You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
170 lines
6.5 KiB
170 lines
6.5 KiB
<!DOCTYPE html>
|
|
<html lang="en" dir="ltr">
|
|
<head>
|
|
<meta charset="utf-8" />
|
|
<title>documentation:2.0:ssoaas</title>
|
|
<meta name="generator" content="DokuWiki"/>
|
|
<meta name="robots" content="noindex,nofollow"/>
|
|
<meta name="keywords" content="documentation,2.0,ssoaas"/>
|
|
<link rel="search" type="application/opensearchdescription+xml" href="lib/exe/opensearch.html" title="LemonLDAP::NG"/>
|
|
<link rel="start" href="ssoaas.html"/>
|
|
<link rel="contents" href="ssoaas.html" title="Sitemap"/>
|
|
<link rel="stylesheet" type="text/css" href="lib/exe/css.php.t.bootstrap3.css"/>
|
|
<!-- //if:usedebianlibs
|
|
<link rel="stylesheet" type="text/css" href="/javascript/bootstrap/css/bootstrap.min.css" />
|
|
//elsif:useexternallibs
|
|
<link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css"></script>
|
|
//elsif:cssminified
|
|
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.min.css" />
|
|
//else -->
|
|
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.css" />
|
|
<!-- //endif -->
|
|
<script type="text/javascript">/*<![CDATA[*/var NS='documentation:2.0';var JSINFO = {"id":"documentation:2.0:ssoaas","namespace":"documentation:2.0"};
|
|
/*!]]>*/</script>
|
|
<script type="text/javascript" charset="utf-8" src="lib/exe/js.php.t.bootstrap3.js"></script>
|
|
<!-- //if:usedebianlibs
|
|
<script type="text/javascript" src="/javascript/jquery/jquery.min.js"></script>
|
|
//elsif:useexternallibs
|
|
<script type="text/javascript" src="http://code.jquery.com/jquery-2.2.0.min.js"></script>
|
|
//elsif:jsminified
|
|
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.min.js"></script>
|
|
//else -->
|
|
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.js"></script>
|
|
<!-- //endif -->
|
|
<!-- //if:usedebianlibs
|
|
<script type="text/javascript" src="/javascript/jquery-ui/jquery-ui.min.js"></script>
|
|
//elsif:useexternallibs
|
|
<script type="text/javascript" src="http://code.jquery.com/ui/1.10.4/jquery-ui.min.js"></script>
|
|
//elsif:jsminified
|
|
<script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.min.js"></script>
|
|
//else -->
|
|
<script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.js"></script>
|
|
<!-- //endif -->
|
|
</head>
|
|
<body>
|
|
<div class="dokuwiki export container">
|
|
|
|
<h1 class="sectionedit1" id="sso_as_a_service_ssoaas">SSO as a service (SSOaaS)</h1>
|
|
<div class="level1">
|
|
|
|
<p>
|
|
LLNG provides some features that can be used to provide <abbr title="Single Sign On">SSO</abbr> as a service. Two possibility to do it:
|
|
</p>
|
|
<ul>
|
|
<li class="level1"><div class="li"> Using front reverse-proxies</div>
|
|
</li>
|
|
<li class="level1"><div class="li"> Using a global FastCGI (or uWSGI) server</div>
|
|
</li>
|
|
</ul>
|
|
|
|
<p>
|
|
In both case, Handler type must be set to <a href="devopshandler.html" class="wikilink1" title="documentation:2.0:devopshandler">DevOps</a>.
|
|
</p>
|
|
|
|
</div>
|
|
<!-- EDIT1 SECTION "SSO as a service (SSOaaS)" [1-288] -->
|
|
<h2 class="sectionedit2" id="using_front_reverse-proxies">Using front reverse-proxies</h2>
|
|
<div class="level2">
|
|
|
|
<p>
|
|
Here is a simple Nginx configuration file. It looks like a standard LLNG nginx configuration file except that:
|
|
</p>
|
|
<ul>
|
|
<li class="level1"><div class="li"> VHOSTTYPE parameter force to use DevOps handler</div>
|
|
</li>
|
|
<li class="level1"><div class="li"> /rules.json nust not be protected by LLNG but by the web server itself</div>
|
|
</li>
|
|
</ul>
|
|
|
|
<p>
|
|
This configuration handles <code>*.dev.sso.my.domain</code> services and forward authenticated requests to <code><vhost>.internal.domain</code>. Rules can be defined in the root of the website in the file <code>/rules.json</code>.
|
|
</p>
|
|
<dl class="file">
|
|
<dt><a href="_export/code/documentation/2.0/ssoaas/codeblock.0.code" title="Download Snippet" class="mediafile mf_conf">test-nginx.conf</a></dt>
|
|
<dd><pre class="code file nginx">server {
|
|
server_name "~^(?<vhost>.+?)\.dev\.sso\.my\.domain$";
|
|
location = /lmauth {
|
|
internal;
|
|
include /etc/nginx/fastcgi_params;
|
|
fastcgi_pass unix:/home/xavier/dev/lemonldap/e2e-tests/conf/llng-fastcgi.sock;
|
|
# Force handler type:
|
|
fastcgi_param VHOSTTYPE DevOps;
|
|
# Drop post datas
|
|
fastcgi_pass_request_body off;
|
|
fastcgi_param CONTENT_LENGTH "";
|
|
# Keep original hostname
|
|
fastcgi_param HOST $http_host;
|
|
# Keep original request (LLNG server will received /llauth)
|
|
fastcgi_param X_ORIGINAL_URI $request_uri;
|
|
}
|
|
location /rules.json {
|
|
auth_request off;
|
|
allow 127.0.0.0/8;
|
|
deny all;
|
|
}
|
|
location / {
|
|
auth_request /lmauth;
|
|
auth_request_set $lmremote_user $upstream_http_lm_remote_user;
|
|
auth_request_set $lmlocation $upstream_http_location;
|
|
error_page 401 $lmlocation;
|
|
include /etc/lemonldap-ng/nginx-lua-headers.conf;
|
|
proxy_pass https://$vhost.internal.domain;
|
|
}
|
|
}</pre>
|
|
</dd></dl>
|
|
|
|
</div>
|
|
<!-- EDIT2 SECTION "Using front reverse-proxies" [289-1765] -->
|
|
<h2 class="sectionedit3" id="using_a_global_fastcgi_or_uwsgi_server">Using a global FastCGI (or uWSGI) server</h2>
|
|
<div class="level2">
|
|
|
|
<p>
|
|
In this example, web server templates (Nginx only) are configured to ask authorization to a central FastCGI server
|
|
</p>
|
|
<dl class="file">
|
|
<dt><a href="_export/code/documentation/2.0/ssoaas/codeblock.1.code" title="Download Snippet" class="mediafile mf_conf">test-nginx.conf</a></dt>
|
|
<dd><pre class="code file nginx">server {
|
|
server_name myapp.domain.com;
|
|
location = /lmauth {
|
|
internal;
|
|
include /etc/nginx/fastcgi_params;
|
|
# Central FastCGI server:
|
|
fastcgi_pass 10.1.2.3:9090;
|
|
fastcgi_param VHOSTTYPE DevOps;
|
|
# Drop post datas
|
|
fastcgi_pass_request_body off;
|
|
fastcgi_param CONTENT_LENGTH "";
|
|
# Keep original hostname
|
|
fastcgi_param HOST $http_host;
|
|
# Keep original request (LLNG server will received /llauth)
|
|
fastcgi_param X_ORIGINAL_URI $request_uri;
|
|
|
|
# Set dynamically rules (LLNG will poll it every 10 mn)
|
|
fastcgi_param RULES_URL http://rulesserver/my.json
|
|
}
|
|
location /rules.json {
|
|
auth_request off;
|
|
allow 10.1.2.3;
|
|
deny all;
|
|
}
|
|
location ~ ^(.*\.php)$ {
|
|
auth_request /lmauth;
|
|
auth_request_set $lmremote_user $upstream_http_lm_remote_user;
|
|
auth_request_set $lmlocation $upstream_http_location;
|
|
error_page 401 $lmlocation;
|
|
include /etc/lemonldap-ng/nginx-lua-headers.conf;
|
|
...
|
|
# Example with php-fpm:
|
|
include snippets/fastcgi-php.conf;
|
|
fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
|
|
}
|
|
location / {
|
|
try_files $uri $uri/ =404;
|
|
}
|
|
}</pre>
|
|
</dd></dl>
|
|
|
|
</div>
|
|
<!-- EDIT3 SECTION "Using a global FastCGI (or uWSGI) server" [1766-] --></div>
|
|
</body>
|
|
</html>
|
|
|