Requirements

To log in to Seafile with ADFS, the following components are needed:

1. A Windows server with ADFS installed. For installing ADFS and the related configuration, refer to this article.
2. A valid SSL certificate for the ADFS server. Here we use adfs-server.adfs.com as the example domain name.
3. A valid SSL certificate for the Seafile server. Here we use demo.seafile.com as the example domain name.

Prepare the certificate files

1. The x.509 certificate of the SP (Service Provider). It can be generated as follows:

```bash
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout sp.key -out sp.crt
```

The x.509 certificate is used to sign and encrypt elements such as the SAML NameID and the metadata. Then copy these two files to /seahub-data/certs. If the certificate directory does not exist, create it.

2. The x.509 certificate of the IdP (Identity Provider). Log in to the ADFS server and open ADFS Management. Double-click Service and select Certificates. Export the Token-Signing certificate: right-click the certificate and select View Certificate. Select the Details tab. Click Copy to File (choose DER encoded binary X.509). Convert this certificate to PEM format, rename it to idp.crt, and copy it to /seahub-data/certs.

Prepare the IdP metadata file

The SAML_CONFIG below reads the ADFS federation metadata from /seahub-data/certs/idp_federation_metadata.xml (see its metadata entry).

Install on the Seafile server

For Ubuntu 16.04:

```bash
sudo apt install libxmlsec1
sudo pip install cryptography djangosaml2
```

Configure Seafile

Add the following configuration to seahub_settings.py:

```python
from os import path
import saml2
import saml2.saml

CERTS_DIR = '/seahub-data/certs'
SP_SERVICE_URL = 'https://demo.seafile.com'
XMLSEC_BINARY = '/usr/local/bin/xmlsec1'
ATTRIBUTE_MAP_DIR = '/seafile-server-latest/seahub-extra/seahub_extra/adfs_auth/attribute-maps'
# keys are the attribute names as sent by the IdP, values are Seafile profile fields
SAML_ATTRIBUTE_MAPPING = {
    'DisplayName': ('display_name', ),
    'ContactEmail': ('contact_email', ),
    'Deparment': ('department', ),
    'Telephone': ('telephone', ),
}
ENABLE_ADFS_LOGIN = True
EXTRA_AUTHENTICATION_BACKENDS = (
    'seahub_extra.adfs_auth.backends.Saml2Backend',
)
SAML_USE_NAME_ID_AS_USERNAME = True
LOGIN_REDIRECT_URL = '/saml2/complete/'
SAML_CONFIG = {
    # full path to the xmlsec1 binary program (verify it with: which xmlsec1)
    'xmlsec_binary': XMLSEC_BINARY,
    'allow_unknown_attributes': True,
    # your entity id, usually your subdomain plus the url to the metadata view
    'entityid': SP_SERVICE_URL + '/saml2/metadata/',
    # directory with attribute mapping
    'attribute_map_dir': ATTRIBUTE_MAP_DIR,
    # this block states what services we provide
    'service': {
        # we are just a lonely SP
        'sp': {
            # needed for IdP-initiated sign-on (idpinitiatedsignon.aspx below)
            'allow_unsolicited': True,
            'name': 'Federated Seafile Service',
            'name_id_format': saml2.saml.NAMEID_FORMAT_EMAILADDRESS,
            'endpoints': {
                # url and binding to the assertion consumer service view
                # do not change the binding or service name
                'assertion_consumer_service': [
                    (SP_SERVICE_URL + '/saml2/acs/',
                     saml2.BINDING_HTTP_POST),
                ],
                # url and binding to the single logout service view
                # do not change the binding or service name
                'single_logout_service': [
                    (SP_SERVICE_URL + '/saml2/ls/',
                     saml2.BINDING_HTTP_REDIRECT),
                    (SP_SERVICE_URL + '/saml2/ls/post',
                     saml2.BINDING_HTTP_POST),
                ],
            },
            # attributes that this project needs to identify a user
            'required_attributes': ['uid'],
            # attributes that may be useful to have but not required
            'optional_attributes': ['eduPersonAffiliation', ],
            # in this section the list of IdPs we talk to is defined
            'idp': {
                # we do not need a WAYF service since there is
                # only an IdP defined here. This IdP should be
                # present in our metadata
                # the keys of this dictionary are entity ids
                'https://adfs-server.adfs.com/federationmetadata/2007-06/federationmetadata.xml': {
                    'single_sign_on_service': {
                        saml2.BINDING_HTTP_REDIRECT: 'https://adfs-server.adfs.com/adfs/ls/idpinitiatedsignon.aspx',
                    },
                    'single_logout_service': {
                        saml2.BINDING_HTTP_REDIRECT: 'https://adfs-server.adfs.com/adfs/ls/?wa=wsignout1.0',
                    },
                },
            },
        },
    },
    # where the remote metadata is stored
    'metadata': {
        'local': [path.join(CERTS_DIR, 'idp_federation_metadata.xml')],
    },
    # set to 1 to output debugging information (set to 0 once login works)
    'debug': 1,
    # Signing
    'key_file': '',
    'cert_file': path.join(CERTS_DIR, 'idp.crt'),  # from IdP (token-signing certificate)
    # Encryption
    'encryption_keypairs': [{
        'key_file': path.join(CERTS_DIR, 'sp.key'),  # private part
        'cert_file': path.join(CERTS_DIR, 'sp.crt'),  # public part
    }],
    'valid_for': 24,  # how long our metadata is valid (hours)
}
```

Configure the ADFS service

Add a Relying Party Trust

The Relying Party Trust is the connection between Seafile and ADFS.

1. Log in to the ADFS server and open the ADFS Management console.
2. Double-click Trust Relationships, then right-click Relying Party Trusts and select Add Relying Party Trust….
3. Select "Import data about the relying party published online or on a local network", enter https://demo.seafile.com/saml2/metadata/ in the Federation metadata address field, then click Next until Finish.

Add Relying Party Claim Rules

Relying Party Claim Rules are used for the communication between Seafile and the users in the Windows domain. Important: users in the Windows domain must have the E-mail value set.

1. Right-click the relying party trust and select Edit Claim Rules….
2. Under Issuance Transform Rules, click Add Rule…. Select Send LDAP Attributes as Claims as the claim rule template.
3. Give the claim a name, for example LDAP Attributes. Set Attribute Store to Active Directory, LDAP Attribute to E-Mail-Addresses and Outgoing Claim Type to E-mail Address. Click Finish.
4. Click Add Rule… again. Select Transform an Incoming Claim. Give it a name, for example Email to Name ID.
5. The incoming claim type should be E-mail Address (it must match the Outgoing Claim Type of rule #1). The outgoing claim type is Name ID (this is required by the name_id_format: saml2.saml.NAMEID_FORMAT_EMAILADDRESS setting in the Seafile configuration). The outgoing name ID format is Email.
6. Pass through all claim values and click Finish.

Test

After restarting the service, open a web browser and enter https://demo.seafile.com. There should be an ADFS button in the login dialog. Clicking it redirects to the ADFS server (adfs-server.adfs.com); if the username and password are correct, you are redirected to the Seafile home page.

For the desktop client, click "Shibboleth Login" in the "Add a new account" window, enter https://demo.seafile.com and click OK. A new window opens showing the login page of the ADFS service; if the username and password are correct, the window closes and the Seafile library panel is shown.
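Before restarting Seafile for the test above, it is worth checking that the IdP side of SAML_CONFIG is consistent: the entity id used as the key under service/sp/idp must equal the entityID in the federation metadata file, and idp.crt must be the same token-signing certificate the metadata advertises, otherwise assertion signatures from ADFS cannot be verified. The following checker is an added example and not part of Seafile or the manual; the metadata, certificate body and config it runs on are constructed placeholders (the certificate text is not a real X.509 certificate), and in practice you would pass the contents of idp_federation_metadata.xml, idp.crt and SAML_CONFIG from seahub_settings.py.

```python
import re
import xml.etree.ElementTree as ET

# SAML metadata and XML-DSig namespaces used by the ADFS federation metadata.
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def pem_body(pem):
    """Base64 payload of a PEM certificate, headers and whitespace removed."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    return re.sub(r"\s+", "", body)

def metadata_signing_certs(xml_text):
    """Return (entityID, [base64 signing certs]) from IdP federation metadata."""
    root = ET.fromstring(xml_text)
    certs = []
    for kd in root.findall(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):  # no 'use' means signing and encryption
            for c in kd.findall(".//ds:X509Certificate", NS):
                certs.append(re.sub(r"\s+", "", c.text or ""))
    return root.get("entityID"), certs

def check_idp_config(saml_config, metadata_xml, idp_pem):
    """List inconsistencies; an empty list means the IdP settings agree."""
    problems = []
    entity_id, certs = metadata_signing_certs(metadata_xml)
    if entity_id not in saml_config["service"]["sp"]["idp"]:
        problems.append("entityID %r is not a key of SAML_CONFIG['service']['sp']['idp']" % entity_id)
    if not certs:
        problems.append("metadata advertises no signing certificate")
    elif pem_body(idp_pem) not in certs:
        problems.append("idp.crt does not match the signing certificate in the metadata")
    return problems

# Constructed sample data: the certificate body is a placeholder, not a real X.509 cert.
SAMPLE_CERT_B64 = "MIICconstructedPlaceholderCertificateBody0123456789abcdefABCDEF"
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
 entityID="https://adfs-server.adfs.com/federationmetadata/2007-06/federationmetadata.xml">
 <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
   <X509Data><X509Certificate>%s</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
 </IDPSSODescriptor></EntityDescriptor>""" % SAMPLE_CERT_B64
SAMPLE_IDP_PEM = "-----BEGIN CERTIFICATE-----\n%s\n%s\n-----END CERTIFICATE-----\n" % (
    SAMPLE_CERT_B64[:32], SAMPLE_CERT_B64[32:])
SAMPLE_CONFIG = {"service": {"sp": {"idp": {
    "https://adfs-server.adfs.com/federationmetadata/2007-06/federationmetadata.xml": {}}}}}

if __name__ == "__main__":
    print(check_idp_config(SAMPLE_CONFIG, SAMPLE_METADATA, SAMPLE_IDP_PEM) or "IdP settings consistent")
```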