A simple LDAP SSO for NGINX, written in Lua.

• Please report issues to the YunoHost bugtracker.

• nginx-extras from Debian wheezy-backports
• lua-json
• lua-ldap
• lua-filesystem
• lua-socket
• lua-rex-pcre

OR

• "OpenResty" flavored NGINX: https://openresty.org/
• lua-ldap
• lua-filesystem
• lua-socket
• lua-rex-pcre

• Fetch the repository

git clone https://github.com/YunoHost/SSOwat /etc/ssowat

• Add SSOwat's NGINX configuration (http{} scope)

nano /etc/nginx/conf.d/ssowat.conf

lua_shared_dict cache 10m;
init_by_lua_file   /etc/ssowat/init.lua;
access_by_lua_file /etc/ssowat/access.lua;

You can also put the access_by_lua_file directive in a server{} scope if you want to protect only a vhost.

mv /etc/ssowat/conf.json.example /etc/ssowat/conf.json
nano /etc/ssowat/conf.json

If you use YunoHost, you may want to edit the /etc/ssowat/conf.json.persistent file, since the /etc/ssowat/conf.json will often be overwritten.

Only the portal_domain SSOwat configuration parameters is required, but it is recommended to know the others to fully understand what you can do with it.

Domain of the authentication portal. It has to be a domain, IP addresses will not work with SSOwat (Required).

URI of the authentication portal (default: /ssowat/). This path must end with “/”.

Web port of the authentication portal (default: 443 for https, 80 for http).

Whether authentication should use secure connection or not (default: https).

List of handled domains (default: similar to portal_domain).

LDAP server hostname (default: localhost).

LDAP group to search in (default: ou=users,dc=yunohost,dc=org).

LDAP user identifier (default: uid).

User's attributes to fetch from LDAP (default: ["uid", "givenname", "sn", "cn", "homedirectory", "mail", "maildrop"]).

Let SSOwat re-encrypt weakly-encrypted LDAP passwords into the safer sha-512 (crypt) (default: true).

Whether users can authenticate with their mail address (default: true).

URI argument to use for cross-domain authentication (default: sso_login).

Array of additionnal HTTP headers to set once user is authenticated (default: { "Remote-User": "uid" }).

The session expiracy time limit in seconds, since the last connection (default: 86400 / one day).

The session expiracy time limit in seconds (default: 604800 / one week).

Array of URLs and/or URIs to redirect and their redirect URI/URL (example: { "/": "example.org/subpath" }).

Array of regular expressions to be matched against URLs and URIs and their redirect URI/URL (example: { "example.org/megusta$": "example.org/subpath" }).

Language code used by default in views (default: en).

The list of permissions depicted as follows:

"myapp.main": {
    "auth_header": true,
    "label": "MyApp",
    "public": true,
    "show_tile": true,
    "uris": [
        "example.tld/myapp"
    ],
    "users": [
        "JaneDoe",
        "JohnDoe"
    ]
},
"myapp.admin": {
    "auth_header": true,
    "label": "MyApp (admin)",
    "public": false,
    "show_tile": false,
    "uris": [
        "example.tld/myapp/admin"
    ],
    "users": [
        "JaneDoe"
    ]
},
"myapp.api": {
    "auth_header": false,
    "label": "MyApp (api)",
    "public": true,
    "show_tile": false,
    "uris": [
        "re:domain%.tld/%.well%-known/.*"
    ],
    "users": []
}

Does the SSO add an authentication header that allows certain apps to connect automatically? (True by default)

A user-friendly name displayed in the portal and in the administration panel to manage permission. (By convention it is of the form: Name of the app (specificity of this permission))

Can a person who is not connected to the SSO have access to this authorization?

Display or not the tile in the user portal.

A list of url attatched to this permission, a regex url start with re:.

A list of users which is allowed to access to this permission. If public.