
Server Pro: SAML Config

Shane Kilkelly edited this page Nov 23, 2016 · 29 revisions

Sharelatex SAML

Available in ShareLaTeX Server Pro is the ability to use a SAML Identity Provider to authenticate and manage users.

Configuration

In Sharelatex Server Pro, the SAML auth module is configured via environment variables.

Internally, the passport-saml module is used, and these config values are passed along to passport-saml.

  • SHARELATEX_SAML_IDENTITY_SERVICE_NAME

    • Display name for the Identity service, used on the login page
  • SHARELATEX_SAML_ENTRYPOINT

    • Entrypoint url for the SAML Identity Service
  • SHARELATEX_SAML_CALLBACK_URL

    • Callback URL for the ShareLaTeX service. Must be the full URL of the /saml/callback path, for example http://sharelatex.example.com/saml/callback. Use https in production: the IdP posts the user's assertion to this URL, and over plain http it is readable in transit.
  • SHARELATEX_SAML_EMAIL_FIELD_NAME

    • Name of the Email field in user profile, default to 'email'
  • SHARELATEX_SAML_ISSUER

    • The Issuer name
  • SHARELATEX_SAML_CERT

    • (optional) Identity Provider certificate (base64 certificate body, as in the example), used to validate the signature on incoming SAML messages. Example: MIICizCCAfQCCQCY8tKaMc0BMjANBgkqh ... W== Treat it as required in any real deployment: without it passport-saml has no key to verify the IdP's signature on the response, and that signature is the only thing proving the assertion came from your IdP. See the passport-saml documentation.
  • SHARELATEX_SAML_PRIVATE_CERT

    • (optional) Path to a private key in PEM format, used to sign the authentication requests passport-saml sends. Example: /some/path/cert.pem. See the passport-saml documentation.
  • SHARELATEX_SAML_DECRYPTION_PVK

    • Optional private key that will be used to attempt to decrypt any encrypted assertions that are received
  • SHARELATEX_SAML_SIGNATURE_ALGORITHM

    • Optionally set the signature algorithm for signing requests; valid values are 'sha1' (default) or 'sha256'. Prefer 'sha256' where the IdP accepts it; SHA-1 is deprecated for signatures.
  • SHARELATEX_SAML_ADDITIONAL_PARAMS

    • JSON dictionary of additional query params to add to all requests
  • SHARELATEX_SAML_ADDITIONAL_AUTHORIZE_PARAMS

    • JSON dictionary of additional query params to add to 'authorize' requests Example: {"some_key": "some_value"}
  • SHARELATEX_SAML_IDENTIFIER_FORMAT

    • if present, name identifier format to request from identity provider (default: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress)
  • SHARELATEX_SAML_ACCEPTED_CLOCK_SKEW_MS

    • Time in milliseconds of clock skew tolerated between the IdP and this server when checking the NotBefore and NotOnOrAfter validity timestamps on assertion conditions. Setting it to -1 disables these checks entirely, which lets an expired assertion be accepted; keep the clocks synchronised with NTP and the skew small instead. Default is 0.
  • SHARELATEX_SAML_ATTRIBUTE_CONSUMING_SERVICE_INDEX

    • optional AttributeConsumingServiceIndex attribute to add to the AuthnRequest, instructing the IdP which attribute set to attach to the response (see the passport-saml documentation)
  • SHARELATEX_SAML_AUTHN_CONTEXT

    • if present, the authentication context class to request from the identity provider (default: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport)
  • SHARELATEX_SAML_FORCE_AUTHN

    • if true, the initial SAML request from the service provider specifies that the IdP should force re-authentication of the user, even if they possess a valid session.
  • SHARELATEX_SAML_DISABLE_REQUESTED_AUTHN_CONTEXT

    • if true, do not request a specific auth context
  • SHARELATEX_SAML_SKIP_REQUEST_COMPRESSION

    • if set to true, the SAML request from the service provider won't be compressed.
  • SHARELATEX_SAML_AUTHN_REQUEST_BINDING

    • if set to HTTP-POST, will request authentication from IDP via HTTP POST binding, otherwise defaults to HTTP Redirect
  • SHARELATEX_SAML_VALIDATE_IN_RESPONSE_TO

    • if true, the InResponseTo attribute of each incoming SAML response is checked against the IDs of the AuthnRequests this server issued, and a response that does not answer one of them is rejected. Enable it: it stops a response this server never asked for from being accepted as a login.
  • SHARELATEX_SAML_REQUEST_ID_EXPIRATION_PERIOD_MS

    • How long, in milliseconds, a Request ID generated for a SAML request remains valid for matching the InResponseTo field of a response; a response referring to an older request is rejected. Default is 8 hours.
  • SHARELATEX_SAML_CACHE_PROVIDER

    • Defines the implementation of the cache provider used to store the request IDs generated for SAML requests, as part of InResponseTo validation. Default is a built-in in-memory cache, which is local to one process: if several ShareLaTeX web instances run behind a load balancer, the response may arrive at an instance that never saw the request, so use a shared cache provider there. See the passport-saml documentation.
  • SHARELATEX_SAML_LOGOUT_URL

    • base address to call with logout requests (default: entryPoint)
  • SHARELATEX_SAML_LOGOUT_CALLBACK_URL

    • The value with which to populate the Location attribute in the SingleLogoutService elements in the generated service provider metadata.
  • SHARELATEX_SAML_ADDITIONAL_LOGOUT_PARAMS

    • JSON dictionary of additional query params to add to 'logout' requests

Using Http Post

Note, if SHARELATEX_SAML_AUTHN_REQUEST_BINDING is set to HTTP-POST, then SHARELATEX_SAML_SKIP_REQUEST_COMPRESSION must also be set to true.
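As an added example (not code from the ShareLaTeX project or from passport-saml), the following Node.js script checks a set of SHARELATEX_SAML_* variables against the rules described above before the container is started: the required values, the shape of the callback URL, the HTTP-POST/compression constraint, the JSON dictionaries, and the settings that weaken validation (plain http, sha1, no IdP certificate, clock skew -1, InResponseTo validation off). The sample environment embedded in it is constructed from the Configuration Example on this page; the function name checkSamlEnv and the file name are this example's own.

```javascript
// Added example, not part of ShareLaTeX or passport-saml: pre-flight checks for
// the SHARELATEX_SAML_* variables. Run with `node check-saml-env.js` (file name
// is an assumption) or call checkSamlEnv(process.env) from your own tooling.

const REQUIRED = [
  'SHARELATEX_SAML_IDENTITY_SERVICE_NAME',
  'SHARELATEX_SAML_ENTRYPOINT',
  'SHARELATEX_SAML_CALLBACK_URL',
  'SHARELATEX_SAML_ISSUER',
];

// Variables that must hold a JSON dictionary (object), not a list or a scalar.
const JSON_DICTS = [
  'SHARELATEX_SAML_ADDITIONAL_PARAMS',
  'SHARELATEX_SAML_ADDITIONAL_AUTHORIZE_PARAMS',
  'SHARELATEX_SAML_ADDITIONAL_LOGOUT_PARAMS',
];

function isTrue(value) {
  return String(value).toLowerCase() === 'true';
}

// Returns { ok, errors, warnings }: errors are settings the SAML module cannot
// work with, warnings are settings that work but weaken validation.
function checkSamlEnv(env) {
  const errors = [];
  const warnings = [];

  for (const name of REQUIRED) {
    if (!env[name]) errors.push(`${name} is not set`);
  }

  // The callback must be the full URL of the /saml/callback path.
  const callback = env.SHARELATEX_SAML_CALLBACK_URL;
  if (callback) {
    let url = null;
    try { url = new URL(callback); } catch (e) { /* not an absolute URL */ }
    if (!url || !/^https?:$/.test(url.protocol)) {
      errors.push('SHARELATEX_SAML_CALLBACK_URL must be an absolute http(s) URL');
    } else {
      if (url.pathname !== '/saml/callback') {
        errors.push('SHARELATEX_SAML_CALLBACK_URL must end with /saml/callback');
      }
      if (url.protocol === 'http:') {
        warnings.push('SHARELATEX_SAML_CALLBACK_URL uses plain http: the IdP posts the assertion to it in clear text');
      }
    }
  }

  // The HTTP-POST binding only works with request compression disabled.
  if (env.SHARELATEX_SAML_AUTHN_REQUEST_BINDING === 'HTTP-POST' &&
      !isTrue(env.SHARELATEX_SAML_SKIP_REQUEST_COMPRESSION)) {
    errors.push('SHARELATEX_SAML_AUTHN_REQUEST_BINDING=HTTP-POST requires SHARELATEX_SAML_SKIP_REQUEST_COMPRESSION=true');
  }

  const algorithm = env.SHARELATEX_SAML_SIGNATURE_ALGORITHM;
  if (algorithm !== undefined && !['sha1', 'sha256'].includes(algorithm)) {
    errors.push(`SHARELATEX_SAML_SIGNATURE_ALGORITHM must be sha1 or sha256, got ${algorithm}`);
  } else if (algorithm !== 'sha256') {
    warnings.push('request signing uses sha1 (the default); set SHARELATEX_SAML_SIGNATURE_ALGORITHM=sha256 if the IdP accepts it');
  }

  const skew = env.SHARELATEX_SAML_ACCEPTED_CLOCK_SKEW_MS;
  if (skew !== undefined) {
    if (!/^-?\d+$/.test(skew)) {
      errors.push('SHARELATEX_SAML_ACCEPTED_CLOCK_SKEW_MS must be an integer number of milliseconds');
    } else if (Number(skew) === -1) {
      warnings.push('SHARELATEX_SAML_ACCEPTED_CLOCK_SKEW_MS=-1 disables the NotBefore/NotOnOrAfter checks');
    }
  }

  for (const name of JSON_DICTS) {
    if (env[name] === undefined) continue;
    let parsed;
    try { parsed = JSON.parse(env[name]); } catch (e) { parsed = undefined; }
    if (parsed === null || typeof parsed !== 'object' || Array.isArray(parsed)) {
      errors.push(`${name} must be a JSON dictionary such as {"some_key": "some_value"}`);
    }
  }

  if (!env.SHARELATEX_SAML_CERT) {
    warnings.push('SHARELATEX_SAML_CERT is not set: no IdP certificate to verify response signatures against');
  }
  if (!isTrue(env.SHARELATEX_SAML_VALIDATE_IN_RESPONSE_TO)) {
    warnings.push('SHARELATEX_SAML_VALIDATE_IN_RESPONSE_TO is not true: responses are not tied to a request this server issued');
  }

  return { ok: errors.length === 0, errors, warnings };
}

// Constructed sample input: the Configuration Example from this page, with the
// HTTP-POST binding switched on but request compression left enabled.
const SAMPLE_ENV = {
  SHARELATEX_SAML_ENTRYPOINT: 'https://your-saml-server.net/simplesaml/saml2/idp/SSOService.php',
  SHARELATEX_SAML_CALLBACK_URL: 'http://your-sharelatex-server.net/saml/callback',
  SHARELATEX_SAML_ISSUER: 'sharelatex-saml',
  SHARELATEX_SAML_IDENTITY_SERVICE_NAME: 'SAML',
  SHARELATEX_SAML_AUTHN_REQUEST_BINDING: 'HTTP-POST',
};

console.log(JSON.stringify(checkSamlEnv(SAMPLE_ENV), null, 2));
```

On the constructed sample the script reports one error (the missing SHARELATEX_SAML_SKIP_REQUEST_COMPRESSION=true) and four warnings (plain http callback, sha1 signing, no IdP certificate, InResponseTo validation off); clearing all of them is the state a production deployment should reach before the login page is exposed.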

Configuration Example

SHARELATEX_SAML_ENTRYPOINT=https://your-saml-server.net/simplesaml/saml2/idp/SSOService.php
SHARELATEX_SAML_CALLBACK_URL=http://your-sharelatex-server.net/saml/callback
SHARELATEX_SAML_ISSUER=sharelatex-saml
SHARELATEX_SAML_IDENTITY_SERVICE_NAME=SAML

Metadata for the Identity Provider

The Identity Provider will need to be configured to recognize the ShareLaTeX server as a "Service Provider". Consult the documentation for your SAML server for instructions on how to do this.

Here is an example of appropriate Service Provider metadata. Set EntityDescriptor.entityID to the value of SHARELATEX_SAML_ISSUER, AssertionConsumerService.Location to the value of SHARELATEX_SAML_CALLBACK_URL, and EntityDescriptor.ID to any XML identifier. The IdP matches the Issuer and the assertion consumer URL in each AuthnRequest against these values, so they must agree exactly with the environment variables.

<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                  entityID="sharelatex-saml"
                  ID="sharelatex_saml">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <AssertionConsumerService index="1"
                              isDefault="true"
                              Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                              Location="http://sharelatex-host/saml/callback" />
  </SPSSODescriptor>
</EntityDescriptor>
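As an added example (not the project's own code), here is a Node.js function that renders this metadata from the same environment variables, so the entityID and Location handed to the IdP are exactly the strings ShareLaTeX uses for SHARELATEX_SAML_ISSUER and SHARELATEX_SAML_CALLBACK_URL. The SingleLogoutService element is emitted only when SHARELATEX_SAML_LOGOUT_CALLBACK_URL is set; its HTTP-POST binding, the function names buildSpMetadata and toXmlId, and the sample input (constructed from the Configuration Example) are assumptions of this example.

```javascript
// Added example, not part of ShareLaTeX or passport-saml: render Service
// Provider metadata from the SHARELATEX_SAML_* variables, so that what the IdP
// is configured with cannot drift from what ShareLaTeX sends.

const DEFAULT_NAMEID_FORMAT = 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress';
const POST_BINDING = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST';

// Escape attribute and text content so an issuer or URL containing '&', '<'
// or quotes cannot break the document or inject elements into it.
function escapeXml(value) {
  return String(value).replace(/[&<>"']/g, c => (
    { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&apos;' }[c]
  ));
}

// An XML ID must be an NCName. Derive one from the issuer the way the page
// example does ("sharelatex-saml" -> "sharelatex_saml"): replace anything that
// is not a letter, digit or '_' with '_', and prefix '_' if it starts badly.
function toXmlId(value) {
  let id = String(value).replace(/[^A-Za-z0-9_]/g, '_');
  if (!/^[A-Za-z_]/.test(id)) id = '_' + id;
  return id;
}

function buildSpMetadata(env) {
  const issuer = env.SHARELATEX_SAML_ISSUER;
  const acsLocation = env.SHARELATEX_SAML_CALLBACK_URL;
  if (!issuer || !acsLocation) {
    throw new Error('SHARELATEX_SAML_ISSUER and SHARELATEX_SAML_CALLBACK_URL are required');
  }
  const nameIdFormat = env.SHARELATEX_SAML_IDENTIFIER_FORMAT || DEFAULT_NAMEID_FORMAT;
  const sloLocation = env.SHARELATEX_SAML_LOGOUT_CALLBACK_URL;

  const lines = [
    '<?xml version="1.0"?>',
    '<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"',
    '                  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"',
    `                  entityID="${escapeXml(issuer)}"`,
    `                  ID="${escapeXml(toXmlId(issuer))}">`,
    '  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">',
  ];
  // Schema order inside SPSSODescriptor: SingleLogoutService, then
  // NameIDFormat, then AssertionConsumerService. The SLO binding used here is
  // an assumption of this example.
  if (sloLocation) {
    lines.push(`    <SingleLogoutService Binding="${POST_BINDING}"`);
    lines.push(`                         Location="${escapeXml(sloLocation)}" />`);
  }
  lines.push(
    `    <NameIDFormat>${escapeXml(nameIdFormat)}</NameIDFormat>`,
    '    <AssertionConsumerService index="1"',
    '                              isDefault="true"',
    `                              Binding="${POST_BINDING}"`,
    `                              Location="${escapeXml(acsLocation)}" />`,
    '  </SPSSODescriptor>',
    '</EntityDescriptor>',
  );
  return lines.join('\n') + '\n';
}

// Constructed sample input: the two values from this page's Configuration
// Example that the metadata depends on. Replace with process.env in practice.
const EXAMPLE_ENV = {
  SHARELATEX_SAML_ISSUER: 'sharelatex-saml',
  SHARELATEX_SAML_CALLBACK_URL: 'http://your-sharelatex-server.net/saml/callback',
};

process.stdout.write(buildSpMetadata(EXAMPLE_ENV));
```

Generate the file from the same environment the container is started with and upload that to the IdP; editing the XML by hand is how the entityID and the callback URL drift apart and the IdP starts rejecting requests.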