paulmataruso/zulip
1
0
Fork 0
mirror of https://github.com/zulip/zulip.git synced 2025-11-03 13:33:24 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
0814fb88c191fa02fb63162d2b86f199680693b4
zulip/help/saml-authentication.md
Mateusz Mandera 94cc413016 docs: Renaming AzureAD to Entra ID, part two. 
This is a follow-up to #32693, which missed a bunch of places due to
varying ways of typing Azure AD. (Azure AD, Azure Active Directory etc.)

In the diff there's an apparent inconsistency with renaming, in some
places renaming to just "Microsoft Entra ID" and in others
"Microsoft Entra ID (AzureAD)".
The idea is to add (AzureAD) in ordinary documentation, as it can help
clarity since many people still think of this as AzureAD, while sticking
with brevity and cleanliness of just using the official name in
marketing focused material.
2024-12-15 08:22:30 -08:00

223 lines
7.6 KiB
Markdown
Raw Blame History

# SAML authentication
{!admin-only.md!}
Zulip supports using SAML authentication for single sign-on, both for Zulip
Cloud and self-hosted Zulip servers. SAML Single Logout is also supported.
This page describes how to configure SAML authentication with several common providers:
* Okta
* OneLogin
* Entra ID (AzureAD)
* Keycloak
* Auth0
Other SAML providers are supported as well.
If you are [self-hosting](/self-hosting/) Zulip, please follow the detailed setup instructions in
the [SAML configuration for self-hosting][saml-readthedocs]. The documentation
on this page may be a useful reference for how to set up specific SAML
providers.
{!cloud-plus-only.md!}
## Configure SAML
{start_tabs}
{tab|okta}
{!upgrade-to-plus-if-needed.md!}
1. Set up SAML authentication by following
[Okta's documentation](https://developer.okta.com/docs/guides/saml-application-setup/overview/).
Specify the following fields, skipping **Default RelayState** and **Name ID format**:
* **Single sign on URL**: `https://auth.zulipchat.com/complete/saml/`
* **Audience URI (SP Entity ID)**: `https://zulipchat.com`
* **Application username format**: `Email`
* **Attribute statements**:
* `email` to `user.email`
* `first_name` to `user.firstName`
* `last_name` to `user.lastName`
1. Assign the appropriate accounts in the **Assignments** tab. These are the users
that will be able to log in to your Zulip organization.
1. {!send-us-info.md!}
1. Your organization's URL
1. The **Identity Provider metadata** provided by Okta for the application.
To get the data, click the **View SAML setup instructions button** in
the right sidebar in the **Sign on** tab.
Copy the IdP metadata shown at the bottom of the page.
{!saml-login-button.md!}
{tab|onelogin}
{!upgrade-to-plus-if-needed.md!}
1. Navigate to the OneLogin **Applications** page, and click **Add App**.
1. Search for the **SAML Custom Connector (Advanced)** app and select it.
1. Set a name and logo and click **Save**. This doesn't affect anything in Zulip,
but will be shown on your OneLogin **Applications** page.
1. In the **Configuration** section, specify the following fields. Leave the
remaining fields as they are, including blank fields.
* **Audience**: `https://zulipchat.com`
* **Recipient**: `https://auth.zulipchat.com/complete/saml/`
* **ACS URL**: `https://auth.zulipchat.com/complete/saml/`
* **ACS URL Validator**: `https://auth.zulipchat.com/complete/saml/`
1. In the **Parameters** section, add the following custom parameters. Set the
**Include in SAML assertion** flag on each parameter.
| Field name | Value
|--- |---
| email | Email
| first_name | First Name
| last_name | Last Name
| username | Email
1. {!send-us-info.md!}
1. Your organization's URL
2. The **issuer URL** from the **SSO** section. It contains required **Identity Provider** metadata.
{!saml-login-button.md!}
{tab|azuread}
{!upgrade-to-plus-if-needed.md!}
1. From your Entra ID Dashboard, navigate to **Enterprise applications**,
click **New application**, followed by **Create your own application**.
1. Enter a name (e.g., `Zulip Cloud`) for the new Entra ID application,
choose **Integrate any other application you don't find in the
gallery (Non-gallery)**, and click **Create**.
1. From your new Entra ID application's **Overview** page that opens, go to
**Single sign-on**, and select **SAML**.
1. In the **Basic SAML Configuration** section, specify the following fields:
* **Identifier (Entity ID)**: `https://zulipchat.com`
* **Default**: *checked* (This is required for enabling IdP-initiated sign on.)
* **Reply URL (Assertion Consumer Service URL)**: `https://auth.zulipchat.com/complete/saml/`
1. If you want to set up IdP-initiated sign on, in the **Basic SAML
Configuration** section, also specify:
* **RelayState**: `{"subdomain": "<your organization's zulipchat.com subdomain>"}`
1. Check the **User Attributes & Claims** configuration, which should already be
set to the following. If the configuration is different, please
indicate this when contacting [support@zulip.com](mailto:support@zulip.com)
(see next step).
* **givenname**: `user.givenname`
* **surname**: `user.surname`
* **emailaddress**: `user.mail`
* **name**: `user.principalname`
* **Unique User Identifier**: `user.principalname`
1. {!send-us-info.md!}
1. Your organization's URL
1. From the **SAML Signing Certificate** section:
* **App Federation Metadata Url**
* Certificate downloaded from **Certificate (Base64)**
1. From the **Set up** section
* **Login URL**
* **Microsoft Entra Identifier**
{!saml-login-button.md!}
{tab|keycloak}
{!upgrade-to-plus-if-needed.md!}
1. Make sure your Keycloak server is up and running.
1. In Keycloak, register a new Client for your Zulip organization:
* **Client-ID**: `https://zulipchat.com`
* **Client Protocol**: `saml`
* **Client SAML Endpoint**: *(empty)*
1. In the **Settings** tab for your new Keycloak client, set the following properties:
* **Valid Redirect URIs**: `https://auth.zulipchat.com/*`
* **Base URL**: `https://auth.zulipchat.com/complete/saml/`
* **Client Signature Required**: `Disable`
1. In the **Mappers** tab for your new Keycloak client:
* Create a Mapper for the first name:
* **Property**: `firstName`
* **Friendly Name**: `first_name`
* **SAML Attribute Name**: `first_name`
* **SAML Attribute Name Format**: `Basic`
* Create a Mapper for the last name:
* **Property**: `lastName`
* **Friendly Name**: `last_name`
* **SAML Attribute Name**: `last_name`
* **SAML Attribute Name Format**: `Basic`
* Create a Mapper for the email address:
* **Property**: `email`
* **Friendly Name**: `email`
* **SAML Attribute Name**: `email`
* **SAML Attribute Name Format**: `Basic`
1. {!send-us-info.md!}
1. Your organization's URL
2. The URL of your Keycloak realm.
{!saml-login-button.md!}
!!! tip ""
Your Keycloak realm URL will look something like this: `https://keycloak.example.com/auth/realms/yourrealm`.
{tab|auth0}
{!upgrade-to-plus-if-needed.md!}
1. Set up SAML authentication by following [Auth0's documentation](https://auth0.com/docs/authenticate/protocols/saml/saml-sso-integrations/configure-auth0-saml-identity-provider#configure-saml-sso-in-auth0)
to create a new application. You don't need to save the certificates or other information detailed.
All you will need is the **SAML Metadata URL**.
1. In the **Addon: SAML2 Web App** **Settings** tab, set the **Application Callback URL** to
`https://auth.zulipchat.com/complete/saml/`.
1. Edit the **Settings** section to match:
```
{
"audience": "https://zulipchat.com",
"mappings": {
"email": "email",
"given_name": "first_name",
"family_name": "last_name"
},
"binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
}
```
1. {!send-us-info.md!}
1. Your organization's URL
2. The **SAML Metadata URL** value mentioned above. It contains required **Identity Provider** metadata.
{!saml-login-button.md!}
{end_tabs}
!!! tip ""
Once SAML has been configured, consider also [configuring SCIM](/help/scim).
## Related articles
* [SAML configuration for self-hosting][saml-readthedocs]
* [SCIM provisioning](/help/scim)
* [Moving to Zulip](/help/moving-to-zulip)
[saml-readthedocs]: https://zulip.readthedocs.io/en/stable/production/authentication-methods.html#saml
Reference in New Issue View Git Blame Copy Permalink