SAML

This can be used to log into fylr with users from e.g. Shibboleth and Azure ActiveDirectory.

Background

SAML with mocksaml.com

Follow this example to get into the workflow of configuring SAML with fylr.

First you need to generate a certificate and private key.

Background: The certificate will be entered in the fylr frontend's form fields and then be given to the Identity Provider as part of the metadata, so that requests coming from fylr are accepted. It is in addition to fylr's https certificate and not to be confused with that.

Generate Certificate

This can be done where ever openssl is installed as a command line utility.

openssl genrsa -out private.key 3072
openssl req -new -x509 -key private.key -out publickey.cer -days 365

Now you can view the contents of the files private.key and publickey.cer and put that into fylr's frontend: (Certificate and Key fields) as in this screenshot:

Base Config

• We recommend to set the checkmark at Log Steps. This will write log events to debug SAML connections. In case of an error, the connection attempt is always logged.

• In User Mapping define how the SAML user is created in fylr. Upon each login the SAML users are mapped to fylr users. If an user already exists, an update is performed. Working with mocksaml.com:

  • Target: Reference: %(email)s

  • Target: Email: %(email)s

Test Connection

Now go to the fylr login page (e.g. by logging out or using a second browser or private tab) and click on SAML Login in the login dialog. This sends you to the login page of the Identify Provider. Login using any name and password (as written on that test login page). fylr will log the user in with no further rights (unless configured). Optionally check the User Manager in fylr to see that the user record has been created (you can only view this as a privileged user, e.g. root).

What you might need with other providers

mocksaml.com is simplified. Here are some details you might need with other identity providers:

fylr SAML Metadata

Other URLs

Attributes and user matching

• Target: Login: This can be used to determine the username during login, as in: The pair of username and Password used to log in. Example value: %(login)s. Or %(sAMAccountName)s. Has to match an attribute name that is actually present in your IDP's data.

• Target: Display Name: Example value: %(displayName)s. Has to match an attribute name that is actually present in your IDP's data.

• Target: Email: Note that email addresses in fylr have to be unique. The same email address cannot be used by two fylr users under any circumstances. fylr will not allow the email address to be saved a second time, preventing the login via SAML, if the email address is already present in fylr.

• Target: Reference: Make sure this is adjusted to your data. Do not just copy and paste. It can be very different from the above simple example. Another example: %(urn:oasis:names:tc:SAML:attribute:subject-id)s

  • By default, Reference is used to determine whether a user already exists in fylr or whether to create a new one as a SAML user logs in. You may think of it as the unique ID.

• User update: Set the attribute which is used to determine whether the SAML user (who is logging in) already has a matching account in fylr. If it has a matching account, that user is logged in (and attributes may get overwritten with the current values in SAML). If it has no matching account in fylr yet, a new one is being created. By default, the used attribute is Reference. But you can choose the attributes Email or Login, instead. Example: Assume that the chosen attribute for Benutzer-Update is Email and that Alice logs in the first time with her SAML user alice@example.com. Company policy changes and thus her email address (in SAML) changes to alice.lastname@example.com. During her next login into fylr, a new user is being created, as there is no user yet with alice.lastname@example.com. Now Alice has two user accounts in fylr and can only log in to the second one.

Replacing strings in attributes

Our attribute syntax can replace strings. This syntax is part of our attribute matching (fylr 6.20 and newer):

%(key||search||replacement)s

Where search is the regexp matching what is then replaced with replacement.

The regular expressions syntax rules: https://pkg.go.dev/regexp#Regexp.ReplaceAllString.

Example: %(email||^.*=||)s, in context:

When a user logs in with attribute email equal to urn:campus:1:mail=ben@example.com and attribute mapping Target:Email %(email||^.*=||)s then his email address in fylr will be just ben@example.com, because the search part matches all up to the equal sign and the replacement is empty.

Signed AuthnRequest

Checkbox: ☑︎ Sign requests (default off)

Some environments have the requirement that the SPs (in this case fylr) must sign the authentication requests.

Needs at least fylr v6.12.0.

MS Entra

This section was contributed by partners and customers, we did not verify this.

Group Mapping

Users of production Identity providers often have an attribute that groups user accounts together and can be used to give permissions in fylr to a whole group. We will assume an attribute called role to demonstrate a group mapping:

Mapping goal of the following example: Every role that ends in the letters samltest.id shall be automatically member of the fylr group testidp.

1. In fylr-URL/configmanager > User management > SAML add into the form field Group Mapping the value %(role)s (see following screenshot).

1. In fylr-URL/groupmanager add a group named testidp. Give that group some system rights that are visible after logging in.

2. In this group's configuration > AUTHENTICATION SERVICES > below Single-Sign-On add an entry with Method Regular Expression and Input .*samltest.id (see following screenshot).

1. Save. Test the login as a SAML user with a matching role. The user now has the rights given to the group testidp.