{"id":28461212,"url":"https://github.com/cryptpad/sso","last_synced_at":"2025-08-22T01:20:47.872Z","repository":{"id":205813304,"uuid":"715151531","full_name":"cryptpad/sso","owner":"cryptpad","description":"CryptPad official SSO plugin","archived":false,"fork":false,"pushed_at":"2025-06-03T11:51:58.000Z","size":91,"stargazers_count":22,"open_issues_count":4,"forks_count":6,"subscribers_count":11,"default_branch":"main","last_synced_at":"2025-06-11T15:38:59.053Z","etag":null,"topics":["cryptpad","plugin","single-sign-on","sso"],"latest_commit_sha":null,"homepage":"https://cryptpad.org","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"agpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/cryptpad.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null},"funding":{"github":null,"patreon":null,"open_collective":"cryptpad","ko_fi":null,"tidelift":null,"community_bridge":null,"liberapay":null,"issuehunt":null,"otechie":null,"lfx_crowdfunding":null,"custom":null}},"created_at":"2023-11-06T15:22:10.000Z","updated_at":"2025-06-03T11:48:53.000Z","dependencies_parsed_at":"2023-12-15T16:54:26.102Z","dependency_job_id":"698ff465-6d49-46c8-9b63-3f1484b7cce8","html_url":"https://github.com/cryptpad/sso","commit_stats":{"total_commits":14,"total_committers":4,"mean_commits":3.5,"dds":0.4285714285714286,"last_synced_commit":"aa703b1c4bfa218a2f069eaf499d6258d964e6c8"},"previous_names":["cryptpad/cryptpad-sso","cryptpad/sso"],"tags_count":4,"template":false,"template_full_name":null,"purl":"pkg:github/cryptpad/sso","repository_url":"https://repos.ecosyste.ms/
api/v1/hosts/GitHub/repositories/cryptpad%2Fsso","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cryptpad%2Fsso/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cryptpad%2Fsso/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cryptpad%2Fsso/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/cryptpad","download_url":"https://codeload.github.com/cryptpad/sso/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cryptpad%2Fsso/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":260951294,"owners_count":23087661,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cryptpad","plugin","single-sign-on","sso"],"created_at":"2025-06-07T03:07:56.927Z","updated_at":"2025-07-03T08:32:30.602Z","avatar_url":"https://github.com/cryptpad.png","language":"JavaScript","funding_links":["https://opencollective.com/cryptpad"],"categories":[],"sub_categories":[],"readme":"# CryptPad SSO Plugin\n\nThe CryptPad SSO plugin can be manually installed to allow a CryptPad instance to be connected to a single sign-on (SSO) system.\n\nThis allows restricting registrations to SSO users only, or displaying a “Register with SSONAME” button on the connection and registration screen.\n\nUsers will still be able to create a personal password which will be used to derive the “encryption key” of their drive secret from SSO Administrators.\n\n## Features supported\n\n- OIDC and SAML SSO connectors;\n- Allow logging in 
using one or more SSO systems;\n- Allow restricting login to only SSO;\n- Store public key information of SSO users on the CryptPad server.\n\n## Features not supported / Future Work\n\n- Store extra information from users coming from SSO;\n- Allow sharing documents with SSO users without the need to connect with them;\n- Allow administrators to manage SSO users (see their storage use, delete their data, etc.);\n- Allow synchronizing OIDC roles/groups with CryptPad teams;\n- Additional SSO protocols.\n\nIf you are interested in these extra features and wish to sponsor them, contact XWiki SAS at sales@cryptpad.org\n\n## Manual installation\n\n1. Go to the cryptpad/lib/plugins directory on your server\n\n```\ncd cryptpad/lib/plugins\ngit clone https://github.com/cryptpad/sso/\n```\n\n2. Go to the cryptpad/config directory on your server\n\n```\ncd ../../config\ncp sso.example.js sso.js\n```\n\n3. Edit the `sso.js` config file to set the credentials for your SSO server ([more instructions here](#ssojs-sample-configurations))\n\n4. Flush the cache on your CryptPad instance\n\nOn the web interface, log in, and then go to:\nAdministration \u003e General (default) \u003e Flush HTTP Cache \u003e click \"FLUSH CACHE\"\n\n\u003e At this point you may be done, but if issues persist try restarting your CryptPad instance with `systemctl restart ...`, `service ... 
restart`, or `reboot`\n\n## Create an OpenID Connect Configuration on your authentication server\n\nThe SSO module has been successfully tested using KeyCloak and Univention UCS using default settings.\nWhen setting up the client credentials on your OpenID Connect server, the following redirect URI needs to be set:\n\n`https://\u003cyourdomain\u003e/ssoauth`\n\n(In case you are still using a local test HTTP server, the URL should be `http://\u003cyourdomain\u003e:\u003cyourport\u003e/ssoauth`)\n\n### sso.js sample configurations\n\nHere follows an example configuration file for `sso.js` showing examples for KeyCloak, Univention UCS and SAML:\n\n```\n// SPDX-FileCopyrightText: 2023 XWiki CryptPad Team \u003ccontact@cryptpad.org\u003e and contributors\n//\n// SPDX-License-Identifier: AGPL-3.0-or-later\n\n//const fs = require('node:fs');\nmodule.exports = {\n    // Enable SSO login on this instance\n    enabled: true,\n    // Block registration for non-SSO users on this instance\n    enforced: false,\n    // Allow users to add an additional CryptPad password to their SSO account\n    cpPassword: true,\n    // You can also force your SSO users to add a CryptPad password\n    forceCpPassword: true,\n    // List of SSO providers\n    list: [\n      {\n        name: 'keycloak',\n        type: 'oidc',\n        url: 'https://\u003ckeycloakserver\u003e/realms/\u003crealm\u003e',\n        client_id: \"cryptpad\",\n        client_secret: \"\u003cclientsecret\u003e\",\n        jwt_alg: 'RS256', // deprecated\n        id_token_alg: 'PS256', // optional\n        userinfo_token_alg: 'PS256', // optional\n        username_scope: 'profile', // optional\n        username_claim: 'name', // optional\n        use_pkce: true, // optional\n        use_nonce: true // optional\n      },\n    /*\n\n    // Sample Univention UCS Configuration (using Kopano Connect)\n    {\n        name: 'xwiki', \n        type: 'oidc',\n        url: 'https://ucs-sso.\u003cyourdomain\u003e',\n        client_id: 
\"cryptpad\",\n        client_secret: \"\u003cyoursecret\u003e\",\n        jwt_alg: 'PS256'\n    },\n    // Sample Google Configuration\n    {\n        name: 'google',\n        type: 'oidc',\n        url: 'https://accounts.google.com',\n        client_id: \"{your_client_id}\",\n        client_secret: \"{your_client_secret}\",\n        jwt_alg: 'RS256' // optional\n    },\n    // Sample SAML Configuration\n    {\n        name: 'samltest',  \n        type: 'saml',\n        url: 'https://samltest.id/idp/profile/SAML2/Redirect/SSO',\n        issuer: 'your-cryptpad-issuer-id',\n        cert: fs.readFileSync(\"./your/cert/location\", \"utf-8\"), // or the certificate as a String\n        privateKey: fs.readFileSync(\"./your/private/key/location\", \"utf-8\"),\n        signingCert: fs.readFileSync(\"./your/signing/cert/location\", \"utf-8\"),\n    }\n    */\n    ]\n};\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcryptpad%2Fsso","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcryptpad%2Fsso","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcryptpad%2Fsso/lists"}