YunoHost/SSOwat
1
0
Fork 0
mirror of https://github.com/YunoHost/SSOwat.git synced 2024-09-03 20:06:27 +02:00
Code Issues Projects Releases Packages Wiki Activity
A simple SSO for NGINX, written in Lua
90 commits 8 branches 113 tags 3.6 MiB
Lua 58.6%
CSS 18.5%
JavaScript 14.7%
HTML 4.4%
MAXScript 2.4%
Other 1.4%
Find a file
Kload 001e02413a [doc] Update README.md
2014-04-17 16:07:52 +02:00
portal Fix double-width bug, remove transition. 2014-02-19 12:38:30 +01:00
.gitignore Add .gitignore 2013-10-20 18:31:37 +02:00
access.lua [enh] Default configuration value table 2014-04-17 14:51:47 +02:00
conf.json Update conf.json 2013-12-13 19:45:36 +01:00
hige.lua Strange Rpi bugfix 2013-12-14 10:22:30 +01:00
init.lua ARM cache bugfix 2013-11-29 16:29:57 +01:00
README.md [doc] Update README.md 2014-04-17 16:07:52 +02:00

README.md

SSOwat

A simple LDAP SSO for nginx, written in Lua

Requirements

  • Nginx-extras from Debian wheezy-backports
  • lua-json
  • lua-ldap

OR

Installation

  • Fetch the repository
git clone https://github.com/Kloadut/SSOwat /etc/ssowat

Nginx configuration

  • Add SSOwat's Nginx configuration (http{} scope)
nano /etc/nginx/conf.d/ssowat.conf


lua_shared_dict cache 10m;
init_by_lua_file   /etc/ssowat/init.lua;
access_by_lua_file /etc/ssowat/access.lua;

You can also put the access_by_lua_file directive in a server{} scope if you want to protect only a vhost.

SSOwat configuration

nano /etc/ssowat/conf.json

If you use YunoHost, you may want to edit the /etc/ssowat/conf.json.persistent file, since the /etc/ssowat/conf.json will often be overwritten.

Available parameters

  • portal_domain: Domain of the authentication portal. It has to be a domain, IP addresses will not work with SSOwat (Required)
  • portal_path: URI of the authentication portal (default: /ssowat)
  • portal_port: Web port of the authentication portal (default: 443)
  • portal_scheme: Whether authentication should use secure connection or not (default: https)
  • domains: List of handle domains (default: portal_domain)
  • ldap_host: LDAP server hostname (default: localhost)
  • ldap_group: LDAP group to search in (default: ou=users,dc=yunohost,dc=org)
  • ldap_identifier: LDAP user identifier (default: uid)
  • ldap_attributes: User's attributes to fetch from LDAP (default: ["uid", "givenname", "sn", "cn", "homedirectory", "mail", "maildrop"])
  • allow_mail_authentication: Whether users can authenticate with their mail address (default: true)
  • login_arg: URI argument to use for cross-domain authentication (default: sso_login)
  • additional_headers: Array of additionnal HTTP headers to set once user is authenticated (default: { "Remote-User": "uid" })
  • session_timeout: The session expiracy time limit in seconds, since the last connection (default: 86400 / one day)
  • session_max_timeout: The session expiracy time limit in seconds (default: 604800 / one week)
  • protected_urls: List of priorily protected URLs and/or URIs (by default, every URL is protected)
  • protected_regex: List of regular expressions to be matched against URLs and URIs to protect them
  • skipped_urls: List of URLs and/or URIs that will not be affected by SSOwat
  • skipped_regex: List of regular expressions to be matched against URLs and URIs to ignore them
  • unprotected_urls: List of URLs and/or URIs that will not be affected by SSOwat unless user is authenticated
  • unprotected_regex: List of regular expressions to be matched against URLs and URIs to ignore them unless user is authenticated
  • redirected_urls: Array of URLs and/or URIs to redirect and their redirect URI/URL (example: { "/", "example.org/subpath" })
  • redirected_regex: Array of regular expressions to be matched against URLS and URIs and their redirect URI/URL (example: { "example.org/megusta$", "example.org/subpath" })
  • users: 2-level array containing usernames and their allowed URLs along with an App name (example: { "kload": { "kload.fr/myapp/": "My App" } })