<!DOCTYPE html>
<html lang="en" dir="ltr">
<head>
<meta charset="utf-8" />
<title>documentation:2.0:ssoaas</title>
<meta name="generator" content="DokuWiki" />
<meta name="robots" content="noindex,nofollow" />
<meta name="keywords" content="documentation,2.0,ssoaas" />
<link rel="search" type="application/opensearchdescription+xml" href="lib/exe/opensearch.html" title="LemonLDAP::NG" />
<link rel="start" href="ssoaas.html" />
<link rel="contents" href="ssoaas.html" title="Sitemap" />
<link rel="stylesheet" type="text/css" href="lib/exe/css.php.t.bootstrap3.css" />
<!-- //if:usedebianlibs
<link rel="stylesheet" type="text/css" href="/javascript/bootstrap/css/bootstrap.min.css" />
//elsif:useexternallibs
<link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css" />
//elsif:cssminified
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.min.css" />
//else -->
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.css" />
<!-- //endif -->
<script type="text/javascript">/*<![CDATA[*/var NS='documentation:2.0';var JSINFO={"id":"documentation:2.0:ssoaas","namespace":"documentation:2.0"};
/*!]]>*/</script>
<script type="text/javascript" charset="utf-8" src="lib/exe/js.php.t.bootstrap3.js"></script>
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery/jquery.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/jquery-2.2.0.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.js"></script>
<!-- //endif -->
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery-ui/jquery-ui.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/ui/1.10.4/jquery-ui.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.js"></script>
<!-- //endif -->
</head>
<body>
<div class="dokuwiki export container">
<!-- TOC START -->
<div id="dw__toc">
<h3 class="toggle">Table of Contents</h3>
<div>
<ul class="toc">
<li class="level1"><div class="li"><a href="#our_concept_of_ssoaas">Our concept of SSOaaS</a></div></li>
<li class="level1"><div class="li"><a href="#using_front_reverse-proxies">Using front reverse-proxies</a></div></li>
<li class="level1"><div class="li"><a href="#using_a_global_fastcgi_or_uwsgi_server">Using a global FastCGI (or uWSGI) server</a></div></li>
</ul>
</div>
</div>
<!-- TOC END -->
<h1 class="sectionedit1" id="sso_as_a_service_ssoaas">SSO as a service (SSOaaS)</h1>
<div class="level1">
</div>
<!-- EDIT1 SECTION "SSO as a service (SSOaaS)" [1 - 41] -->
<h2 class="sectionedit2" id="our_concept_of_ssoaas">Our concept of SSOaaS</h2>
<div class="level2">
<p>
Access management provides 3 services:
</p>
<ul>
<li class="level1"><div class="li">Global authentication: Single Sign-On</div>
</li>
<li class="level1"><div class="li">Authorization check: authentication isn't enough, user rights must be checked</div>
</li>
<li class="level1"><div class="li">Accounting: <abbr title="Single Sign On">SSO</abbr> logs + application logs <em>(transactions and results)</em></div>
</li>
</ul>
<p>
LLNG provides all these services (except application logs of course, but headers are provided to permit this). Headers are another LLNG service: LLNG can provide any user attributes to the application <em>(see <a href="writingrulesand_headers.html" class="wikilink1" title="documentation:2.0:writingrulesand_headers">Rules and headers</a>)</em>.
</p>
<p>
<code>*aaS</code> means that the application can drive the underlying layer (IaaS for infrastructure, PaaS for platform,…). So for us, <code>SSOaaS</code> must provide the ability for an app to manage authorizations and to get user attributes. Authentication can't really be “*aaS”: the app must not drive it, only consume it.
</p>
<p>
LLNG provides some features that can be used to provide <abbr title="Single Sign On">SSO</abbr> as a service: a web application can drive its rules and headers. Docker or VM images (Nginx only) include an LLNG Nginx configuration that points to a global <a href="platformsoverview.html#external_servers_for_nginx" class="wikilink1" title="documentation:2.0:platformsoverview">LLNG authorization server</a>. By default, all authenticated users can access the application and one header is set: <code>Auth-User</code>. If the application gives a RULES_<abbr title="Uniform Resource Locator">URL</abbr> parameter that points to a JSON file, the authorization server will read it, apply the given rules and set the requested headers <em>(see <a href="devopshandler.html" class="wikilink1" title="documentation:2.0:devopshandler">DevOps Handler</a>)</em>.
</p>
<p>
Two architectures to do it:
</p>
<ul>
<li class="level1"><div class="li">Using a global FastCGI (or uWSGI) server</div>
</li>
<li class="level1"><div class="li">Using front reverse-proxies <em>(some cloud installations use reverse-proxies in front of the cloud)</em></div>
</li>
</ul>
<p>
In both cases, the Handler type must be set to <a href="devopshandler.html" class="wikilink1" title="documentation:2.0:devopshandler">DevOps</a>.
</p>
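<p>
Because the application itself publishes the rules file that the authorization server enforces, a broken file (a regex that does not compile, a missing default rule, a malformed header name) becomes an access-control problem rather than a syntax error. The following Python script is an added example, not part of LLNG or of this page: it checks a <code>rules.json</code> before it is deployed. It assumes the DevOps handler layout of a <code>rules</code> object (URI regex to access rule) and a <code>headers</code> object (header name to expression); the sample document, the <code>validate_rules</code> and <code>matching_rule</code> functions and the rule evaluation order are all constructed for this demo.
</p>

```python
"""Pre-deployment checks for a LemonLDAP::NG DevOps handler rules file.

Added example (not LLNG code). Assumes the rules.json layout used by the
DevOps handler: {"rules": {regex: expression, ...}, "headers": {name: expression, ...}}.
"""
import json
import re

# Constructed sample rules.json for this demo (not from the original page).
SAMPLE_RULES_JSON = """
{
  "rules": {
    "^/admin": "$uid eq 'admin'",
    "^/logout": "logout_sso",
    "default": "accept"
  },
  "headers": {
    "Auth-User": "$uid",
    "Auth-Mail": "$mail"
  }
}
"""

# RFC 7230 "token" characters: the only characters allowed in a header field name.
_HEADER_TOKEN = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")


def validate_rules(document: str) -> list:
    """Return a list of problems found in a rules.json document (empty = OK).

    Checks performed:
      * top level is an object holding "rules" and "headers" objects
      * every rule key except "default" compiles as a regular expression
        (Python's re is used as an approximation of the Perl regex engine)
      * a "default" rule exists, so no URI is left without an explicit decision
      * header names are syntactically valid HTTP field names
      * no rule or header carries an empty expression
    """
    problems = []
    try:
        data = json.loads(document)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc}"]
    if not isinstance(data, dict):
        return ["top level must be an object"]

    rules = data.get("rules")
    if not isinstance(rules, dict):
        problems.append('"rules" must be an object')
        rules = {}
    for pattern, expr in rules.items():
        if pattern != "default":
            try:
                re.compile(pattern)
            except re.error as exc:
                problems.append(f'rule "{pattern}" is not a valid regex: {exc}')
        if not isinstance(expr, str) or not expr.strip():
            problems.append(f'rule "{pattern}" has an empty expression')
    if "default" not in rules:
        problems.append('no "default" rule: unmatched URIs have no explicit decision')

    headers = data.get("headers")
    if not isinstance(headers, dict):
        problems.append('"headers" must be an object')
        headers = {}
    for name, expr in headers.items():
        if not _HEADER_TOKEN.match(name):
            problems.append(f'header name "{name}" is not a valid HTTP field name')
        if not isinstance(expr, str) or not expr.strip():
            problems.append(f'header "{name}" has an empty expression')
    return problems


def matching_rule(document: str, uri: str) -> str:
    """Return the rule key whose regex matches `uri`, or "default".

    Non-default patterns are tried in sorted order with "default" last. That
    ordering is an assumption of this demo, not a statement about the handler.
    """
    rules = json.loads(document)["rules"]
    for pattern in sorted(k for k in rules if k != "default"):
        if re.search(pattern, uri):
            return pattern
    return "default"


if __name__ == "__main__":
    print("problems:", validate_rules(SAMPLE_RULES_JSON))
    for path in ("/admin/users", "/index.html", "/logout"):
        print(path, "->", matching_rule(SAMPLE_RULES_JSON, path))
```

<p>
Run the script against the file an application is about to expose at <code>/rules.json</code>; a non-empty problem list means the authorization server would be handed a file it cannot enforce as intended.
</p>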
</div>
<!-- EDIT2 SECTION "Our concept of SSOaaS" [42 - 1689] -->
<h2 class="sectionedit3" id="using_front_reverse-proxies">Using front reverse-proxies</h2>
<div class="level2">
<p>
Here is a simple Nginx configuration file. It looks like a standard LLNG Nginx configuration file except that:
</p>
<ul>
<li class="level1"><div class="li">the VHOSTTYPE parameter forces the use of the DevOps handler</div>
</li>
<li class="level1"><div class="li">/rules.json must not be protected by LLNG but by the web server itself</div>
</li>
</ul>
<p>
This configuration handles <code>*.dev.sso.my.domain</code> services and forwards authenticated requests to <code>&lt;vhost&gt;.internal.domain</code>. Rules can be defined in the root of the website in the file <code>/rules.json</code>.
</p>
<dl class="file">
<dt><a href="_export/code/documentation/2.0/ssoaas/codeblock.0.code" title="Download Snippet" class="mediafile mf_conf">test-nginx.conf</a></dt>
<dd><pre class="code file nginx">server {
  server_name "~^(?&lt;vhost&gt;.+?)\.dev\.sso\.my\.domain$";
  location = /lmauth {
    internal;
    include /etc/nginx/fastcgi_params;
    fastcgi_pass unix:/home/xavier/dev/lemonldap/e2e-tests/conf/llng-fastcgi.sock;
    # Force handler type:
    fastcgi_param VHOSTTYPE DevOps;
    # Drop POST data
    fastcgi_pass_request_body off;
    fastcgi_param CONTENT_LENGTH "";
    # Keep original hostname
    fastcgi_param HOST $http_host;
    # Keep original request URI (the LLNG server itself only receives /lmauth)
    fastcgi_param X_ORIGINAL_URI $request_uri;
  }
  # Rules file: protected by the web server, not by LLNG
  location /rules.json {
    auth_request off;
    allow 127.0.0.0/8;
    deny all;
  }
  location / {
    auth_request /lmauth;
    auth_request_set $lmremote_user $upstream_http_lm_remote_user;
    auth_request_set $lmlocation $upstream_http_location;
    error_page 401 $lmlocation;
    include /etc/lemonldap-ng/nginx-lua-headers.conf;
    proxy_pass https://$vhost.internal.domain;
  }
}</pre>
</dd></dl>
</div>
<!-- EDIT3 SECTION "Using front reverse - proxies" [1690 - 3166] -->
<h2 class="sectionedit4" id="using_a_global_fastcgi_or_uwsgi_server">Using a global FastCGI (or uWSGI) server</h2>
<div class="level2">
<p>
In this example, web server templates (Nginx only) are configured to ask a central FastCGI server for authorization.
</p>
<dl class="file">
<dt><a href="_export/code/documentation/2.0/ssoaas/codeblock.1.code" title="Download Snippet" class="mediafile mf_conf">test-nginx.conf</a></dt>
<dd><pre class="code file nginx">server {
  server_name myapp.domain.com;
  location = /lmauth {
    internal;
    include /etc/nginx/fastcgi_params;
    # Central FastCGI server:
    fastcgi_pass 10.1.2.3:9090;
    # Force handler type:
    fastcgi_param VHOSTTYPE DevOps;
    # Drop POST data
    fastcgi_pass_request_body off;
    fastcgi_param CONTENT_LENGTH "";
    # Keep original hostname
    fastcgi_param HOST $http_host;
    # Keep original request URI (the LLNG server itself only receives /lmauth)
    fastcgi_param X_ORIGINAL_URI $request_uri;
    # Set rules dynamically (LLNG polls this URL every 10 min)
    fastcgi_param RULES_URL http://rulesserver/my.json;
  }
  # Rules file: only the central authorization server may read it
  location /rules.json {
    auth_request off;
    allow 10.1.2.3;
    deny all;
  }
  location ~ ^(.*\.php)$ {
    auth_request /lmauth;
    auth_request_set $lmremote_user $upstream_http_lm_remote_user;
    auth_request_set $lmlocation $upstream_http_location;
    error_page 401 $lmlocation;
    include /etc/lemonldap-ng/nginx-lua-headers.conf;
    ...
    # Example with php-fpm:
    include snippets/fastcgi-php.conf;
    fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
  }
  location / {
    try_files $uri $uri/ =404;
  }
}</pre>
</dd></dl>
</div>
<!-- EDIT4 SECTION "Using a global FastCGI (or uWSGI) server" [3167 - ] --></div>
</body>
</html>