Requirements

To use ADFS to log in to your Seafile, you need the following components:

  1. A Winodws Server with ADFS installed. For configuring and installing ADFS you can see this article.

  2. A valid SSL certificate for ADFS server, and here we use adfs-server.adfs.com as the domain name example.

  3. A valid SSL certificate for Seafile server, and here we use demo.seafile.com as the domain name example.

Prepare Certs File

  1. x.509 certs for SP (Service Provider)

    You can generate them by:

    1. openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout sp.key -out sp.crt

    These x.509 certs are used to sign and encrypt elements like NameID and Metadata for SAML.

    Then copy these two files to /seahub-data/certs. (if the certs folder not exists, create it.)

  2. x.509 cert from IdP (Identity Provider)

    1. Log into the ADFS server and open the ADFS management.

    2. Double click Service and choose Certificates.

    3. Export the Token-Signing certificate:

      1. Right-click the certificate and select View Certificate.
      2. Select the Details tab.
      3. Click Copy to File (select DER encoded binary X.509).

    4. Convert this certificate to PEM format, rename it to idp.crt

    5. Then copy it to /seahub-data/certs.

Prepare IdP Metadata File

  1. Open https://adfs-server.adfs.com/federationmetadata/2007-06/federationmetadata.xml

  2. Save this xml file, rename it to idp_federation_metadata.xml

  3. Copy it to /seahub-data/certs.

Install Requirements on Seafile Server

  • For Ubuntu 16.04
    1. sudo apt install xmlsec1
    2. sudo pip install cryptography djangosaml2==0.15.0

Config Seafile

Add the following lines to seahub_settings.py

  1. from os import path
  2. import saml2
  3. import saml2.saml
  5. # update following lines according to your situation
  6. CERTS_DIR = '<seafile-install-path>/seahub-data/certs'
  7. SP_SERVICE_URL = 'https://demo.seafile.com'
  8. XMLSEC_BINARY = '/usr/local/bin/xmlsec1'
  9. ATTRIBUTE_MAP_DIR = '<seafile-install-path>/seafile-server-latest/seahub-extra/seahub_extra/adfs_auth/attribute-maps'
  10. SAML_ATTRIBUTE_MAPPING = {
  11.     'DisplayName': ('display_name', ),
  12.     'ContactEmail': ('contact_email', ),
  13.     'Deparment': ('department', ),
  14.     'Telephone': ('telephone', ),
  15. }
  17. # update the 'idp' section in SAMPL_CONFIG according to your situation, and leave others as default
  18. ENABLE_ADFS_LOGIN = True
  19. EXTRA_AUTHENTICATION_BACKENDS = (
  20.     'seahub_extra.adfs_auth.backends.Saml2Backend',
  21. )
  22. SAML_USE_NAME_ID_AS_USERNAME = True
  23. LOGIN_REDIRECT_URL = '/saml2/complete/'
  24. SAML_CONFIG = {
  25.     # full path to the xmlsec1 binary programm
  26.     'xmlsec_binary': XMLSEC_BINARY,
  28.       'allow_unknown_attributes': True,
  30.     # your entity id, usually your subdomain plus the url to the metadata view
  31.     'entityid': SP_SERVICE_URL + '/saml2/metadata/',
  33.     # directory with attribute mapping
  34.     'attribute_map_dir': ATTRIBUTE_MAP_DIR,
  36.     # this block states what services we provide
  37.     'service': {
  38.         # we are just a lonely SP
  39.         'sp' : {
  40.             "allow_unsolicited": True,
  41.             'name': 'Federated Seafile Service',
  42.             'name_id_format': saml2.saml.NAMEID_FORMAT_EMAILADDRESS,
  43.             'endpoints': {
  44.                 # url and binding to the assetion consumer service view
  45.                 # do not change the binding or service name
  46.                 'assertion_consumer_service': [
  47.                     (SP_SERVICE_URL + '/saml2/acs/',
  48.                      saml2.BINDING_HTTP_POST),
  49.                 ],
  50.                 # url and binding to the single logout service view
  51.                 # do not change the binding or service name
  52.                 'single_logout_service': [
  53.                     (SP_SERVICE_URL + '/saml2/ls/',
  54.                      saml2.BINDING_HTTP_REDIRECT),
  55.                     (SP_SERVICE_URL + '/saml2/ls/post',
  56.                      saml2.BINDING_HTTP_POST),
  57.                 ],
  58.             },
  60.             # attributes that this project need to identify a user
  61.             'required_attributes': ["uid"],
  63.             # attributes that may be useful to have but not required
  64.             'optional_attributes': ['eduPersonAffiliation', ],
  66.             # in this section the list of IdPs we talk to are defined
  67.             'idp': {
  68.                 # we do not need a WAYF service since there is
  69.                 # only an IdP defined here. This IdP should be
  70.                 # present in our metadata
  72.                 # the keys of this dictionary are entity ids
  73.                 'https://adfs-server.adfs.com/federationmetadata/2007-06/federationmetadata.xml': {
  74.                     'single_sign_on_service': {
  75.                         saml2.BINDING_HTTP_REDIRECT: 'https://adfs-server.adfs.com/adfs/ls/idpinitiatedsignon.aspx',
  76.                     },
  77.                   'single_logout_service': {
  78.                       saml2.BINDING_HTTP_REDIRECT: 'https://adfs-server.adfs.com/adfs/ls/?wa=wsignout1.0',
  79.                   },
  80.                 },
  81.             },
  82.         },
  83.     },
  85.     # where the remote metadata is stored
  86.     'metadata': {
  87.         'local': [path.join(CERTS_DIR, 'idp_federation_metadata.xml')],
  88.     },
  90.     # set to 1 to output debugging information
  91.     'debug': 1,
  93.     # Signing
  94.     'key_file': '', 
  95.     'cert_file': path.join(CERTS_DIR, 'idp.crt'),  # from IdP
  97.     # Encryption
  98.     'encryption_keypairs': [{
  99.         'key_file': path.join(CERTS_DIR, 'sp.key'),  # private part
  100.         'cert_file': path.join(CERTS_DIR, 'sp.crt'),  # public part
  101.     }],
  103.     'valid_for': 24,  # how long is our metadata valid
  104. }

Config ADFS Server

  1. Add Relying Party Trust

    Relying Party Trust is the connection between Seafile and ADFS.

    1. Log into the ADFS server and open the ADFS management.

    2. Double click Trust Relationships, then right click Relying Party Trusts, select Add Relying Party Trust….

    3. Select Import data about the relying party published online or one a local network, input https://demo.seafile.com/saml2/metadata/ in the Federation metadata address.

    4. Then Next until Finish.

  2. Add Relying Party Claim Rules

    Relying Party Claim Rules is used for attribute communication between Seafile and users in Windows Domain.

    Important: Users in Windows domain must have the E-mail value setted.

    1. Right-click on the relying party trust and select Edit Claim Rules…

    2. On the Issuance Transform Rules tab select Add Rules…

    3. Select Send LDAP Attribute as Claims as the claim rule template to use.

    4. Give the claim a name such as LDAP Attributes.

    5. Set the Attribute Store to Active Directory, the LDAP Attribute to E-Mail-Addresses, and the Outgoing Claim Type to E-mail Address.

    6. Select Finish.

    7. Click Add Rule… again.

    8. Select Transform an Incoming Claim.

    9. Give it a name such as Email to Name ID.

    10. Incoming claim type should be E-mail Address (it must match the Outgoing Claim Type in rule #1).

    11. The Outgoing claim type is Name ID (this is requested in Seafile settings policy 'name_id_format': saml2.saml.NAMEID_FORMAT_EMAILADDRESS).

    12. the Outgoing name ID format is Email.

    13. Pass through all claim values and click Finish.