SSOwat/README.md
2019-02-21 18:12:24 +01:00

179 lines
No EOL
4.4 KiB
Markdown
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

SSOwat
======
A simple LDAP SSO for nginx, written in Lua
<a href="https://translate.yunohost.org/engage/yunohost/?utm_source=widget">
<img src="https://translate.yunohost.org/widgets/yunohost/-/287x66-white.png" alt="Translation status" />
</a>
Issues
------
- [Please report issues on YunoHost bugtracker](https://github.com/YunoHost/issues).
Requirements
------------
- Nginx-extras from Debian wheezy-backports
- lua-json
- lua-ldap
- lua-filesystem
- lua-socket
- lua-rex-pcre
**OR**
- Nginx "Openresty" flavored : http://openresty.org/
- lua-ldap
- lua-filesystem
- lua-socket
- lua-rex-pcre
Installation
------------
* Fetch the repository
```bash
git clone https://github.com/Kloadut/SSOwat /etc/ssowat
```
Nginx configuration
-------------------
* Add SSOwat's Nginx configuration (`http{}` scope)
```bash
nano /etc/nginx/conf.d/ssowat.conf
```
```nginx
lua_shared_dict cache 10m;
init_by_lua_file /etc/ssowat/init.lua;
access_by_lua_file /etc/ssowat/access.lua;
```
You can also put the `access_by_lua_file` directive in a `server{}` scope if you want to protect only a vhost.
SSOwat configuration
--------------------
```
mv /etc/ssowat/conf.json.example /etc/ssowat/conf.json
nano /etc/ssowat/conf.json
```
If you use YunoHost, you may want to edit the `/etc/ssowat/conf.json.persistent` file, since the `/etc/ssowat/conf.json` will often be overwritten.
## Available parameters
These are the SSOwat's configuration parameters. Only `portal_domain` is required, but it is recommended to know the others to fully understand what you can do with SSOwat.
#### portal_domain
Domain of the authentication portal. It has to be a domain, IP addresses will not work with SSOwat (**Required**)
#### portal_path
URI of the authentication portal (**default**: `/ssowat/`). This path **must** end with “`/`”.
#### portal_port
Web port of the authentication portal (**default**: `443` for `https`, `80` for `http`)
#### portal_scheme
Whether authentication should use secure connection or not (**default**: `https`)
#### domains
List of handled domains (**default**: similar to `portal_domain`)
#### ldap_host
LDAP server hostname (**default**: `localhost`)
#### ldap_group
LDAP group to search in (**default**: `ou=users,dc=yunohost,dc=org`)
#### ldap_identifier
LDAP user identifier (**default**: `uid`)
#### ldap_attributes
User's attributes to fetch from LDAP (**default**: `["uid", "givenname", "sn", "cn", "homedirectory", "mail", "maildrop"]`)
#### ldap_enforce_crypt
Let SSOwat re-encrypt weakly-encrypted LDAP passwords into the safer sha-512 (crypt) (**default**: `true`)
#### allow_mail_authentication
Whether users can authenticate with their mail address (**default**: `true`)
#### login_arg
URI argument to use for cross-domain authentication (**default**: `sso_login`)
#### additional_headers
Array of additionnal HTTP headers to set once user is authenticated (**default**: `{ "Remote-User": "uid" }`)
#### session_timeout
The session expiracy time limit in seconds, since the last connection (**default**: `86400` / one day)
#### session_max_timeout
The session expiracy time limit in seconds (**default**: `604800` / one week)
#### protected_urls
List of priorily protected URLs and/or URIs (**by default, every URL is protected**)
#### protected_regex
List of regular expressions to be matched against URLs **and** URIs to protect them
#### skipped_urls
List of URLs and/or URIs that will not be affected by SSOwat. This must be a JSON array, and SSOwat automatically adds itself to this array.
#### skipped_regex
List of regular expressions to be matched against URLs **and** URIs to ignore them
#### unprotected_urls
List of URLs and/or URIs that will not be affected by SSOwat **unless user is authenticated**
#### unprotected_regex
List of regular expressions to be matched against URLs **and** URIs to ignore them **unless user is authenticated**
#### redirected_urls
Array of URLs and/or URIs to redirect and their redirect URI/URL (**example**: `{ "/": "example.org/subpath" }`)
#### redirected_regex
Array of regular expressions to be matched against URLS **and** URIs and their redirect URI/URL (**example**: `{ "example.org/megusta$": "example.org/subpath" }`)
#### users
2-level array containing usernames and their allowed URLs along with an App name (**example**: `{ "kload": { "kload.fr/myapp/": "My App" } }`)
#### default_language
Language code used by default in views (**default**: `en`)
#### theme
Can be either `default` or `vapor`.