2013-10-15 10:11:39 +02:00
SSOwat
======
2020-06-16 17:48:56 +02:00
A simple LDAP SSO for NGINX, written in Lua.
2013-10-15 10:11:39 +02:00
2017-01-28 06:23:51 +01:00
< a href = "https://translate.yunohost.org/engage/yunohost/?utm_source=widget" >
< img src = "https://translate.yunohost.org/widgets/yunohost/-/287x66-white.png" alt = "Translation status" / >
< / a >
2020-06-16 17:48:56 +02:00
- [Please report issues to the YunoHost bugtracker ](https://github.com/YunoHost/issues ).
2017-04-03 01:35:16 +02:00
2013-10-16 20:47:37 +02:00
Installation
------------
2013-10-16 20:50:02 +02:00
* Fetch the repository
2013-10-16 20:50:36 +02:00
2013-10-16 20:47:37 +02:00
```bash
2019-09-27 12:09:07 +02:00
git clone https://github.com/YunoHost/SSOwat /etc/ssowat
2013-10-16 20:50:02 +02:00
```
2013-10-16 20:50:36 +02:00
2020-06-16 17:48:56 +02:00
NGINX configuration
2014-04-17 16:07:52 +02:00
-------------------
2013-10-16 20:47:37 +02:00
2020-06-16 17:48:56 +02:00
* Add SSOwat's NGINX configuration (`http{}` scope)
2013-10-16 20:50:36 +02:00
2013-10-16 20:47:37 +02:00
```bash
nano /etc/nginx/conf.d/ssowat.conf
```
2013-10-15 10:11:39 +02:00
2013-10-15 10:13:34 +02:00
```nginx
2013-10-26 15:29:51 +02:00
lua_shared_dict cache 10m;
2013-10-16 20:47:37 +02:00
init_by_lua_file /etc/ssowat/init.lua;
access_by_lua_file /etc/ssowat/access.lua;
2013-10-15 10:11:39 +02:00
2013-10-15 10:13:34 +02:00
```
2013-10-16 20:47:37 +02:00
2014-04-17 16:07:52 +02:00
You can also put the `access_by_lua_file` directive in a `server{}` scope if you want to protect only a vhost.
SSOwat configuration
--------------------
```
2016-05-07 23:57:17 +02:00
mv /etc/ssowat/conf.json.example /etc/ssowat/conf.json
2014-04-17 16:07:52 +02:00
nano /etc/ssowat/conf.json
```
If you use YunoHost, you may want to edit the `/etc/ssowat/conf.json.persistent` file, since the `/etc/ssowat/conf.json` will often be overwritten.
2014-04-17 16:24:48 +02:00
## Available parameters
2020-06-16 17:48:56 +02:00
Only the `portal_domain` SSOwat configuration parameters is required, but it is recommended to know the others to fully understand what you can do with it.
2014-04-17 16:24:48 +02:00
2021-12-26 17:01:56 +01:00
- `cookie_secret_file` : Where the secret used for signing and encrypting cookie is stored. It should only be readable by root.
- `cookie_name` : The name of the cookie used for authentication. Its content is expected to be a JWT signed with the cookie secret and should contain a key `user` and `password` (which is needed for Basic HTTP Auth). Because JWT is only encoded and signed (not encrypted), the `password` is expected to be encrypted using the cookie secret.
2023-10-07 17:38:52 +02:00
- `domain_portal_urls` : Location of the portal to use for login and browsing apps, to redirect to when access to some route is denied
2021-12-26 17:01:56 +01:00
- `redirected_urls` : Array of URLs and/or URIs to redirect and their redirect URI/URL (**example**: `{ "/": "example.org/subpath" }` ).
2020-12-30 14:34:31 +01:00
2021-12-26 17:01:56 +01:00
### `permissions`
2020-12-30 14:34:31 +01:00
The list of permissions depicted as follows:
```json
"myapp.main": {
"auth_header": true,
"label": "MyApp",
"public": true,
"show_tile": true,
"uris": [
"example.tld/myapp"
],
"users": [
"JaneDoe",
"JohnDoe"
]
},
"myapp.admin": {
"auth_header": true,
"label": "MyApp (admin)",
"public": false,
"show_tile": false,
"uris": [
"example.tld/myapp/admin"
],
"users": [
"JaneDoe"
]
},
"myapp.api": {
"auth_header": false,
"label": "MyApp (api)",
"public": true,
"show_tile": false,
"uris": [
"re:domain%.tld/%.well%-known/.*"
],
"users": []
}
```
2014-04-17 16:24:48 +02:00
2020-12-30 14:34:31 +01:00
#### auth_header
2014-04-17 16:24:48 +02:00
2020-12-30 14:34:31 +01:00
Does the SSO add an authentication header that allows certain apps to connect automatically? (**True by default**)
2014-04-17 16:24:48 +02:00
2020-12-30 14:34:31 +01:00
#### public
2014-04-17 16:24:48 +02:00
2020-12-30 14:34:31 +01:00
Can a person who is not connected to the SSO have access to this authorization?
2014-04-17 16:24:48 +02:00
2020-12-30 14:34:31 +01:00
#### uris
2014-05-12 18:11:49 +02:00
2020-12-30 14:34:31 +01:00
A list of url attatched to this permission, a regex url start with `re:` .
#### users
A list of users which is allowed to access to this permission. If `public` .