More information on metadata for SAML2 authentication

[nwintering]

Hi, we are running a Shibboleth Identity Provider and would like to authenticate Cryptpad user via SAML2. I would like to know where to find all the metadata about the Cryptpad Service Provider in order to attach it to our Identity Provider. Things I need to know:

• What is the entityID of our Cryptpad Service Provider?
• Which user attributes are required for authentication?
• Which endpoint receives the SAML-assertions from the IdP?
• Where to find the encryption and signing certificates of the Service Provider?

There might be further required metadata. I am not sure.

Could someone elaborate on the documentation?

[yflory]

Hi,

The documentation for SAML2 is indeed incomplete and we welcome any suggestion or pull request to improve it. We don't have a SAML expert in the team so if some cases are not handled properly, please tell us and we'll improve the plugin to support it.

Once the sso plugin is installed in the cryptpad plugin directory, you can make a copy of the sso example and base your config on the SAML example:

• The "issuer" field is the entityID
• We only need a display name for the user
  • I just made a change to have this attribute configurable in the config file above using the field username_attr
  • It will fall back to nameID if it can't find a displayName field or the configured field
• The IdP is supposed to redirect to https://your-cryptpad-url/ssoauth
• You can generate a signing certificate for the Service provider and store it in your cryptpad repo
  • You must then specify its path in the signingCert field of the copnfiguration: fs.readFileSync("./your/signing/cert/location", "utf-8"),
  • This path is relative to the root of the cryptpad repo
  • You can also add the private key using the privateKey field
  • And your IdP cert can be added as a string or a file using the cert field of the config

When your configuration file is ready, you can run node lib/plugins/sso/get-saml-metadata.js from the root of the cryptpad repo to print the xml containing the Service Provider metadata.

Example config:

const fs = require('node:fs');
module.exports = { 
    // Enable SSO login on this instance
    enabled: true,
    // Block registration for non-SSO users on this instance
    enforced: false,
    // Allow users to add an additional CryptPad password to their SSO account
    cpPassword: true,
    // You can also force your SSO users to add a CryptPad password
    forceCpPassword: false,
    // List of SSO providers
    list: [{
        name: 'Your SSO name', // displayed as a login option in the UI
        type: 'saml',
        url: 'https://your-saml-idp/sso', // the SSO url
        issuer: 'your-cryptpad-issuer-id', // entityD
        cert: fs.readFileSync("./your-idp-cert.txt", "utf-8"),
        privateKey: fs.readFileSync("./your-private-key", "utf-8"),
        signingCert: fs.readFileSync("./your-signing-cert", "utf-8"),
    }]   
};

Please tell us if this answers your questions or if something is still unclear and we'll update the documentation later.

[nwintering]

Thanks! This gives me good starting point for testing. I will try this out on occasion.