YunoHost/SSOwat
1
0
Fork 0
mirror of https://github.com/YunoHost/SSOwat.git synced 2025-10-28 09:07:59 +01:00
Code Issues Projects Releases Packages Wiki Activity
A simple SSO for NGINX, written in Lua
1005 commits 10 branches 119 tags 3.8 MiB
Find a file
Exact
Alexandre Aubin a59b558bbb Upate changelog for 12.1.1
2025-08-22 00:52:56 +02:00
debian Upate changelog for 12.1.1 2025-08-22 00:52:56 +02:00
maintenance Add maintenance scripts to v12 2024-10-30 22:42:34 +01:00
vendor/luajwtjitsi Epic refactoring for new portal API etc 2021-12-26 17:01:56 +01:00
access.lua Also check for header with ynh- 2025-08-21 23:40:19 +02:00
conf.json.example Remove unused 'redirected_regex' mechanism, + we don't need the label and show_tile property on acls 2023-10-07 17:49:49 +02:00
config.lua Uuuuh how was it even supposed to work eh 2023-11-28 19:14:19 +01:00
init.lua add the possibility to change the logging level 2024-03-29 17:01:06 +01:00
LICENSE Add AGPL license 2015-07-15 15:29:45 +02:00
README.md Update README.md: there's no translation needed for SSOwat anymore, cf yunohost-portal now 2024-11-16 17:54:00 +01:00

README.md

SSOwat

A simple LDAP SSO for NGINX, written in Lua.

Installation

  • Fetch the repository
git clone https://github.com/YunoHost/SSOwat /etc/ssowat

NGINX configuration

  • Add SSOwat's NGINX configuration (http{} scope)
nano /etc/nginx/conf.d/ssowat.conf


lua_shared_dict cache 10m;
init_by_lua_file   /etc/ssowat/init.lua;
access_by_lua_file /etc/ssowat/access.lua;

You can also put the access_by_lua_file directive in a server{} scope if you want to protect only a vhost.

SSOwat configuration

mv /etc/ssowat/conf.json.example /etc/ssowat/conf.json
nano /etc/ssowat/conf.json

If you use YunoHost, you may want to edit the /etc/ssowat/conf.json.persistent file, since the /etc/ssowat/conf.json will often be overwritten.

Available parameters

Only the portal_domain SSOwat configuration parameters is required, but it is recommended to know the others to fully understand what you can do with it.

  • cookie_secret_file: Where the secret used for signing and encrypting cookie is stored. It should only be readable by root.
  • cookie_name: The name of the cookie used for authentication. Its content is expected to be a JWT signed with the cookie secret and should contain a key user and password (which is needed for Basic HTTP Auth). Because JWT is only encoded and signed (not encrypted), the password is expected to be encrypted using the cookie secret.
  • session_folder: A path to a folder where files exists for any valid valid session id. SSOwat will check for the last modification date to confirm that the session is not expired.
  • domain_portal_urls: Location of the portal to use for login and browsing apps, to redirect to when access to some route is denied
  • redirected_urls: Array of URLs and/or URIs to redirect and their redirect URI/URL (example: { "/": "example.org/subpath" }).

permissions

The list of permissions depicted as follows:

"myapp.main": {
    "auth_header": true,
    "label": "MyApp",
    "public": true,
    "show_tile": true,
    "uris": [
        "example.tld/myapp"
    ],
    "users": [
        "JaneDoe",
        "JohnDoe"
    ]
},
"myapp.admin": {
    "auth_header": true,
    "label": "MyApp (admin)",
    "public": false,
    "show_tile": false,
    "uris": [
        "example.tld/myapp/admin"
    ],
    "users": [
        "JaneDoe"
    ]
},
"myapp.api": {
    "auth_header": false,
    "label": "MyApp (api)",
    "public": true,
    "show_tile": false,
    "uris": [
        "re:domain%.tld/%.well%-known/.*"
    ],
    "users": []
}

auth_header

Does the SSO add an authentication header that allows certain apps to connect automatically? (True by default)

public

Can a person who is not connected to the SSO have access to this authorization?

uris

A list of url attatched to this permission, a regex url start with re:.

users

A list of users which is allowed to access to this permission. If public.