Server Pro: SAML Config
Available in ShareLaTeX Server Pro is the ability to use a SAML server to manage users. In ShareLaTeX Server Pro, the SAML auth module is configured via environment variables. Internally, the passport-saml module is used, and these config values are passed along to passport-saml.
- SHARELATEX_SAML_IDENTITY_SERVICE_NAME: Display name for the Identity service, used on the login page.
- SHARELATEX_SAML_ENTRYPOINT: Entrypoint URL for the SAML Identity Service.
- SHARELATEX_SAML_CALLBACK_URL: Callback URL for the ShareLaTeX service. Should be the full URL of the /saml/callback path. Example: http://sharelatex.example.com/saml/callback
- SHARELATEX_SAML_EMAIL_FIELD_NAME: Name of the email field in the user profile; defaults to 'email'.
- SHARELATEX_SAML_ISSUER: The Issuer name.
- SHARELATEX_SAML_CERT: (optional) Identity Provider certificate, used to validate incoming SAML messages. Example: MIICizCCAfQCCQCY8tKaMc0BMjANBgkqh ... W== (see the full passport-saml documentation).
- SHARELATEX_SAML_PRIVATE_CERT: (optional) Path to a private key in PEM format, used to sign auth requests sent by passport-saml. Example: /some/path/cert.pm (see the full passport-saml documentation).
- SHARELATEX_SAML_DECRYPTION_PVK: (optional) Private key that will be used to attempt to decrypt any encrypted assertions that are received.
- SHARELATEX_SAML_SIGNATURE_ALGORITHM: (optional) Signature algorithm for signing requests; valid values are 'sha1' (default) or 'sha256'.
- SHARELATEX_SAML_ADDITIONAL_PARAMS: JSON dictionary of additional query params to add to all requests.
- SHARELATEX_SAML_ADDITIONAL_AUTHORIZE_PARAMS: JSON dictionary of additional query params to add to 'authorize' requests. Example: {"some_key": "some_value"}
- SHARELATEX_SAML_IDENTIFIER_FORMAT: If present, the name identifier format to request from the identity provider (default: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress).
- SHARELATEX_SAML_ACCEPTED_CLOCK_SKEW_MS: Time in milliseconds of skew that is acceptable between client and server when checking the NotBefore and NotOnOrAfter assertion condition validity timestamps. Setting to -1 disables checking these conditions entirely. Default is 0.
- SHARELATEX_SAML_ATTRIBUTE_CONSUMING_SERVICE_INDEX: (optional) AttributeConsumingServiceIndex attribute to add to the AuthnRequest, instructing the IdP which attribute set to attach to the response (see the passport-saml documentation).
- SHARELATEX_SAML_AUTHN_CONTEXT: If present, the authentication context to request (default: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport).
- SHARELATEX_SAML_FORCE_AUTHN: If true, the initial SAML request from the service provider specifies that the IdP should force re-authentication of the user, even if they possess a valid session.
- SHARELATEX_SAML_DISABLE_REQUESTED_AUTHN_CONTEXT: If true, do not request a specific auth context.
- SHARELATEX_SAML_SKIP_REQUEST_COMPRESSION: If set to true, the SAML request from the service provider won't be compressed.
- SHARELATEX_SAML_AUTHN_REQUEST_BINDING: If set to HTTP-POST, authentication will be requested from the IdP via the HTTP POST binding; otherwise defaults to HTTP Redirect.
- SHARELATEX_SAML_VALIDATE_IN_RESPONSE_TO: If truthy, InResponseTo will be validated on incoming SAML responses.
- SHARELATEX_SAML_REQUEST_ID_EXPIRATION_PERIOD_MS: Defines the expiration time after which a Request ID generated for a SAML request will no longer be valid if seen in the InResponseTo field of a SAML response. Default is 8 hours.
- SHARELATEX_SAML_CACHE_PROVIDER: Defines the implementation of the cache provider used to store Request IDs generated in SAML requests as part of InResponseTo validation. Default is a built-in in-memory cache provider (see the passport-saml documentation).
- SHARELATEX_SAML_LOGOUT_URL: Base address to call with logout requests (default: entryPoint).
- SHARELATEX_SAML_LOGOUT_CALLBACK_URL: The value with which to populate the Location attribute in the SingleLogoutService elements in the generated service provider metadata.
- SHARELATEX_SAML_ADDITIONAL_LOGOUT_PARAMS: JSON dictionary of additional query params to add to 'logout' requests.

Note: if SHARELATEX_SAML_AUTHN_REQUEST_BINDING is set to HTTP-POST, then SHARELATEX_SAML_SKIP_REQUEST_COMPRESSION must also be set to true.

A minimal example configuration:
SHARELATEX_SAML_ENTRYPOINT=https://your-saml-server.net/simplesaml/saml2/idp/SSOService.php
SHARELATEX_SAML_CALLBACK_URL=http://your-sharelatex-server.net/saml/callback
SHARELATEX_SAML_ISSUER=sharelatex-saml
SHARELATEX_SAML_IDENTITY_SERVICE_NAME=SAML
The Identity Provider will need to be configured to recognize the ShareLaTeX server as a "Service Provider". Consult the documentation for your SAML server for instructions on how to do this.
Here is an example of appropriate Service Provider metadata; note the AssertionConsumerService.Location, EntityDescriptor.entityID and EntityDescriptor.ID properties, and set them as appropriate.
<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
entityID="sharelatex-saml"
ID="sharelatex_saml">
<SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
<AssertionConsumerService index="1"
isDefault="true"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Location="http://sharelatex-host/saml/callback" />
</SPSSODescriptor>
</EntityDescriptor>
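As an added example (not ShareLaTeX's or passport-saml's own code), the following maps the variables listed above onto a passport-saml style options object, checks the constraints this page states (required values, the /saml/callback path, the HTTP-POST/compression rule, and the effect of a clock skew of -1 or a missing IdP certificate), and renders Service Provider metadata of the shape shown above. The option names and the sample values are assumptions.

```javascript
// Added example, not code from the ShareLaTeX project: maps the SHARELATEX_SAML_*
// variables above onto a passport-saml style options object, checks the constraints
// the page states, and renders SP metadata shaped like the XML example above.
const DEFAULT_NAMEID = 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress';

function buildSamlConfig(env) {
  const cfg = {
    entryPoint: env.SHARELATEX_SAML_ENTRYPOINT,
    callbackUrl: env.SHARELATEX_SAML_CALLBACK_URL,
    issuer: env.SHARELATEX_SAML_ISSUER,
    cert: env.SHARELATEX_SAML_CERT,
    identifierFormat: env.SHARELATEX_SAML_IDENTIFIER_FORMAT || DEFAULT_NAMEID,
    signatureAlgorithm: env.SHARELATEX_SAML_SIGNATURE_ALGORITHM || 'sha1',
    authnRequestBinding: env.SHARELATEX_SAML_AUTHN_REQUEST_BINDING || 'HTTP-Redirect',
    skipRequestCompression: env.SHARELATEX_SAML_SKIP_REQUEST_COMPRESSION === 'true',
    acceptedClockSkewMs: Number(env.SHARELATEX_SAML_ACCEPTED_CLOCK_SKEW_MS || 0),
  };
  const problems = [];
  for (const k of ['entryPoint', 'callbackUrl', 'issuer']) if (!cfg[k]) problems.push(`missing ${k}`);
  if (cfg.callbackUrl && !cfg.callbackUrl.endsWith('/saml/callback')) {
    problems.push('callbackUrl must be the full URL of the /saml/callback path');
  }
  if (!['sha1', 'sha256'].includes(cfg.signatureAlgorithm)) problems.push("signatureAlgorithm must be 'sha1' or 'sha256'");
  // Constraint from the note above: the POST binding needs request compression switched off.
  if (cfg.authnRequestBinding === 'HTTP-POST' && !cfg.skipRequestCompression) {
    problems.push('HTTP-POST binding requires SHARELATEX_SAML_SKIP_REQUEST_COMPRESSION=true');
  }
  if (!cfg.cert) problems.push('no IdP certificate: incoming SAML messages cannot be validated');
  if (cfg.acceptedClockSkewMs === -1) problems.push('NotBefore/NotOnOrAfter checks are disabled');
  return { cfg, problems };
}

// XML-escape attribute values so an issuer or URL cannot break the metadata document.
const esc = (s) => String(s).replace(/[&<>"']/g, (c) =>
  ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&apos;' }[c]));

function spMetadata(cfg) {
  return `<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="${esc(cfg.issuer)}">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <NameIDFormat>${esc(cfg.identifierFormat)}</NameIDFormat>
    <AssertionConsumerService index="1" isDefault="true"
      Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="${esc(cfg.callbackUrl)}" />
  </SPSSODescriptor>
</EntityDescriptor>`;
}
```

Run it against your real environment (for example `buildSamlConfig(process.env)`) before starting the container, and hand the returned metadata to the IdP administrator.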