seahub-data/certs'
SP_SERVICE_URL = 'https://demo.seafile.com'
XMLSEC_BINARY = '/usr/local/bin/xmlsec1'
ATTRIBUTE_MAP_DIR = '<seafile-install-path>/seafile-server-latest/seahub-extra/seahub_extra/adfs_auth/attribute-maps'
SAML_ATTRIBUTE_MAPPING = {
    'DisplayName': ('display_name', ),
    'ContactEmail': ('contact_email', ),
    'Deparment': ('department', ),
    'Telephone': ('telephone', ),
}

# update the 'idp' section in SAMPL_CONFIG according to your situation, and leave others as default
ENABLE_ADFS_LOGIN = True
EXTRA_AUTHENTICATION_BACKENDS = (
    'seahub_extra.adfs_auth.backends.Saml2Backend',
)
SAML_USE_NAME_ID_AS_USERNAME = True
LOGIN_REDIRECT_URL = '/saml2/complete/'
SAML_CONFIG = {
    # full path to the xmlsec1 binary programm
    'xmlsec_binary': XMLSEC_BINARY,
	
  	'allow_unknown_attributes': True,

    # your entity id, usually your subdomain plus the url to the metadata view
    'entityid': SP_SERVICE_URL + '/saml2/metadata/',

    # directory with attribute mapping
    'attribute_map_dir': ATTRIBUTE_MAP_DIR,

    # this block states what services we provide
    'service': {
        # we are just a lonely SP
        'sp' : {
            "allow_unsolicited": True,
            'name': 'Federated Seafile Service',
            'name_id_format': saml2.saml.NAMEID_FORMAT_EMAILADDRESS,
            'endpoints': {
                # url and binding to the assetion consumer service view
                # do not change the binding or service name
                'assertion_consumer_service': [
                    (SP_SERVICE_URL + '/saml2/acs/',
                     saml2.BINDING_HTTP_POST),
                ],
                # url and binding to the single logout service view
                # do not change the binding or service name
                'single_logout_service': [
                    (SP_SERVICE_URL + '/saml2/ls/',
                     saml2.BINDING_HTTP_REDIRECT),
                    (SP_SERVICE_URL + '/saml2/ls/post',
                     saml2.BINDING_HTTP_POST),
                ],
            },

            # attributes that this project need to identify a user
            'required_attributes': ["uid"],

            # attributes that may be useful to have but not required
            'optional_attributes': ['eduPersonAffiliation', ],

            # in this section the list of IdPs we talk to are defined
            'idp': {
                # we do not need a WAYF service since there is
                # only an IdP defined here. This IdP should be
                # present in our metadata

                # the keys of this dictionary are entity ids
                'https://adfs-server.adfs.com/federationmetadata/2007-06/federationmetadata.xml': {
                    'single_sign_on_service': {
                        saml2.BINDING_HTTP_REDIRECT: 'https://adfs-server.adfs.com/adfs/ls/idpinitiatedsignon.aspx',
                    },
                  'single_logout_service': {
                      saml2.BINDING_HTTP_REDIRECT: 'https://adfs-server.adfs.com/adfs/ls/?wa=wsignout1.0',
                  },
                },
            },
        },
    },

    # where the remote metadata is stored
    'metadata': {
        'local': [path.join(CERTS_DIR, 'idp_federation_metadata.xml')],
    },

    # set to 1 to output debugging information
    'debug': 1,

    # Signing
    'key_file': '', 
    'cert_file': path.join(CERTS_DIR, 'idp.crt'),  # from IdP

    # Encryption
    'encryption_keypairs': [{
        'key_file': path.join(CERTS_DIR, 'sp.key'),  # private part
        'cert_file': path.join(CERTS_DIR, 'sp.crt'),  # public part
    }],
	
    'valid_for': 24,  # how long is our metadata valid
}

Config ADFS Server

  1. Add Relying Party Trust

Relying Party Trust is the connection between Seafile and ADFS.

  1. Log into the ADFS server and open the ADFS management.

  2. Double click Trust Relationships, then right click Relying Party Trusts, select Add Relying Party Trust….

  3. Select Import data about the relying party published online or one a local network, input https://demo.seafile.com/saml2/metadata/ in the Federation metadata address.

  4. Then Next until Finish.

  5. Add Relying Party Claim Rules

Relying Party Claim Rules is used for attribute communication between Seafile and users in Windows Domain.

Important: Users in Windows domain must have the E-mail value setted.

  1. Right-click on the relying party trust and select Edit Claim Rules...

  2. On the Issuance Transform Rules tab select Add Rules...

  3. Select Send LDAP Attribute as Claims as the claim rule template to use.

  4. Give the claim a name such as LDAP Attributes.

  5. Set the Attribute Store to Active Directory, the LDAP Attribute to E-Mail-Addresses, and the Outgoing Claim Type to E-mail Address.

  6. Select Finish.

  7. Click Add Rule... again.

  8. Select Transform an Incoming Claim.

  9. Give it a name such as Email to Name ID.

  10. Incoming claim type should be E-mail Address (it must match the Outgoing Claim Type in rule #1).

  11. The Outgoing claim type is Name ID (this is requested in Seafile settings policy 'name_id_format': saml2.saml.NAMEID_FORMAT_EMAILADDRESS).

  12. the Outgoing name ID format is Email.

  13. Pass through all claim values and click Finish.