Wiki source code of Authentification SAMLv2

Last modified by Aurelie Bertrand on 2026/01/12 16:46

version	line-number	content
1.1	1	{{ddtoc/}}
	2
86.1	3	Appendix
2.1	4
3.1	5	{{ddchildren}}{{/ddchildren}}
	6
1.1	7	----
	8
86.1	9	This document describes the implementation of a SAMLv2 authentication valve for DigDash Enterprise.
4.1	10
66.2	11	(% class="box warningmessage" %)
	12	(((
86.1	13	The use of SSO/SAML2 is not recommended when integrating a dashboard into a web page (via iframe).
66.2	14	)))
	15
86.1	16	= Prerequisites =
1.1	17
86.1	18	* The acronyms used below are listed in the glossary at the end of this document.
	19	* Have configured the server with an SSL/TLS (HTTPS) connector (this authentication method requires secure exchanges).
	20	* Have the <Install DD>/add-ons/valve_saml2 folder containing all the files needed to set up the SAMLv2 authentication valve in the Tomcat server. The placement of these files is described in this document.
	21	The apache-tomcat folder: transposed to /etc/tomcat9/ under Linux and C:\Program Files\Apache Software Foundation\Tomcat 9.0\conf **under Windows
	22	*** The lib sub-folder: libraries and log configuration file to be placed in:
	23	** Under Linux: /usr/share/tomcat9/lib/**
	24	** Under Windows : C:\Program Files\Apache Software Foundation\Tomcat 9.0\lib**
	25	*** The sub-folder webapps : ACS in a .war to be placed in :
	26	** Under Linux: /home/digdash/webapps/default**
	27	** Under Windows: E:/digdash/webapps/default**
	28	** The resources_samples folder: examples of IdP metadata XML files and security parameter .properties files to be edited and placed in the desired location.
	29	** The sp_metadata folder: The SP DigDash metadata XML file.
1.1	30
86.1	31	* For the moment, only SP-initiated disconnection (SP-Initiated SLO) is supported.
	32	* The following operations must be carried out with the DigDash server stopped.
	33	* The user to be authenticated must exist in both the IdP and the LDAP.
66.2	34	* (((
86.1	35	If a reverse proxy is used, check header transmission: the reverse proxy used must allow X-Forwarded-Proto and X-Forwarded-Host headers to communicate.
66.2	36	)))
1.1	37
	38	(% class="box warningmessage" %)
	39	(((
86.1	40	It is advisable to have at least one user with the right to add users to the LDAP before installing the SAMLv2 valve, in order to avoid SSO authentication failures on the first connections due to the absence of such a user in the LDAP.
1.1	41	)))
	42
86.1	43	Mutual exchange of SP and IdP metadata
1.1	44
86.1	45	The two parties (Identity Provider and Service Provider) must first exchange their respective metadata in the form of XML files. This metadata will make it possible to know their respective entry points and the details of secure exchanges.
1.1	46
86.1	47	= Configuring the DigDash server =
1.1	48
86.1	49	== Copying libraries ==
1.1	50
86.1	51	Copy the libraries and the log configuration file from the <install DD>/add-ons/valve_saml2/apache-tomcat/lib folder to the :
1.1	52
9.2	53	(% class="box" %)
	54	(((
86.1	55	* under Linux: /usr/share/tomcat9/lib/
	56	* under Windows : C:\Program Files\Apache Software Foundation\Tomcat 9.0\lib
9.2	57	)))
1.1	58
86.1	59	Files to copy :
9.3	60
1.1	61	\|saml2-valve.jar\|slf4j-api-1.7.12.jar
	62	\|commons-codec-1.10.jar\|log4j-1.2.15.jar
	63	\|commons-lang3-3.4.jar\|slf4j-log4j12-1.7.7.jar
	64	\|commons-logging-1.2.jar\|xmlsec-2.0.7.jar
	65	\|joda-time-2.9.4.jar\|log4j.properties
	66
86.1	67	== Adding the SAMLv2 authentication valve ==
1.1	68
86.1	69	Activate the SAMLv2 authentication valve in the server.xml file located in the :
1.1	70
9.4	71	(% class="box" %)
	72	(((
86.1	73	* under Linux: /etc/tomcat9/
	74	* under Windows : C:\Program Files\Apache Software Foundation\Tomcat 9.0\conf
9.4	75	)))
1.1	76
86.1	77	To do this, look for the <Host ...> element in the file, uncomment or add the <Valve ...> element below:
1.1	78
	79	(((
61.1	80	{{code language="XML" cssClass="notranslate"}}
12.1	81	<Valve className="com.onelogin.saml2.SAML2SSOValve"
38.1	82	allowAddr="localhost,127.0.0.*,0:0:0:0:0:0:0:1"
58.1	83	fallbackAuth="LDAP"
38.1	84	idPMetadataPath="C:\idp_md.xml"
	85	securitySettingsPath="C:\saml2.sec.properties"
	86	uid="email"
	87	sharedPasswd="sharedPassword" ></Valve>
1.1	88	{{/code}}
	89
86.1	90	The value of the //className //attribute is invariant.
1.1	91
86.1	92	The values of the other attributes (allowAddr, idPMetadataPath, ...) are variable depending on the installation.
1.1	93	)))
	94
86.1	95	\|(% style="width:247px" %)Attribute\|(% style="width:1173px" %)Description
	96	\|(% style="width:247px" %)className\|(% style="width:1173px" %)Name of the Java class implementing the org.apache.catalina.Valve interface, to be used as Valve here. This attribute is mandatory, as it is used to select the Valve to be used. There are in fact several implementations provided by Tomcat.
	97	\|(% style="width:247px" %)allowAddr\|(% style="width:1173px" %)IP address of the server.
	98	\|(% style="width:247px" %)fallbackAuth\|(% style="width:1173px" %)The fallback authentication method
	99	\|(% style="width:247px" %)idPMetadataPath\|(% style="width:1173px" %)The absolute path of the XML file containing the IdP's metadata
	100	\|(% style="width:247px" %)securitySettingsPath\|(% style="width:1173px" %)The absolute path to the .properties file with the security settings
	101	\|(% style="width:247px" %)uid\|(% style="width:1173px" %)One of the attributes returned by the IdP in the SAMLv2 response to identify the authenticating user. If this attribute is not mentioned, the nameId from the SAMLv2 response is used to identify the user.
	102	\|(% style="width:247px" %)sharedPasswd\|(% style="width:1173px" %)The password shared and verified at authentication. A hash in SSHA512 format can be used to avoid writing the password in the plaintext file (a tool such as pwdhash can be used under Linux to generate this hash).
	103	\|(% style="width:247px" %)//ldapForPaths//\|(% style="width:1173px" %)//Optional//, these are regular expressions for URLs whose resources are authorised to pass the valve, thereby switching to LDAP authentication mode. Example: "http:~/~/localhost:8080/.*"
	104	\|(% style="width:247px" %)//excludedPaths//\|(% style="width:1173px" %)//Optional,// these are the regular expressions of the paths whose resources are authorised to pass the valve, thus switching to LDAP authentication mode. Example: "/.*"
36.1	105	\|(% style="width:247px" %)//cookieTimeOut//\|(% style="width:1173px" %)(((
86.1	106	//Optional//, this is the time (in seconds) after which the SSO cookie will expire. Defaults to 1800 seconds (30 minutes).
	107	Otherwise, the cookie will expire after the specified number of seconds.
1.1	108
86.1	109	A negative value means that the cookie will expire when the browser is closed.
	110	A value of 0 means that the cookie will be deleted directly (not recommended).
62.1	111
86.1	112	Example: cookieTimeOut="3600" (1 hour)
1.1	113	)))
86.1	114	\|(% style="width:247px" %)//print_debug//\|(% style="width:1173px" %)//Optional//, set to false by default, otherwise add print_debug="true" for more verbose traces.
1.1	115
86.1	116	== Add the .war file corresponding to the Service Provider ACS ==
1.1	117
86.1	118	Add the ddacs.war archive from the <install DD>/add-ons/valve_saml2/apache-tomcat/webapps folder to the :
1.1	119
9.4	120	(% class="box" %)
	121	(((
86.1	122	* under Linux: /home/digdash/webapps/default
	123	* under Windows: E:/digdash/webapps/default
9.4	124	)))
1.1	125
	126	(% class="box infomessage" %)
	127	(((
86.1	128	This is the ACS entry point for the SP accessed by the IdP.
1.1	129	)))
	130
86.1	131	== Adding security constraints ==
1.1	132
86.1	133	Uncomment or add the security constraints to the web.xml file located in the :
1.1	134
9.4	135	(% class="box" %)
	136	(((
86.1	137	* under Linux: /etc/tomcat9/
	138	* under Windows: C:\Program Files\Apache Software Foundation\Tomcat 9.0\conf
9.4	139	)))
1.1	140
61.1	141	{{code language="XML" cssClass="notranslate"}}
1.1	142	<web-app ...>
	143	...
	144	<security-role>
	145	<role-name>CUSTOM</role-name>
	146	</security-role>
	147
	148	<security-constraint>
	149	<display-name>CUSTOM Security Constraint</display-name>
	150
	151	<web-resource-collection>
	152	<web-resource-name>Protected Area</web-resource-name>
	153	<url-pattern>/*</url-pattern>
	154	</web-resource-collection>
	155
	156	<auth-constraint>
	157	<role-name>CUSTOM</role-name>
	158	</auth-constraint>
	159	</security-constraint>
	160
	161	<security-constraint>
	162	<web-resource-collection>
	163	<web-resource-name>Non-Protected Area</web-resource-name>
	164	<url-pattern>/vjdbc</url-pattern>
	165	</web-resource-collection>
	166	</security-constraint>
	167	...
	168	</web-app>
	169	{{/code}}
	170
	171
86.1	172	= Application configuration =
1.1	173
86.1	174	To do this, modify the digdash.properties file in <install DD> or /etc/digdash (under Linux) or in the folder you have configured.
1.1	175
	176
86.1	177	== Server configuration (ddenterprise.war) ==
1.1	178
86.1	179	In the digdash.properties file:
11.1	180
86.1	181	In the //ddenterpriseapi.war// box, find and uncomment the following lines with the values shown:
11.1	182
61.1	183	{{code language="properties" cssClass="notranslate"}}
31.1	184	ddenterpriseapi.authMethod=External
	185	{{/code}}
11.1	186
	187
86.1	188	== Dashboard configuration (digdash_dashboard.war) ==
11.1	189
86.1	190	In the digdash.properties file :
11.1	191
86.1	192	In the //digdash_dashbord.war// box, find and uncomment the following lines with the values shown:
11.1	193
61.1	194	{{code language="properties" cssClass="notranslate"}}
31.1	195	digdash_dashboard.SERVERURL=http://localhost:8080
	196	digdash_dashboard.DOMAIN=ddenterpriseapi
	197	digdash_dashboard.FORCEDOMAIN=true
	198	digdash_dashboard.FORCESERVERURL=true
	199	digdash_dashboard.sharedPasswd=<la valeur de l'attribut sharedPasswd dans l'élément Valve>
	200	{{/code}}
11.1	201
1.1	202	(% class="box infomessage" %)
	203	(((
86.1	204	The example value for the //digdash_dashboard.SERVERURL// parameter will almost always refer to localhost, when the dashboard and the server are placed in the same Tomcat server, which represents almost 99.9% of usage. Naturally, you will need to refer to the address of the external server if these two elements are located on different servers.
1.1	205	)))
	206
74.1	207
86.1	208	== Studio configuration (studio.war) ==
1.1	209
86.1	210	In the digdash.properties file :
1.1	211
86.1	212	In the //studio.war// box, find and uncomment the following lines with the values shown:
1.1	213
61.1	214	{{code language="properties" cssClass="notranslate"}}
31.1	215	studio.SERVERURL=http://localhost:8080
	216	studio.DOMAIN=ddenterpriseapi
	217	studio.FORCEDOMAIN=true
	218	studio.FORCESERVERURL=true
	219	studio.PUBLICSERVERURL=<votre adresse URL publique>
	220	studio.sharedPasswd=<la valeur de l'attribut sharedPasswd dans l'élément Valve>
	221	{{/code}}
1.1	222
11.1	223	(% class="box infomessage" %)
	224	(((
86.1	225	The parameter //studio.PUBLICSERVERURL//is optional when installing an SSO.
75.1	226
86.1	227	The example value for this parameter will almost always refer to localhost, when the Studio and the server are placed in the same Tomcat server, which represents almost 99.9% of usage. Naturally, reference will have to be made to the address of the external server if these two elements are placed on different servers.
11.1	228	)))
	229
86.1	230	== Configuring the Identity Provider ==
41.1	231
86.1	232	The IdP will need to register DigDash as an SP in its list of SPs so that DigDash can take advantage of Single Sign-On.
	233	The IdP will need to use the metadata file provided by the SP for its configuration. Among other things, this file mentions the DigDash SP entry points (ACS URLs).
1.1	234
86.1	235	== Service Provider metadata ==
1.1	236
86.1	237	The SP metadata will either be supplied directly and physically (by email, USB key, etc.) or by generation via the SP. It will be accessible via the following URL once the valve has been set up:
1.1	238
	239	(% class="box infomessage" %)
	240	(((
86.1	241	https:~/~/<address of DigDash server>:<port>/?spmetadata=display
1.1	242	)))
	243
86.1	244	= Configuring the Service Provider =
1.1	245
86.1	246	The SP must load the IdP metadata into its application.
1.1	247
86.1	248	== Identity Provider metadata ==
1.1	249
86.1	250	Place the file in XML format supplied by the IdP corresponding to the IdP metadata in the directory of your choice.
1.1	251
	252	(% class="box infomessage" %)
	253	(((
86.1	254	The absolute path of this file must be known and must be entered as the value of the //idPMetadataPath //attribute of the Valve element in Tomcat.
1.1	255	)))
	256
86.1	257	If the .xml metadata file is not read by the IdP, the following parameters must be set as indicated below:
66.3	258
86.1	259	* entity id: https:~/~/[serveur_url]/?spmetadata=display
	260	* reply: https:~/~/[serveur_url]/ddacs/acs
66.3	261
86.1	262	= Configuring security parameters =
1.1	263
86.1	264	Place the saml2.sec.properties file in the <Install DD>/add-ons/valve_saml2/resources_samples folder corresponding to the security parameters in the directory of your choice.
1.1	265
	266	(% class="box infomessage" %)
	267	(((
86.1	268	The absolute path of this file must be known and must be entered as the value of the //securitySettingsPath //attribute of the Valve element in Tomcat.
1.1	269	)))
	270
86.1	271	The following tables show the various properties for setting security parameters:
1.1	272
86.1	273	== General properties ==
1.1	274
86.1	275	\|(% style="width:279px" %)General property\|(% style="width:808px" %)Description\|(% style="width:332px" %)Possible values
	276	\|(% style="width:279px" %)onelogin.saml2.strict\|(% style="width:808px" %)If true, the SP is in strict mode and will reject all unencrypted or unsigned messages if the SP expects them to be.\|(% style="width:332px" %)true,false
	277	\|(% style="width:279px" %)onelogin.saml2.debug\|(% style="width:808px" %)If true, debug mode will be enabled.\|(% style="width:332px" %)true,false
1.1	278
86.1	279	== Service Provider properties ==
1.1	280
23.1	281	(% class="box infomessage" %)
	282	(((
86.1	283	The default values for these properties are automatically loaded. You can uncomment certain properties as required to make values more explicit.
1.1	284	)))
	285
86.1	286	\|(% style="width:364px" %)Service Provider properties\|(% style="width:592px" %)Description\|(% style="width:507px" %)Possible values
	287	\|(% style="width:364px" %)onelogin.saml2.sp.entityid\|(% style="width:592px" %)the identifier of the Service Provider entity\|?spmetadata=display
	288	\|(% style="width:364px" %)onelogin.saml2.sp.assertion_consumer_service.url\|(% style="width:592px" %)SP entry point. This is the URL to which the IdP's SAML <Response> will be returned.\|ddacs/acs
23.1	289	\|(% style="width:364px" %)onelogin.saml2.sp.assertion_consumer_service.binding\|(% style="width:592px" %)(((
86.1	290	SAML protocol binding used when returning the <Response> message. Onelogin supports HTTP-POST binding only for this endpoint.
23.1	291	)))\|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
86.1	292	\|(% style="width:364px" %)onelogin.saml2.sp.single_logout_service.url\|(% style="width:592px" %)Specifies where and how the <Logout Response> message should be returned to the requester, in this case the SP.\|ddacs/slo
	293	\|(% style="width:364px" %)onelogin.saml2.sp.single_logout_service.binding\|(% style="width:592px" %)SAML protocol binding used when returning the <LogoutResponse> or sending the <LogoutRequest> message. Onelogin supports HTTP-Redirect binding only for this endpoint.\|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
	294	\|(% style="width:364px" %)onelogin.saml2.sp.nameidformat\|(% style="width:592px" %)Specifies constraints on the NameID to be used to represent the user to be authenticated.\|urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
	295	\|(% style="width:364px" %)onelogin.saml2.sp.x509cert\|(% style="width:592px" %)The Service Provider's public key (or certificate).\|See documentation [[SAMLv2 Authentication - Configuration>>doc:.config_auth_saml2_sec.WebHome]]
	296	\|(% style="width:364px" %)onelogin.saml2.sp.privatekey\|(% style="width:592px" %)The Service Provider's private key.\|See documentation [[SAMLv2 Authentication - Configuration>>doc:.config_auth_saml2_sec.WebHome]]
1.1	297
86.1	298	== Security properties ==
1.1	299
86.1	300	\|(% style="width:411px" %)Security properties\|(% style="width:690px" %)Description\|(% style="width:319px" %)Possible values
	301	\|(% rowspan="1" style="width:411px" %)onelogin.saml2.security.nameid_encrypted\|(% style="width:690px" %)Specifies whether the nameID of the <samlp:logoutRequest> sent by the SP should be encrypted.\|(% style="width:319px" %)true,false
	302	\|(% rowspan="1" style="width:411px" %)onelogin.saml2.security.authnrequest_signed\|(% style="width:690px" %)Indicates whether <samlp:AuthnRequest> messages sent by this SP are signed. The metadata indicates this information.\|(% style="width:319px" %)true,false
	303	\|(% rowspan="1" style="width:411px" %)onelogin.saml2.security.logoutrequest_signed\|(% style="width:690px" %)Indicates whether <samlp:logoutRequest> messages sent by this SP are signed.\|(% style="width:319px" %)true,false
	304	\|(% rowspan="1" style="width:411px" %)onelogin.saml2.security.logoutresponse_signed\|(% style="width:690px" %)Indicates whether <samlp:logoutResponse> messages sent by this SP are signed.\|(% style="width:319px" %)true,false
	305	\|(% rowspan="1" style="width:411px" %)onelogin.saml2.security.want_messages_signed\|(% style="width:690px" %)Indicates whether responses should be signed.\|(% style="width:319px" %)true,false
	306	\|(% rowspan="1" style="width:411px" %)onelogin.saml2.security.want_assertions_signed\|(% style="width:690px" %)Indicates whether <samlp:Response>, <samlp:LogoutRequest> and <samlp:LogoutResponse> messages received by this SP must be signed.\|(% style="width:319px" %)true,false
	307	\|(% rowspan="1" style="width:411px" %)onelogin.saml2.security.sign_metadata\|(% style="width:690px" %)Indicates the requirement for this SP's metadata to be signed.\|(% style="width:319px" %)true,false
	308	\|(% rowspan="1" style="width:411px" %)onelogin.saml2.security.want_assertions_encrypted\|(% style="width:690px" %)Indicates that the assertions received by this SP must be encrypted.\|(% style="width:319px" %)true,false
	309	\|(% rowspan="1" style="width:411px" %)onelogin.saml2.security.want_nameid_encrypted\|(% style="width:690px" %)Indicates that the nameID received by the SP must be encrypted.\|(% style="width:319px" %)true,false
	310	\|(% rowspan="1" style="width:411px" %)onelogin.saml2.security.requested_authncontext\|(% style="width:690px" %)Authentication context.\|(% style="width:319px" %)urn:oasis:names:tc:SAML:2.0:ac:classes:Password
	311	or empty string if you do not want any context to be sent in the request.
	312	Several possible values, separated by commas.
	313	\|(% rowspan="1" style="width:411px" %)onelogin.saml2.security.requested_authncontextcomparison\|(% style="width:690px" %)Enable authentication context comparison\|(% style="width:319px" %)exact
	314	\|(% rowspan="1" style="width:411px" %)onelogin.saml2.security.want_xml_validation\|(% style="width:690px" %)Indicates whether the SP validates all XML responses received (if true, validation is only effective if this property and the 'onelogin.saml2.strict' property are also true).\|(% style="width:319px" %)true,false
	315	\|(% rowspan="1" style="width:411px" %)onelogin.saml2.security.signature_algorithm\|(% style="width:690px" %)Hash algorithm used for the signature.\|(% style="width:319px" %)[[http:~~/~~/www.w3.org/2000/09/xmldsig#rsa-sha1
25.1	316	http:~~/~~/www.w3.org/2000/09/xmldsig#dsa-sha1
	317	http:~~/~~/www.w3.org/2001/04/xmldsig-more#rsa-sha256
	318	http:~~/~~/www.w3.org/2001/04/xmldsig-more#rsa-sha384
	319	http:~~/~~/www.w3.org/2001/04/xmldsig-more#rsa-sha512>>http://www.w3.org/2000/09/xmldsig#rsa-sha1http://www.w3.org/2000/09/xmldsig#dsa-sha1http://www.w3.org/2001/04/xmldsig-more#rsa-sha256http://www.w3.org/2001/04/xmldsig-more#rsa-sha384http://www.w3.org/2001/04/xmldsig-more#rsa-sha512]]
1.1	320
85.1	321	(% class="wikigeneratedid" id="HConfigurationdel2019environnementJava" %)
86.1	322	(% style="color:inherit; font-family:inherit; font-size:max(23px, min(29px, 12.3333px + 1.38889vw))" %)Configuring the SAML 2 valve logs
1.1	323
86.1	324	In the server.xml file (located in the /etc/tomcat9/ folder under Linux or C:\Program Files\Apache Software Foundation\Tomcat 9.0\conf under Windows), inside the host tag, add the following valve to obtain logs:
68.1	325
	326	{{code}}
	327	<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
86.1	328	prefix="localhost_access_log_test_header" suffix=".log"
	329	pattern="%h %l %u %t "%r" %s %b - X-Forwarded-Proto: %{X-Forwarded-Proto}i - X-Forwarded-For: %{X-Forwarded-For}i - X-Forwarded- Host : %{X-Forwarded-Host }i" ></Valve>
68.1	330	{{/code}}
	331
86.1	332	In the example above, the log files will start with "localhost_access_log_test_header". The prefix can be modified as required.
	333	The logs will be located in the Tomcat folder.
68.1	334
86.1	335	== Log level ==
1.1	336
86.1	337	You can customise the log level for the authentication valve.
1.1	338
86.1	339	By default, only errors are logged. However, if you want to have more details about the course of actions and exchanges between the various entities, you can assign the value 'DEBUG' instead of 'ERROR' in the log4j.properties file which has been imported into the Tomcat lib folder.
1.1	340
86.1	341	log4j.logger.com.onelogin.saml2=ERROR, stdout
	342	becomes
	343	log4j.logger.com.onelogin.saml2=DEBUG, stdout
1.1	344
86.1	345	= SAMLv2 and LDAP DigDash coexistence (optional) =
47.1	346
86.1	347	It is possible to use direct authentication via the DigDash LDAP directory while the SAMLv2 method is in place on your DigDash server.
47.1	348
86.1	349	== Prior configuration ==
48.1	350
86.1	351	In the digdash.properties file :
48.1	352
86.1	353	In the //studio.war// box, find and uncomment the following lines with the values shown:
48.1	354
61.1	355	{{code language="properties" cssClass="notranslate"}}
48.1	356	studio.allowLoginForm=true
	357	{{/code}}
	358
86.1	359	In the //digdash_dashboard.war// box, find and uncomment the following lines with the values shown:
48.1	360
61.1	361	{{code language="properties" cssClass="notranslate"}}
48.1	362	digdash_dashboard.allowLoginForm=true
	363	{{/code}}
	364
	365
86.1	366	== Enabling DigDash LDAP mode ==
47.1	367
86.1	368	To activate the DigDash LDAP authentication mode, simply add the loginForm parameter to the URL with the value (% style="color:#27ae60" %)true(%%).
47.1	369
86.1	370	So, if you need to authenticate to the dashboard directly using your DigDash LDAP credentials when SAMLv2 is already installed, the URL to use will be in the form :
53.1	371
	372	(% class="box" %)
	373	(((
86.1	374	https:~/~/<host>:<port>/digdash_dashboard/index.html?(% style="color:#27ae60" %)loginForm=true(%%)
53.1	375	)))
47.1	376
54.1	377	(% class="box warningmessage" %)
	378	(((
86.1	379	(% style="color:#e67e22" %)Please note (%%): in general, the loginForm parameter and its value should be specified on each domain independently of the others (ddenterpriseapi for the server, digdash_dashboard for the dashboard, studio for the web studio) in order to authenticate via LDAP.
	380	Activating the loginForm parameter on the dashboard (digdash_dashboard domain) will not automatically activate it on the web studio (studio domain), for example.
54.1	381	)))
47.1	382
86.1	383	== Re-enabling SAMLv2 mode ==
47.1	384
86.1	385	To deactivate the DigDash LDAP mode and return to a state where SAMLv2 SSO authentication is used, simply set the loginForm parameter to (% style="color:#c0392b" %)false(%%).
	386	If you need to authenticate to the dashboard via SAMLv2 when direct authentication via DigDash LDAP was previously used, the URL to use will be in the form :
53.1	387
	388	(% class="box" %)
	389	(((
86.1	390	https:~/~/<host>:<port>/digdash_dashboard/index.html?(% style="color:#c0392b" %)loginForm=false(%%)
53.1	391	)))
47.1	392
86.1	393	The previous warning note should also be taken into account in this case.\\
47.1	394
86.1	395	== Using a reverse proxy ==
69.3	396
86.1	397	When using a reverse proxy, the remote IP valve must be adapted.
69.3	398
86.1	399	Open the server.xml file located in the :
69.3	400
	401	(% class="box" %)
	402	(((
86.1	403	* under Linux: /etc/tomcat9/
	404	* under Windows: C:\Program Files\Apache Software Foundation\Tomcat 9.0\conf
69.3	405	)))
	406
86.1	407	In this file, the remote IP valve is entered as follows:
69.3	408
86.1	409	{{{<Valve className="org.apache.catalina.valves.RemoteIpValve" internalProxies="127\.0\.[0-1]\.1" remoteIpHeader="x-forwarded-for" requestAttributesEnabled="true" protocolHeader="x-forwarded-proto" protocolHeaderHttpsValue="https"/>}}}
69.3	410
86.1	411	Replace the value of the internalProxies property with the value of the reverse proxy IP as shown below.
69.3	412
86.1	413	{{{<Valve className="org.apache.catalina.valves.RemoteIpValve" internalProxies="<IP OF REVERSE PROXY>" remoteIpHeader="x-forwarded-for" requestAttributesEnabled="true" protocolHeader="x-forwarded-proto" protocolHeaderHttpsValue="https"/>}}}
69.3	414
86.1	415	= Glossary =
1.1	416
86.1	417	In this document we will refer to :
1.1	418
86.1	419	* ACS: Assertion Consumer Service
	420	* IdP: Identity Provider
	421	* SLO: Single LogOut
	422	* SP: Service Provider (DigDash)
	423	* SSO: Single Sign On; SAMLv2 is an SSO method
1.1	424
86.1	425	= References =
1.1	426
	427	[[https:~~/~~/www.oasis-open.org>>https://www.oasis-open.org]]
	428
86.1	429	//DigDash uses the onelogin OpenSource library from OneLogin Inc to support the SAMLv2 authentication method.//
1.1	430
	431	[[https:~~/~~/www.onelogin.com/>>https://www.onelogin.com/]]
	432
	433	[[https:~~/~~/github.com/onelogin/java-saml>>https://github.com/onelogin/java-saml]]

Wiki source code of Authentification SAMLv2

Sommaire