SSOwat
======
A simple LDAP SSO for nginx, written in Lua

<a href="https://translate.yunohost.org/engage/yunohost/?utm_source=widget">
<img src="https://translate.yunohost.org/widgets/yunohost/-/287x66-white.png" alt="Translation status" />
</a>

Issues
------

- [Please report issues on the YunoHost bugtracker](https://dev.yunohost.org/projects/yunohost/issues) (no registration needed).

Requirements
------------

- Nginx-extras from Debian wheezy-backports
- lua-json
- lua-ldap

**OR**

- OpenResty-flavoured Nginx: http://openresty.org/
- lua-ldap
Installation
------------

* Fetch the repository

```bash
git clone https://github.com/Kloadut/SSOwat /etc/ssowat
```

Nginx configuration
-------------------

* Add SSOwat's Nginx configuration (`http{}` scope)

```bash
nano /etc/nginx/conf.d/ssowat.conf
```

```nginx
lua_shared_dict cache 10m;
init_by_lua_file /etc/ssowat/init.lua;
access_by_lua_file /etc/ssowat/access.lua;
```

You can also put the `access_by_lua_file` directive in a `server{}` scope if you want to protect only one vhost.
SSOwat configuration
--------------------

```bash
mv /etc/ssowat/conf.json.example /etc/ssowat/conf.json
nano /etc/ssowat/conf.json
```

If you use YunoHost, you may want to edit the `/etc/ssowat/conf.json.persistent` file instead, since `/etc/ssowat/conf.json` will often be overwritten.

## Available parameters

These are SSOwat's configuration parameters. Only `portal_domain` is required, but knowing the others helps to fully understand what you can do with SSOwat.
#### portal_domain
Domain of the authentication portal. It has to be a domain name; IP addresses will not work with SSOwat (**Required**)
#### portal_path
URI of the authentication portal (**default**: `/ssowat/`). This path **must** end with “`/`”.
#### portal_port
Web port of the authentication portal (**default**: `443` for `https`, `80` for `http`)
#### portal_scheme
Whether the authentication portal is reached over a secure connection (`https`) or not (**default**: `https`)
#### domains
List of handled domains (**default**: the value of `portal_domain`)
#### ldap_host
LDAP server hostname (**default**: `localhost`)
#### ldap_group
LDAP group to search in (**default**: `ou=users,dc=yunohost,dc=org`)
#### ldap_identifier
LDAP user identifier (**default**: `uid`)
#### ldap_attributes
User's attributes to fetch from LDAP (**default**: `["uid", "givenname", "sn", "cn", "homedirectory", "mail", "maildrop"]`)
#### ldap_enforce_crypt
Let SSOwat re-hash weakly hashed LDAP passwords into the stronger SHA-512 crypt scheme (**default**: `true`)
#### allow_mail_authentication
Whether users can authenticate with their mail address (**default**: `true`)
#### login_arg
URI argument to use for cross-domain authentication (**default**: `sso_login`)
#### additional_headers
Array of additional HTTP headers to set once the user is authenticated (**default**: `{ "Remote-User": "uid" }`)
#### session_timeout
The session expiry time limit in seconds, counted since the user's last connection (**default**: `86400` / one day)
#### session_max_timeout
The maximum session lifetime in seconds (**default**: `604800` / one week)
#### protected_urls
List of URLs and/or URIs to protect with priority over the other URL lists (**by default, every URL is protected**)
#### protected_regex
List of regular expressions to be matched against URLs **and** URIs to protect them
#### skipped_urls
List of URLs and/or URIs that will not be affected by SSOwat. This must be a JSON array, and SSOwat automatically adds itself to this array.
#### skipped_regex
List of regular expressions to be matched against URLs **and** URIs to ignore them
#### unprotected_urls
List of URLs and/or URIs that will not be affected by SSOwat **unless user is authenticated**
#### unprotected_regex
List of regular expressions to be matched against URLs **and** URIs to ignore them **unless user is authenticated**
#### redirected_urls
Array of URLs and/or URIs to redirect and their redirect URI/URL (**example**: `{ "/": "example.org/subpath" }`)
#### redirected_regex
Array of regular expressions to be matched against URLs **and** URIs and their redirect URI/URL (**example**: `{ "example.org/megusta$": "example.org/subpath" }`)
#### users
Three-level array: usernames map to their ACL (`allow`/`deny`), and each ACL maps the allowed or denied URLs to an app name; the fake user `*` holds the global ACL (**example**: `{ "*": { "allow": { "kload.fr/blog": "Blog" } }, "kload": { "allow": { "kload.fr/admin/": "Admin" } }, "visitor": { "deny": { "kload.fr/blog": "no access" } } }`)
#### logout
Associative array; when logging out of SSOwat, any existing cookie that is found as a key of this array triggers the associated logout URL. This only works on `http[s]://[*.]portal_domain/`, though. (**example**: `{ "dcxd": "https://example.org/dotclear/admin/index.php?logout=1" }`)
#### default_language
Language code used by default in views (**default**: `en`)
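To show how these parameters fit together, here is an added example that is not part of SSOwat: a constructed `conf.json` together with a small Python linter that checks it against the constraints documented above (a required `portal_domain` that is a domain rather than an IP address, a `portal_path` ending in `/`, `skipped_urls` and the other list parameters being JSON arrays, the three-level `users` structure). The domains, usernames and paths are invented, and the check that `session_timeout` does not exceed `session_max_timeout` is my own assumption, not a documented rule.

```python
"""Lint an SSOwat conf.json against the rules documented in the README.

Added example, not SSOwat's own code. SAMPLE_CONF is constructed for
illustration: every domain, user and path in it is invented.
"""
import ipaddress
import json

# Parameters the README says are lists (skipped_urls "must be a JSON array").
LIST_KEYS = ("domains", "ldap_attributes", "protected_urls", "protected_regex",
             "skipped_urls", "skipped_regex", "unprotected_urls", "unprotected_regex")
# Parameters the README shows as associative arrays (key -> string value).
MAP_KEYS = ("additional_headers", "redirected_urls", "redirected_regex", "logout")

SAMPLE_CONF = r"""
{
  "portal_domain": "sso.example.org",
  "portal_path": "/ssowat/",
  "portal_scheme": "https",
  "domains": ["sso.example.org", "blog.example.org"],
  "ldap_group": "ou=users,dc=yunohost,dc=org",
  "ldap_identifier": "uid",
  "ldap_enforce_crypt": true,
  "session_timeout": 86400,
  "session_max_timeout": 604800,
  "additional_headers": { "Remote-User": "uid" },
  "skipped_urls": ["blog.example.org/public/"],
  "protected_urls": ["blog.example.org/admin/"],
  "unprotected_regex": ["^blog\\.example\\.org/static/.*$"],
  "redirected_urls": { "/": "blog.example.org/" },
  "users": {
    "*":     { "allow": { "blog.example.org/": "Blog" } },
    "alice": { "allow": { "blog.example.org/admin/": "Admin" } },
    "bob":   { "deny":  { "blog.example.org/admin/": "no access" } }
  }
}
"""


def _is_ip(value):
    """True when value parses as an IPv4/IPv6 address (not allowed for portal_domain)."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def _is_str_map(value):
    return isinstance(value, dict) and all(isinstance(v, str) for v in value.values())


def lint_conf(text):
    """Return a list of findings for a conf.json text; empty means it passes."""
    findings = []
    try:
        conf = json.loads(text)
    except ValueError as exc:
        return ["conf.json is not valid JSON: %s" % exc]
    if not isinstance(conf, dict):
        return ["conf.json must be a JSON object"]

    domain = conf.get("portal_domain")
    if not isinstance(domain, str) or not domain:
        findings.append("portal_domain is required and must be a domain name")
    elif _is_ip(domain):
        findings.append("portal_domain is an IP address; SSOwat needs a domain")

    path = conf.get("portal_path", "/ssowat/")
    if not isinstance(path, str) or not path.endswith("/"):
        findings.append("portal_path must end with '/'")

    if conf.get("portal_scheme", "https") not in ("http", "https"):
        findings.append("portal_scheme must be 'http' or 'https'")

    port = conf.get("portal_port")
    if port is not None and not (isinstance(port, int) and 0 < port < 65536):
        findings.append("portal_port must be an integer between 1 and 65535")

    for key in LIST_KEYS:
        value = conf.get(key)
        if value is not None and not (isinstance(value, list)
                                      and all(isinstance(v, str) for v in value)):
            findings.append("%s must be a JSON array of strings" % key)

    for key in MAP_KEYS:
        if key in conf and not _is_str_map(conf[key]):
            findings.append("%s must be a JSON object mapping strings to strings" % key)

    for key in ("session_timeout", "session_max_timeout"):
        value = conf.get(key)
        if value is not None and (isinstance(value, bool)
                                  or not isinstance(value, int) or value <= 0):
            findings.append("%s must be a positive integer number of seconds" % key)
    # Assumed sanity rule (not from the README): the idle timeout is pointless
    # if it is longer than the absolute session lifetime.
    if (isinstance(conf.get("session_timeout"), int)
            and isinstance(conf.get("session_max_timeout"), int)
            and conf["session_timeout"] > conf["session_max_timeout"]):
        findings.append("session_timeout is larger than session_max_timeout")

    users = conf.get("users", {})
    if not isinstance(users, dict):
        findings.append("users must be a JSON object keyed by username")
    else:
        for name, acl in users.items():
            if not isinstance(acl, dict) or not set(acl) <= {"allow", "deny"}:
                findings.append("users[%r] must contain only 'allow' and/or 'deny'" % name)
                continue
            for verdict, urls in acl.items():
                if not _is_str_map(urls):
                    findings.append("users[%r][%r] must map URLs to app names" % (name, verdict))
    return findings


if __name__ == "__main__":
    print(lint_conf(SAMPLE_CONF) or "sample conf.json passes")
```

Run it before reloading nginx; a non-empty list of findings is a configuration that SSOwat would either reject or silently misinterpret (for example a `skipped_urls` string instead of an array).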