5.7.221. Bugzilla::Extension::SAML2Auth

5.7.221.1. Name

Bugzilla::Extension::SAML2Auth - SAML2 authentication support for Bugzilla

5.7.221.2. Version

Version 0.01

5.7.221.3. Description

This module will allow you to set up your Bugzilla server as a Service Provider (SP) and configure multiple Identity Providers (IDPs) to authenticate against.

5.7.221.4. Configuration and Environment

To enable SAML2 authentication you will need to configure your Service Provider and select SAML2Auth in both user_info_class and user_verify_class on the user authentication panel in the parameters UI.

This module uses OpenSSL to validate certificates and XML signatures; you will save yourself a lot of pain if you ensure all CAs are imported into your system certificate chain. If you are using self-signed certificates then you should use one self-signed certificate as a CA, import that, and use it to sign certificates for your SP and IDPs.
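The single-CA setup described above, as an added example that is not part of the extension: one self-signed CA signs an SP certificate, and a check confirms the certificate chains to that CA and matches its private key (the same checks OpenSSL performs when the extension validates a certificate). Directory and host names are assumptions.

```shell
# Added example, not part of Bugzilla::Extension::SAML2Auth.
# Requires the openssl command-line tool; all file names are assumptions.
set -e

# make_ca DIR NAME: create the one self-signed CA the docs recommend
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=$2" -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# issue_cert DIR CA_NAME HOST: key + CSR for HOST, signed by the CA
issue_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null
  openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.crt" -CAkey "$1/$2.key" \
    -CAcreateserial -days 365 -out "$1/$3.crt" 2>/dev/null
}

# verify_chain CACERT CERT KEY: succeeds only if CERT chains to CACERT
# and KEY is the private key for CERT (compares the public keys)
verify_chain() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || return 1
  cert_pub=$(openssl x509 -in "$2" -noout -pubkey)
  key_pub=$(openssl pkey -in "$3" -pubout)
  [ "$cert_pub" = "$key_pub" ]
}
```

Run verify_chain against the cacert, cert and key paths you put in data/params.json before enabling SAML2Auth; a failure here means OpenSSL will reject the same files at runtime.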

Service Provider

To configure your Bugzilla instance as a Service Provider (SP) you will need paths to a valid key, a valid cert, and a cacert, in data/params.json.

The defaults for these fields are FHS Linux paths (https://en.wikipedia.org/wiki/Filesystem_Hierarchy_Standard); you may need to change them for other Linux distributions and other operating systems. You may also need to change them if you haven't imported your CA into your system's certificate chain. There are cross-platform instructions on doing this at http://kb.kerio.com/product/kerio-connect/server-configuration/ssl-certificates/adding-trusted-root-certificates-to-the-server-1605.html

The metadata URL for your SP will be $SITE_BASE_URL/saml2_metadata.cgi

Identity Providers

Identity Providers (IDPs) are configured on a new Administration page. You will need to be able to verify the IDPs' certificates; it is easiest to do this by importing the necessary CAs in the same way you did for your SP's certificates. The defaults are again based on FHS Linux paths. The full list of field descriptions is available in Bugzilla::Extension::SAML2Auth::IDP

If the IDP provides full and correct metadata you can add its URL on the IDP administration page and it will be fetched and stored in the database. Some IDPs do not provide full and correct metadata, and some do not provide a URL for their metadata. For these services you will need to add a record on the administration page and then import the metadata XML directly using the provided import-metadata.pl script.

5.7.221.5. Author

Jeff Fearn <jfearn@redhat.com>


This documentation undoubtedly has bugs; if you find some, please file them here.