Authentication: SSO with SAML2 / ADFS
Linkurious Enterprise supports any SAML2 compatible provider as external authentication providers.
Configuration
To set up Linkurious Enterprise authentication with a SAML2 provider, you need to obtain the following parameters from the provider:
url: The URL of the SAML2 endpoint of the identity provider (e.g.
"https://example.com/adfs/ls"`),identityProviderCertificate
: The certificate of the identity provider in PEM format (e.g."/Users/example/linkurious/samlIdentityProvider.pem"
)groupAttribute
(optional): The attribute in which the groups of the users is stored (e.g."Groups"
)emailAttribute
(optional): The attribute in which the email of the users is stored
groupAttribute
is the attribute of the SAML response containing the array of groups a user belongs to.
emailAttribute
is the attribute of the SAML response that should contain the email address if the NameID
format
of the SAML response is not already an email.
Example access.saml2
configuration with any SAML2 provider:
"access": // [...] "saml2": "enabled": true "url": "https://example.com/adfs/ls" "identityProviderCertificate": "/Users/example/linkurious/saml.pem" "groupAttribute": "Groups"
Assertion consumer service
To complete the login process, you need to configure your identity provider
to return the SAML response to Linkurious Enterprise at the following URL:
http(s)://HOST:PORT/api/auth/sso/return
.
Please note that encrypted assertions are not supported by Linkurious Enterprise.
ADFS Configuration
In particular, ADFS (Active Directory Federation Services) is a SAML2 provider that offers Single-Sign-On towards an Active Directory service, see more on Microsoft documentation.
To set up Linkurious Enterprise authentication with ADFS, Linkurious Enterprise has to be configured as a Relying Party Trust in ADFS (see how to configure the ADFS on the Microsoft documentation).
To set up group mapping, the list of groups associated to a user should be passed in the SAML2 response. See how to configure a claim for the groups on the Microsoft documentation.