Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/YunoHost/SSOwat
A simple SSO for NGINX, written in Lua
https://github.com/YunoHost/SSOwat
authentication-portal ldap lua nginx-module sso yunohost
Last synced: 21 days ago
JSON representation
A simple SSO for NGINX, written in Lua
- Host: GitHub
- URL: https://github.com/YunoHost/SSOwat
- Owner: YunoHost
- License: agpl-3.0
- Created: 2013-10-15T08:12:10.000Z (over 10 years ago)
- Default Branch: dev
- Last Pushed: 2024-05-19T22:43:52.000Z (about 2 months ago)
- Last Synced: 2024-05-19T23:27:39.146Z (about 2 months ago)
- Topics: authentication-portal, ldap, lua, nginx-module, sso, yunohost
- Language: Lua
- Homepage:
- Size: 2.01 MB
- Stars: 231
- Watchers: 31
- Forks: 71
- Open Issues: 2
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Lists
- awesome-starred - YunoHost/SSOwat - A simple SSO for NGINX, written in Lua (lua)
- awesome-stars - SSOwat
README
SSOwat
======A simple LDAP SSO for NGINX, written in Lua.
Issues
------- [Please report issues to the YunoHost bugtracker](https://github.com/YunoHost/issues).
Requirements
------------- `nginx-extras` from Debian wheezy-backports
- `lua-json`
- `lua-ldap`
- `lua-filesystem`
- `lua-socket`
- `lua-rex-pcre`**OR**
- "OpenResty" flavored NGINX: https://openresty.org/
- `lua-ldap`
- `lua-filesystem`
- `lua-socket`
- `lua-rex-pcre`Installation
------------* Fetch the repository
```bash
git clone https://github.com/YunoHost/SSOwat /etc/ssowat
```NGINX configuration
-------------------* Add SSOwat's NGINX configuration (`http{}` scope)
```bash
nano /etc/nginx/conf.d/ssowat.conf
``````nginx
lua_shared_dict cache 10m;
init_by_lua_file /etc/ssowat/init.lua;
access_by_lua_file /etc/ssowat/access.lua;```
You can also put the `access_by_lua_file` directive in a `server{}` scope if you want to protect only a vhost.
SSOwat configuration
--------------------```
mv /etc/ssowat/conf.json.example /etc/ssowat/conf.json
nano /etc/ssowat/conf.json
```If you use YunoHost, you may want to edit the `/etc/ssowat/conf.json.persistent` file, since the `/etc/ssowat/conf.json` will often be overwritten.
## Available parameters
Only the `portal_domain` SSOwat configuration parameters is required, but it is recommended to know the others to fully understand what you can do with it.
---------------
### portal_domain
Domain of the authentication portal. It has to be a domain, IP addresses will not work with SSOwat (**Required**).
---------------
### portal_path
URI of the authentication portal (**default**: `/ssowat/`). This path **must** end with “`/`”.
---------------
### portal_port
Web port of the authentication portal (**default**: `443` for `https`, `80` for `http`).
---------------
### portal_scheme
Whether authentication should use secure connection or not (**default**: `https`).
---------------
### domains
List of handled domains (**default**: similar to `portal_domain`).
---------------
### ldap_host
LDAP server hostname (**default**: `localhost`).
---------------
### ldap_group
LDAP group to search in (**default**: `ou=users,dc=yunohost,dc=org`).
---------------
### ldap_identifier
LDAP user identifier (**default**: `uid`).
---------------
### ldap_attributes
User's attributes to fetch from LDAP (**default**: `["uid", "givenname", "sn", "cn", "homedirectory", "mail", "maildrop"]`).
---------------
### ldap_enforce_crypt
Let SSOwat re-encrypt weakly-encrypted LDAP passwords into the safer sha-512 (crypt) (**default**: `true`).
---------------
### allow_mail_authentication
Whether users can authenticate with their mail address (**default**: `true`).
---------------
### login_arg
URI argument to use for cross-domain authentication (**default**: `sso_login`).
---------------
### additional_headers
Array of additionnal HTTP headers to set once user is authenticated (**default**: `{ "Remote-User": "uid" }`).
---------------
### session_timeout
The session expiracy time limit in seconds, since the last connection (**default**: `86400` / one day).
---------------
### session_max_timeout
The session expiracy time limit in seconds (**default**: `604800` / one week).
---------------
### redirected_urls
Array of URLs and/or URIs to redirect and their redirect URI/URL (**example**: `{ "/": "example.org/subpath" }`).
---------------
### redirected_regex
Array of regular expressions to be matched against URLs **and** URIs and their redirect URI/URL (**example**: `{ "example.org/megusta$": "example.org/subpath" }`).
---------------
### default_language
Language code used by default in views (**default**: `en`).
---------------
### permissions
The list of permissions depicted as follows:
```json
"myapp.main": {
"auth_header": true,
"label": "MyApp",
"public": true,
"show_tile": true,
"uris": [
"example.tld/myapp"
],
"users": [
"JaneDoe",
"JohnDoe"
]
},
"myapp.admin": {
"auth_header": true,
"label": "MyApp (admin)",
"public": false,
"show_tile": false,
"uris": [
"example.tld/myapp/admin"
],
"users": [
"JaneDoe"
]
},
"myapp.api": {
"auth_header": false,
"label": "MyApp (api)",
"public": true,
"show_tile": false,
"uris": [
"re:domain%.tld/%.well%-known/.*"
],
"users": []
}
```#### auth_header
Does the SSO add an authentication header that allows certain apps to connect automatically? (**True by default**)
#### label
A user-friendly name displayed in the portal and in the administration panel to manage permission. (**By convention it is of the form: Name of the app (specificity of this permission)**)
#### public
Can a person who is not connected to the SSO have access to this authorization?
#### show_tile
Display or not the tile in the user portal.
#### uris
A list of url attatched to this permission, a regex url start with `re:`.
#### users
A list of users which is allowed to access to this permission. If `public`.