SSOwat/README.md

SSOwat
======

A simple LDAP SSO for NGINX, written in Lua.

<a href="https://translate.yunohost.org/engage/yunohost/?utm_source=widget">
<img src="https://translate.yunohost.org/widgets/yunohost/-/287x66-white.png" alt="Translation status" />
</a>

- [Please report issues to the YunoHost bugtracker](https://github.com/YunoHost/issues).

Installation
------------

* Fetch the repository

```bash
git clone https://github.com/YunoHost/SSOwat /etc/ssowat
```


NGINX configuration
-------------------

* Add SSOwat's NGINX configuration (`http{}` scope)

```bash
nano /etc/nginx/conf.d/ssowat.conf
```

```nginx

lua_shared_dict cache 10m;
init_by_lua_file   /etc/ssowat/init.lua;
access_by_lua_file /etc/ssowat/access.lua;

```

You can also put the `access_by_lua_file` directive in a `server{}` scope if you want to protect only a vhost.


SSOwat configuration
--------------------

```
mv /etc/ssowat/conf.json.example /etc/ssowat/conf.json
nano /etc/ssowat/conf.json
```

If you use YunoHost, you may want to edit the `/etc/ssowat/conf.json.persistent` file, since the `/etc/ssowat/conf.json` will often be overwritten.

## Available parameters

Only the `portal_domain` SSOwat configuration parameters is required, but it is recommended to know the others to fully understand what you can do with it.

- `cookie_secret_file`: Where the secret used for signing and encrypting cookie is stored. It should only be readable by root.
- `cookie_name`: The name of the cookie used for authentication. Its content is expected to be a JWT signed with the cookie secret and should contain a key `user` and `password` (which is needed for Basic HTTP Auth). Because JWT is only encoded and signed (not encrypted), the `password` is expected to be encrypted using the cookie secret.
- `session_folder`: A path to a folder where files exists for any valid valid session id. SSOwat will check for the last modification date to confirm that the session is not expired.
- `domain_portal_urls`: Location of the portal to use for login and browsing apps, to redirect to when access to some route is denied
- `redirected_urls`: Array of URLs and/or URIs to redirect and their redirect URI/URL (**example**: `{ "/": "example.org/subpath" }`).

### `permissions`

The list of permissions depicted as follows:

```json
"myapp.main": {
    "auth_header": true,
    "label": "MyApp",
    "public": true,
    "show_tile": true,
    "uris": [
        "example.tld/myapp"
    ],
    "users": [
        "JaneDoe",
        "JohnDoe"
    ]
},
"myapp.admin": {
    "auth_header": true,
    "label": "MyApp (admin)",
    "public": false,
    "show_tile": false,
    "uris": [
        "example.tld/myapp/admin"
    ],
    "users": [
        "JaneDoe"
    ]
},
"myapp.api": {
    "auth_header": false,
    "label": "MyApp (api)",
    "public": true,
    "show_tile": false,
    "uris": [
        "re:domain%.tld/%.well%-known/.*"
    ],
    "users": []
}
```

#### auth_header

Does the SSO add an authentication header that allows certain apps to connect automatically? (**True by default**)

#### public

Can a person who is not connected to the SSO have access to this authorization?

#### uris

A list of url attatched to this permission, a regex url start with `re:`.

#### users

A list of users which is allowed to access to this permission. If `public`.
Init 2013-10-15 10:11:39 +02:00			`SSOwat`
			`======`

README reworked (#165) 2020-06-16 17:48:56 +02:00			`A simple LDAP SSO for NGINX, written in Lua.`
Init 2013-10-15 10:11:39 +02:00
[enh] readme: add translation badge status. 2017-01-28 06:23:51 +01:00			`<a href="https://translate.yunohost.org/engage/yunohost/?utm_source=widget">`
			`<img src="https://translate.yunohost.org/widgets/yunohost/-/287x66-white.png" alt="Translation status" />`
			`</a>`

README reworked (#165) 2020-06-16 17:48:56 +02:00			`- [Please report issues to the YunoHost bugtracker](https://github.com/YunoHost/issues).`
Adding link to bugtracker 2017-04-03 01:35:16 +02:00
Update README.md 2013-10-16 20:47:37 +02:00			`Installation`
			`------------`

Update README.md 2013-10-16 20:50:02 +02:00			`* Fetch the repository`
Update README.md 2013-10-16 20:50:36 +02:00
Update README.md 2013-10-16 20:47:37 +02:00			```bash
Update README.md 2019-09-27 12:09:07 +02:00			`git clone https://github.com/YunoHost/SSOwat /etc/ssowat`
Update README.md 2013-10-16 20:50:02 +02:00			```
Update README.md 2013-10-16 20:50:36 +02:00

README reworked (#165) 2020-06-16 17:48:56 +02:00			`NGINX configuration`
[doc] Update README.md 2014-04-17 16:07:52 +02:00			`-------------------`
Update README.md 2013-10-16 20:47:37 +02:00
README reworked (#165) 2020-06-16 17:48:56 +02:00			* Add SSOwat's NGINX configuration (`http{}` scope)
Update README.md 2013-10-16 20:50:36 +02:00
Update README.md 2013-10-16 20:47:37 +02:00			```bash
			`nano /etc/nginx/conf.d/ssowat.conf`
			```
Init 2013-10-15 10:11:39 +02:00
Update README.md 2013-10-15 10:13:34 +02:00			```nginx

Update README.md 2013-10-26 15:29:51 +02:00			`lua_shared_dict cache 10m;`
Update README.md 2013-10-16 20:47:37 +02:00			`init_by_lua_file /etc/ssowat/init.lua;`
			`access_by_lua_file /etc/ssowat/access.lua;`
Init 2013-10-15 10:11:39 +02:00
Update README.md 2013-10-15 10:13:34 +02:00			```
Update README.md 2013-10-16 20:47:37 +02:00
[doc] Update README.md 2014-04-17 16:07:52 +02:00			You can also put the `access_by_lua_file` directive in a `server{}` scope if you want to protect only a vhost.


			`SSOwat configuration`
			`--------------------`

			```
[deb] Rename conf.json installed file to conf.json.example 2016-05-07 23:57:17 +02:00			`mv /etc/ssowat/conf.json.example /etc/ssowat/conf.json`
[doc] Update README.md 2014-04-17 16:07:52 +02:00			`nano /etc/ssowat/conf.json`
			```

			If you use YunoHost, you may want to edit the `/etc/ssowat/conf.json.persistent` file, since the `/etc/ssowat/conf.json` will often be overwritten.

[doc] Update README.md 2014-04-17 16:24:48 +02:00			`## Available parameters`

README reworked (#165) 2020-06-16 17:48:56 +02:00			Only the `portal_domain` SSOwat configuration parameters is required, but it is recommended to know the others to fully understand what you can do with it.
[doc] Update README.md 2014-04-17 16:24:48 +02:00
Epic refactoring for new portal API etc 2021-12-26 17:01:56 +01:00			- `cookie_secret_file`: Where the secret used for signing and encrypting cookie is stored. It should only be readable by root.
			- `cookie_name`: The name of the cookie used for authentication. Its content is expected to be a JWT signed with the cookie secret and should contain a key `user` and `password` (which is needed for Basic HTTP Auth). Because JWT is only encoded and signed (not encrypted), the `password` is expected to be encrypted using the cookie secret.
implement proper expiration/prolong mechanism for cookies 2023-11-28 18:04:29 +01:00			- `session_folder`: A path to a folder where files exists for any valid valid session id. SSOwat will check for the last modification date to confirm that the session is not expired.
Remove unused 'redirected_regex' mechanism, + we don't need the label and show_tile property on acls 2023-10-07 17:38:52 +02:00			- `domain_portal_urls`: Location of the portal to use for login and browsing apps, to redirect to when access to some route is denied
Epic refactoring for new portal API etc 2021-12-26 17:01:56 +01:00			- `redirected_urls`: Array of URLs and/or URIs to redirect and their redirect URI/URL (example: `{ "/": "example.org/subpath" }`).
Update the sso doc with the new permissions system 2020-12-30 14:34:31 +01:00
Epic refactoring for new portal API etc 2021-12-26 17:01:56 +01:00			### `permissions`
Update the sso doc with the new permissions system 2020-12-30 14:34:31 +01:00
			`The list of permissions depicted as follows:`

			```json
			`"myapp.main": {`
			`"auth_header": true,`
			`"label": "MyApp",`
			`"public": true,`
			`"show_tile": true,`
			`"uris": [`
			`"example.tld/myapp"`
			`],`
			`"users": [`
			`"JaneDoe",`
			`"JohnDoe"`
			`]`
			`},`
			`"myapp.admin": {`
			`"auth_header": true,`
			`"label": "MyApp (admin)",`
			`"public": false,`
			`"show_tile": false,`
			`"uris": [`
			`"example.tld/myapp/admin"`
			`],`
			`"users": [`
			`"JaneDoe"`
			`]`
			`},`
			`"myapp.api": {`
			`"auth_header": false,`
			`"label": "MyApp (api)",`
			`"public": true,`
			`"show_tile": false,`
			`"uris": [`
			`"re:domain%.tld/%.well%-known/.*"`
			`],`
			`"users": []`
			`}`
			```
[doc] Update README.md 2014-04-17 16:24:48 +02:00
Update the sso doc with the new permissions system 2020-12-30 14:34:31 +01:00			`#### auth_header`
[doc] Update README.md 2014-04-17 16:24:48 +02:00
Update the sso doc with the new permissions system 2020-12-30 14:34:31 +01:00			`Does the SSO add an authentication header that allows certain apps to connect automatically? (True by default)`
[doc] Update README.md 2014-04-17 16:24:48 +02:00
Update the sso doc with the new permissions system 2020-12-30 14:34:31 +01:00			`#### public`
[doc] Update README.md 2014-04-17 16:24:48 +02:00
Update the sso doc with the new permissions system 2020-12-30 14:34:31 +01:00			`Can a person who is not connected to the SSO have access to this authorization?`
[doc] Update README.md 2014-04-17 16:24:48 +02:00
Update the sso doc with the new permissions system 2020-12-30 14:34:31 +01:00			`#### uris`
Update README.md 2014-05-12 18:11:49 +02:00
Update the sso doc with the new permissions system 2020-12-30 14:34:31 +01:00			A list of url attatched to this permission, a regex url start with `re:`.

			`#### users`

			A list of users which is allowed to access to this permission. If `public`.