worteks
/
lemonldap-ng
mirror of https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng
3
0
Fork 0
Code Issues Projects Releases Wiki Activity
LemonLDAP::NG Web SSO
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
10271 Commits
107 Branches
123 Tags
109 MiB
 
 
 
 
 
Tag: Branch: Tree: adb6526dc9
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'adb6526dc9'
${ noResults }
lemonldap-ng/doc/sources/admin/ssocookie.rst

68 lines
2.3 KiB
Raw Blame History

Single Sign On cookie, domain and portal URL
============================================
SSO cookie
----------
The SSO cookie is built by the portal (as described in the
:ref:`login kinematic<presentation-login>`), or by the
Handler for cross domain authentication (see
:ref:`CDA kinematic<cda>`).
To edit SSO cookie parameters, go in Manager, ``General Parameters`` >
``Cookies``:
- **Cookie name**: name of the cookie, can be changed to avoid
conflicts with other LemonLDAP::NG installations
- **Domain**: validity domain for the cookie (the cookie will not be
sent on other domains)
- **Multiple domains**: enable :doc:`cross domain mechanism<cda>`
(without this, you cannot extend SSO to other domains)
- **Secured cookie**: 4 options:
- **Non secured cookie**: the cookie can be sent over HTTP and HTTPS
connections
- **Secured cookie**: the cookie can only be sent over HTTPS
- **Double cookie**: two cookies are delivered, one for HTTP and
HTTPS connections, the other for HTTPS only
- **Double cookie for single session**: same as double cookie but
only one session is created in session database
- **Javascript protection**: set httpOnly flag, to prevent cookie from
being caught by javascript code
- **Cookie expiration time**: by default, SSO cookie is a session
cookie, which means it will be destroyed when browser is closed. You
can change this behavior by setting a cookie expiration time. It must
be an integer. **Cookie Expiration Time** value is a number of
seconds until the cookie expires. Set a zero value to disable
expiration time and use a session cookie.
.. danger::
When you change cookie expiration time, it is written on
the user hard disk unlike session cookie
.. attention::
Changing the domain value will not update other
configuration parameters, like virtual host names, portal URL, etc. You
have to update them by yourself.
Portal URL
----------
Portal URL is the address used to redirect users on the authentication
portal by:
- **Handler**: user is redirected if he has no SSO cookie (or in
:doc:`CDA<cda>` mode)
- **Portal**: the portal redirect on itself in many cases (credentials
POST, SAML, etc.)
.. danger::
The portal URL **must** be inside SSO domain. If secured
cookie is enabled, the portal URL **must** be HTTPS.