At line 2 added 4 lines |
\\ |
!__Prerequisits:__ on the Preferences panel [Misc page|Misc] need to set the __Remember invalid usernames__ parameter value to __0__ and clear the __HTTP Redirect Base__ field value. This is a __must__ with any plugin integration scenario. |
\\ |
\\ |
At line 4 changed one line |
This plugin is for advanced users in an organization using SAML. While this config is generic in its description for all SAML providers, see the Microsoft ADFS config example for specifics on it. *[SAMLSSO_ADFS]*\\ |
This plugin is for advanced users in an organization using SAML. While this config is generic (from [Okta]) in its description to all SAML providers, see the Microsoft ADFS config example for specifics on ADFS. *[SAMLSSO_ADFS]* Another example is *[SAMLSSO_AZURE]* config example.\\ |
''Okta calls their generic config 'SAML Service Provider'.''\\ |
!For a generic config, you can get these items from the 'config.xml' (Keycloak for example):\\ |
{{{ |
CrushFTP:Redirect URL = HTTP-POST URL |
CrushFTP:SAML Provider URL = EntityID |
CrushFTP:SAML Issuer = ClientID (or ApplicationID) |
CrushFTP:Signing certificate = X.509 Certificate |
}}} |
At line 18 added 2 lines |
For configuring through a DMZ, this requires Crush 8.3.0_8+ and for both the DMZ instance and internal instance to have identical configurations. If you are using the groups attribute in SAML to specify group memberships, add them into the LDAP roles area using the same group name SAML returns. Set the cache timeout to be "-1" and it will skip connecting to the LDAP configured server info. (Which is what you want if using SAML groups.) If you don't have LDAP and don't have groups being passed through, you can add the special group name "-ALL_ROLES-" and it will allow all logins from SAML.\\ |
\\ |
At line 41 added 17 lines |
\\ |
\\ |
---- |
''__PLEASE NOTE!!!__\\ |
\\ |
Java 16 and above require a JVM flag to allow XML signing. So if you utilize XML signing of your AuthN request and you are using newer Java versions (you should be regardless), then add this JVM flag to allow signing to operate:\\ |
{{{ |
--add-opens=java.xml.crypto/org.jcp.xml.dsig.internal.dom=ALL-UNNAMED |
}}} |
|
For Java 17....edit the security file here: CrushFTP10\Java\conf\security\ directory, remove the lines |
{{{ |
disallowAlg http://www.w3.org/2000/09/xmldsig#sha1, |
disallowAlg http://www.w3.org/2000/09/xmldsig#rsa-sha1, |
}}} |
'' |
__These flags are not needed to be set no more, if CrushFTP is running under Java 21+.__ |