Server Pro: SAML Config
Available in Overleaf Server Pro is the ability to use a SAML server to manage users.
The Overleaf Toolkit contains a specific section for SAML configuration.
The information in this page is valid for both Overleaf Toolkit users and legacy docker-compose.yml users.

In Overleaf Server Pro, the SAML auth module is configured via environment variables. Internally, the passport-saml module is used, and these config values are passed along to passport-saml.

The environment variable `EXTERNAL_AUTH=saml` is required to enable the SAML authentication module.
- `SHARELATEX_SAML_IDENTITY_SERVICE_NAME`: Display name for the Identity service, used on the login page.
- `SHARELATEX_SAML_EMAIL_FIELD`: Name of the Email field in the user profile, defaults to 'nameID'. Alias: `SHARELATEX_SAML_EMAIL_FIELD_NAME`.
- `SHARELATEX_SAML_FIRST_NAME_FIELD`: Name of the firstName field in the user profile, defaults to 'givenName'.
- `SHARELATEX_SAML_LAST_NAME_FIELD`: Name of the lastName field in the user profile, defaults to 'lastName'.
- `SHARELATEX_SAML_UPDATE_USER_DETAILS_ON_LOGIN`: If set to `true`, updates the user's first_name and last_name fields on each login, and turns off the user-details form on the /user/settings page.
- `SHARELATEX_SAML_ENTRYPOINT`: Entrypoint URL for the SAML Identity Service. Example: `https://idp.example.com/simplesaml/saml2/idp/SSOService.php`. Azure example: `https://login.microsoftonline.com/8b26b46a-6dd3-45c7-a104-f883f4db1f6b/saml2`.
- `SHARELATEX_SAML_CALLBACK_URL`: Callback URL for the Overleaf service. Should be the full URL of the `/saml/callback` path. Example: `https://sharelatex.example.com/saml/callback`.
- `SHARELATEX_SAML_ISSUER`: The Issuer name.
- `SHARELATEX_SAML_CERT`: (required since 2.7.0) Identity Provider's public signing certificate, used to validate incoming SAML messages, in single-line format. Example: `MIICizCCAfQCCQCY8tKaMc0BMjANBgkqh...W==`. See the section on passing keys and certificates below, and the passport-saml documentation, for more information.
- `SHARELATEX_SAML_PRIVATE_CERT`: (optional) Path to a file containing a PEM-formatted private key used to sign auth requests sent by passport-saml. Note: this would be better called `PRIVATE_KEY_FILE`, but `PRIVATE_CERT` is the current name. See the section on passing keys and certificates below, and the passport-saml documentation, for more information.
- `SHARELATEX_SAML_DECRYPTION_CERT`: (optional) Public certificate matching the `SHARELATEX_SAML_DECRYPTION_PVK`, used for the metadata endpoint. See the section on passing keys and certificates below for how to pass the certificate.
- `SHARELATEX_SAML_DECRYPTION_PVK`: (optional) Private key that will be used to attempt to decrypt any encrypted assertions that are received, in PEM (multi-line) format. See the section on passing keys and certificates below for how to pass the key in PEM format.
- `SHARELATEX_SAML_SIGNATURE_ALGORITHM`: Optionally set the signature algorithm for signing requests; valid values are 'sha1' (default) or 'sha256'.
- `SHARELATEX_SAML_ADDITIONAL_PARAMS`: JSON dictionary of additional query params to add to all requests.
- `SHARELATEX_SAML_ADDITIONAL_AUTHORIZE_PARAMS`: JSON dictionary of additional query params to add to 'authorize' requests. Example: `{"some_key": "some_value"}`.
- `SHARELATEX_SAML_IDENTIFIER_FORMAT`: If present, the name identifier format to request from the identity provider (default: `urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress`).
- `SHARELATEX_SAML_ACCEPTED_CLOCK_SKEW_MS`: Time in milliseconds of skew that is acceptable between client and server when checking the NotBefore and NotOnOrAfter assertion condition validity timestamps. Setting to -1 will disable checking these conditions entirely. Default is 0.
- `SHARELATEX_SAML_ATTRIBUTE_CONSUMING_SERVICE_INDEX`: Optional `AttributeConsumingServiceIndex` attribute to add to the AuthnRequest, to instruct the IdP which attribute set to attach to the response.
- `SHARELATEX_SAML_AUTHN_CONTEXT`: If present, the authentication context class to request (default: `urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport`).
- `SHARELATEX_SAML_FORCE_AUTHN`: If `true`, the initial SAML request from the service provider specifies that the IdP should force re-authentication of the user, even if they possess a valid session.
- `SHARELATEX_SAML_DISABLE_REQUESTED_AUTHN_CONTEXT`: If `true`, do not request a specific auth context.
- `SHARELATEX_SAML_SKIP_REQUEST_COMPRESSION`: If set to `true`, the SAML request from the service provider won't be compressed.
- `SHARELATEX_SAML_AUTHN_REQUEST_BINDING`: If set to `HTTP-POST`, will request authentication from the IdP via the HTTP POST binding; otherwise defaults to HTTP Redirect.
- `SHARELATEX_SAML_VALIDATE_IN_RESPONSE_TO`: If truthy, then InResponseTo will be validated on incoming SAML responses.
- `SHARELATEX_SAML_REQUEST_ID_EXPIRATION_PERIOD_MS`: Defines the expiration time after which a Request ID generated for a SAML request will no longer be valid if seen in a SAML response in the `InResponseTo` field. Default is 8 hours.
- `SHARELATEX_SAML_CACHE_PROVIDER`: Defines the implementation for a cache provider used to store request IDs generated in SAML requests as part of `InResponseTo` validation. Default is a built-in in-memory cache provider.
- `SHARELATEX_SAML_LOGOUT_URL`: Base address to call with logout requests (default: `entryPoint`).
- `SHARELATEX_SAML_LOGOUT_CALLBACK_URL`: The value with which to populate the `Location` attribute in the `SingleLogoutService` elements in the generated service provider metadata.
- `SHARELATEX_SAML_ADDITIONAL_LOGOUT_PARAMS`: JSON dictionary of additional query params to add to 'logout' requests.

Note: if `SHARELATEX_SAML_AUTHN_REQUEST_BINDING` is set to `HTTP-POST`, then `SHARELATEX_SAML_SKIP_REQUEST_COMPRESSION` must also be set to `true`.
The same settings can be supplied in any of the three forms below.

```sh
# passed as docker parameters
--env SHARELATEX_SAML_ENTRYPOINT='https://idp.example.com/simplesaml/saml2/idp/SSOService.php'
--env SHARELATEX_SAML_CALLBACK_URL='https://sharelatex.example.com/saml/callback'
--env SHARELATEX_SAML_ISSUER='sharelatex-saml'
--env SHARELATEX_SAML_IDENTITY_SERVICE_NAME='SAML'
--env SHARELATEX_SAML_EMAIL_FIELD='email'
--env SHARELATEX_SAML_FIRST_NAME_FIELD='f_name'
--env SHARELATEX_SAML_LAST_NAME_FIELD='l_name'
```

```sh
# as a docker env file, or in Overleaf Toolkit's "variables.env" file
SHARELATEX_SAML_ENTRYPOINT=https://idp.example.com/simplesaml/saml2/idp/SSOService.php
SHARELATEX_SAML_CALLBACK_URL=https://sharelatex.example.com/saml/callback
SHARELATEX_SAML_ISSUER=sharelatex-saml
SHARELATEX_SAML_IDENTITY_SERVICE_NAME=SAML
SHARELATEX_SAML_EMAIL_FIELD=email
SHARELATEX_SAML_FIRST_NAME_FIELD=f_name
SHARELATEX_SAML_LAST_NAME_FIELD=l_name
```

```yaml
# as part of the "environment" section in a "docker-compose.yml" file
environment:
  SHARELATEX_SAML_ENTRYPOINT: 'https://idp.example.com/simplesaml/saml2/idp/SSOService.php'
  SHARELATEX_SAML_CALLBACK_URL: 'https://sharelatex.example.com/saml/callback'
  SHARELATEX_SAML_ISSUER: 'sharelatex-saml'
  SHARELATEX_SAML_IDENTITY_SERVICE_NAME: 'SAML'
  SHARELATEX_SAML_EMAIL_FIELD: 'email'
  SHARELATEX_SAML_FIRST_NAME_FIELD: 'f_name'
  SHARELATEX_SAML_LAST_NAME_FIELD: 'l_name'
```
As of Server Pro 2.7.0:

- The value of the `SHARELATEX_SAML_CERT` environment variable cannot be empty if SAML is enabled (with `EXTERNAL_AUTH=saml`, or if `SHARELATEX_SAML_ENTRYPOINT` is set).

As of Server Pro 2.5.0:

- The value of the `SHARELATEX_SAML_CERT` environment variable must be passed in single-line format (without the begin and end lines from the PEM format; see below for more information).
- The value of the `SHARELATEX_SAML_PRIVATE_CERT` environment variable should be a full path to a file which contains the private key in PEM format.
- The value of the `SHARELATEX_SAML_DECRYPTION_PVK` environment variable must be passed in PEM format (multi-line). (But single-line may be supported soon.)
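Several of the rules above are easy to get wrong in a long env file: the certificate that became mandatory in 2.7.0, the single-line format it must have, and the HTTP-POST/compression coupling. The following linter is an added example (not part of the Overleaf wiki, toolkit or passport-saml); the function names and message texts are my own, and it reads a docker env file or `variables.env` in the `NAME=value` form shown above. Hard errors are the conditions the page states as requirements; the weak-but-valid settings (sha1 signing, InResponseTo not validated, clock-skew checks disabled with -1) are reported as warnings.

```shell
#!/bin/sh
# Added example (not Overleaf's code): lint a docker env file / Overleaf
# Toolkit variables.env for the SAML settings documented on this page.
# Rules taken from the page:
#  - since 2.7.0, SHARELATEX_SAML_CERT must be set whenever SAML is enabled
#  - SHARELATEX_SAML_CERT must be single-line (no BEGIN/END lines, no whitespace)
#  - HTTP-POST binding requires SHARELATEX_SAML_SKIP_REQUEST_COMPRESSION=true
#  - sha1 signing, unchecked InResponseTo and skew -1 are valid but weak

# get_var FILE NAME: print the value of the last NAME=value line in FILE
get_var() {
  sed -n "s/^$2=//p" "$1" | tail -n 1
}

# check_saml_env FILE: print ERROR/WARN findings; return 1 on any ERROR, else 0
check_saml_env() {
  errors=0
  auth=$(get_var "$1" EXTERNAL_AUTH)
  entry=$(get_var "$1" SHARELATEX_SAML_ENTRYPOINT)
  cert=$(get_var "$1" SHARELATEX_SAML_CERT)
  binding=$(get_var "$1" SHARELATEX_SAML_AUTHN_REQUEST_BINDING)
  skipcomp=$(get_var "$1" SHARELATEX_SAML_SKIP_REQUEST_COMPRESSION)
  sigalg=$(get_var "$1" SHARELATEX_SAML_SIGNATURE_ALGORITHM)
  validate=$(get_var "$1" SHARELATEX_SAML_VALIDATE_IN_RESPONSE_TO)
  skew=$(get_var "$1" SHARELATEX_SAML_ACCEPTED_CLOCK_SKEW_MS)

  # SAML is enabled by EXTERNAL_AUTH=saml or by setting an entrypoint
  if [ "$auth" != saml ] && [ -z "$entry" ]; then
    echo "INFO: SAML not enabled, nothing to check"
    return 0
  fi

  # Without the IdP signing certificate the SP cannot verify that a SAML
  # response was really issued by the IdP; since 2.7.0 it is required.
  if [ -z "$cert" ]; then
    echo "ERROR: SHARELATEX_SAML_CERT is empty but SAML is enabled"
    errors=1
  fi
  case $cert in
    *"-----BEGIN"*|*" "*|*'\\n'*)
      echo "ERROR: SHARELATEX_SAML_CERT must be one line: no BEGIN/END lines, whitespace or newline escapes"
      errors=1 ;;
  esac

  # The page requires compression to be skipped when the POST binding is used
  if [ "$binding" = HTTP-POST ] && [ "$skipcomp" != true ]; then
    echo "ERROR: SHARELATEX_SAML_AUTHN_REQUEST_BINDING=HTTP-POST needs SHARELATEX_SAML_SKIP_REQUEST_COMPRESSION=true"
    errors=1
  fi

  # Valid but weak settings: report, do not fail
  if [ "$sigalg" != sha256 ]; then
    echo "WARN: request signing defaults to sha1; consider SHARELATEX_SAML_SIGNATURE_ALGORITHM=sha256"
  fi
  if [ "$validate" != true ]; then
    echo "WARN: SHARELATEX_SAML_VALIDATE_IN_RESPONSE_TO is not set; InResponseTo is not checked on responses"
  fi
  if [ "$skew" = -1 ]; then
    echo "WARN: SHARELATEX_SAML_ACCEPTED_CLOCK_SKEW_MS=-1 disables NotBefore/NotOnOrAfter checks"
  fi
  return $errors
}

# Usage: sh saml-env-lint.sh config/variables.env
if [ "$#" -gt 0 ]; then
  check_saml_env "$1"
fi
```

Run it against `config/variables.env` before restarting the containers; a non-zero exit means one of the page's hard requirements is unmet, while warnings point at defaults that are accepted but leave response validation weaker than it could be.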
In a docker env file (or the Overleaf Toolkit's "variables.env" file), to pass a key or certificate in single-line format, just specify it as a string (don't include the begin or end lines, any internal whitespace, or any newline escapes such as `\n`; also do not add quotes):

```sh
SHARELATEX_SAML_CERT_2=MIIEowIBAAKCAQEAxmJWY0eJcuV2uBtLnQ4004fuknbODo5xIyRhkYNkls5n9OrBq4Lok6cjv7G2Q8mxAdlIUmzhTSyuNkrMMKZrPaMsAkNKE/aNpeWuSLXqcMs8T/8gYCDcEmC5KYEJakNtKb3ZX2FKwT4yHHpsNomLDzJD5DyJKbRpNBm2no7ggIy7TQRJ2H00mogQIQu8/fUANXVeGPshvLJU8MXEy/eiXkHJIT3DDA4VSr/C/tfP0tGJSNTM874urc4zej+4INuTuMPtesZS47J0AsPxQuxengS4M76cVt5cH+Iqd1nKe5UqiSKvLCXacPYg/T/Kdx0tBnwHIjKo/cbzZ+r+XynsCwIDAQABAoIBAFPWWwu5v6x+rJ1Ba8MDre93Eqty6cHdEJL5XQJRtMDGmcg3LYF94SwFBmaMg6pCIjvVx2qN+OjUaQsosQIeUlPKEV8jcLrfBx2E4xJ3Tow8V1C3UMdPG7Hojler4H633/oz8RkN1Lm1vxep5PFnTw0tAOQDcTPeulb6RuLbHqU0FEnf/jVOMhtPLcMAwJ3fkAJQ+ljFW2VKCQ83d+ci1p+NHY/dbGLSR4lK58mVghcRMO3zhe5scrbECHJMfT6fCb2TXdjaueFUGC6+fqUXvDj8HRfUilzTegNq8ZhwgMSw1HeX/PuiczSKc3aHYSsohMBugTErnkW+qF4ZkE+kxgECgYEA/sm7umcyFuZME+RWYL8Gsp8agH1OGEgsmIiMi1z6RTlTmdR8fN18ItzXyW+363VZln/1b5wCaPdLIxgASxybLAaxnKAXfmL7QvyVAaMwxj7N0ogvMQoNx2VuSGZSam2+LFVIMWHq1C+3fvVnCDLm6oHvIMK/zvEsPBBtz+L6rlECgYEAx1PrKogaGHCi1XgsrNv9aFaayRvmhzZbmiigF0iWKAd3KKww94BdyyGSVfMfyL23LAbMQDCrDNGpYAnpNZo/cL+OcGPYzlPsWDBrJub1HOA/H3WQlP4oEcfdbmJZhIkEwTGFHaCHynEu4ekiCrWz9+XVNCquTyqnmaVDEzAfEZsCgYA8jQbfUt0Vkh+sboyUq3FVC/jJZn4jyStICNOV3z/fKbOTkGsRZbW1t1RVHAbSn23uFXTn1GTCO1sQ+QhA0YiTGvgk5+sNb0qVbd+fpv/VbWGO0iyc8+24YIOoEyEtB+21LYNdsQ6U5M4wDvQwf6BfRQfmekIJVUmU8LaYPDIlMQKBgDSRiT/aTSeM7STnYMDl89sEnCXV2eJnD5mEhVQerJs5/M8ZOoDLtfDQlctdJ1DF1/0gfdWgADyNPuI5OuwMFhciLequKoufzoEjo97KonJPIdamJs9kiCTIVTm7bmhpyns5GCZMJAPb/cVOus+gRCpozuXHK9ltIm5/C0WQN2FpAoGBAOss6RN2krieqbn1mG8e2v5mMUd0CJkiJu2y5MnF3dYHXSQ3/ePAh/YgJOthpgYgBh+mV0DLqJhx/1DLS/xiqcoHDlndQDmYbtvvY7RlMo00+nGzkRVOfrqyhC+1KsYHGPbSQixNQXtvFbAAVMSo+RRBkVGINYGDFnlQUpkppYRk
```

To pass a key or certificate in multi-line format, wrap the entire value in double quotes and use newline characters (`\n`) as usual:

```sh
SHARELATEX_SAML_DECRYPTION_PVK_2="-----BEGIN RSA PRIVATE KEY-----\n...\n-----END RSA PRIVATE KEY-----"
```

In a docker-compose.yml file, to pass a key or certificate in single-line format, just specify it as a string (don't include the begin or end lines, any internal whitespace, or any newline escapes such as `\n`):

```yaml
SHARELATEX_SAML_CERT: MIIEowIBAAKCAQEAxmJWY0eJcuV2uBtLnQ4004fuknbODo5xIyRhkYNkls5n9OrBq4Lok6cjv7G2Q8mx...
```

To pass a key or certificate in multi-line format, use the YAML "block literal style with chomping indicator", `|-`:

```yaml
SHARELATEX_SAML_DECRYPTION_PVK: |-
  -----BEGIN RSA PRIVATE KEY-----
  ...
  -----END RSA PRIVATE KEY-----
```

(The above private key is an example key from the xml-encryption library's test suite. Do not use this key.)
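Reshaping a PEM file by hand into the two forms above is where whitespace and escape mistakes creep in. The helper below is an added example (not Overleaf's or passport-saml's code; the function names are my own) that produces each form from a PEM file: the single-line body for `SHARELATEX_SAML_CERT`, the quoted `\n`-joined value for a docker env file, and the `|-` block for docker-compose.yml. `SHARELATEX_SAML_PRIVATE_CERT` takes a file path, so it needs no reshaping. The PEM content used in the test is constructed, not a real key.

```shell
#!/bin/sh
# Added example (not Overleaf's code): turn a PEM file into the value shapes
# this page describes. Function names are my own.
#   pem_single_line FILE      -> one base64 line, for SHARELATEX_SAML_CERT
#   pem_env_line NAME FILE    -> NAME="...\n..." line for a docker env file
#   pem_yaml_block NAME FILE  -> docker-compose "environment" entry using |-

# Drop the -----BEGIN/END----- lines and every space, tab, CR and LF.
pem_single_line() {
  grep -v -- '-----' "$1" | tr -d ' \t\r\n'
}

# Return 0 if VALUE contains only base64 characters, i.e. no header,
# whitespace or escape sequences survived; 1 otherwise.
is_single_line_b64() {
  case $1 in
    '' | *[!A-Za-z0-9+/=]*) return 1 ;;
  esac
  return 0
}

# Env-file form: whole value in double quotes, each real line break written
# as the two characters backslash-n, like the DECRYPTION_PVK example above.
pem_env_line() {
  printf '%s="' "$1"
  awk 'NR > 1 { printf "\\n" } { printf "%s", $0 }' "$2"
  printf '"\n'
}

# Compose form: YAML block literal with the |- chomping indicator, every PEM
# line indented two spaces under the key so line breaks are preserved.
pem_yaml_block() {
  printf '%s: |-\n' "$1"
  sed 's/^/  /' "$2"
}

# Usage: sh pem-shapes.sh idp-signing.pem
if [ "$#" -gt 0 ]; then
  single=$(pem_single_line "$1")
  is_single_line_b64 "$single" || { echo "not a clean base64 body" >&2; exit 1; }
  echo "SHARELATEX_SAML_CERT=$single"
  pem_env_line SHARELATEX_SAML_DECRYPTION_PVK "$1"
  pem_yaml_block SHARELATEX_SAML_DECRYPTION_PVK "$1"
fi
```

The `is_single_line_b64` check is the one worth keeping around: a value that still contains a space, a header line or a literal `\n` is exactly the kind that passes a visual inspection and then fails signature validation at login.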
Since version 2.6.0, Overleaf Server Pro includes an endpoint to retrieve Service Provider metadata: http://my-overleaf-instance.com/saml/meta

The Identity Provider will need to be configured to recognize the Overleaf server as a "Service Provider". Consult the documentation for your SAML server for instructions on how to do this.

Here is an example of appropriate Service Provider metadata; note the `AssertionConsumerService.Location`, `EntityDescriptor.entityID` and `EntityDescriptor.ID` properties, and set them as appropriate (in this example they correspond to the `SHARELATEX_SAML_CALLBACK_URL` and `SHARELATEX_SAML_ISSUER` values used above).

```xml
<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                  entityID="sharelatex-saml"
                  ID="sharelatex_saml">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <AssertionConsumerService index="1"
                              isDefault="true"
                              Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                              Location="https://sharelatex.example.com/saml/callback" />
  </SPSSODescriptor>
</EntityDescriptor>
```