Requirements

To use ADFS to log in to your Seafile, you need the following components:

  1. A Windows Server with ADFS installed. For configuring and installing ADFS, see this article.

  2. A valid SSL certificate for ADFS server, and here we use adfs-server.adfs.com as the domain name example.

  3. A valid SSL certificate for Seafile server, and here we use demo.seafile.com as the domain name example.

Prepare Certs File

  1. x.509 certs for SP (Service Provider)

    You can generate a self-signed key pair with:

    openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout sp.key -out sp.crt

    These x.509 certs are used to sign and encrypt SAML elements such as the NameID and the SP metadata. Two caveats: -nodes writes sp.key unencrypted, so give it owner-only permissions under the account that runs Seafile; and the certificate expires after the 365 days given here, and because ADFS keeps a copy of sp.crt in the relying party trust, that trust has to be updated after you renew it.

    Then copy these two files to <seafile-install-path>/seahub-data/certs (if the certs folder does not exist, create it).

  2. x.509 cert from IdP (Identity Provider)

    1. Log into the ADFS server and open the ADFS management.

    2. Double click Service and choose Certificates.

    3. Export the Token-Signing certificate:

      1. Right-click the certificate and select View Certificate.
      2. Select the Details tab.
      3. Click Copy to File (select DER encoded binary X.509).
    4. Convert this certificate from DER to PEM format and name the result idp.crt.

    5. Then copy it to <seafile-install-path>/seahub-data/certs.

Prepare IdP Metadata File

  1. Open https://adfs-server.adfs.com/federationmetadata/2007-06/federationmetadata.xml

  2. Save this XML file and rename it to idp_federation_metadata.xml. Fetch it over HTTPS from an ADFS server whose certificate your browser validates: the metadata names the token-signing certificate that Seafile will trust for every login, so a tampered copy would let someone else sign assertions.

  3. Copy it to <seafile-install-path>/seahub-data/certs.
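Before going on, it is worth confirming that the three files agree with each other. The script below is an added example for this guide, not part of Seafile; it needs only the Python 3 standard library. It checks that idp.crt (accepted as PEM, or as the DER file exported from ADFS; openssl x509 -inform DER -outform PEM also converts it) is the Token-Signing certificate published in idp_federation_metadata.xml, prints the IdP's entityID, which is what the key of the 'idp' dictionary in SAML_CONFIG should match, and warns when sp.key is readable by other users. The sample directory it builds when run without arguments uses constructed byte strings in place of real certificates, and the entityID http://adfs-server.adfs.com/adfs/services/trust in that sample is assumed.

```python
"""Consistency check for the files in seahub-data/certs.

Added example for this guide, not Seafile code; Python 3 standard library only.
Checks that idp.crt (PEM, or the DER file from "Copy to File") is the signing
certificate published in idp_federation_metadata.xml, reports the IdP entityID
and flags an sp.key that other users can read. Sample data is constructed.
"""
import base64
import hashlib
import os
import re
import stat
import sys
import tempfile
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
PEM_CERT = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def cert_to_der(data):
    """Accept PEM or DER input and return the DER bytes."""
    m = PEM_CERT.search(data)
    if m:
        return base64.b64decode(b"".join(m.group(1).split()))
    return data


def fingerprint(der):
    return hashlib.sha256(der).hexdigest()


def signing_certs(metadata_xml):
    """SHA-256 fingerprints of every certificate the IdP may sign with.
    A KeyDescriptor with no 'use' covers signing too; use="encryption" does not."""
    found = set()
    for kd in ET.fromstring(metadata_xml).iter("{%s}KeyDescriptor" % MD):
        if kd.get("use") not in (None, "signing"):
            continue
        for x509 in kd.iter("{%s}X509Certificate" % DS):
            found.add(fingerprint(base64.b64decode("".join(x509.text.split()))))
    return found


def idp_entity_id(metadata_xml):
    return ET.fromstring(metadata_xml).get("entityID")  # ADFS publishes one EntityDescriptor


def check_certs_dir(certs_dir):
    """Return the findings as a dict instead of printing them."""
    with open(os.path.join(certs_dir, "idp_federation_metadata.xml"), "rb") as f:
        metadata = f.read()
    with open(os.path.join(certs_dir, "idp.crt"), "rb") as f:
        idp_fp = fingerprint(cert_to_der(f.read()))
    key_mode = stat.S_IMODE(os.stat(os.path.join(certs_dir, "sp.key")).st_mode)
    return {
        "entity_id": idp_entity_id(metadata),  # compare with the 'idp' key in SAML_CONFIG
        "idp_crt_sha256": idp_fp,
        "idp_crt_in_metadata": idp_fp in signing_certs(metadata),
        "sp_key_readable_by_others": bool(key_mode & (stat.S_IRGRP | stat.S_IROTH)),
    }


# --- constructed sample: distinct byte strings stand in for certificates ---
SAMPLE_ENTITY_ID = "http://adfs-server.adfs.com/adfs/services/trust"  # assumed ADFS value
SIGNING_DER = b"\x30\x82\x01\x00signing-cert-bytes"
ENCRYPTION_DER = b"\x30\x82\x01\x00encryption-cert-bytes"


def sample_metadata(entity_id=SAMPLE_ENTITY_ID):
    b64 = lambda der: base64.b64encode(der).decode()
    return (
        '<EntityDescriptor xmlns="%s" xmlns:ds="%s" entityID="%s"><IDPSSODescriptor>'
        '<KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s'
        '</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>'
        '<KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s'
        '</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>'
        '</IDPSSODescriptor></EntityDescriptor>'
    ) % (MD, DS, entity_id, b64(SIGNING_DER), b64(ENCRYPTION_DER))


def make_sample_dir(idp_der=SIGNING_DER, pem=False):
    """Write a throw-away certs directory with idp.crt in DER or PEM form."""
    d = tempfile.mkdtemp(prefix="seafile-certs-")
    with open(os.path.join(d, "idp_federation_metadata.xml"), "w") as f:
        f.write(sample_metadata())
    crt = idp_der if not pem else (b"-----BEGIN CERTIFICATE-----\n"
                                   + base64.encodebytes(idp_der) + b"-----END CERTIFICATE-----\n")
    with open(os.path.join(d, "idp.crt"), "wb") as f:
        f.write(crt)
    with open(os.path.join(d, "sp.key"), "wb") as f:
        f.write(b"constructed placeholder, not a real key\n")
    os.chmod(os.path.join(d, "sp.key"), 0o600)
    return d


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else make_sample_dir()
    for name, value in check_certs_dir(target).items():
        print("%s: %s" % (name, value))
```

Run it as python check_certs.py <seafile-install-path>/seahub-data/certs. A False idp_crt_in_metadata means you exported the wrong certificate (for example the Token-Decrypting or Service Communications one) or the IdP has rolled its signing key since you saved the metadata; in both cases logins will fail signature validation.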

Install Requirements on Seafile Server

  • For Ubuntu 16.04
    1. sudo apt install xmlsec1 (pysaml2 runs the xmlsec1 command-line tool; this package installs /usr/bin/xmlsec1 and pulls in libxmlsec1)
    2. sudo pip install cryptography djangosaml2==0.15.0

Config Seafile

Add the following lines to seahub_settings.py, replacing <seafile-install-path> with the actual install path:

  from os import path
  import saml2
  import saml2.saml

  CERTS_DIR = '<seafile-install-path>/seahub-data/certs'
  SP_SERVICE_URL = 'https://demo.seafile.com'
  # Full path to the xmlsec1 binary; verify it with `which xmlsec1`
  # (the Ubuntu xmlsec1 package installs it as /usr/bin/xmlsec1).
  XMLSEC_BINARY = '/usr/local/bin/xmlsec1'
  ATTRIBUTE_MAP_DIR = '<seafile-install-path>/seafile-server-latest/seahub-extra/seahub_extra/adfs_auth/attribute-maps'

  # SAML attribute name (as issued by your ADFS claim rules) -> Seafile profile field
  SAML_ATTRIBUTE_MAPPING = {
      'DisplayName': ('display_name', ),
      'ContactEmail': ('contact_email', ),
      'Department': ('department', ),
      'Telephone': ('telephone', ),
  }

  ENABLE_ADFS_LOGIN = True
  EXTRA_AUTHENTICATION_BACKENDS = (
      'seahub_extra.adfs_auth.backends.Saml2Backend',
  )
  # The NameID of the assertion (an e-mail address, see name_id_format below)
  # becomes the Seafile username.
  SAML_USE_NAME_ID_AS_USERNAME = True
  LOGIN_REDIRECT_URL = '/saml2/complete/'

  SAML_CONFIG = {
      # full path to the xmlsec1 binary program
      'xmlsec_binary': XMLSEC_BINARY,
      'allow_unknown_attributes': True,
      # your entity id, usually your subdomain plus the url to the metadata view;
      # this is also the Federation metadata address you give ADFS
      'entityid': SP_SERVICE_URL + '/saml2/metadata/',
      # directory with attribute mapping
      'attribute_map_dir': ATTRIBUTE_MAP_DIR,
      # this block states what services we provide
      'service': {
          # we are just a lonely SP
          'sp': {
              # Accept IdP-initiated responses (needed for the ADFS sign-on page and
              # the desktop client). This skips the InResponseTo check, so the SP
              # cannot tie a response to a request it sent; keep it only if you
              # need IdP-initiated login.
              'allow_unsolicited': True,
              'name': 'Federated Seafile Service',
              # ADFS must issue the NameID as an e-mail address
              # (see the "Email to Name ID" claim rule below)
              'name_id_format': saml2.saml.NAMEID_FORMAT_EMAILADDRESS,
              'endpoints': {
                  # url and binding to the assertion consumer service view
                  # do not change the binding or service name
                  'assertion_consumer_service': [
                      (SP_SERVICE_URL + '/saml2/acs/', saml2.BINDING_HTTP_POST),
                  ],
                  # url and binding to the single logout service view
                  # do not change the binding or service name
                  'single_logout_service': [
                      (SP_SERVICE_URL + '/saml2/ls/', saml2.BINDING_HTTP_REDIRECT),
                      (SP_SERVICE_URL + '/saml2/ls/post', saml2.BINDING_HTTP_POST),
                  ],
              },
              # attributes that this project needs to identify a user
              'required_attributes': ['uid'],
              # attributes that may be useful to have but not required
              'optional_attributes': ['eduPersonAffiliation', ],
              # in this section the list of IdPs we talk to are defined
              'idp': {
                  # we do not need a WAYF service since there is only an IdP
                  # defined here. This IdP should be present in our metadata.
                  # The keys of this dictionary are entity ids: check the entityID
                  # attribute in idp_federation_metadata.xml and use that value
                  # if it differs from the one below.
                  'https://adfs-server.adfs.com/federationmetadata/2007-06/federationmetadata.xml': {
                      'single_sign_on_service': {
                          saml2.BINDING_HTTP_REDIRECT: 'https://adfs-server.adfs.com/adfs/ls/idpinitiatedsignon.aspx',
                      },
                      'single_logout_service': {
                          saml2.BINDING_HTTP_REDIRECT: 'https://adfs-server.adfs.com/adfs/ls/?wa=wsignout1.0',
                      },
                  },
              },
          },
      },
      # where the remote metadata is stored
      'metadata': {
          'local': [path.join(CERTS_DIR, 'idp_federation_metadata.xml')],
      },
      # set to 1 to output debugging information; use 0 in production
      'debug': 1,
      # Signing
      'key_file': '',
      'cert_file': path.join(CERTS_DIR, 'idp.crt'),  # from IdP (CERTS_DIR already ends in /certs)
      # Encryption: the SP key pair used to decrypt encrypted assertions
      'encryption_keypairs': [{
          'key_file': path.join(CERTS_DIR, 'sp.key'),  # private part
          'cert_file': path.join(CERTS_DIR, 'sp.crt'),  # public part
      }],
      'valid_for': 24,  # how long (in hours) our metadata is valid
  }

Config ADFS Server

  1. Add Relying Party Trust

    A Relying Party Trust tells ADFS about Seafile (the Service Provider) and is the link between the two.

    1. Log into the ADFS server and open the ADFS management.

    2. Double click Trust Relationships, then right click Relying Party Trusts, select Add Relying Party Trust….

    3. Select Import data about the relying party published online or on a local network and enter https://demo.seafile.com/saml2/metadata/ as the Federation metadata address. ADFS fetches the Seafile SP metadata from that URL, so Seafile must already be running with the configuration above.

    4. Click Next on the remaining pages, then Finish.

  2. Add Relying Party Claim Rules

    Claim rules define which attributes of the Windows domain user ADFS sends to Seafile.

    Important: every user in the Windows domain who should log in must have the E-mail value set, because it becomes the Seafile username.

    1. Right-click on the relying party trust and select Edit Claim Rules…

    2. On the Issuance Transform Rules tab select Add Rule…

    3. Select Send LDAP Attribute as Claims as the claim rule template to use.

    4. Give the claim a name such as LDAP Attributes.

    5. Set the Attribute Store to Active Directory, the LDAP Attribute to E-Mail-Addresses, and the Outgoing Claim Type to E-mail Address.

    6. Select Finish.

    7. Click Add Rule… again.

    8. Select Transform an Incoming Claim.

    9. Give it a name such as Email to Name ID.

    10. Incoming claim type should be E-mail Address (it must match the Outgoing Claim Type in rule #1).

    11. The Outgoing claim type is Name ID (this is requested in Seafile settings policy 'name_id_format': saml2.saml.NAMEID_FORMAT_EMAILADDRESS).

    12. Set the Outgoing name ID format to Email.

    13. Leave Pass through all claim values selected and click Finish.
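To see whether these two rules produce what the Seafile settings expect, capture the SAMLResponse form field that ADFS posts to https://demo.seafile.com/saml2/acs/ (for example from the browser's developer tools) and decode it. The checker below is an added example for this guide, not Seafile or djangosaml2 code, and uses only the Python 3 standard library; it does not verify the XML signature, which pysaml2 does in the real login. It reports the NameID and its format, the Audience and the attribute claims, and lists what is wrong when the NameID is missing or not in e-mail format, the Audience is not the SP entityid from SAML_CONFIG, or the assertion arrived encrypted. The sample responses it builds are constructed (the user alice@adfs.com and the issuer value are made up), not captured from ADFS.

```python
"""Inspect a SAMLResponse that ADFS posts to /saml2/acs/.

Added example for this guide, not Seafile or djangosaml2 code; Python 3
standard library only. It does NOT verify the XML signature (pysaml2 does that
during the real login). It checks that the claim rules produced a NameID in
e-mail format, an Audience equal to the SP entityid, and lists the claims.
The sample responses at the bottom are constructed, not captured from ADFS.
"""
import base64
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
SP_ENTITY_ID = "https://demo.seafile.com/saml2/metadata/"  # SAML_CONFIG['entityid']


def check_response(saml_response_b64, sp_entity_id=SP_ENTITY_ID):
    """Decode the posted form field; return what Seafile will see and a list of problems."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    result = {"issuer": None, "name_id": None, "name_id_format": None,
              "attributes": {}, "problems": []}
    code = root.find("{%s}Status/{%s}StatusCode" % (SAMLP, SAMLP))
    if code is not None and not code.get("Value", "").endswith(":Success"):
        result["problems"].append("IdP returned status %s" % code.get("Value"))
    assertion = root.find("{%s}Assertion" % SAML)
    if assertion is None:
        if root.find("{%s}EncryptedAssertion" % SAML) is not None:
            # ADFS encrypts when the relying party trust carries an encryption
            # certificate (sp.crt); pysaml2 decrypts it with encryption_keypairs.
            result["problems"].append("assertion is encrypted; decrypt with sp.key to inspect it")
        else:
            result["problems"].append("no Assertion in the response")
        return result
    issuer = assertion.find("{%s}Issuer" % SAML)
    result["issuer"] = None if issuer is None else issuer.text
    name_id = assertion.find("{%s}Subject/{%s}NameID" % (SAML, SAML))
    if name_id is None:
        result["problems"].append("no NameID: the 'Email to Name ID' transform rule is missing")
    else:
        result["name_id"] = name_id.text
        result["name_id_format"] = name_id.get("Format")
        if name_id.get("Format") != EMAIL_FORMAT:
            result["problems"].append("NameID format %s is not emailAddress: set the outgoing "
                                      "name ID format to Email" % name_id.get("Format"))
    audiences = [a.text for a in assertion.iter("{%s}Audience" % SAML)]
    if sp_entity_id not in audiences:
        result["problems"].append("Audience %s does not include the SP entityid %s"
                                  % (audiences, sp_entity_id))
    for attr in assertion.iter("{%s}Attribute" % SAML):
        result["attributes"][attr.get("Name")] = [
            v.text for v in attr.iter("{%s}AttributeValue" % SAML)]
    return result


# --- constructed samples (unsigned; the user and issuer values are made up) ---
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
SAMPLE_ISSUER = "http://adfs-server.adfs.com/adfs/services/trust"  # assumed ADFS entityID


def sample_response(name_id_format=EMAIL_FORMAT, audience=SP_ENTITY_ID):
    xml = (
        '<samlp:Response xmlns:samlp="%s" xmlns:saml="%s">'
        '<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
        '<saml:Assertion><saml:Issuer>%s</saml:Issuer>'
        '<saml:Subject><saml:NameID Format="%s">alice@adfs.com</saml:NameID></saml:Subject>'
        '<saml:Conditions><saml:AudienceRestriction><saml:Audience>%s</saml:Audience>'
        '</saml:AudienceRestriction></saml:Conditions>'
        '<saml:AttributeStatement><saml:Attribute Name="%s">'
        '<saml:AttributeValue>alice@adfs.com</saml:AttributeValue></saml:Attribute>'
        '</saml:AttributeStatement></saml:Assertion></samlp:Response>'
    ) % (SAMLP, SAML, SAMPLE_ISSUER, name_id_format, audience, EMAIL_CLAIM)
    return base64.b64encode(xml.encode()).decode()


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1]).read().strip() if len(sys.argv) > 1 else sample_response()
    for key, value in check_response(data).items():
        print("%s: %s" % (key, value))
```

Run it as python check_response.py response.txt, where response.txt holds the raw SAMLResponse value. An empty problems list means the rules match the settings; a NameID in a different format (for instance persistent) is the most common reason the ADFS login returns to Seafile but no user is created, since SAML_USE_NAME_ID_AS_USERNAME expects an e-mail address there.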

Test

After restarting the services, open https://demo.seafile.com in a web browser. The login dialog should show an ADFS button; clicking it redirects you to the ADFS server (adfs-server.adfs.com), and after a successful username and password check you are redirected back to the Seafile home page.

For the desktop client, click "Shibboleth Login" in the "Add a new account" window, enter https://demo.seafile.com and click OK. A new window opens with the ADFS server login page; after a successful login the window closes and the Seafile libraries panel is shown.