Access control: SSO with SAML2 / ADFS

Linkurious supports any SAML2 compatible provider as external authentication providers.

Configuration

To set up Linkurious authentication with a SAML2 provider, you need to obtain the following parameters from the provider:

  • url: The URL of the SAML2 endpoint of the identity provider (e.g. "https://example.com/adfs/ls")
  • identityProviderCertificate: The certificate of the identity provider in PEM format (e.g. "/Users/example/linkurious/samlIdentityProvider.pem")
  • groupAttribute (optional): The attribute in which the groups of the user are stored (e.g. "Groups")
  • emailAttribute (optional): The attribute in which the email address of the user is stored

groupAttribute is the attribute of the SAML response containing the array of groups a user belongs to.

emailAttribute is the attribute of the SAML response that should contain the email address if the NameID format of the SAML response is not already an email.

Example access.saml2 configuration with any SAML2 provider:

"access": {
  // [...]
  "saml2": {
    "enabled": true,
    "url": "https://example.com/adfs/ls",
    "identityProviderCertificate": "/Users/example/linkurious/saml.pem",
    "groupAttribute": "Groups"
  }
}
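The following is an added example, not Linkurious code, showing how the groupAttribute and emailAttribute settings described above map onto a SAML 2.0 response: the email address is taken from the NameID when its Format is the emailAddress URN, otherwise from the attribute named by emailAttribute, and the groups are read from the multi-valued attribute named by groupAttribute. The SAML response and the attribute name "email" are constructed for the example; only the keys that appear in the configuration above are Linkurious settings. Parsing attributes is not authentication: a real service provider validates the XML signature against identityProviderCertificate before trusting any of these values.

```python
"""Resolve a user's email and groups from a SAML 2.0 response using
groupAttribute / emailAttribute settings (added example, not Linkurious
code)."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Same keys as the access.saml2 block above; "emailAttribute": "email" is an
# assumption about the attribute name the identity provider emits.
SAML2_CONFIG = {
    "enabled": True,
    "url": "https://example.com/adfs/ls",
    "identityProviderCertificate": "/Users/example/linkurious/saml.pem",
    "groupAttribute": "Groups",
    "emailAttribute": "email",
}

# Constructed sample response: the NameID is an opaque persistent identifier,
# not an email, so the email must come from the "email" attribute.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">0123-ABCD</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="email">
        <saml:AttributeValue>alice@example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="Groups">
        <saml:AttributeValue>Analysts</saml:AttributeValue>
        <saml:AttributeValue>Admins</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def read_attributes(assertion):
    """Return {attribute name: [values...]} from the AttributeStatement."""
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return attrs


def resolve_identity(response_xml, config):
    """Return (email, groups) for the subject of a SAML response.

    Raises ValueError when no email can be determined; a login handler
    should treat that as a failed SSO attempt rather than creating a
    user with an empty identifier.
    """
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("response contains no Assertion")

    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    attrs = read_attributes(assertion)

    # Email: use NameID if it is already in email format, else emailAttribute.
    email = None
    if name_id is not None and name_id.get("Format") == EMAIL_FORMAT:
        email = (name_id.text or "").strip()
    else:
        email_attr = config.get("emailAttribute")
        if email_attr and attrs.get(email_attr):
            email = attrs[email_attr][0].strip()
    if not email:
        raise ValueError("NameID is not an email and no usable emailAttribute")

    # Groups: the multi-valued attribute named by groupAttribute (optional).
    groups = []
    group_attr = config.get("groupAttribute")
    if group_attr:
        groups = [g.strip() for g in attrs.get(group_attr, []) if g.strip()]
    return email, groups


if __name__ == "__main__":
    print(resolve_identity(SAMPLE_RESPONSE, SAML2_CONFIG))
```

With the constructed response and configuration, the resolved identity is `alice@example.com` with groups `Analysts` and `Admins`; removing emailAttribute from the configuration makes the same response fail, since the NameID is not in email format.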

Assertion consumer service

To complete the login process, you need to configure your identity provider to return the SAML response to Linkurious at the following URL: http(s)://HOST:PORT/api/auth/sso/return.

ADFS Configuration

In particular, ADFS (Active Directory Federation Services) is a SAML2 provider that offers Single Sign-On backed by an Active Directory service.

To set up Linkurious authentication with ADFS, Linkurious has to be configured as a Relying Party Trust in ADFS.