SAML authentication with Azure AD accounts is known to work. Getting SAML configured takes four phases, which we will call:

Note: Azure AD is part of the Microsoft Cloud offerings; you will most likely need either a Microsoft Cloud license or an Office 365 license associated with your domain. If you managed to set it up using a free offering, please let us know so we can add it to the documentation.
Follow the steps in the Microsoft documentation to set up an enterprise application using the SAML toolkit. The same documentation is available in other languages on the Microsoft Documentation site.
Edit the Basic SAML Configuration at the top and add the required URLs:
| Setting | Value |
|---|---|
| Identifier (Entity ID) | https://timetracking.example.com/auth/saml/metadata |
| Reply URL (Assertion Consumer Service URL) | https://timetracking.example.com/auth/saml/acs |
| Sign on URL | https://timetracking.example.com/ |
| Logout Url | https://timetracking.example.com/auth/saml/logout |
Kimai reads application configuration changes from a local.yaml file. This file is not shipped with Kimai; you have to create it yourself under /config/packages/local.yaml.
Configuration Example:

```yaml
security:
    firewalls:
        secured_area:
            kimai_saml: ~

kimai:
    saml:
        activate: true
        title: Azure AD SAML
        mapping:
            - { saml: $http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name, kimai: username }
            - { saml: $http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress, kimai: email }
            - { saml: $http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname $http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname, kimai: alias }
        roles:
            attribute: Roles
            mapping:
                - { saml: Admins, kimai: ROLE_ADMIN }
                - { saml: Management, kimai: ROLE_TEAMLEAD }
        connection:
            idp:
                entityId: 'https://sts.windows.net/****-****-***/'
                singleSignOnService:
                    url: 'https://login.microsoftonline.com/****-****-***/saml2'
                    binding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'
                singleLogoutService:
                    url: 'https://login.microsoftonline.com/****-****-***/saml2'
                    binding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'
                x509cert: 'M***********Y'
            sp:
                entityId: 'https://timetracking.example.com/auth/saml/metadata'
                assertionConsumerService:
                    url: 'https://timetracking.example.com/auth/saml/acs'
                    binding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'
                singleLogoutService:
                    url: 'https://timetracking.example.com/auth/saml/logout'
                    binding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'
            #baseurl: 'https://timetracking.example.com/auth/saml/'
            strict: true
            debug: true
            security:
                nameIdEncrypted: false
                authnRequestsSigned: false
                logoutRequestSigned: false
                logoutResponseSigned: false
                wantMessagesSigned: false
                wantAssertionsSigned: false
                wantNameIdEncrypted: false
                requestedAuthnContext: true
                signMetadata: false
                wantXMLValidation: true
                signatureAlgorithm: 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'
                digestAlgorithm: 'http://www.w3.org/2001/04/xmlenc#sha256'
            contactPerson:
                technical:
                    givenName: 'Kimai Admin'
                    emailAddress: 'kimai-tech@example.com'
                support:
                    givenName: 'Kimai Support'
                    emailAddress: 'kimai-support@example.com'
            organization:
                en:
                    name: 'Kimai'
                    displayname: 'Kimai'
                    url: 'https://www.kimai.org'
```
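To make the `mapping` and `roles` sections of the configuration above concrete, here is an added Python model of how the `$`-prefixed attribute references and the role mapping resolve against the claims Azure AD sends. It is not Kimai's code: the claim values are constructed, and the exact expansion rules of a `saml:` expression and the `ROLE_USER` baseline are assumptions.

```python
from typing import Dict, List

# Constructed claims, shaped like what php-saml exposes from an Azure AD assertion.
AZURE_ATTRIBUTES: Dict[str, List[str]] = {
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name": ["jane.doe@example.com"],
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": ["jane.doe@example.com"],
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname": ["Jane"],
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname": ["Doe"],
    "Roles": ["Management", "Contractors"],  # "Contractors" has no Kimai mapping
}

# The mapping blocks from local.yaml above, as Python literals.
USER_MAPPING = [
    {"saml": "$http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", "kimai": "username"},
    {"saml": "$http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "kimai": "email"},
    {"saml": "$http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname "
             "$http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname", "kimai": "alias"},
]
ROLE_ATTRIBUTE = "Roles"
ROLE_MAPPING = [{"saml": "Admins", "kimai": "ROLE_ADMIN"}, {"saml": "Management", "kimai": "ROLE_TEAMLEAD"}]

def resolve(expression: str, attributes: Dict[str, List[str]]) -> str:
    """Assumed semantics of a 'saml' expression: each whitespace-separated token that
    starts with '$' is replaced by the first value of that attribute, other tokens are
    literals, and the pieces are joined with spaces (this is how alias gets both names)."""
    parts = []
    for token in expression.split():
        if not token.startswith("$"):
            parts.append(token)
            continue
        name = token[1:]
        if not attributes.get(name):
            raise KeyError(f"assertion carries no attribute {name!r}")
        parts.append(attributes[name][0])
    return " ".join(parts)

def missing_attributes(attributes: Dict[str, List[str]]) -> List[str]:
    """Referenced attribute names absent from the assertion: check this first when a login fails."""
    referenced = [t[1:] for m in USER_MAPPING for t in m["saml"].split() if t.startswith("$")]
    return [name for name in referenced if not attributes.get(name)]

def map_user(attributes: Dict[str, List[str]]) -> Dict[str, str]:
    return {m["kimai"]: resolve(m["saml"], attributes) for m in USER_MAPPING}

def map_roles(attributes: Dict[str, List[str]]) -> List[str]:
    """Only groups with an explicit mapping grant a role; anything else Azure sends is ignored."""
    lookup = {m["saml"]: m["kimai"] for m in ROLE_MAPPING}
    mapped = {lookup[g] for g in attributes.get(ROLE_ATTRIBUTE, []) if g in lookup}
    return ["ROLE_USER"] + sorted(mapped)  # ROLE_USER as baseline role is an assumption
```

If a claim referenced in `mapping` is not released by the enterprise application, `missing_attributes` names it, which is the usual reason a first Azure login fails after the URLs are correct.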
```yaml
title: ExampleSAML
idp:
    entityId: 'https://sts.windows.net/****-****-***/' # Azure AD Identifier
    singleSignOnService:
        url: 'https://login.microsoftonline.com/****-****-***/saml2' # Login URL
        binding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'
    singleLogoutService:
        url: 'https://login.microsoftonline.com/****-****-***/saml2' # Logout URL
        binding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'
    x509cert: 'REALLY LONG SET OF CHARACTERS'
sp:
    entityId: 'https://timetracking.example.com/auth/saml/metadata'
    assertionConsumerService:
        url: 'https://timetracking.example.com/auth/saml/acs'
        binding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'
    singleLogoutService:
        url: 'https://timetracking.example.com/auth/saml/logout'
        binding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'
```
You should now be able to test the login by visiting https://timetracking.example.com/ and clicking on the title of the SAML method you defined earlier.