A simple SSO for NGINX, written in Lua
Find a file
2023-05-04 22:38:42 +02:00
debian Update changelog for 12.0.0 2023-05-04 22:38:42 +02:00
lustache licence file added 2018-06-07 13:37:58 +02:00
portal Added translation using Weblate (Lithuanian) 2023-01-24 14:45:08 +01:00
access.lua security: rework previous fixes to use the new use_remote_user_var_in_nginx_conf in ssowat conf introduced in yunohost 11.1.2 2023-01-10 00:03:25 +01:00
conf.json.example Update the sso doc with the new permissions system 2020-12-30 14:34:31 +01:00
config.lua Merge pull request #161 from YunoHost/permission_protection 2020-10-30 14:52:43 +01:00
CONTRIBUTORS.md [fix] sidddy takes 3 d 2017-05-18 08:56:48 +02:00
helpers.lua Fix auth_header 2023-01-12 22:23:41 +01:00
init.lua Make sure ssowat log file is created and exists when starting nginx/ssowat 2019-10-03 20:42:48 +02:00
LICENSE Add AGPL license 2015-07-15 15:29:45 +02:00
log.lua Many tweaks in log system + implement many log messages in low-level functions 2019-10-03 20:42:01 +02:00
lustache.lua replace hige by lustache 2018-06-07 11:56:34 +02:00
README.md Update the sso doc with the new permissions system 2020-12-30 14:34:31 +01:00

SSOwat

A simple LDAP SSO for NGINX, written in Lua.

Translation status

Issues

Requirements

  • nginx-extras from Debian wheezy-backports
  • lua-json
  • lua-ldap
  • lua-filesystem
  • lua-socket
  • lua-rex-pcre

OR

Installation

  • Fetch the repository
git clone https://github.com/YunoHost/SSOwat /etc/ssowat

NGINX configuration

  • Add SSOwat's NGINX configuration (http{} scope)
nano /etc/nginx/conf.d/ssowat.conf

lua_shared_dict cache 10m;
init_by_lua_file   /etc/ssowat/init.lua;
access_by_lua_file /etc/ssowat/access.lua;

You can also put the access_by_lua_file directive in a server{} scope if you want to protect only a vhost.

SSOwat configuration

mv /etc/ssowat/conf.json.example /etc/ssowat/conf.json
nano /etc/ssowat/conf.json

If you use YunoHost, you may want to edit the /etc/ssowat/conf.json.persistent file, since the /etc/ssowat/conf.json will often be overwritten.

Available parameters

Only the portal_domain SSOwat configuration parameters is required, but it is recommended to know the others to fully understand what you can do with it.


portal_domain

Domain of the authentication portal. It has to be a domain, IP addresses will not work with SSOwat (Required).


portal_path

URI of the authentication portal (default: /ssowat/). This path must end with “/”.


portal_port

Web port of the authentication portal (default: 443 for https, 80 for http).


portal_scheme

Whether authentication should use secure connection or not (default: https).


domains

List of handled domains (default: similar to portal_domain).


ldap_host

LDAP server hostname (default: localhost).


ldap_group

LDAP group to search in (default: ou=users,dc=yunohost,dc=org).


ldap_identifier

LDAP user identifier (default: uid).


ldap_attributes

User's attributes to fetch from LDAP (default: ["uid", "givenname", "sn", "cn", "homedirectory", "mail", "maildrop"]).


ldap_enforce_crypt

Let SSOwat re-encrypt weakly-encrypted LDAP passwords into the safer sha-512 (crypt) (default: true).


allow_mail_authentication

Whether users can authenticate with their mail address (default: true).


login_arg

URI argument to use for cross-domain authentication (default: sso_login).


additional_headers

Array of additionnal HTTP headers to set once user is authenticated (default: { "Remote-User": "uid" }).


session_timeout

The session expiracy time limit in seconds, since the last connection (default: 86400 / one day).


session_max_timeout

The session expiracy time limit in seconds (default: 604800 / one week).


redirected_urls

Array of URLs and/or URIs to redirect and their redirect URI/URL (example: { "/": "example.org/subpath" }).


redirected_regex

Array of regular expressions to be matched against URLs and URIs and their redirect URI/URL (example: { "example.org/megusta$": "example.org/subpath" }).


default_language

Language code used by default in views (default: en).


permissions

The list of permissions depicted as follows:

"myapp.main": {
    "auth_header": true,
    "label": "MyApp",
    "public": true,
    "show_tile": true,
    "uris": [
        "example.tld/myapp"
    ],
    "users": [
        "JaneDoe",
        "JohnDoe"
    ]
},
"myapp.admin": {
    "auth_header": true,
    "label": "MyApp (admin)",
    "public": false,
    "show_tile": false,
    "uris": [
        "example.tld/myapp/admin"
    ],
    "users": [
        "JaneDoe"
    ]
},
"myapp.api": {
    "auth_header": false,
    "label": "MyApp (api)",
    "public": true,
    "show_tile": false,
    "uris": [
        "re:domain%.tld/%.well%-known/.*"
    ],
    "users": []
}

auth_header

Does the SSO add an authentication header that allows certain apps to connect automatically? (True by default)

label

A user-friendly name displayed in the portal and in the administration panel to manage permission. (By convention it is of the form: Name of the app (specificity of this permission))

public

Can a person who is not connected to the SSO have access to this authorization?

show_tile

Display or not the tile in the user portal.

uris

A list of url attatched to this permission, a regex url start with re:.

users

A list of users which is allowed to access to this permission. If public.