dani
/
lemonldap-ng
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Doc & Typos

This commit is contained in:
Christophe Maudoux 2022-03-03 22:29:45 +01:00
parent e5415338cb
commit 20c4773065
3 changed files with 64 additions and 63 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
doc/sources/admin/authopenidconnect.rst
View File

@ -20,15 +20,15 @@ LL::NG can act as an OpenID Connect Relying Party (RP) towards multiple
OpenID Connect Providers (OP). It will get the user identity through an
ID Token, and grab user attributes through UserInfo endpoint.
As an RP, LL::NG supports a lot of OpenID Connect features:
As an RP, LL::NG supports many OpenID Connect features:
- Authorization Code flow
- Authorization Code, Implicit and Hybrid flows
- Automatic download of JWKS
- JWT signature verification
- Access Token Hash verification
- ID Token validation
- Get UserInfo as JSON or as JWT
- Logout on EndSession end point
- Logout on EndSession endpoint
You can use this authentication module to link your LL::NG server to any
OpenID Connect Provider. Here are some examples, with their specific
@ -60,11 +60,11 @@ Google France Connect Pro Santé Connect
.. attention::
OpenID Connect specification is not finished for logout
propagation. So logout initiated by relaying-party will be forward to
OpenID Connect specification is not achieved for logout propagation.
So logout initiated by relaying-party will be forwarded to
OpenID Connect provider but logout initiated by the provider (or another
RP) will not be propagated. LLNG will implement this when spec will be
published.
RP) will not be propagated. LL::NG will implement this when specification
is published.
Configuration
-------------
@ -93,11 +93,11 @@ In ``General Parameters`` > ``Authentication modules``, set:
.. attention::
Browser implementations of formAction directive are
inconsistent (e.g. Firefox doesn't block the redirects whereas Chrome
inconsistent (e.g. Firefox does not block the redirects whereas Chrome
does). Administrators may have to modify formAction value with wildcard
likes \*.
In Manager, go in :
In Manager, go in:
``General Parameters`` > ``Advanced Parameters`` > ``Security`` >
``Content Security Policy`` > ``Form destination``
@ -118,7 +118,7 @@ Register LL::NG to an OpenID Connect Provider
To register LL::NG, you will need to give some information like
application name or logo.
You will be asked to provide a *Redirect URI* for LL::NG, which is constructed
You will be prompted to provide a *Redirect URI* for LL::NG, which is built
by appending the ``openidconnectcallback=1`` parameter to the Portal URL.
For example:

42
doc/sources/admin/idpopenidconnect.rst
View File

@ -51,7 +51,7 @@ IssuerDB
Go in ``General Parameters`` » ``Issuer modules`` » ``OpenID Connect``
and configure:
- **Activation**: set to ``On``
- **Activation**: Set to ``On``
- **Path**: Keep ``^/oauth2/`` unless you need to use another path
- **Use rule**: Rule to allow user to use this module, set to ``1``
to always allow
@ -150,10 +150,10 @@ Configuration of Relying Party in LL::NG
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Go in Manager and click on ``OpenID Connect Relying Parties``, then
click on ``Add OpenID Relying Party``. Give a technical label (no
spaces, no special characters), like “sample-rp”;
click on ``Add OpenID Relying Party``. Set a technical name
(without space or special character), like “sample-rp”;
You can then access to the configuration of this RP.
You can then set this RP configuration.
.. _oidcexportedattr:
@ -165,7 +165,7 @@ Exported attributes
By default, only `standard OpenID Connect claims <http://openid.net/specs/openid-connect-core-1_0.html#StandardClaims>`__
are exposed to applications. If you want to add non-standard attributes, you have to create a new scope in the *Scope values content* section and your application must request it.
For each OpenID Connect attribute you want to release to applications, you can define:
For each OpenID Connect attribute you want to expose to applications, you can define:
* **Claim name**: Name of the attribute as it will appear in Userinfo responses
* **Variable name**: Name of the LemonLDAP::NG session variable containing the attribute value
@ -225,7 +225,7 @@ be able to read the ``company`` and ``position`` attributes from the UserInfo en
.. _oidcscoperules:
Scope Rules
Scope rules
^^^^^^^^^^^
.. versionadded:: 2.0.12
@ -347,6 +347,22 @@ Options
- **Type**: Type of logout to perform (only Front-Channel is implemented for now)
- **Session required**: Whether to send the Session ID in the logout request
Macros
^^^^^^
You can define here macros that will be only evaluated for this service,
and not registered in the session of the user.
Display
^^^^^^^
- **Display name**: Name of the RP application
- **Logo**: Logo of the RP application
.. |beta| image:: /documentation/beta.png
Access Rule extra variables
^^^^^^^^^^^^^^^^^^^^^^^^^^^
@ -398,17 +414,3 @@ mapped to **Exported Attributes** and **Extra Claims**.
.. seealso::
Specification for the Client Credentials Grant: :rfc:`6749#section-4.4`
Macros
^^^^^^
You can define here macros that will be only evaluated for this service,
and not registered in the session of the user.
Display
^^^^^^^
- **Display name**: Name of the RP application
- **Logo**: Logo of the RP application
.. |beta| image:: /documentation/beta.png

65
doc/sources/admin/writingrulesand_headers.rst
View File

@ -1,10 +1,10 @@
Writing rules and headers
=========================
Lemonldap::NG manages applications by their hostname (Apache's
virtualHosts). Rules are used to protect applications, headers are HTTP
headers added to the request to give datas to the application (for logs,
profiles,...).
LL::NG manages applications by their hostname (Apache's
Virtual Hosts or Nginx Block Servers). Rules are used for protecting applications,
and HTTP headers are appended to each request for sending datas to protected
applications (for logs, profiles,...).
.. attention::
@ -12,12 +12,12 @@ profiles,...).
Note that variables designed by $xx correspond to the
name of the :doc:`exported variables<exportedvars>` or
:ref:`macro names<macros_and_groups>` except for ``$ENV{<cgi-header>}`` which
correspond to CGI header (``$ENV{REMOTE_ADDR}`` for example).
correspond to CGI headers (``$ENV{REMOTE_ADDR}`` for example).
Available $ENV variables
------------------------
The %ENV table provides:
The %ENV hash provides:
- all headers in CGI format (``User-Agent`` becomes
``HTTP_USER_AGENT``)
@ -30,7 +30,7 @@ The %ENV table provides:
- For Nginx handler: all variables given by ``fastcgi_param``
commands.
- For portal:
- For Portal:
- $ENV{urldc} : Origin URL before Handler redirection, in cleartext
- $ENV{_url} : Origin URL before Handler redirection, base64 encoded
@ -62,29 +62,28 @@ Makes authentication optional, but authenticated users are seen as such (that is
Restrict access to the whole site to users that have the LDAP description field set to "LDAP administrator" (must be set in exported variables) default
=============================================================================================================================================== ================== ======================================
The "**default**" access rule is used if no other access rule match the
The "**default**" access rule is used if none rule matches the
current URL.
.. tip::
See :doc:`the rules examples page<rules_examples>` for a few
See :doc:`the rule examples page<rules_examples>` for few
common use cases
.. tip::
- Comments can be used to order your rules: rules are applied in the
alphabetical order of comment (or regexp in there is no comment). See
- Comments can be employed for ordering your rules: rules are applied depending on
comment alphabetical order (or regexp if no comment is defined). See
:ref:`security chapter<security-write-good-rules>` to learn more
about writing good rules.
- See :ref:`performances<performances-handler-performance>` to know how
to use macros and groups in rules.
about rules best practice.
- See :ref:`performances<performances-handler-performance>` to learn how
using macros and groups in rules.
Rules can also be used to intercept logout URL:
Rules can also be used for intercepting logout URL:
================================================================================================================= =================== =====================================
Goal Regular expression Rule
@ -98,24 +97,24 @@ Logout user from current application and from Lemonldap::NG and redirect it to h
.. danger::
\ ``logout_app`` and ``logout_app_sso`` rules are not
available on Nginx, only on Apache.
available with Nginx, Apache ONLY.
By default, user will be redirected on portal if no URL defined, or on
the specified URL if any.
By default, users will be redirected to the Portal if no URL is defined,
or to the specified URL if exists.
.. attention::
Only current application is concerned by logout_app\*
targets. Be careful with some applications which doesn't verify
Lemonldap::NG headers after having created their own cookies. If so, you
can redirect users to a HTML page that explain that it is safe to close
browser after disconnect.
targets. Be careful with some applications which does not check
headers sent by LL::NG after having created their own application cookies.
If so, you can redirect users to a HTML page that explain that it is better
to close browser after logout.
Rules based on authentication level
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
LLNG set an "authentication level" during authentication process. This
LL::NG set an "authentication level" during authentication process. This
level depends on authentication backend used by this user. Default
values are:
@ -142,8 +141,8 @@ There are three ways to impose users a higher authentication level:
.. tip::
Instead of returning a 403 code, "minimum level" returns user
to a form that explain that a higher level is required and propose to
Instead of returning a 403 code, "minimum level" returns users
to a form that explains that a higher level is required and propose to
reauthenticate himself.
.. _headers:
@ -152,8 +151,8 @@ Headers
-------
Headers are associations between an header name and a perl expression
that returns a string. Headers are used to give user data to the
application.
that returns a value. Headers are used for sending user data to protected
applications.
Examples:
@ -175,7 +174,7 @@ use macros, local macros,...
- Since many HTTP servers refuse non ascii headers, it is recommended
to use encode_base64() function to transmit those headers
- Don't forget to add an empty string as second argument to
- Do not forget to add an empty string as second argument to
encode_base64 function to avoid a "newline" characters insertion in
result
- Header names must contain only letters and "-" character.
@ -189,7 +188,7 @@ use macros, local macros,...
By default, SSO cookie is hidden. So protected applications
cannot retrieve SSO session key. But you can forward this key if
absolutely needed:
absolutely needed (NOT recommanded because can be a security issue):
::
@ -203,7 +202,7 @@ Available functions
In addition to macros and name, you can use some functions in rules and
headers:
- :doc:`LLNG extended functions<extendedfunctions>`
- :doc:`LL::NG extended functions<extendedfunctions>`
- :doc:`Your custom functions<customfunctions>`
Wildcards in hostnames
@ -215,8 +214,8 @@ aliases !): ``*.example.com`` matches all hostnames that belong to
wildcards such as ``test-*.example.com`` or ``test-%.example.com``. The
``%`` wilcard doesn't match subdomains.
Even if a wildcard exists, if a virtualhost is explicitly declared, this
rule is applied. Example with precedence order for test.sub.example.com:
Even if a wildcard exists, if a VirtualHost is explicitly declared, this
rule will be applied. Example with precedence order for test.sub.example.com:
#. test.sub.example.com
#. test%.sub.example.com