A simple SSO for NGINX, written in Lua
Find a file
JimboJoe b1a1d55e66 [fix] Fix tile not displayed when app is installed on root (bug #285) (#71)
* Fix proposal for bug #285 (YunoHost tile is not displayed when the app is installed on root path)
* Fix access to administration page
2017-04-02 23:47:54 +02:00
debian Update changelog for 2.6.4 release 2017-03-14 15:39:44 +01:00
portal [fix] Remove help-link in portal as they don't link to nothing. Fix #68 2017-03-14 15:32:49 +01:00
.gitignore Add .gitignore 2013-10-20 18:31:37 +02:00
access.lua [fix] Fix tile not displayed when app is installed on root (bug #285) (#71) 2017-04-02 23:47:54 +02:00
conf.json.example [deb] Rename conf.json installed file to conf.json.example 2016-05-07 23:57:17 +02:00
config.lua [enh] Use consistent coding convention for function prototype. 2016-04-30 12:40:59 +02:00
CONTRIBUTORS.md [enh] Add Trollken to contributors list. 2017-03-02 12:17:40 +01:00
helpers.lua [fix] Use local variables for cookie's expired_time. 2017-02-28 15:38:46 +01:00
hige.lua Strange Rpi bugfix 2013-12-14 10:22:30 +01:00
init.lua [enh] Use consistent coding convention for function prototype. 2016-04-30 12:40:59 +02:00
LICENSE Add AGPL license 2015-07-15 15:29:45 +02:00
README.md [enh] readme: add translation badge status. 2017-01-28 06:23:51 +01:00

SSOwat

A simple LDAP SSO for nginx, written in Lua

Translation status

Requirements

  • Nginx-extras from Debian wheezy-backports
  • lua-json
  • lua-ldap

OR

Installation

  • Fetch the repository
git clone https://github.com/Kloadut/SSOwat /etc/ssowat

Nginx configuration

  • Add SSOwat's Nginx configuration (http{} scope)
nano /etc/nginx/conf.d/ssowat.conf

lua_shared_dict cache 10m;
init_by_lua_file   /etc/ssowat/init.lua;
access_by_lua_file /etc/ssowat/access.lua;

You can also put the access_by_lua_file directive in a server{} scope if you want to protect only a vhost.

SSOwat configuration

mv /etc/ssowat/conf.json.example /etc/ssowat/conf.json
nano /etc/ssowat/conf.json

If you use YunoHost, you may want to edit the /etc/ssowat/conf.json.persistent file, since the /etc/ssowat/conf.json will often be overwritten.

Available parameters

These are the SSOwat's configuration parameters. Only the first one is required, but it is recommended to know the others to fully understand what you can do with SSOwat.

portal_domain

Domain of the authentication portal. It has to be a domain, IP addresses will not work with SSOwat (Required)

portal_path

URI of the authentication portal (default: /ssowat)

portal_port

Web port of the authentication portal (default: 443)

portal_scheme

Whether authentication should use secure connection or not (default: https)

domains

List of handle domains (default: similar to portal_domain)

ldap_host

LDAP server hostname (default: localhost)

ldap_group

LDAP group to search in (default: ou=users,dc=yunohost,dc=org)

ldap_identifier

LDAP user identifier (default: uid)

ldap_attributes

User's attributes to fetch from LDAP (default: ["uid", "givenname", "sn", "cn", "homedirectory", "mail", "maildrop"])

allow_mail_authentication

Whether users can authenticate with their mail address (default: true)

login_arg

URI argument to use for cross-domain authentication (default: sso_login)

additional_headers

Array of additionnal HTTP headers to set once user is authenticated (default: { "Remote-User": "uid" })

session_timeout

The session expiracy time limit in seconds, since the last connection (default: 86400 / one day)

session_max_timeout

The session expiracy time limit in seconds (default: 604800 / one week)

protected_urls

List of priorily protected URLs and/or URIs (by default, every URL is protected)

protected_regex

List of regular expressions to be matched against URLs and URIs to protect them

skipped_urls

List of URLs and/or URIs that will not be affected by SSOwat

skipped_regex

List of regular expressions to be matched against URLs and URIs to ignore them

unprotected_urls

List of URLs and/or URIs that will not be affected by SSOwat unless user is authenticated

unprotected_regex

List of regular expressions to be matched against URLs and URIs to ignore them unless user is authenticated

redirected_urls

Array of URLs and/or URIs to redirect and their redirect URI/URL (example: { "/": "example.org/subpath" })

redirected_regex

Array of regular expressions to be matched against URLS and URIs and their redirect URI/URL (example: { "example.org/megusta$": "example.org/subpath" })

users

2-level array containing usernames and their allowed URLs along with an App name (example: { "kload": { "kload.fr/myapp/": "My App" } })

default_language

Language code used by default in views (default: en)