saml: update doc for elabftw/elabftw#6217

doc/saml.rst

@@ -8,22 +8,17 @@ Configure SAML2 authentication
     :align: center
     :alt: authentication
 
-This page describes the steps necessary to setup SAML2 authentication on eLabFTW with an IDentity Provider (IDP). It assumes that you already know what we're talking about.
-
-The IDP can lookup identity on an LDAP directory and deal with two factors authentication.
+This page describes the steps necessary to setup SAML2 authentication on eLabFTW with an Identity Provider (IdP). It assumes that you already know what we're talking about.
 
 Setup the Service Provider
 ==========================
 
-The service provider is the elabftw install. Head to the Sysadmin panel, click the SAML tab.
+The Service Provider (SP) is your eLabFTW instance. Head to the Sysadmin panel, click the SAML tab.
 
-* Debug mode: Set to "No". We don't want to print errors
+* Debug mode: Set to "Yes". We want to print errors during the initial setup. Once everything is working, switch it back to "No"
 * Strict mode: Set to "Yes". Otherwise the mechanism is not secure
-* Base url: Where did you install elabftw? Example: https://elabftw.example.edu
-* entityId: The same as base URL
-* SAML protocol binding: basically it can be POST or HTTP-redirect. Depending on your IDP, set the correct value here
-* Single Logout Service: The same as entityId
-* Single Logout Service protocol binding: basically it can be POST or HTTP-redirect. Depending on your IDP, set the correct value here
+* Base url: This is the base URL of your SP, so the publicly accessible URL of your eLabFTW instance. Example: https://elabftw.example.edu
+* entityId: The same as base URL in most cases.
 * NameIDFormat: match the supported NameIDFormat of the IDP, eLabFTW doesn't use this but it needs to be specified most of the time. Example values:
 
   - urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress [default]
@@ -45,20 +40,46 @@ Use the content of `private.key` and `cert.crt`.
 
 Alternatively you can use `this site <https://developers.onelogin.com/saml/online-tools/x509-certs/obtain-self-signed-certs>`_ to generate a self-signed certificate.
 
-Setup the IDentity Provider
+Setup the Identity Provider
 ===========================
 
-* Name: Visible to the user logging in. Example: "Institut Curie"
-* entityId: Example: https://idp1.agroparistech.fr/shibboleth
-* SSO url: Single Sign On URL
-* SSO binding: Example: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
-* SLO url: Single Log Out URL
-* SLO binding: Example: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
-* x509 cert: the public key of the IDP
+Option A: using XML file (recommended)
+--------------------------------------
+
+It is recommended to use a Source XML file to ingest IdP information in eLabFTW. This way, information will be refreshed automatically and it's also much simpler to set up, as all metadata will be populated automagically.
+
+
+.. figure:: img/saml-idp-from-url.png
+    :align: center
+    :alt: saml xml url config
+
+    Use an URL pointing to XML metadata for IdPs
+
+
+Add the URL into the input field, click Save button, then click the Refresh button so the content is processed and IdPs are added into eLabFTW's database. They will be added as disabled, you can then select the ones you wish to enable.
+
+Example metadata URLs:
+^^^^^^^^^^^^^^^^^^^^^^
 
-The SLO URL that the IDP needs to know to redirect the user to would be `/app/logout.php`.
+Here are some IdP metadata listing URL that you might want to use in your institution:
 
-Attributes for the IDP
+* France: Renater's federation, use: `https://metadata.federation.renater.fr/renater/main/main-idps-renater-metadata.xml`.
+* Germany: DFN AAI federation: `https://www.aai.dfn.de/metadata/dfn-aai-idp-metadata.xml`
+* Portugal: RCTSaai exported to eduGAIN: `https://registry.rctsaai.pt/rr/signedmetadata/federation/edugain/metadata.xml`
+* Microsoft's Entra ID, the URL will look like: `https://login.microsoftonline.com/183ad437-6002-47ad-8886-c5185ce9be1a/federationmetadata/2007-06/federationmetadata.xml`
+* Italia: IDEM federation: `https://md.idem.garr.it/metadata/idem-metadata-sha256.xml`
+* Netherlands: SurfConext: `https://metadata.surfconext.nl/idps-metadata.xml`
+* Switzerland: SwithAAI: `https://metadata.aai.switch.ch/metadata.switchaai+idp.xml`
+* Sweden: SWAMID: `https://mds.swamid.se/md/swamid-idp.xml`
+
+Option B: add IdP manually
+--------------------------
+
+Click "Add new IDP" button, give it a name and entityId, and configure the attributes.
+
+Then, from the IdPs list, add certificate(s) and endpoint(s).
+
+Attributes for the IdP
 ----------------------
 We need to specify where to look in the attributes sent in the response for email, team and name of the user. You can use the FriendlyName or the Name from the table below. Note that this will depend on your IDP and using the SAML Tracer plugin (see below) to see the response will be helpful in determining what fields you want to use.
 
@@ -111,31 +132,21 @@ How does it work?
 
 When a user successfully logins to the IDP, the email address is looked up. If it doesn't exist, the user is created. If the team doesn't exist either, it is created on the fly. You can configure this behavior from the Sysconfig panel.
 
-Federation and metadata synchronization
-=======================================
-
-The application allows you to fetch a list of IDPs from an URL pointing to XML content.
-
-.. figure:: img/sysconfig-saml-idps-xml.png
-   :align: center
-   :alt: Adding IDPs via URL
-
-   Example of adding IDPs via URL
-
-After adding the URL, click the "Refresh" button so the application can synchronize the local list of IDPs with the XML content. The "Auto-refresh" toggle will trigger this synchronization every day (**WARNING**: this means that any manual change you make to the IDP will get overwritten!).
 
 Renewing certificates
 =====================
 
-IDP is changing certs
+IdP is changing certs
 ---------------------
 
-Go to the Sysconfig panel, edit the corresponding IDP and add the new certificate into the "x509 Certificate" field. Add the old one into "x509 Certificate (additional for rollover)" so the transition is smooth.
+If the IdP has a Source URL, meaning it was added from an XML file, then the renewal should happen smoothly, especially if the IdP starts advertising the new certificate before using it at least 24 hours before the change.
+
+Otherwise, you can add the new cert manually by editing the corresponding IDP. You can choose to keep the old cert around if it's still in use, or delete it if you know it's not used anymore.
 
 SP is changing certs
 --------------------
 
-From the SAML tab of the Sysconfig panel, in the "Service provider" section, change "x509 Certificate in PEM format" and "x509 Certificate private key". Note from the developers: we never used the rollover thingy and have no idea if it even works.
+From the SAML tab of the Sysconfig panel, in the "Service provider" section, change "x509 Certificate in PEM format" and "x509 Certificate private key". Make sure your IdPs are aware of the change. If the IdPs are consuming the SP metadata, add the new cert in the specific rollover section so they have a chance to update their metadata. Then set it in the main x509 section along with the corresponding private key to start using it.
 
 Debugging
 =========