2018-03-20 09:44:01 -04:00
Authentication guide - SAML
===
2019-03-31 14:10:32 -04:00
**Note:** *This guide was written before the renaming. Just replace `HackMD` with `CodiMD` in your mind :smile: thanks!*
2018-06-24 08:04:35 -04:00
2018-03-20 09:44:01 -04:00
The basic procedure is the same as the case of OneLogin which is mentioned in [OneLogin-Guide ](./saml-onelogin.md ). If you want to match your IdP, you can use more configurations as below.
2019-02-14 15:09:28 -05:00
* If your IdP accepts metadata XML of the service provider to ease configuration, use this url to download metadata XML.
2018-03-20 09:44:01 -04:00
* {{your-serverurl}}/auth/saml/metadata
2019-02-14 15:09:28 -05:00
* _Note: If not accessible from IdP, download to local once and upload to IdP._
2018-03-20 09:44:01 -04:00
* Change the value of `issuer` , `identifierFormat` to match your IdP.
2019-03-31 14:10:32 -04:00
* `issuer` : A unique id to identify the application to the IdP, which is the base URL of your CodiMD as default
2018-03-20 09:44:01 -04:00
* `identifierFormat` : A format of unique id to identify the user of IdP, which is the format based on email address as default. It is recommend that you use as below.
* urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress (default)
* urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
2019-03-31 14:10:32 -04:00
* `config.json` :
```javascript
2018-03-20 09:44:01 -04:00
{
"production": {
"saml": {
/* omitted */
2019-03-31 14:10:32 -04:00
"issuer": "mycodimd"
2018-03-20 09:44:01 -04:00
"identifierFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
}
}
}
2019-03-31 14:10:32 -04:00
```
2018-03-20 09:44:01 -04:00
* environment variables
2019-03-31 14:10:32 -04:00
```
CMD_SAML_ISSUER=mycodimd
CMD_SAML_IDENTIFIERFORMAT=urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
```
2018-03-20 09:44:01 -04:00
* Change mapping of attribute names to customize the displaying user name and email address to match your IdP.
* `attribute` : A dictionary to map attribute names
2019-03-31 14:10:32 -04:00
* `attribute.id` : A primary key of user table for your CodiMD
* `attribute.username` : Attribute name of displaying user name on CodiMD
2018-03-20 09:44:01 -04:00
* `attribute.email` : Attribute name of email address, which will be also used for Gravatar
* _Note: Default value of all attributes is NameID of SAML response, which is email address if `identifierFormat` is default._
2019-03-31 14:10:32 -04:00
* `config.json` :
```javascript
2018-03-20 09:44:01 -04:00
{
"production": {
"saml": {
/* omitted */
"attribute": {
"id": "sAMAccountName",
"username": "displayName",
"email": "mail"
}
}
}
}
2019-03-31 14:10:32 -04:00
```
2018-03-20 09:44:01 -04:00
* environment variables
2019-03-31 14:10:32 -04:00
```sh
CMD_SAML_ATTRIBUTE_ID=sAMAccountName
CMD_SAML_ATTRIBUTE_USERNAME=nickName
CMD_SAML_ATTRIBUTE_EMAIL=mail
```
2018-03-20 09:44:01 -04:00
2019-02-14 15:09:28 -05:00
* If you want to control permission by group membership, add group attribute name and required group (allowed) or external group (not allowed).
2018-03-20 09:44:01 -04:00
* `groupAttribute` : An attribute name of group membership
2019-03-31 14:10:32 -04:00
* `requiredGroups` : Group names array for allowed access to CodiMD. Use vertical bar to separate for environment variables.
* `externalGroups` : Group names array for not allowed access to CodiMD. Use vertical bar to separate for environment variables.
2018-03-20 09:44:01 -04:00
* _Note: Evaluates `externalGroups` first_
2019-03-31 14:10:32 -04:00
* `config.json` :
```javascript
2018-03-20 09:44:01 -04:00
{
"production": {
"saml": {
/* omitted */
"groupAttribute": "memberOf",
2019-03-31 14:10:32 -04:00
"requiredGroups": [ "codimd-users", "board-members" ],
2018-03-20 09:44:01 -04:00
"externalGroups": [ "temporary-staff" ]
}
}
}
2019-03-31 14:10:32 -04:00
```
2018-03-20 09:44:01 -04:00
* environment variables
2019-03-31 14:10:32 -04:00
```sh
CMD_SAML_GROUPATTRIBUTE=memberOf
CMD_SAML_REQUIREDGROUPS=codimd-users|board-members
CMD_SAML_EXTERNALGROUPS=temporary-staff
```