Friendly fork of SSOwat from the YunoHost project on GitHub.
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Y bdaaf0270d global and specific ACL (forgot doc and example…) 5 years ago
debian Update changelog for 2.7.2 release 5 years ago
portal [i18n] Translated using Weblate (Esperanto) 5 years ago
.gitignore Add .gitignore 9 years ago
CONTRIBUTORS.md [fix] sidddy takes 3 d 5 years ago
LICENSE Add AGPL license 7 years ago
README.md global and specific ACL (forgot doc and example…) 5 years ago
access.lua No absolute paths in the LUA files 5 years ago
conf.json.example global and specific ACL (forgot doc and example…) 5 years ago
config.lua Limited support for app-logout on SSO-logout 5 years ago
headers.lua Limited support for app-logout on SSO-logout 5 years ago
helpers.lua global and specific ACL 5 years ago
hige.lua Strange Rpi bugfix 9 years ago
init.lua [fix] uses a cryptographically secure source of randomness 5 years ago

README.md

SSOwat

A simple LDAP SSO for nginx, written in Lua

Translation status

Issues

Requirements

  • Nginx-extras from Debian wheezy-backports
  • lua-json
  • lua-ldap

OR

Installation

  • Fetch the repository
git clone https://github.com/Kloadut/SSOwat /etc/ssowat

Nginx configuration

  • Add SSOwat's Nginx configuration (http{} scope)
nano /etc/nginx/conf.d/ssowat.conf

lua_shared_dict cache 10m;
init_by_lua_file   /etc/ssowat/init.lua;
access_by_lua_file /etc/ssowat/access.lua;

You can also put the access_by_lua_file directive in a server{} scope if you want to protect only a vhost.

SSOwat configuration

mv /etc/ssowat/conf.json.example /etc/ssowat/conf.json
nano /etc/ssowat/conf.json

If you use YunoHost, you may want to edit the /etc/ssowat/conf.json.persistent file, since the /etc/ssowat/conf.json will often be overwritten.

Available parameters

These are the SSOwat's configuration parameters. Only portal_domain is required, but it is recommended to know the others to fully understand what you can do with SSOwat.

portal_domain

Domain of the authentication portal. It has to be a domain, IP addresses will not work with SSOwat (Required)

portal_path

URI of the authentication portal (default: /ssowat/). This path must end with “/”.

portal_port

Web port of the authentication portal (default: 443 for https, 80 for http)

portal_scheme

Whether authentication should use secure connection or not (default: https)

domains

List of handled domains (default: similar to portal_domain)

ldap_host

LDAP server hostname (default: localhost)

ldap_group

LDAP group to search in (default: ou=users,dc=yunohost,dc=org)

ldap_identifier

LDAP user identifier (default: uid)

ldap_attributes

User's attributes to fetch from LDAP (default: ["uid", "givenname", "sn", "cn", "homedirectory", "mail", "maildrop"])

ldap_enforce_crypt

Let SSOwat re-encrypt weakly-encrypted LDAP passwords into the safer sha-512 (crypt) (default: true)

allow_mail_authentication

Whether users can authenticate with their mail address (default: true)

login_arg

URI argument to use for cross-domain authentication (default: sso_login)

additional_headers

Array of additionnal HTTP headers to set once user is authenticated (default: { "Remote-User": "uid" })

session_timeout

The session expiracy time limit in seconds, since the last connection (default: 86400 / one day)

session_max_timeout

The session expiracy time limit in seconds (default: 604800 / one week)

protected_urls

List of priorily protected URLs and/or URIs (by default, every URL is protected)

protected_regex

List of regular expressions to be matched against URLs and URIs to protect them

skipped_urls

List of URLs and/or URIs that will not be affected by SSOwat. This must be a JSON array, and SSOwat automatically adds itself to this array.

skipped_regex

List of regular expressions to be matched against URLs and URIs to ignore them

unprotected_urls

List of URLs and/or URIs that will not be affected by SSOwat unless user is authenticated

unprotected_regex

List of regular expressions to be matched against URLs and URIs to ignore them unless user is authenticated

redirected_urls

Array of URLs and/or URIs to redirect and their redirect URI/URL (example: { "/": "example.org/subpath" })

redirected_regex

Array of regular expressions to be matched against URLS and URIs and their redirect URI/URL (example: { "example.org/megusta$": "example.org/subpath" })

users

3-level array containing usernames and their ACL (allow/deny), each consisting of allowed URLs along with an App name; fake user “*” is for global ACL (example: { "*": { "allow": { "kload.fr/blog": "Blog" } }, "kload": { "allow": { "kload.fr/admin/": "Admin" } }, "visitor": { "deny": { "kload.fr/blog": "no access" } } })

logout

Associative array; when logging out of SSOwat, any existing cookie that is found as a key of this array triggers the associated logout URL. This only works on http[s]://[*.]portal_domain/, though. (example: { "dcxd": "https://example.org/dotclear/admin/index.php?logout=1" })

default_language

Language code used by default in views (default: en)