YunoHost/SSOwat
1
0
Fork 0
mirror of https://github.com/YunoHost/SSOwat.git synced 2024-09-03 20:06:27 +02:00
Code Issues Projects Releases Packages Wiki Activity
A simple SSO for NGINX, written in Lua
821 commits 8 branches 113 tags 3.6 MiB
Lua 58.6%
CSS 18.5%
JavaScript 14.7%
HTML 4.4%
MAXScript 2.4%
Other 1.4%
Find a file
selfhoster1312 7fc0350788 Authentication headers are ONLY set when user is logged in and has access to app 
Prevents impersonating users on public applications where the auth headers were not cleared
2023-01-10 14:10:40 +01:00
debian Update changelog for 4.4.1 2022-08-09 23:34:47 +02:00
lustache licence file added 2018-06-07 13:37:58 +02:00
portal Translated using Weblate (Finnish) 2022-01-15 13:20:47 +00:00
access.lua Authentication headers are ONLY set when user is logged in and has access to app 2023-01-10 14:10:40 +01:00
conf.json.example Update the sso doc with the new permissions system 2020-12-30 14:34:31 +01:00
config.lua Merge pull request #161 from YunoHost/permission_protection 2020-10-30 14:52:43 +01:00
CONTRIBUTORS.md [fix] sidddy takes 3 d 2017-05-18 08:56:48 +02:00
helpers.lua Authentication headers are ONLY set when user is logged in and has access to app 2023-01-10 14:10:40 +01:00
init.lua Make sure ssowat log file is created and exists when starting nginx/ssowat 2019-10-03 20:42:48 +02:00
LICENSE Add AGPL license 2015-07-15 15:29:45 +02:00
log.lua Many tweaks in log system + implement many log messages in low-level functions 2019-10-03 20:42:01 +02:00
lustache.lua replace hige by lustache 2018-06-07 11:56:34 +02:00
README.md Update the sso doc with the new permissions system 2020-12-30 14:34:31 +01:00

README.md

SSOwat

A simple LDAP SSO for NGINX, written in Lua.

Translation status

Issues

Requirements

  • nginx-extras from Debian wheezy-backports
  • lua-json
  • lua-ldap
  • lua-filesystem
  • lua-socket
  • lua-rex-pcre

OR

Installation

  • Fetch the repository
git clone https://github.com/YunoHost/SSOwat /etc/ssowat

NGINX configuration

  • Add SSOwat's NGINX configuration (http{} scope)
nano /etc/nginx/conf.d/ssowat.conf


lua_shared_dict cache 10m;
init_by_lua_file   /etc/ssowat/init.lua;
access_by_lua_file /etc/ssowat/access.lua;

You can also put the access_by_lua_file directive in a server{} scope if you want to protect only a vhost.

SSOwat configuration

mv /etc/ssowat/conf.json.example /etc/ssowat/conf.json
nano /etc/ssowat/conf.json

If you use YunoHost, you may want to edit the /etc/ssowat/conf.json.persistent file, since the /etc/ssowat/conf.json will often be overwritten.

Available parameters

Only the portal_domain SSOwat configuration parameters is required, but it is recommended to know the others to fully understand what you can do with it.

portal_domain

Domain of the authentication portal. It has to be a domain, IP addresses will not work with SSOwat (Required).

portal_path

URI of the authentication portal (default: /ssowat/). This path must end with “/”.

portal_port

Web port of the authentication portal (default: 443 for https, 80 for http).

portal_scheme

Whether authentication should use secure connection or not (default: https).

domains

List of handled domains (default: similar to portal_domain).

ldap_host

LDAP server hostname (default: localhost).

ldap_group

LDAP group to search in (default: ou=users,dc=yunohost,dc=org).

ldap_identifier

LDAP user identifier (default: uid).

ldap_attributes

User's attributes to fetch from LDAP (default: ["uid", "givenname", "sn", "cn", "homedirectory", "mail", "maildrop"]).

ldap_enforce_crypt

Let SSOwat re-encrypt weakly-encrypted LDAP passwords into the safer sha-512 (crypt) (default: true).

allow_mail_authentication

Whether users can authenticate with their mail address (default: true).

login_arg

URI argument to use for cross-domain authentication (default: sso_login).

additional_headers

Array of additionnal HTTP headers to set once user is authenticated (default: { "Remote-User": "uid" }).

session_timeout

The session expiracy time limit in seconds, since the last connection (default: 86400 / one day).

session_max_timeout

The session expiracy time limit in seconds (default: 604800 / one week).

redirected_urls

Array of URLs and/or URIs to redirect and their redirect URI/URL (example: { "/": "example.org/subpath" }).

redirected_regex

Array of regular expressions to be matched against URLs and URIs and their redirect URI/URL (example: { "example.org/megusta$": "example.org/subpath" }).

default_language

Language code used by default in views (default: en).

permissions

The list of permissions depicted as follows:

"myapp.main": {
    "auth_header": true,
    "label": "MyApp",
    "public": true,
    "show_tile": true,
    "uris": [
        "example.tld/myapp"
    ],
    "users": [
        "JaneDoe",
        "JohnDoe"
    ]
},
"myapp.admin": {
    "auth_header": true,
    "label": "MyApp (admin)",
    "public": false,
    "show_tile": false,
    "uris": [
        "example.tld/myapp/admin"
    ],
    "users": [
        "JaneDoe"
    ]
},
"myapp.api": {
    "auth_header": false,
    "label": "MyApp (api)",
    "public": true,
    "show_tile": false,
    "uris": [
        "re:domain%.tld/%.well%-known/.*"
    ],
    "users": []
}

auth_header

Does the SSO add an authentication header that allows certain apps to connect automatically? (True by default)

label

A user-friendly name displayed in the portal and in the administration panel to manage permission. (By convention it is of the form: Name of the app (specificity of this permission))

public

Can a person who is not connected to the SSO have access to this authorization?

show_tile

Display or not the tile in the user portal.

uris

A list of url attatched to this permission, a regex url start with re:.

users

A list of users which is allowed to access to this permission. If public.