Hi guys,
I’m currently trying to set up a Seafile Server Pro with LDAP and SAML authentication.
For SAML I found the following docs:
- ADFS or SAML 2.0
- SAML 2.0 in version 10.0+
Unfortunately, I can’t provide links (not allowed in a blog post), but both of them are found under Config → Authentication & Users → Single Sign On. The first one looks a bit mixed up. Could someone tell me which one is the correct instruction to follow?
Also, I’m not quite sure how I should configure LDAP/SAML to get them both working with the UPN from Active Directory. So if someone could provide some valuable info about the SAML mapping, that would be great.
Thanks in advance!
Please check the following documents:
https://manual.seafile.com/latest/config/ldap_in_11.0_pro/
https://manual.seafile.com/latest/config/saml2_in_10.0/
Note: you should use the document for version 12.0. The version number is shown at the top of the document site.
Okay, I followed the instructions from these docs, but I’m encountering one issue when using SSO from an on-prem ADFS server: it doesn’t match the user synced from LDAP, and the newly created user got only that strange username “ab01834dfcbf439ab94251208296cf4d”.
Here is the config from seahub_settings.py:
```python
# LDAP: log in and identify users by the AD userPrincipalName
LDAP_PROVIDER = 'ldap'
LDAP_LOGIN_ATTR = 'userPrincipalName'
LDAP_CONTACT_EMAIL_ATTR = 'userPrincipalName'
LDAP_USER_FIRST_NAME_ATTR = 'givenName'
LDAP_USER_LAST_NAME_ATTR = 'sn'
ENABLE_LDAP_USER_SYNC = True
LDAP_SYNC_INTERVAL = 10
LDAP_USER_OBJECT_CLASS = 'person'
LDAP_DEPT_ATTR = 'department'
LDAP_UID_ATTR = 'userPrincipalName'
LDAP_AUTO_REACTIVATE_USERS = False
USE_LDAP_SYNC_ONLY = True
ACTIVATE_USER_WHEN_IMPORT = False
ACTIVATE_AFTER_FIRST_LOGIN = False
DEACTIVE_USER_IF_NOTFOUND = True

# SAML / ADFS: keys are the attribute names in the assertion,
# values are the Seafile user fields they populate
ENABLE_ADFS_LOGIN = True
LOGIN_REDIRECT_URL = '/saml2/complete/'
SAML_ATTRIBUTE_MAPPING = {
    'sn': ('user_last_name', ),
    'givenName': ('user_first_name', ),
    'userPrincipalName': ('uid', 'contact_email', ),
}
SAML_REMOTE_METADATA_URL = 'https://adfs.redacted.com/federationmetadata/2007-06/federationmetadata.xml'
```
What am I missing here?
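To make the mismatch concrete, here is an added example (not from this thread and not Seafile's own code) that models how a SAML attribute mapping like the one above decides whether an SSO login links to an LDAP-synced account. It is a simplified stand-in for the real login flow: the assertions are constructed and unsigned, the LDAP "sync result" is a hard-coded dict keyed by the UPN, and the `make_assertion`, `resolve_login` and `diagnose` helpers are hypothetical. The one real-world detail it uses is that ADFS by default issues claims under URI-style claim types (for example `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn`) rather than the raw AD attribute names; whether that is the cause in this particular setup is not something the thread establishes, so the script only shows what each case would do to the mapping.

```python
"""Model of SAML attribute mapping -> account linking. Constructed example, not Seafile code."""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Mapping as posted in this thread: SAML attribute name -> Seafile user fields.
SAML_ATTRIBUTE_MAPPING = {
    'sn': ('user_last_name', ),
    'givenName': ('user_first_name', ),
    'userPrincipalName': ('uid', 'contact_email', ),
}

# Constructed stand-in for the LDAP sync result: accounts keyed by the
# LDAP_UID_ATTR value (the UPN), lower-cased for comparison.
LDAP_SYNCED_USERS = {
    "jdoe@example.test": {"first": "Jane", "last": "Doe"},
}


def make_assertion(attributes):
    """Build a minimal, unsigned, constructed SAML assertion carrying `attributes`."""
    attr_xml = "".join(
        f'<saml:Attribute Name="{name}"><saml:AttributeValue>{value}'
        f'</saml:AttributeValue></saml:Attribute>'
        for name, value in attributes.items()
    )
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0">'
        '<saml:Issuer>http://adfs.example.test/adfs/services/trust</saml:Issuer>'
        f'<saml:AttributeStatement>{attr_xml}</saml:AttributeStatement>'
        '</saml:Assertion>'
    )


# Case 1: claims issued under the short attribute names the mapping expects.
ASSERTION_SHORT_NAMES = make_assertion({
    "givenName": "Jane", "sn": "Doe", "userPrincipalName": "jdoe@example.test",
})

# Case 2: same identity, but under ADFS's default URI-style claim types.
ASSERTION_URI_NAMES = make_assertion({
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname": "Jane",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname": "Doe",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn": "jdoe@example.test",
})

# Case 3: mapping works, but the UPN was never synced from LDAP.
ASSERTION_UNKNOWN_USER = make_assertion({
    "givenName": "New", "sn": "Hire", "userPrincipalName": "newhire@example.test",
})


def parse_attributes(assertion_xml):
    """Return {attribute name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
        attrs[attr.get("Name")] = values
    return attrs


def apply_mapping(attrs, mapping):
    """Translate received attributes into Seafile-style user fields via the mapping."""
    fields = {}
    for saml_name, seafile_fields in mapping.items():
        if attrs.get(saml_name):
            for field in seafile_fields:
                fields[field] = attrs[saml_name][0]
    return fields


def resolve_login(assertion_xml, mapping, ldap_users):
    """Decide what a login would do: link to a synced account, create a new one,
    or fail to identify the user because nothing mapped to 'uid'."""
    fields = apply_mapping(parse_attributes(assertion_xml), mapping)
    uid = fields.get("uid")
    if uid is None:
        return ("unmapped", None)
    if uid.lower() in ldap_users:
        return ("linked", uid.lower())
    return ("new_user", uid)


def diagnose(assertion_xml, mapping):
    """Mapping keys the IdP did not send, and attributes it sent that the mapping ignores."""
    received = set(parse_attributes(assertion_xml))
    expected = set(mapping)
    return {"missing": sorted(expected - received), "ignored": sorted(received - expected)}


if __name__ == "__main__":
    for label, xml in [("short names", ASSERTION_SHORT_NAMES),
                       ("URI claim types", ASSERTION_URI_NAMES),
                       ("unknown user", ASSERTION_UNKNOWN_USER)]:
        print(label, resolve_login(xml, SAML_ATTRIBUTE_MAPPING, LDAP_SYNCED_USERS))
        print("  ", diagnose(xml, SAML_ATTRIBUTE_MAPPING))
```

The practical takeaway is the `diagnose` output: comparing the attribute names actually present in the decoded assertion with the keys of the mapping tells you immediately whether the IdP is sending what the config expects, and whether the value that ends up in `uid` is byte-for-byte the same UPN that the LDAP sync stored.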
@daniel.pan could you please take a look at my config and check where’s the error?
I know these cryptic user IDs are a feature (https://manual.seafile.com/12.0/upgrade/upgrade_notes_for_11.0.x/#change-of-user-identity), but is there no way to map first name, last name and mail so they are displayed correctly? If not, how do you know with whom you share a folder or something?