SSOwat/README.md

157 lines
3.8 KiB
Markdown
Raw Normal View History

2013-10-15 10:11:39 +02:00
SSOwat
======
2013-10-16 11:59:48 +02:00
A simple LDAP SSO for nginx, written in Lua
2013-10-15 10:11:39 +02:00
2013-10-15 10:16:42 +02:00
Requirements
------------
2013-10-16 11:59:48 +02:00
- Nginx-extras from Debian wheezy-backports
2013-10-16 20:47:37 +02:00
- lua-json
2013-10-16 11:59:48 +02:00
- lua-ldap
2013-10-16 12:00:08 +02:00
2013-10-16 20:47:37 +02:00
**OR**
2013-10-16 12:00:08 +02:00
2013-10-16 11:59:48 +02:00
- Nginx "Openresty" flavored : http://openresty.org/
- lua-ldap
2013-10-15 10:16:42 +02:00
2013-10-16 20:47:37 +02:00
Installation
------------
2013-10-16 20:50:02 +02:00
* Fetch the repository
2013-10-16 20:50:36 +02:00
2013-10-16 20:47:37 +02:00
```bash
git clone https://github.com/Kloadut/SSOwat /etc/ssowat
2013-10-16 20:50:02 +02:00
```
2013-10-16 20:50:36 +02:00
2014-04-17 16:07:52 +02:00
Nginx configuration
-------------------
2013-10-16 20:47:37 +02:00
2014-04-17 16:07:52 +02:00
* Add SSOwat's Nginx configuration (`http{}` scope)
2013-10-16 20:50:36 +02:00
2013-10-16 20:47:37 +02:00
```bash
nano /etc/nginx/conf.d/ssowat.conf
```
2013-10-15 10:11:39 +02:00
2013-10-15 10:13:34 +02:00
```nginx
2013-10-26 15:29:51 +02:00
lua_shared_dict cache 10m;
2013-10-16 20:47:37 +02:00
init_by_lua_file /etc/ssowat/init.lua;
access_by_lua_file /etc/ssowat/access.lua;
2013-10-15 10:11:39 +02:00
2013-10-15 10:13:34 +02:00
```
2013-10-16 20:47:37 +02:00
2014-04-17 16:07:52 +02:00
You can also put the `access_by_lua_file` directive in a `server{}` scope if you want to protect only a vhost.
SSOwat configuration
--------------------
```
mv /etc/ssowat/conf.json.example /etc/ssowat/conf.json
2014-04-17 16:07:52 +02:00
nano /etc/ssowat/conf.json
```
If you use YunoHost, you may want to edit the `/etc/ssowat/conf.json.persistent` file, since the `/etc/ssowat/conf.json` will often be overwritten.
2014-04-17 16:24:48 +02:00
## Available parameters
2014-04-17 16:25:53 +02:00
These are the SSOwat's configuration parameters. Only the first one is required, but it is recommended to know the others to fully understand what you can do with SSOwat.
2014-04-17 16:24:48 +02:00
#### portal_domain
Domain of the authentication portal. It has to be a domain, IP addresses will not work with SSOwat (**Required**)
#### portal_path
URI of the authentication portal (**default**: `/ssowat`)
#### portal_port
Web port of the authentication portal (**default**: `443`)
#### portal_scheme
Whether authentication should use secure connection or not (**default**: `https`)
#### domains
List of handle domains (**default**: similar to `portal_domain`)
#### ldap_host
LDAP server hostname (**default**: `localhost`)
#### ldap_group
LDAP group to search in (**default**: `ou=users,dc=yunohost,dc=org`)
#### ldap_identifier
LDAP user identifier (**default**: `uid`)
#### ldap_attributes
User's attributes to fetch from LDAP (**default**: `["uid", "givenname", "sn", "cn", "homedirectory", "mail", "maildrop"]`)
#### allow_mail_authentication
Whether users can authenticate with their mail address (**default**: `true`)
#### login_arg
URI argument to use for cross-domain authentication (**default**: `sso_login`)
#### additional_headers
Array of additionnal HTTP headers to set once user is authenticated (**default**: `{ "Remote-User": "uid" }`)
#### session_timeout
The session expiracy time limit in seconds, since the last connection (**default**: `86400` / one day)
#### session_max_timeout
The session expiracy time limit in seconds (**default**: `604800` / one week)
#### protected_urls
List of priorily protected URLs and/or URIs (**by default, every URL is protected**)
#### protected_regex
List of regular expressions to be matched against URLs **and** URIs to protect them
#### skipped_urls
List of URLs and/or URIs that will not be affected by SSOwat
#### skipped_regex
List of regular expressions to be matched against URLs **and** URIs to ignore them
#### unprotected_urls
List of URLs and/or URIs that will not be affected by SSOwat **unless user is authenticated**
#### unprotected_regex
List of regular expressions to be matched against URLs **and** URIs to ignore them **unless user is authenticated**
#### redirected_urls
2014-06-09 16:23:52 +02:00
Array of URLs and/or URIs to redirect and their redirect URI/URL (**example**: `{ "/": "example.org/subpath" }`)
2014-04-17 16:24:48 +02:00
#### redirected_regex
2014-06-09 16:23:52 +02:00
Array of regular expressions to be matched against URLS **and** URIs and their redirect URI/URL (**example**: `{ "example.org/megusta$": "example.org/subpath" }`)
2014-04-17 16:24:48 +02:00
#### users
2-level array containing usernames and their allowed URLs along with an App name (**example**: `{ "kload": { "kload.fr/myapp/": "My App" } }`)
2014-04-17 16:07:52 +02:00
2014-05-12 18:11:49 +02:00
#### default_language
Language code used by default in views (**default**: `en`)