Lychee SAML Authentication

❏ What is Lychee SAML Authentication?

Lychee SAML Authentication is a plugin that lets Redmine and an IdP (Identity Provider) exchange SAML authentication information, enabling single sign-on.
Compatible IdPs are OneLogin and ADFS (Active Directory Federation Services).

❏ OneLogin

1. IdP (Identity Provider) Settings

  1. Display the Configuration screen of the application registered for use with Redmine
    In the Administration > Applications menu, go to [Applications] > Application registered for Redmine > Configuration.

  2. Input the following and click [Save]

    Field                          Value
    Audience                       The part of the [Issuer URL] on the SSO screen that ends in "metadata".
                                   For the URL "https://app.onelogin.com/saml/metadata/abcdefg-hijklmn", enter:
                                   https://app.onelogin.com/saml/metadata
    Recipient                      The URL displayed under "Recipient" on the SAML Authentication screen.
                                   It has the following format:
                                   Redmine's URL/auth/one_login/callback
    ACS (Consumer) URL Validator   The regular expression displayed under "ACS URL Validator" on the SAML Authentication screen.
    ACS (Consumer) URL             The "ACS URL" displayed on the SAML Authentication screen.

2. Plugin Settings

  1. Display the SAML Authentication screen
    Administration > SAML authentication
  2. Click the [SAML Authentication] link
    The SAML Authentication screen will be displayed
  3. Click [+SAML Authentication] in the top right of the screen
    New authentication form
  4. Enter the following and click the [Create] button

    Field                  Value
    Type                   One Login
    Name                   Any name
    Domain                 Redmine's URL
    App ID                 The part of the URL path after "metadata/" found under [Issuer URL] on the SSO screen (*1).
                           For the URL "https://app.onelogin.com/saml/metadata/abcdefg-hijklmn", enter: "abcdefg-hijklmn"
    SSP slo ID             The part of the URL path after "slo/" found under [SLO Endpoint (HTTP)] on the SSO screen (*1).
                           For the URL "https://example.onelogin.com/trust/saml2/http-redirect/slo/1234567890", enter: "1234567890"
    IDP Cert Algorithm     The same algorithm found under [SAML Signature Algorithm] on the SSO screen (*1)
    IDP Cert Fingerprint   The value found under [Fingerprint] on the Certificates screen (*2)

    *1 In the Administration > Applications menu, go to [Applications] > Application registered for Redmine > SSO
    *2 In the Administration > Applications menu, go to [Applications] > Application registered for Redmine > SSO > [X.509 Certificate], and click the [View Details] link

  5. The values needed for OneLogin's Configuration screen will appear
    The following information will be displayed on the SAML Authentication screen; it is what you enter on the OneLogin Configuration screen in step 1:

    • Recipient
    • ACS URL Validator
    • ACS URL

❏ ADFS (Active Directory Federation Services)

1. IdP (Identity Provider) Settings

  1. Display the application registered for use with Redmine
    Home > Azure Active Directory > Application Registration > Application registered for Redmine
  2. Display [Brand], enter the following in [Homepage URL], and click [Save]
    Enter the URL using the following format:

     Redmine's URL/auth/adfs

  3. Display [Authentication], enter the following in [Web > Redirect URI], and click [Save]

    Field                Value
    Web > Redirect URI   URI with the following format:
                         Redmine's URL/auth/adfs/callback
    Web > Logout URL     URL with the following format:
                         Redmine's URL/logout

  4. Display [Certificates and Secrets] and upload the certificate

2. Plugin Settings

  1. Display the SAML Authentication screen
    Administration > SAML authentication
  2. Click the [SAML Authentication] link
    The SAML Authentication screen will be displayed
  3. Click [+SAML Authentication] in the top right of the screen
    New authentication form
  4. Enter the following and click the [Create] button

    Field                  Value
    Type                   ADFS
    Name                   Any name
    Domain                 Redmine's URL
    App ID                 [Application (Client) ID] on the Overview screen (*1) of the application registered for Redmine
    SSP slo ID             [Directory (Tenant) ID] on the Overview screen (*1) of the application registered for Redmine
    IDP Cert Algorithm     The algorithm used when creating the fingerprint
    IDP Cert Fingerprint   The fingerprint of the token-signing certificate

    *1 Azure Home > Application Registration > Application for Redmine > Overview

3. Requesting a Fingerprint for a Token-signing Certificate

  1. Check the Federation Metadata endpoint
    Application Registration > Endpoint > Federation Metadata Endpoint

  2. Access the endpoint
    Metadata XML will be displayed.

  3. Copy the entire metadata and paste it in a text editor
    Copying only the X509Certificate value can sometimes fail, so copy the entire screen and paste it in a text editor.
  4. Create a CRT file
    Create a CRT file using the X509Certificate value found under the KeyDescriptor element whose use attribute is "signing".
    The CRT file's structure is as follows:

    • Line 1: -----BEGIN CERTIFICATE-----
    • Line 2: X509Certificate 's value
    • Line 3: -----END CERTIFICATE-----

  5. Request a fingerprint from the CRT file created in (4)
    If you are using OpenSSL, request it using the following command:

       openssl x509 -[hash algorithm] -fingerprint -in [path of CRT file generated in (4)] -noout

    Example: if the hash algorithm is "sha512" and the path of the CRT file created in (4) is "path/to/x509.crt":

       openssl x509 -sha512 -fingerprint -in path/to/x509.crt -noout
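Steps 2 to 5 above carried out programmatically, as an added example that is not part of the plugin or of this page: it picks the X509Certificate from the KeyDescriptor whose use is "signing", writes the CRT (PEM) form, and computes the colon-separated fingerprint in the format openssl x509 -fingerprint prints. The metadata, entityID and certificate bytes below are constructed stand-ins, not real ADFS output.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",   # SAML metadata namespace
      "ds": "http://www.w3.org/2000/09/xmldsig#"}      # XML Signature namespace

# Constructed stand-ins for DER certificate bytes: NOT real certificates, only test input.
SIGNING_DER = b"constructed signing-certificate bytes, not a real certificate"
ENCRYPTION_B64 = base64.b64encode(b"constructed encryption-certificate bytes").decode()
SIGNING_B64 = base64.b64encode(SIGNING_DER).decode()

# Constructed metadata shaped like ADFS FederationMetadata.xml (hypothetical entityID).
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://sts.example.invalid/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="encryption"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <X509Data><X509Certificate>{ENCRYPTION_B64}</X509Certificate></X509Data>
    </KeyInfo></KeyDescriptor>
    <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <X509Data><X509Certificate>
        {SIGNING_B64}
      </X509Certificate></X509Data>
    </KeyInfo></KeyDescriptor>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def signing_certificates(metadata_xml: str) -> list[str]:
    """Return the base64 X509Certificate values the IdP uses for signing.
    A KeyDescriptor without a use attribute applies to signing and encryption."""
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            certs.append("".join(cert.text.split()))  # drop line breaks and indentation
    return certs


def to_pem(cert_b64: str) -> str:
    """Wrap the base64 value in the BEGIN/END CERTIFICATE lines of a CRT file (64-char lines)."""
    body = "\n".join(cert_b64[i:i + 64] for i in range(0, len(cert_b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def fingerprint(cert_b64: str, algorithm: str = "sha512") -> str:
    """Hash the DER bytes (the decoded base64), formatted like openssl x509 -fingerprint."""
    digest = hashlib.new(algorithm, base64.b64decode(cert_b64, validate=True)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2)).upper()
```

Because the fingerprint pins one specific token-signing certificate, recompute it and update IDP Cert Fingerprint whenever the IdP rolls that certificate over, or sign-in will fail.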
    
