Merge branch 'v2.0'
|
@ -12,7 +12,7 @@
|
|||
.debian_build_job:
|
||||
extends: .build_job
|
||||
script:
|
||||
- apt-get update && apt-get -y dist-upgrade
|
||||
- apt-get update --allow-releaseinfo-change && apt-get -y dist-upgrade
|
||||
- DEBIAN_FRONTEND=noninteractive apt-get -y install tzdata
|
||||
- ci-build-pkg
|
||||
before_script:
|
||||
|
@ -49,6 +49,10 @@ build_buster:
|
|||
extends: .debian_build_job
|
||||
image: buildpkg/debian:buster
|
||||
|
||||
build_bullseye:
|
||||
extends: .debian_build_job
|
||||
image: buildpkg/debian:bullseye
|
||||
|
||||
#build_xenial:
|
||||
# extends: .debian_build_job
|
||||
# image: buildpkg/ubuntu:xenial
|
||||
|
@ -64,6 +68,7 @@ build_centos_7:
|
|||
script:
|
||||
- rm -f /etc/yum.repos.d/CentOS-Sources.repo
|
||||
- yum -y install epel-release
|
||||
- scripts/ci-install-lasso-centos
|
||||
- make dist
|
||||
- ci-build-pkg
|
||||
|
||||
|
@ -74,11 +79,12 @@ build_centos_8:
|
|||
- yum-config-manager --enable PowerTools
|
||||
- yum-config-manager --enable AppStream
|
||||
- yum -y install epel-release
|
||||
- scripts/ci-install-lasso-centos
|
||||
- make dist
|
||||
- ci-build-pkg
|
||||
|
||||
sign:
|
||||
image: buildpkg/debian:stretch
|
||||
image: buildpkg/debian:bullseye
|
||||
stage: sign
|
||||
# variables:
|
||||
# SIGN_USER: firstname.lastname@orange.com
|
||||
|
@ -87,8 +93,9 @@ sign:
|
|||
- cd $CI_PROJECT_DIR
|
||||
- ci-sign-pkg
|
||||
dependencies:
|
||||
- build_stretch
|
||||
- build_buster
|
||||
- build_bullseye
|
||||
# - build_xenial
|
||||
- build_bionic
|
||||
- build_centos_7
|
||||
- build_centos_8
|
||||
|
@ -100,7 +107,7 @@ sign:
|
|||
- master
|
||||
|
||||
pages:
|
||||
image: buildpkg/debian:stretch
|
||||
image: buildpkg/debian:bullseye
|
||||
stage: deploy
|
||||
variables:
|
||||
# Default page dir
|
||||
|
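Review bot: `--allow-releaseinfo-change` is added to the shared `.debian_build_job` template, so it applies to every job that extends it (buster, bullseye, bionic), not only to `build_buster`, whose suite moved from stable to oldstable when bullseye was released; the flag tells apt to accept a changed Suite/Codename/Origin/Label in a source's Release file without prompting, while signature verification of that file is unchanged. A one-line comment would keep the reason from being lost, e.g. `# buster became oldstable with the bullseye release; accept the Release-file change until the buildpkg images are rebuilt`, and the flag can be dropped once they are. Separately, the `sign` job now runs on the floating `buildpkg/debian:bullseye` tag and signs artifacts built on that same tag; pinning the signing image by digest (`image: buildpkg/debian:bullseye@sha256:…`) would make the signing environment reproducible and harder to swap out underneath the job. The `pages` job's `variables:` block continues past the end of the hunk.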
|
27
changelog
|
@ -1,3 +1,26 @@
|
|||
lemonldap-ng (2.0.13) focal; urgency=medium
|
||||
|
||||
* Bugs:
|
||||
* #2428: Correctly report the number of purged sessions when using deleteIfLowerThan
|
||||
* #2566: No configuration available in fresh LemonLDAP 2.0.12
|
||||
* #2567: CORS headers not sent in userinfo endpoint error response
|
||||
* #2568: SafeJail does not report errors correctly
|
||||
* #2573: convertConfig does not work when target backend is empty
|
||||
* #2589: FindUser plugin: minor improvements and several issues
|
||||
|
||||
* Improvements:
|
||||
* #2558: Add a new portal error code for Auth::OIDC issues
|
||||
* #2564: Missing options to use text emails for some features
|
||||
* #2585: RGAA: to use autocomplete when possible
|
||||
* #2589: FindUser plugin: minor improvements and several issues
|
||||
* #2592: Bad error reporting during portal init
|
||||
|
||||
* Templates:
|
||||
* #2585: RGAA: to use autocomplete when possible
|
||||
* #2589: FindUser plugin: minor improvements and several issues
|
||||
|
||||
-- Clément <clem.oudot@gmail.com> Fri, 20 Aug 2021 18:30:23 +0200
|
||||
|
||||
lemonldap-ng (2.0.12) focal; urgency=medium
|
||||
|
||||
* Bugs:
|
||||
|
@ -2018,7 +2041,7 @@ lemonldap-ng (1.0.6) stable; urgency=low
|
|||
* [LEMONLDAP-304] - Cannot use spaces between values of Multi
|
||||
authentication
|
||||
parameter
|
||||
* [LEMONLDAP-305] - Parameters are not overriden in the first Multi module
|
||||
* [LEMONLDAP-305] - Parameters are not overridden in the first Multi module
|
||||
* [LEMONLDAP-307] - Base64 encoded IDs can contain more than one "/", but
|
||||
only the first is escaped
|
||||
|
||||
|
@ -2026,7 +2049,7 @@ lemonldap-ng (1.0.5) stable; urgency=low
|
|||
|
||||
* [LEMONLDAP-292] - Application menu is not well displayed with multiple
|
||||
users having differents rights
|
||||
* [LEMONLDAP-294] - Subroutines can not be overriden in lemonldap-ng.ini
|
||||
* [LEMONLDAP-294] - Subroutines can not be overridden in lemonldap-ng.ini
|
||||
* [LEMONLDAP-293] - Password Manager - Sending Mail
|
||||
|
||||
lemonldap-ng (1.0.4) stable; urgency=low
|
||||
|
|
7
debian/changelog
|
@ -1,3 +1,10 @@
|
|||
lemonldap-ng (2.0.13-1) unstable; urgency=medium
|
||||
|
||||
* New release. See changes on our website:
|
||||
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng
|
||||
|
||||
-- Clement OUDOT <clement@oodo.net> Fri, 20 Aug 2021 22:00:00 +0100
|
||||
|
||||
lemonldap-ng (2.0.12-1) unstable; urgency=medium
|
||||
|
||||
* New release. See changes on our website:
|
||||
|
|
6
debian/control
|
@ -9,6 +9,7 @@ Build-Depends-Indep: gsfonts <!nocheck>,
|
|||
libapache-session-perl <!nocheck>,
|
||||
libauth-yubikey-webclient-perl <!nocheck>,
|
||||
libauthen-oath-perl <!nocheck>,
|
||||
libauthen-radius-perl <!nocheck>,
|
||||
libcache-cache-perl <!nocheck>,
|
||||
libclone-perl <!nocheck>,
|
||||
libconfig-inifiles-perl <!nocheck>,
|
||||
|
@ -37,6 +38,7 @@ Build-Depends-Indep: gsfonts <!nocheck>,
|
|||
libmouse-perl <!nocheck>,
|
||||
libnet-cidr-lite-perl <!nocheck>,
|
||||
libnet-ldap-perl <!nocheck>,
|
||||
libio-socket-timeout-perl <!nocheck>,
|
||||
libnet-openid-consumer-perl <!nocheck>,
|
||||
libnet-openid-server-perl <!nocheck>,
|
||||
libplack-perl <!nocheck>,
|
||||
|
@ -59,7 +61,7 @@ Build-Depends-Indep: gsfonts <!nocheck>,
|
|||
python3-sphinx,
|
||||
python3-sphinx-bootstrap-theme,
|
||||
perl
|
||||
Standards-Version: 4.5.1
|
||||
Standards-Version: 4.6.0
|
||||
Vcs-Browser: https://salsa.debian.org/perl-team/modules/packages/lemonldap-ng
|
||||
Vcs-Git: https://salsa.debian.org/perl-team/modules/packages/lemonldap-ng.git
|
||||
Homepage: https://lemonldap-ng.org/
|
||||
|
@ -281,6 +283,7 @@ Depends: ${misc:Depends},
|
|||
liblemonldap-ng-handler-perl (= ${binary:Version}),
|
||||
libtext-unidecode-perl,
|
||||
libregexp-assemble-perl,
|
||||
liblist-moreutils-perl,
|
||||
libemail-date-format-perl
|
||||
Recommends: gsfonts,
|
||||
libcrypt-openssl-bignum-perl,
|
||||
|
@ -306,6 +309,7 @@ Suggests: gpg,
|
|||
libnet-oauth-perl,
|
||||
libsoap-lite-perl,
|
||||
libweb-id-perl,
|
||||
libauthen-radius-perl,
|
||||
slapd
|
||||
Pre-Depends: debconf
|
||||
Description: Lemonldap::NG authentication portal part
|
||||
|
|
2
debian/lemonldap-ng-fastcgi-server.install
|
@ -1 +1 @@
|
|||
/usr/sbin/llng-fastcgi-server
|
||||
usr/sbin/llng-fastcgi-server
|
||||
|
|
12
debian/lemonldap-ng-handler.install
|
@ -1,6 +1,6 @@
|
|||
/etc/lemonldap-ng/nginx*
|
||||
/etc/lemonldap-ng/handler-apache2.conf
|
||||
/etc/lemonldap-ng/handler-nginx.conf
|
||||
/etc/lemonldap-ng/test-apache2.conf
|
||||
/etc/lemonldap-ng/test-nginx.conf
|
||||
/var/lib/lemonldap-ng/test
|
||||
etc/lemonldap-ng/nginx*
|
||||
etc/lemonldap-ng/handler-apache2.conf
|
||||
etc/lemonldap-ng/handler-nginx.conf
|
||||
etc/lemonldap-ng/test-apache2.conf
|
||||
etc/lemonldap-ng/test-nginx.conf
|
||||
var/lib/lemonldap-ng/test
|
||||
|
|
2
debian/lemonldap-ng-uwsgi-app.install
|
@ -1 +1 @@
|
|||
/etc/uwsgi/apps-available/llng-server.yaml
|
||||
etc/uwsgi/apps-available/llng-server.yaml
|
||||
|
|
35
debian/liblemonldap-ng-common-perl.install
|
@ -1,17 +1,18 @@
|
|||
/etc/lemonldap-ng/lemonldap-ng.ini
|
||||
/etc/lemonldap-ng/for_etc_hosts
|
||||
/usr/share/man/man1/convertConfig.1p
|
||||
/usr/share/man/man1/convertSessions.1p
|
||||
/usr/share/man/man1/lemonldap-ng-cli.1p
|
||||
/usr/share/man/man1/lemonldap-ng-sessions.1p
|
||||
/usr/share/man/man3/Lemonldap::NG::Common*
|
||||
/usr/share/perl5/auto/Lemonldap/NG/Common
|
||||
/usr/share/perl5/Lemonldap/NG/Common*
|
||||
/usr/share/lemonldap-ng/ressources
|
||||
/usr/share/lemonldap-ng/bin/convertConfig
|
||||
/usr/share/lemonldap-ng/bin/convertSessions
|
||||
/usr/share/lemonldap-ng/bin/importMetadata
|
||||
/usr/share/lemonldap-ng/bin/lemonldap-ng-sessions
|
||||
/usr/share/lemonldap-ng/bin/lmMigrateConfFiles2ini
|
||||
/usr/share/lemonldap-ng/bin/rotateOidcKeys
|
||||
/var/lib/lemonldap-ng/conf/
|
||||
etc/lemonldap-ng/lemonldap-ng.ini
|
||||
etc/lemonldap-ng/for_etc_hosts
|
||||
usr/share/man/man1/convertConfig.1p
|
||||
usr/share/man/man1/convertSessions.1p
|
||||
usr/share/man/man1/importMetadata.1p
|
||||
usr/share/man/man1/lemonldap-ng-cli.1p
|
||||
usr/share/man/man1/lemonldap-ng-sessions.1p
|
||||
usr/share/man/man3/Lemonldap::NG::Common*
|
||||
usr/share/perl5/auto/Lemonldap/NG/Common
|
||||
usr/share/perl5/Lemonldap/NG/Common*
|
||||
usr/share/lemonldap-ng/ressources
|
||||
usr/share/lemonldap-ng/bin/convertConfig
|
||||
usr/share/lemonldap-ng/bin/convertSessions
|
||||
usr/share/lemonldap-ng/bin/importMetadata
|
||||
usr/share/lemonldap-ng/bin/lemonldap-ng-sessions
|
||||
usr/share/lemonldap-ng/bin/lmMigrateConfFiles2ini
|
||||
usr/share/lemonldap-ng/bin/rotateOidcKeys
|
||||
var/lib/lemonldap-ng/conf/
|
||||
|
|
14
debian/liblemonldap-ng-handler-perl.install
|
@ -1,7 +1,7 @@
|
|||
/usr/share/perl5/Lemonldap/NG/Handler*
|
||||
/usr/share/perl5/auto/Lemonldap/NG/Handler*
|
||||
/usr/share/perl5/Plack/*
|
||||
/usr/share/man/man3/Lemonldap::NG::Handler*
|
||||
/usr/share/man/man3/Plack::Middleware::Auth::LemonldapNG*
|
||||
/usr/share/lemonldap-ng/bin/purgeLocalCache
|
||||
/usr/share/lemonldap-ng/llng-server/llng-server.psgi
|
||||
usr/share/perl5/Lemonldap/NG/Handler*
|
||||
usr/share/perl5/auto/Lemonldap/NG/Handler*
|
||||
usr/share/perl5/Plack/*
|
||||
usr/share/man/man3/Lemonldap::NG::Handler*
|
||||
usr/share/man/man3/Plack::Middleware::Auth::LemonldapNG*
|
||||
usr/share/lemonldap-ng/bin/purgeLocalCache
|
||||
usr/share/lemonldap-ng/llng-server/llng-server.psgi
|
||||
|
|
|
@ -1,3 +0,0 @@
|
|||
# Conf files have moved to lemonldap-ng-handler package
|
||||
rm_conffile /etc/lemonldap-ng/handler-nginx.conf 1.9.1-2~
|
||||
rm_conffile /etc/lemonldap-ng/handler-apache2.X.conf 1.9.1-2~
|
20
debian/liblemonldap-ng-manager-perl.install
|
@ -1,10 +1,10 @@
|
|||
/etc/lemonldap-ng/api-apache2.conf
|
||||
/etc/lemonldap-ng/api-nginx.conf
|
||||
/etc/lemonldap-ng/manager-apache2.conf
|
||||
/etc/lemonldap-ng/manager-nginx.conf
|
||||
/usr/share/man/man3/Lemonldap::NG::Manager*
|
||||
/usr/share/perl5/Lemonldap/NG/Manager*
|
||||
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli
|
||||
/usr/share/lemonldap-ng/manager
|
||||
/usr/share/lemonldap-ng/bin/lmConfigEditor
|
||||
/usr/share/lemonldap-ng/bin/llngDeleteSession
|
||||
etc/lemonldap-ng/api-apache2.conf
|
||||
etc/lemonldap-ng/api-nginx.conf
|
||||
etc/lemonldap-ng/manager-apache2.conf
|
||||
etc/lemonldap-ng/manager-nginx.conf
|
||||
usr/share/man/man3/Lemonldap::NG::Manager*
|
||||
usr/share/perl5/Lemonldap/NG/Manager*
|
||||
usr/share/lemonldap-ng/bin/lemonldap-ng-cli
|
||||
usr/share/lemonldap-ng/manager
|
||||
usr/share/lemonldap-ng/bin/lmConfigEditor
|
||||
usr/share/lemonldap-ng/bin/llngDeleteSession
|
||||
|
|
12
debian/liblemonldap-ng-portal-perl.install
|
@ -1,6 +1,6 @@
|
|||
/usr/share/lemonldap-ng/bin/purgeCentralCache
|
||||
/usr/share/man/man3/Lemonldap::NG::Portal*
|
||||
/usr/share/perl5/Lemonldap/NG/Portal*
|
||||
/usr/share/lemonldap-ng/portal
|
||||
/etc/lemonldap-ng/portal-apache2.conf
|
||||
/etc/lemonldap-ng/portal-nginx.conf
|
||||
usr/share/lemonldap-ng/bin/purgeCentralCache
|
||||
usr/share/man/man3/Lemonldap::NG::Portal*
|
||||
usr/share/perl5/Lemonldap/NG/Portal*
|
||||
usr/share/lemonldap-ng/portal
|
||||
etc/lemonldap-ng/portal-apache2.conf
|
||||
etc/lemonldap-ng/portal-nginx.conf
|
||||
|
|
|
@ -17,6 +17,7 @@ Applications
|
|||
applications/drupal
|
||||
applications/fusiondirectory
|
||||
applications/gerrit
|
||||
applications/gitea
|
||||
applications/gitlab
|
||||
applications/glpi
|
||||
applications/googleapps
|
||||
|
@ -28,11 +29,13 @@ Applications
|
|||
applications/jitsimeet
|
||||
applications/liferay
|
||||
applications/limesurvey
|
||||
applications/matrix
|
||||
applications/mattermost
|
||||
applications/mediawiki
|
||||
applications/mobilizon
|
||||
applications/nextcloud
|
||||
applications/obm
|
||||
applications/odoo
|
||||
applications/office365
|
||||
applications/publik
|
||||
applications/phpldapadmin
|
||||
|
@ -99,6 +102,7 @@ Application Configuration
|
|||
.. image:: applications/fusiondirectory-logo.jpg :doc:`FusionDirectory<applications/fusiondirectory>` ✔
|
||||
.. image:: applications/gerrit_logo.png :doc:`Gerrit<applications/gerrit>` ✔
|
||||
.. image:: applications/gitlab_logo.png :doc:`Gitlab<applications/gitlab>` ✔ ✔
|
||||
.. image:: applications/gitea_logo.png :doc:`Gitea<applications/gitea>` ✔
|
||||
.. image:: applications/glpi_logo.png :doc:`GLPI<applications/glpi>` ✔
|
||||
.. image:: applications/googleapps_logo.png :doc:`Google Apps<applications/googleapps>` ✔
|
||||
.. image:: applications/grafana_logo.png :doc:`Grafana<applications/grafana>` ✔
|
||||
|
@ -109,11 +113,13 @@ Application Configuration
|
|||
.. image:: applications/logo-jitsimeet.png :doc:`Jitsi Meet<applications/jitsimeet>` ✔
|
||||
.. image:: applications/liferay_logo.png :doc:`Liferay<applications/liferay>` ✔
|
||||
.. image:: applications/limesurvey_logo.png :doc:`LimeSurvey<applications/limesurvey>` ✔
|
||||
.. image:: applications/matrix_logo.png :doc:`Matrix<applications/matrix>` ✔
|
||||
.. image:: applications/mattermost_logo.png :doc:`Mattermost<applications/mattermost>` ✔
|
||||
.. image:: applications/mediawiki_logo.png :doc:`Mediawiki<applications/mediawiki>` ✔
|
||||
.. image:: applications/mobilizon_logo.jpg :doc:`Mobilizon<applications/mobilizon>` ✔
|
||||
.. image:: applications/nextcloud-logo.png :doc:`NextCloud<applications/nextcloud>` ✔
|
||||
.. image:: applications/obm_logo.png :doc:`OBM<applications/obm>` ✔
|
||||
.. image:: applications/odoo_logo.png :doc:`Odoo<applications/odoo>` ✔
|
||||
.. image:: applications/logo_office_365.png :doc:`Office 365<applications/office365>` ✔
|
||||
.. image:: applications/logo-publik.png :doc:`Publik<applications/publik>` ✔
|
||||
.. image:: applications/phpldapadmin_logo.png :doc:`phpLDAPAdmin<applications/phpldapadmin>` ✔
|
||||
|
|
67
doc/sources/admin/applications/gitea.rst
|
@ -0,0 +1,67 @@
|
|||
Gitea
|
||||
=====
|
||||
|
||||
|logo|
|
||||
|
||||
Presentation
|
||||
------------
|
||||
|
||||
`Gitea <https://gitea.io/>`__ is a community managed lightweight
|
||||
code hosting solution written in Go. It is published under the MIT license.
|
||||
|
||||
It can be configured to authenticate users with :doc:`OpenID Connect <../idpopenidconnect>`.
|
||||
|
||||
Configuration
|
||||
--------------
|
||||
|
||||
LL:NG
|
||||
~~~~~
|
||||
|
||||
Make sure you have already
|
||||
:doc:`enabled OpenID Connect<../idpopenidconnect>` on your LemonLDAP::NG
|
||||
server
|
||||
|
||||
Make sure you have generated a set of signing keys in
|
||||
``OpenID Connect Service`` » ``Security`` » ``Keys``
|
||||
|
||||
You also need to set a Signing key ID to a non-empty value of your choice.
|
||||
|
||||
Then, add a Relaying Party with the following configuration:
|
||||
|
||||
- Options » Basic » Client ID : choose a client ID, such as ``gitea``
|
||||
- Options » Basic » Client Secret : choose a client secret, such as ``xxxx``
|
||||
- Options » Basic » Allowed redirection address : ``https://git.example.com/user/oauth2/NAME/callback``
|
||||
- Options » ID Token Signature Algorithm : ``RS256``
|
||||
- No Exported Attributes needed
|
||||
|
||||
.. note::
|
||||
|
||||
The redirection address is built like this: ``<Gitea service URL>`` ``/user/oauth2/`` ``<Name of the OIDC authentication source in Gitea>`` ``/callback``
|
||||
|
||||
Gitea
|
||||
~~~~~
|
||||
|
||||
Go in administration panel and create a new authentication source:
|
||||
|
||||
|screenshot_admin|
|
||||
|
||||
Configure settings:
|
||||
|
||||
- Authentication name: set here the value used for the redirection address
|
||||
- OAuth2 Provider: set OpenID Connect
|
||||
- Client ID: the Client ID configured on LL::NG side
|
||||
- Client Secret: the Client Secret configured on LL::NG side
|
||||
- OpenID Connect Auto Discovery URL: use the default OIDC configuration URL of your LL::NG server
|
||||
- Enable the authentication source
|
||||
|
||||
Usage
|
||||
-----
|
||||
|
||||
In Gitea login screen, a new OpenID logo appears at the bottom. Click on it to authenticate.
|
||||
|
||||
At first connection, the user must associate his account to an existing one (local or LDAP). The assocation is then remembered for further connections.
|
||||
|
||||
.. |logo| image:: /applications/gitea_logo.png
|
||||
:class: align-center
|
||||
.. |screenshot_admin| image:: /applications/gitea_oidc_config.png
|
||||
:class: align-center
|
doc/sources/admin/applications/gitea_logo.png
doc/sources/admin/applications/gitea_oidc_config.png
|
@ -54,9 +54,9 @@ Then, add a Relaying Party with the following configuration:
|
|||
|
||||
If you want to transmit extra user attributes to Grafana, you also need to configure:
|
||||
|
||||
- Extra Claims »
|
||||
- Scope values content »
|
||||
|
||||
- add a key named ``profile``
|
||||
- add a key named ``profile`` to override the default claim list
|
||||
- set a value of ``name username display_name upn``
|
||||
|
||||
- Exported Attributes (not all of them are mandatory)
|
||||
|
|
56
doc/sources/admin/applications/matrix.rst
|
@ -0,0 +1,56 @@
|
|||
Synapse Matrix home server
|
||||
==========================
|
||||
|
||||
|image0|
|
||||
|
||||
Presentation
|
||||
------------
|
||||
|
||||
Synapse is the reference implementation of a Matrix home server, written in Python.
|
||||
|
||||
Configuring Synapse
|
||||
-------------------
|
||||
|
||||
See `The official Synapse documentation <https://matrix-org.github.io/synapse/latest/openid.html>`__ for details
|
||||
|
||||
|
||||
.. code:: yaml
|
||||
|
||||
oidc_providers:
|
||||
- idp_id: lemonldap
|
||||
idp_name: lemonldap
|
||||
discover: true
|
||||
issuer: "https://auth.example.com/" # TO BE FILLED: replace with your domain
|
||||
client_id: "your client id" # TO BE FILLED
|
||||
client_secret: "your client secret" # TO BE FILLED
|
||||
scopes:
|
||||
- "openid"
|
||||
- "profile"
|
||||
- "email"
|
||||
user_mapping_provider:
|
||||
config:
|
||||
localpart_template: "{{ user.preferred_username }}}"
|
||||
# TO BE FILLED: If your users have names in LemonLDAP::NG and you want those in Synapse, this should be replaced with user.name|capitalize or any valid filter.
|
||||
display_name_template: "{{ user.preferred_username|capitalize }}"
|
||||
|
||||
|
||||
Configuring LemonLDAP
|
||||
~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
Add a :doc:`new OpenID Connect relaying party<..//idpopenidconnect>`
|
||||
with the following parameters:
|
||||
|
||||
* **Options/Basic**
|
||||
* **Client ID**: same as ``client_id`` configuration in Synapse
|
||||
* **Client Secret**: same as ``client_secret`` configuration in Synapse
|
||||
* **Allowed redirection addresses**: ``[synapse public baseurl]/_synapse/client/oidc/callback``
|
||||
* **Options/Security**
|
||||
* **ID Token signature algorithm**:: ``RS256``
|
||||
* **Exported Attributes**
|
||||
* ``preferred_username``: ``uid``
|
||||
|
||||
(adjust if you don't store your username attribute in the ``uid`` session variable
|
||||
|
||||
.. |image0| image:: /applications/matrix_logo.png
|
||||
:class: align-center
|
||||
|
doc/sources/admin/applications/matrix_logo.png
88
doc/sources/admin/applications/odoo.rst
|
@ -0,0 +1,88 @@
|
|||
Odoo
|
||||
====
|
||||
|
||||
|image0|
|
||||
|
||||
Presentation
|
||||
------------
|
||||
|
||||
Odoo is a suite of business management software tools including, for example, CRM, e-commerce, billing, accounting, manufacturing, warehouse, project management, and inventory management.
|
||||
|
||||
Requirements
|
||||
------------
|
||||
|
||||
This guide explains how to authenticate your Odoo users using LemonLDAP::NG 's SAML provider.
|
||||
|
||||
Make sure you have :doc:`set up LemonLDAP::NG a SAML IDP <../samlservice>`
|
||||
|
||||
.. warning::
|
||||
Odoo requires your public SAML Signature key to be in `BEGIN CERTIFICATE`
|
||||
format, if this is not the case, you need to :ref:`convert your SAML key to
|
||||
a certificate<samlservice-convert-certificate>`)
|
||||
|
||||
.. warning::
|
||||
Odoo requires LemonLDAP::NG 2.0.14 in order to handle RelayState correctly
|
||||
|
||||
Configuring Odoo
|
||||
----------------
|
||||
|
||||
Pre-requisites
|
||||
~~~~~~~~~~~~~~
|
||||
|
||||
On the Odoo side, you need to install the ``auth_saml`` module from OCA:
|
||||
|
||||
* https://github.com/OCA/server-auth/tree/14.0/auth_saml
|
||||
* https://odoo-community.org/shop/product/saml2-authentication-3211
|
||||
|
||||
This module requires the ``pysaml2`` and ``xmlsec1`` python dependencies.
|
||||
|
||||
Configuration
|
||||
~~~~~~~~~~~~~
|
||||
|
||||
After installing the module, you will see two new menus in the Odoo admin:
|
||||
|
||||
|
||||
* Settings » Users & Companies » SAML Providers
|
||||
* And a new *SAML* tab in Settings » Users & Companies » Users
|
||||
|
||||
|
||||
Creating a new SAML Provider
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
Create a new SAML provider in Settings » Users & Companies » SAML Providers
|
||||
|
||||
* Choose a name
|
||||
* Copy the metadata from https://auth.example.com/saml/metadata/idp in the *Identity Provider Metadata* field
|
||||
* Import a certificate and a private key in the *Odoo Public Certificate* and *Odoo Private Key* fields
|
||||
|
||||
To generate a key/certificate pair, you can run the following command::
|
||||
|
||||
openssl req -x509 -newkey rsa:4096 -keyout odoo-key.pem -out odoo-cert.pem -sha256 -days 3650 -nodes
|
||||
|
||||
* Select a signature method in the *Signature Algorithm*, such as *SIG_RSA_SHA256*
|
||||
* If you do not want to use the email address to match between LLNG and Odoo accounts, set the *Identity Provider matching attribute* to a different value
|
||||
* All other fields may be left to default values
|
||||
|
||||
Configuring users
|
||||
~~~~~~~~~~~~~~~~~
|
||||
|
||||
For each user you want to enable SAML on, you need to edit them in Settings » Users & Companies » Users
|
||||
|
||||
In the *SAML* tab, set the SAML provider you just created, and their email address as the identifier.
|
||||
|
||||
Configuring LemonLDAP
|
||||
---------------------
|
||||
|
||||
Add a new :ref:`new SAML Service Provider to the LemonLDAP::NG configuration<samlidp-register-sp>`
|
||||
with the following parameters:
|
||||
|
||||
* **Metadata**
|
||||
* Copy the Metadata found at the URL referenced in Odoo's Settings » Users & Companies » SAML Providers menu » Your provider » Metadata URL
|
||||
* **Exported Attributes**
|
||||
* Declare the attribute that you set in Odoo's *Identity Provider matching attribute*
|
||||
* If you are using the email, you don't need to declare anything
|
||||
|
||||
|
||||
.. |image0| image:: /applications/odoo_logo.png
|
||||
:class: align-center
|
||||
|
doc/sources/admin/applications/odoo_logo.png
doc/sources/admin/applications/prosanteconnect_logo.png
|
@ -31,7 +31,7 @@ As an RP, LL::NG supports a lot of OpenID Connect features:
|
|||
- Logout on EndSession end point
|
||||
|
||||
You can use this authentication module to link your LL::NG server to any
|
||||
OpenID Connect Provider. Here are some examples, witch their specific
|
||||
OpenID Connect Provider. Here are some examples, with their specific
|
||||
documentation:
|
||||
|
||||
|
||||
|
@ -40,13 +40,14 @@ documentation:
|
|||
|
||||
authopenidconnect_google
|
||||
authopenidconnect_franceconnect
|
||||
authopenidconnect_prosanteconnect
|
||||
|
||||
|
||||
=============== ==================
|
||||
Google France Connect
|
||||
=============== ==================
|
||||
|google| |franceconnect|
|
||||
=============== ==================
|
||||
=============== ================== ==================
|
||||
Google France Connect Pro Santé Connect
|
||||
=============== ================== ==================
|
||||
|google| |franceconnect| |prosanteconnect|
|
||||
=============== ================== ==================
|
||||
|
||||
.. |google| image:: applications/google_logo.png
|
||||
:target: authopenidconnect_google.html
|
||||
|
@ -54,11 +55,14 @@ Google France Connect
|
|||
.. |franceconnect| image:: applications/franceconnect_logo.png
|
||||
:target: authopenidconnect_franceconnect.html
|
||||
|
||||
.. |prosanteconnect| image:: applications/prosanteconnect_logo.png
|
||||
:target: authopenidconnect_prosanteconnect.html
|
||||
|
||||
.. attention::
|
||||
|
||||
OpenID-Connect specification is not finished for logout
|
||||
OpenID Connect specification is not finished for logout
|
||||
propagation. So logout initiated by relaying-party will be forward to
|
||||
OpenID-Connect provider but logout initiated by the provider (or another
|
||||
OpenID Connect provider but logout initiated by the provider (or another
|
||||
RP) will not be propagated. LLNG will implement this when spec will be
|
||||
published.
|
||||
|
||||
|
@ -68,7 +72,7 @@ Configuration
|
|||
OpenID Connect Service
|
||||
~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
See :doc:`OpenIDConnect service<openidconnectservice>` configuration
|
||||
See :doc:`OpenID Connect service<openidconnectservice>` configuration
|
||||
chapter.
|
||||
|
||||
Authentication and UserDB
|
||||
|
@ -115,11 +119,11 @@ Register LL::NG to an OpenID Connect Provider
|
|||
To register LL::NG, you will need to give some information like
|
||||
application name or logo.
|
||||
|
||||
You will be asked to provide a *Redirect URI* for LemonLDAP::NG, which is constructed by appending the ``openidcallback=1`` parameter to the Portal URL.
|
||||
You will be asked to provide a *Redirect URI* for LemonLDAP::NG, which is constructed by appending the ``openidconnectcallback=1`` parameter to the Portal URL.
|
||||
|
||||
For example:
|
||||
|
||||
- https://auth.example.com/?openidcallback=1
|
||||
- https://auth.example.com/?openidconnectcallback=1
|
||||
|
||||
|
||||
.. attention::
|
||||
|
@ -198,8 +202,6 @@ standard <http://openid.net/specs/openid-connect-core-1_0.html#StandardClaims>`_
|
|||
and depends on the scope requested by LL::NG (see options in next
|
||||
chapter).
|
||||
|
||||
.. include:: openidconnectclaims.rst
|
||||
|
||||
So you can define for example:
|
||||
|
||||
- cn => name
|
||||
|
|
|
@ -26,7 +26,7 @@ Use the following form:
|
|||
https://doc.integ01.dev-franceconnect.fr/inscription.
|
||||
|
||||
You need to provide the callback URLs, for example
|
||||
https://auth.domain.com/?openidcallback=1.
|
||||
https://auth.domain.com/?openidconnectcallback=1.
|
||||
|
||||
You will then get a ``client_id`` and a ``client_secret``.
|
||||
|
||||
|
|
|
@ -28,7 +28,7 @@ Here you can go in API Manager and get new credentials (``client_id``
|
|||
and ``client_secret``).
|
||||
|
||||
You need to provide the callback URLs, for example
|
||||
https://auth.domain.com/?openidcallback=1.
|
||||
https://auth.domain.com/?openidconnectcallback=1.
|
||||
|
||||
Declare Google in your LL::NG server
|
||||
------------------------------------
|
||||
|
|
209
doc/sources/admin/authopenidconnect_prosanteconnect.rst
|
@ -0,0 +1,209 @@
|
|||
Pro Santé Connect
|
||||
=================
|
||||
|
||||
|logo|
|
||||
|
||||
Presentation
|
||||
------------
|
||||
|
||||
`Pro Santé Connect <https://tech.esante.gouv.fr/outils-services/pro-sante-connect-e-cps/presentation-generale>`__ is
|
||||
a French identity provider for healthcare professionals. It relies on OpenID Connect protocol.
|
||||
|
||||
Register on Pro Santé Connect
|
||||
-----------------------------
|
||||
|
||||
Once :doc:`OpenID Connect service<openidconnectservice>` is configured,
|
||||
you need to register to Pro Santé Connect.
|
||||
|
||||
Go on https://integrateurs-cps.asipsante.fr.
|
||||
|
||||
You need to provide the callback URLs, for example
|
||||
https://auth.domain.com/?openidconnectcallback=1.
|
||||
|
||||
And also a logout URL, for example
|
||||
https://auth.domain.com/?logout=1.
|
||||
|
||||
You will then get a ``client_id`` and a ``client_secret``.
|
||||
|
||||
Declare Pro Santé Connect in your LL::NG server
|
||||
-----------------------------------------------
|
||||
|
||||
Go in Manager and create a new OpenID Connect provider. You can call it
|
||||
``psc-connect`` for example.
|
||||
|
||||
Click on ``Metadata`` and set manually the metadata of the service.
|
||||
|
||||
For the sandbox server:
|
||||
|
||||
.. code-block:: javascript
|
||||
|
||||
{
|
||||
"issuer": "https://auth.bas.esw.esante.gouv.fr/auth/realms/esante-wallet",
|
||||
"authorization_endpoint": "https://wallet.bas.esw.esante.gouv.fr/auth",
|
||||
"token_endpoint": "https://auth.bas.esw.esante.gouv.fr/auth/realms/esante-wallet/protocol/openid-connect/token",
|
||||
"introspection_endpoint": "https://auth.bas.esw.esante.gouv.fr/auth/realms/esante-wallet/protocol/openid-connect/token/introspect",
|
||||
"userinfo_endpoint": "https://auth.bas.esw.esante.gouv.fr/auth/realms/esante-wallet/protocol/openid-connect/userinfo",
|
||||
"end_session_endpoint": "https://auth.bas.esw.esante.gouv.fr/auth/realms/esante-wallet/protocol/openid-connect/logout",
|
||||
"jwks_uri": "https://auth.bas.esw.esante.gouv.fr/auth/realms/esante-wallet/protocol/openid-connect/certs",
|
||||
"check_session_iframe": "https://auth.bas.esw.esante.gouv.fr/auth/realms/esante-wallet/protocol/openid-connect/login-status-iframe.html",
|
||||
"grant_types_supported": [
|
||||
"authorization_code",
|
||||
"implicit",
|
||||
"refresh_token",
|
||||
"password",
|
||||
"client_credentials"
|
||||
],
|
||||
"response_types_supported": [
|
||||
"code",
|
||||
"none",
|
||||
"id_token",
|
||||
"token",
|
||||
"id_token token",
|
||||
"code id_token",
|
||||
"code token",
|
||||
"code id_token token"
|
||||
],
|
||||
"subject_types_supported": [
|
||||
"public",
|
||||
"pairwise"
|
||||
],
|
||||
"id_token_signing_alg_values_supported": [
|
||||
"PS384",
|
||||
"ES384",
|
||||
"RS384",
|
||||
"HS256",
|
||||
"HS512",
|
||||
"ES256",
|
||||
"RS256",
|
||||
"HS384",
|
||||
"ES512",
|
||||
"PS256",
|
||||
"PS512",
|
||||
"RS512"
|
||||
],
|
||||
"id_token_encryption_alg_values_supported": [
|
||||
"RSA-OAEP",
|
||||
"RSA1_5"
|
||||
],
|
||||
"id_token_encryption_enc_values_supported": [
|
||||
"A256GCM",
|
||||
"A192GCM",
|
||||
"A128GCM",
|
||||
"A128CBC-HS256",
|
||||
"A192CBC-HS384",
|
||||
"A256CBC-HS512"
|
||||
],
|
||||
"userinfo_signing_alg_values_supported": [
|
||||
"PS384",
|
||||
"ES384",
|
||||
"RS384",
|
||||
"HS256",
|
||||
"HS512",
|
||||
"ES256",
|
||||
"RS256",
|
||||
"HS384",
|
||||
"ES512",
|
||||
"PS256",
|
||||
"PS512",
|
||||
"RS512",
|
||||
"none"
|
||||
],
|
||||
"request_object_signing_alg_values_supported": [
|
||||
"PS384",
|
||||
"ES384",
|
||||
"RS384",
|
||||
"HS256",
|
||||
"HS512",
|
||||
"ES256",
|
||||
"RS256",
|
||||
"HS384",
|
||||
"ES512",
|
||||
"PS256",
|
||||
"PS512",
|
||||
"RS512",
|
||||
"none"
|
||||
],
|
||||
"response_modes_supported": [
|
||||
"query",
|
||||
"fragment",
|
||||
"form_post"
|
||||
],
|
||||
"registration_endpoint": "https://auth.bas.esw.esante.gouv.fr/auth/realms/esante-wallet/clients-registrations/openid-connect",
|
||||
"token_endpoint_auth_methods_supported": [
|
||||
"private_key_jwt",
|
||||
"client_secret_basic",
|
||||
"client_secret_post",
|
||||
"tls_client_auth",
|
||||
"client_secret_jwt"
|
||||
],
|
||||
"token_endpoint_auth_signing_alg_values_supported": [
|
||||
"PS384",
|
||||
"ES384",
|
||||
"RS384",
|
||||
"HS256",
|
||||
"HS512",
|
||||
"ES256",
|
||||
"RS256",
|
||||
"HS384",
|
||||
"ES512",
|
||||
"PS256",
|
||||
"PS512",
|
||||
"RS512"
|
||||
],
|
||||
"claims_supported": [
|
||||
"aud",
|
||||
"sub",
|
||||
"iss",
|
||||
"auth_time",
|
||||
"name",
|
||||
"given_name",
|
||||
"family_name",
|
||||
"preferred_username",
|
||||
"email",
|
||||
"acr"
|
||||
],
|
||||
"claim_types_supported": [
|
||||
"normal"
|
||||
],
|
||||
"claims_parameter_supported": false,
|
||||
"scopes_supported": [
|
||||
"openid",
|
||||
"address",
|
||||
"email",
|
||||
"identity",
|
||||
"microprofile-jwt",
|
||||
"offline_access",
|
||||
"phone",
|
||||
"profile",
|
||||
"roles",
|
||||
"scope_1",
|
||||
"scope_2",
|
||||
"scope_all",
|
||||
"web-origins",
|
||||
"eidas2"
|
||||
],
|
||||
"request_parameter_supported": true,
|
||||
"request_uri_parameter_supported": true,
|
||||
"code_challenge_methods_supported": [
|
||||
"plain",
|
||||
"S256"
|
||||
],
|
||||
"tls_client_certificate_bound_access_tokens": true
|
||||
}
|
||||
|
||||
You should alos import JWKS data from https://auth.bas.esw.esante.gouv.fr/auth/realms/esante-wallet/protocol/openid-connect/certs
|
||||
directly in configuration to avoid requests to reload them.
|
||||
|
||||
Go in ``Exported attributes`` to choose which attributes you want to collect.
|
||||
Read the technical documentation to know available attributes:
|
||||
https://tech.esante.gouv.fr/outils-services/pro-sante-connect-e-cps/documentation-technique
|
||||
|
||||
Now go in ``Options``:
|
||||
|
||||
- Register the ``client_id`` and ``client_secret`` given by Pro Santé Connect
|
||||
- In ``Scopes`` set ``openid scope_all``
|
||||
- In ``ACR values`` set ``eidas2``
|
||||
- You can also set the name and the logo
|
||||
|
||||
.. |logo| image:: /applications/prosanteconnect_logo.png
|
||||
:class: align-center
|
|
@ -34,17 +34,25 @@ and choose Proxy for authentication and users.
|
|||
|
||||
Then, go in ``Proxy parameters``:
|
||||
|
||||
- **Internal portal URL**: URL of internal portal
|
||||
- **Session service URL** (optional): Session service URL (default:
|
||||
same as previous for SOAP, same with "/session/my" for REST)
|
||||
- **Cookie name** (optional): name of the cookie of internal portal, if
|
||||
different from external portal
|
||||
- **Authentication level**: authentication level for Proxy module
|
||||
- **Use SOAP instead of REST**: use a deprecated SOAP server instead of
|
||||
a REST one (you must set it if internal portal version is < 2.0). In
|
||||
this case, "Portal URL" parameter must contain SOAP endpoint
|
||||
(generally http://auth.example.com/index.pl/sessions for 1.9 and
|
||||
earlier, http://auth.example.com/sessions for 2.0)
|
||||
- **URL**: URL of internal portal
|
||||
- **Session service URL** (optional): session service URL (default:
|
||||
same as previous for SOAP, same with "/session/my" for REST)
|
||||
- **Choice parameter** (optional): choice parameter of the internal portal if applicable
|
||||
- **Choice value** (optional): value of the choice parameter of the internal portal
|
||||
- **Cookie name** (optional): internal portal cookie name, if
|
||||
different from external portal
|
||||
- **Impersonation** (optional) : can be enabled if the internal portal provides impersonation
|
||||
|
||||
.. note::
|
||||
|
||||
If the internal portal uses :doc:`Choice Authentication<authchoice>`, you must specify 'Internal portal choice parameter' and 'Internal portal choice value' depending on its configuration.
|
||||
This feature needs at least LL::NG version 2.0.14
|
||||
|
||||
Internal portal
|
||||
~~~~~~~~~~~~~~~
|
||||
|
@ -64,3 +72,6 @@ in your lemonldap-ng.ini:
|
|||
|
||||
soapProxyUrn = urn:Lemonldap/NG/Common/CGI/SOAPService
|
||||
|
||||
.. attention::
|
||||
|
||||
This feature needs at least LL::NG version 2.0.8
|
||||
|
|
|
@ -18,8 +18,8 @@ Several IDPs are allowed, in this case the user will choose the IDP he
|
|||
wants. You can preselect IDP with an IDP resolution rule.
|
||||
|
||||
For each IDP, you can configure attributes that are collected. Some can
|
||||
be mandatory, so if they are not returned by IDP, the session will not
|
||||
open.
|
||||
be mandatory, so if they are not returned by IDP, the session will not be
|
||||
opened.
|
||||
|
||||
|
||||
.. tip::
|
||||
|
@ -91,7 +91,7 @@ between your server and the IDP):
|
|||
|
||||
.. tip::
|
||||
|
||||
You can also edit the metadata directly in the textarea
|
||||
You can also edit the metadata directly in the textarea.
|
||||
|
||||
Exported attributes
|
||||
^^^^^^^^^^^^^^^^^^^
|
||||
|
@ -102,8 +102,8 @@ For each attribute, you can set:
|
|||
"uid" will then be used as $uid in access rules
|
||||
- **Attribute name**: name of the SAML attribute coming from the remote IDP
|
||||
- **Friendly Name**: optional, SAML attribute friendly name.
|
||||
- **Mandatory**: if set to On, then session will not open if this
|
||||
attribute is not given by IDP.
|
||||
- **Mandatory**: if set to On, session will not be created if this
|
||||
attribute is not sent by IDP.
|
||||
- **Format** (optional): SAML attribute format.
|
||||
|
||||
|image1|
|
||||
|
@ -192,8 +192,8 @@ Binding
|
|||
|
||||
.. note::
|
||||
|
||||
If no binding defined, the default binding in IDP metadata will be
|
||||
used.
|
||||
If no binding is defined, the default binding in IDP metadata
|
||||
will be used.
|
||||
|
||||
Security
|
||||
''''''''
|
||||
|
@ -208,11 +208,11 @@ Security
|
|||
Display
|
||||
'''''''
|
||||
|
||||
Used only if you have more than 1 SAML Identity Provider declared
|
||||
Used only if at least 2 SAML Identity Providers are declared
|
||||
|
||||
- **Display name**: Name of the IDP
|
||||
- **Logo**: Logo of the IDP
|
||||
- **Order**: Number to sort IDP display
|
||||
- **Order**: Number used for sorting IDP display
|
||||
|
||||
|
||||
.. tip::
|
||||
|
|
|
@ -34,6 +34,8 @@ set to ``On``.
|
|||
- **Allowed failed login**: Number of failed login attempts allowed before account is locked
|
||||
- **Incremental lock**: Enable/disable incremental lock times
|
||||
- **Incremental lock times**: List of comma separated lock time values in seconds
|
||||
- **Maximum lock time**: Lock time values can not be higher than max lock time
|
||||
- **Maximum age**: Delta between current and last stored failed login
|
||||
|
||||
|
||||
Incremental lock time enabled
|
||||
|
@ -70,17 +72,8 @@ Lock time increases between each failed login attempt after allowed failed login
|
|||
Incremental lock time disabled
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
After allowed failed login attempts, user must
|
||||
wait the lock time before trying to log in again.
|
||||
To modify delta (MaxAge) between current and last stored
|
||||
failed login (300 seconds by default) edit ``lemonldap-ng.ini`` in [portal] section:
|
||||
|
||||
.. code-block:: ini
|
||||
|
||||
[portal]
|
||||
bruteForceProtectionTempo = 30
|
||||
bruteForceProtectionMaxAge = 300
|
||||
bruteForceProtectionMaxFailed = 3
|
||||
After allowed failed login attempts, user must wait
|
||||
the lock time before trying to log in again.
|
||||
|
||||
|
||||
.. attention::
|
||||
|
|
|
@ -11,15 +11,19 @@ Just enable it in the manager (section “plugins”).
|
|||
- **Parameters**:
|
||||
|
||||
- **Activation**: Enable / Disable this plugin
|
||||
- **Download file**: Allow users to download DevOps file from a remote server by
|
||||
providing an URL (By example: http://myapp.example.com:8080). Plugin will
|
||||
try to retrieve remote file by sending a request (i.e.
|
||||
http://myapp.example.com:8080/rules.json)
|
||||
- **Download file**: Allow users to download DevOps file from a
|
||||
remote server by providing an URL
|
||||
(By example: http://myapp.example.com:8080). Plugin will
|
||||
try to retrieve remote file by sending a request
|
||||
(i.e. http://myapp.example.com:8080/rules.json)
|
||||
- **Display normalized headers**: Display headers as they are sent
|
||||
- **Check session attributes**: Check if used attributes are existing
|
||||
|
||||
Usage
|
||||
-----
|
||||
When enabled, ``/checkdevops`` URL path is handled by this plugin.
|
||||
Then, you can paste a file to test your rules and headers.
|
||||
Then, you can paste a file to test your rules and headers or
|
||||
provide an URL to download the ``rules.json`` file.
|
||||
|
||||
Example
|
||||
~~~~~~~
|
||||
|
@ -48,7 +52,7 @@ access rules and headers:
|
|||
|
||||
By example: ``$groups =~ /\bdevops\b/``
|
||||
|
||||
.. attention::
|
||||
.. danger::
|
||||
|
||||
Be careful to not display secret attributes.
|
||||
|
||||
|
|
|
@ -25,6 +25,23 @@ GET Parameter Need Value
|
|||
``password`` optional
|
||||
============= ======== ============================================================
|
||||
|
||||
Response
|
||||
--------
|
||||
|
||||
The plugin will respond to the HTTP request with:
|
||||
|
||||
* HTTP code 500 if something went wrong
|
||||
* HTTP code 200 and the following JSON content if something went right
|
||||
|
||||
```
|
||||
{"result":1,"version":"2.0.14"}
|
||||
```
|
||||
|
||||
.. versionadded:: 2.0.14
|
||||
The *version* key is returned
|
||||
|
||||
|
||||
|
||||
Example
|
||||
~~~~~~~
|
||||
|
||||
|
|
|
@ -17,29 +17,30 @@ Just enable it in the manager (section “plugins”).
|
|||
- **Identities use rule**: Rule to define which profiles can be
|
||||
displayed (by example: ``!$anonymous``)
|
||||
- **Unrestricted users rule**: Rule to define which users can check
|
||||
ALL users. ``Identities use rule`` is bypassed.
|
||||
- **Hidden attributes**: Session attributes not displayed
|
||||
ALL users and attributes.
|
||||
- **Hidden attributes**: Session attributes not displayed except for unrestricted users
|
||||
- **Attributes used for searching sessions**: User's attributes used
|
||||
for searching sessions in backend if ``whatToTrace`` fails. Useful
|
||||
to look for sessions by mail or givenName. Let it blank to search
|
||||
by ``whatToTrace`` only
|
||||
- **Hidden headers**: Sent headers whose value is masked except for unrestricted users.
|
||||
Key is a Virtualhost name and value represents a space-separated headers list.
|
||||
A blank value obfuscates ALL relative Virtualhost sent headers.
|
||||
Key is a VirtualHost name and value represents a space-separated headers list.
|
||||
A blank value obfuscates ALL relative VirtualHost sent headers.
|
||||
Note that just valued hearders are masked.
|
||||
|
||||
- **Display**:
|
||||
|
||||
- **Computed sessions**: Rule to define which users can display a
|
||||
computed session if no SSO session is found
|
||||
- **Empty headers**: Rule to define which users can display ALL headers
|
||||
appended by LemonLDAP::NG including empty ones
|
||||
- **Normalized headers**: Rule to define which users can see headers name sent by
|
||||
the web server (see RFC3875)
|
||||
- **Empty values**: Rule to define which users can display ALL attributes
|
||||
even empty ones
|
||||
- **Persistent session data**: Rule to define which users can display
|
||||
persistent session data
|
||||
- **Normalized headers**: Rule to define which users can see headers name sent by
|
||||
the web server (see RFC3875)
|
||||
- **Empty headers**: Rule to define which users can display ALL headers
|
||||
sent by LemonLDAP::NG including empty ones
|
||||
- **Empty values**: Rule to define which users can display empty values
|
||||
- **Hidden attributes**: Rule to define which users can display hidden attributes
|
||||
- **History**: Rule to define which users can display logins history
|
||||
|
||||
.. note::
|
||||
|
||||
|
@ -57,7 +58,7 @@ Just enable it in the manager (section “plugins”).
|
|||
|
||||
By example:
|
||||
|
||||
\* Search attributes => ``mail uid givenName``
|
||||
\* Search attributes => ``mail, uid, givenName``
|
||||
|
||||
If ``whatToTrace`` fails, sessions are searched by ``mail``, next
|
||||
``uid`` if none session is found and so on...
|
||||
|
|
|
@ -174,6 +174,9 @@ html_css_files = [
|
|||
'css/custom.css',
|
||||
]
|
||||
|
||||
html_favicon = 'logos/favicon.ico'
|
||||
html_logo = 'logos/lemonldap-ng-logo.png'
|
||||
|
||||
# Add any extra paths that contain custom files (such as robots.txt or
|
||||
# .htaccess) here, relative to this directory. These files are copied
|
||||
# directly to the root of the documentation.
|
||||
|
|
|
@ -515,6 +515,8 @@ Some options are available:
|
|||
required level, he is redirected to an upgrade page in the portal.
|
||||
This default level is required for ALL locations relative to this virtual host.
|
||||
It can be overrided for each locations.
|
||||
- **DevOps rules file URL**: option to define URL to retreive DevOps rules file.
|
||||
This option can be overridden with ``uwsgi_param/fastcgi_param RULES_URL`` parameter.
|
||||
- **ServiceToken timeout**: by default, ServiceToken is just valid during 30
|
||||
seconds. This TTL can be customized for each virtual host.
|
||||
|
||||
|
|
|
@ -12,14 +12,14 @@ Custom functions allow one to extend LL::NG, they can be used in
|
|||
Implementation
|
||||
--------------
|
||||
|
||||
Your perl custom function must be declared on appropriate server when
|
||||
separating :
|
||||
Your perl custom functions must be declared on appropriate server when
|
||||
separating:
|
||||
|
||||
portal type : declare custom function here when using it in rules,
|
||||
macros, menu
|
||||
**Portal type**: declare custom functions here when using it in rules,
|
||||
macros or menu.
|
||||
|
||||
reverse-proxy type : declare custom function here when using it in
|
||||
headers
|
||||
**Reverse-proxy type**: declare custom functions here when using it in
|
||||
headers.
|
||||
|
||||
Write custom functions library
|
||||
------------------------------
|
||||
|
@ -125,7 +125,7 @@ Go in Manager, ``General Parameters`` » ``Advanced Parameters`` »
|
|||
|
||||
::
|
||||
|
||||
SSOExtensions::function1 SSOExtensions::function2
|
||||
SSOExtensions::function1, SSOExtensions::function2
|
||||
|
||||
|
||||
.. attention::
|
||||
|
|
|
@ -1,8 +1,8 @@
|
|||
DevOps Handler
|
||||
==============
|
||||
|
||||
This handler is designed to read vhost configuration from the website
|
||||
itself not from LL:NG configuration. Rules and headers are set in a
|
||||
This Handler is designed to retrieve vhost configuration from the website
|
||||
itself, not from LL:NG configuration. Rules and headers are set in a
|
||||
**rules.json** file stored at the website root directory (ie
|
||||
``http://website/rules.json``). This file looks like:
|
||||
|
||||
|
@ -24,7 +24,7 @@ If this file is not found, the default rule "accept" is applied and just
|
|||
No specific configuration is required except that:
|
||||
|
||||
- you have to choose this specific handler (directly by using
|
||||
``VHOSTTYPE`` environment variable)
|
||||
``VHOSTTYPE`` environment variable or in VHost options)
|
||||
- you can set the loopback URL needed by the DevOps handler to get
|
||||
``/rules.json`` or use ``RULES_URL`` parameter to set JSON file path
|
||||
(see :doc:`SSO as a Service<ssoaas>`). Default to
|
||||
|
@ -33,7 +33,7 @@ No specific configuration is required except that:
|
|||
|
||||
.. attention::
|
||||
|
||||
Note that DevOps handler will refuse to compile
|
||||
rules.json if :doc:`Safe Jail<safejail>` isn't enabled.
|
||||
Note that DevOps handler will not compile
|
||||
rules.json if :doc:`Safe Jail<safejail>` is not enabled.
|
||||
|
||||
See :doc:`SSO as a Service<ssoaas>` for more
|
||||
See :doc:`SSO as a Service<ssoaas>` for more.
|
||||
|
|
|
@ -267,7 +267,7 @@ Simple usage example:
|
|||
groupMatch
|
||||
~~~~~~~~~~
|
||||
|
||||
this function allows one to parse the ``$hGroups`` variable to check if
|
||||
This function allows one to parse the ``$hGroups`` variable to check if
|
||||
a value is present inside a group attribute.
|
||||
|
||||
Function parameter:
|
||||
|
|
|
@ -19,7 +19,7 @@ All parameters are configured in "General Parameters » Portal Parameters
|
|||
» Extensions » External 2nd Factor".
|
||||
|
||||
- **Activation**
|
||||
- **Code RegEx**: regular expression to create an OTP code. Let this
|
||||
- **Code regex**: regular expression to create an OTP code. Let this
|
||||
option blank to delegate code Generation / Verification to an
|
||||
external provider
|
||||
- **Send command**: define your command using *$attribute* like in
|
||||
|
@ -33,9 +33,9 @@ All parameters are configured in "General Parameters » Portal Parameters
|
|||
- **Authentication level** (Optional): if you want to overwrite the
|
||||
value sent by your authentication module, you can define here the new
|
||||
authentication level. Example: 5
|
||||
- **Logo** (Optional): logo file (in static/<skin> directory)
|
||||
- **Label** (Optional): label that should be displayed to the user on
|
||||
the choice screen
|
||||
- **Logo** (Optional): logo file (in static/<skin> directory)
|
||||
|
||||
|
||||
.. attention::
|
||||
|
|
|
@ -19,9 +19,16 @@ Just enable it in the Manager (section “plugins”). Then, set searching attri
|
|||
- **Character used as wildcard**: Character that can be used by users as wildcard. An empty value disable wildcarded search requests
|
||||
- **Parameters control**: Regular expression used for checking searching values syntax
|
||||
- **User accounts URL**: User database URL to search on if REST backend is used. Let it blank to use default user data URL.
|
||||
- **Searching attributes**: For each attribute, you have to set a key (attribute as defined in UserBD) and a value that will be display in login form (placeholder). A value can be a multivalued list separated by multiValuesSeparator parameter (General Parameters > Advanced parameters > Separator). See note below.
|
||||
- **Searching attributes**: For each attribute, you have to set a key (attribute as defined in UserBD) and a value that will be display in login form (placeholder). A value can be a multivalued list separated by multiValuesSeparator parameter (General Parameters > Advanced parameters > Separator). Attibutes can be sorted by adding ``#_`` before their name (where ``#`` is a number). See note below.
|
||||
- **Excluding attributes**: You can defined here attributes used for excluding accounts. Set keys corresponding to UserBD attributes and values to exclude. A value can be a multivalued list separated by multiValuesSeparator parameter (General Parameters > Advanced parameters > Separator)
|
||||
|
||||
.. note::
|
||||
|
||||
By default, simple searching attributes are mandatory to restrict the number of entries to return. To set an attribute as optional,
|
||||
you can use the following syntax ::
|
||||
|
||||
uid##1 => UID
|
||||
|
||||
.. note::
|
||||
|
||||
You can provide a 'multiValuesSeparator' separated list of allowed searching values that will be displayed as an HTML <select> list ::
|
||||
|
@ -34,11 +41,9 @@ Just enable it in the Manager (section “plugins”). Then, set searching attri
|
|||
|
||||
uid#Identity#1 => dwho; Dr Who; rtyler; Rose Tyler (allow empty value)
|
||||
|
||||
Entries are sorted by alphabetical order.
|
||||
1_uid#Identity#1 => 2_dwho; Dr Who; 1_rtyler; Rose Tyler; dalek; Dalek
|
||||
(The attributes will be sorted by number, those without a number will appear at the end of the list)
|
||||
|
||||
.. attention::
|
||||
|
||||
LDAP filter works only if an objectClass is set.
|
||||
|
||||
.. attention::
|
||||
|
||||
|
@ -46,6 +51,14 @@ Just enable it in the Manager (section “plugins”). Then, set searching attri
|
|||
|
||||
request => searchAttr1=value && searchAttr2=value && not excludeAttr1=value && not excludeAttr2=value
|
||||
|
||||
|
||||
.. attention::
|
||||
|
||||
In some cases (like Choice authentication with SSL and Ajax), FindUser Ajax request can be blocked by Content Security Policy.
|
||||
|
||||
You may have to allow <Portal>/finduser in CSP ``General Parameters > Advanced Parameters > Security > Content security policy``
|
||||
|
||||
|
||||
.. danger::
|
||||
|
||||
This plugin works only with a users backend and of course if the searching or excluding attributes are existing.
|
||||
|
@ -53,8 +66,3 @@ Just enable it in the Manager (section “plugins”). Then, set searching attri
|
|||
.. danger::
|
||||
|
||||
With AuthChoice, you must set which module will be called by this plugin (:doc:`Backend choice by users<authchoice>`).
|
||||
|
||||
|
||||
|
||||
.. |image0| image:: /documentation/beta.png
|
||||
:width: 100px
|
||||
|
|
|
@ -6,9 +6,9 @@ Handlers are build on rows of modules:
|
|||
- Applications or launchers that get the request and choose the right
|
||||
type *(Main, AuthBasic, ZimbraPreAuth,...)* and launch it *(may not
|
||||
inherits from other Handler::\* modules)*
|
||||
- Wrappers that call "type" library and platform "Main" //(may all
|
||||
- Wrappers that call "type" library and platform "Main" (may all
|
||||
inherits from Platform::Main
|
||||
- library types if needed *(may inherits from Main)*
|
||||
- Library types if needed *(may inherit from Main)*
|
||||
- Main: the main handler library
|
||||
|
||||
Since version 2.1, wrappers are autogenerated when undefined. Generated
|
||||
|
|
|
@ -48,13 +48,13 @@ to access required locations in Portal Virtual Host.
|
|||
|
||||
.. danger::
|
||||
|
||||
With AuthBasic handler, you have to disable CSRF token by
|
||||
With AuthBasic Handler, you have to disable CSRF token by
|
||||
setting a special rule based on source IP addresses like this :
|
||||
|
||||
requireToken => $env->{REMOTE_ADDR} !~ /^127\.0\.[1-3]\.1$/
|
||||
|
||||
With :doc:`authchoice`, you have to declare which authentication module is
|
||||
requested by handler to create global session.
|
||||
requested by the AuthBasic Handler to create global session.
|
||||
|
||||
Go to:
|
||||
``General Parameters > Authentication parameters > Choice parameters``
|
||||
|
|
|
@ -1,6 +1,8 @@
|
|||
Available plugin hooks
|
||||
======================
|
||||
|
||||
This page shows the list of hooks that you can use in your :doc:`custom plugins <plugincustom>`. Read the :doc:`plugincustom` page for full details on how to create and enable custom plugins.
|
||||
|
||||
OpenID Connect Issuer hooks
|
||||
---------------------------
|
||||
|
||||
|
@ -94,7 +96,7 @@ Sample code::
|
|||
};
|
||||
|
||||
sub addClaimToUserInfo {
|
||||
my ( $self, $req, $userinfo ) = @_;
|
||||
my ( $self, $req, $userinfo, $rp) = @_;
|
||||
$userinfo->{"userinfo_hook"} = 1;
|
||||
return PE_OK;
|
||||
}
|
||||
|
@ -192,7 +194,7 @@ Sample code::
|
|||
};
|
||||
|
||||
sub gotRequest {
|
||||
my ( $self, $res, $login ) = @_;
|
||||
my ( $self, $req, $login ) = @_;
|
||||
|
||||
# Your code here
|
||||
}
|
||||
|
@ -213,7 +215,7 @@ Sample code::
|
|||
};
|
||||
|
||||
sub buildResponse {
|
||||
my ( $self, $res, $login ) = @_;
|
||||
my ( $self, $req, $login ) = @_;
|
||||
|
||||
# Your code here
|
||||
}
|
||||
|
@ -234,7 +236,7 @@ Sample code::
|
|||
};
|
||||
|
||||
sub gotLogout {
|
||||
my ( $self, $res, $logout ) = @_;
|
||||
my ( $self, $req, $logout ) = @_;
|
||||
|
||||
# Your code here
|
||||
}
|
||||
|
@ -255,7 +257,7 @@ Sample code::
|
|||
};
|
||||
|
||||
sub gotLogoutResponse {
|
||||
my ( $self, $res, $logout ) = @_;
|
||||
my ( $self, $req, $logout ) = @_;
|
||||
|
||||
# Your code here
|
||||
}
|
||||
|
@ -276,7 +278,7 @@ Sample code::
|
|||
};
|
||||
|
||||
sub buildLogoutResponse {
|
||||
my ( $self, $res, $logout ) = @_;
|
||||
my ( $self, $req, $logout ) = @_;
|
||||
|
||||
# Your code here
|
||||
}
|
||||
|
@ -416,6 +418,6 @@ Sample code::
|
|||
sub logPasswordChange {
|
||||
my ( $self, $req, $user, $password, $old ) = @_;
|
||||
$old ||= "";
|
||||
$self->userLogger->info("Password changed for $user: $old -> $password")
|
||||
$self->userLogger->info("Password changed for $user: $old -> $password");
|
||||
return PE_OK;
|
||||
}
|
||||
|
|
|
@ -47,7 +47,7 @@ Configuring the CAS Service
|
|||
Then go in ``CAS Service`` to define:
|
||||
|
||||
- **CAS login**: the session key transmitted to CAS client as the main
|
||||
identifier (CAS Principal). This setting can be overriden
|
||||
identifier (CAS Principal). This setting can be overridden
|
||||
per-application.
|
||||
- **Access control policy**: define if access control should be done on
|
||||
CAS service. Three options:
|
||||
|
|
|
@ -30,12 +30,11 @@ As an OP, LL::NG supports a lot of OpenID Connect features:
|
|||
- Session management
|
||||
- FrontChannel Logout
|
||||
- BackChannel Logout
|
||||
- PKCE (Since ``2.0.4``) - See `RFC
|
||||
7636 <https://tools.ietf.org/html/rfc7636>`__
|
||||
- Introspection endpoint (Since ``2.0.6``) - See `RFC
|
||||
7662 <https://tools.ietf.org/html/rfc7662>`__
|
||||
- PKCE (Since ``2.0.4``) - See :rfc:`7636`
|
||||
- Introspection endpoint (Since ``2.0.6``) - See :rfc:`7662`
|
||||
- Offline access (Since ``2.0.7``)
|
||||
- Refresh Tokens (Since ``2.0.7``)
|
||||
- Optional JWT Access Tokens (Since ``2.0.12``) - See :rfc:`9068`
|
||||
|
||||
Configuration
|
||||
-------------
|
||||
|
@ -156,22 +155,20 @@ spaces, no special characters), like “sample-rp”;
|
|||
|
||||
You can then access to the configuration of this RP.
|
||||
|
||||
.. _oidcexportedattr:
|
||||
|
||||
Exported attributes
|
||||
^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
You can map here the attribute names from the LL::NG session to an
|
||||
`OpenID Connect
|
||||
claim <http://openid.net/specs/openid-connect-core-1_0.html#StandardClaims>`__.
|
||||
.. warning::
|
||||
|
||||
.. include:: openidconnectclaims.rst
|
||||
By default, only `standard OpenID Connect claims <http://openid.net/specs/openid-connect-core-1_0.html#StandardClaims>`__ are visible to applications. If you want to add non-standard attributes, you must create a new scope in the *Scope values content* section and make your application request it
|
||||
|
||||
.. _oidcexportedattr:
|
||||
For each OpenID Connect attribute you want to release to applications, you can define:
|
||||
|
||||
For each OpenID Connect claim you want to release to applications, you can define:
|
||||
|
||||
* **Claim name**: the name of the claim as it will appear in Userinfo responses
|
||||
* **Variable name**: the name of the LemonLDAP::NG session variable containing the claim value
|
||||
* **Type**: the data type of the attribute. By default, a string. Choosing integer or boolean will make the claim appear as the corresponding JSON type.
|
||||
* **Claim name**: the name of the attribute as it will appear in Userinfo responses
|
||||
* **Variable name**: the name of the LemonLDAP::NG session variable containing the attribute value
|
||||
* **Type**: the data type of the attribute. By default, a string. Choosing integer or boolean will make the attribute appear as the corresponding JSON type.
|
||||
* **Array**: choose how to process multi-valued attributes
|
||||
|
||||
* **Auto**: If the session key contains a single value, it will be released as a JSON number, string or boolean, depending on the previously specified type. If the session key contains multiple values, it will be released as an array of numbers, strings or booleans.
|
||||
|
@ -187,36 +184,47 @@ For each OpenID Connect claim you want to release to applications, you can defin
|
|||
|
||||
.. _oidcextraclaims:
|
||||
|
||||
Extra Claims
|
||||
^^^^^^^^^^^^
|
||||
Scope values content
|
||||
^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
By default, LemonLDAP::NG already defines the following scope-to-attribute map:
|
||||
|
||||
.. attention::
|
||||
.. csv-table::
|
||||
:header: "Scope value", "Attribute list"
|
||||
:delim: ;
|
||||
:widths: auto
|
||||
|
||||
By default, only claims that are part of standard OpenID
|
||||
Connect scopes will be sent to a client. If you want to send a claim
|
||||
that is not in the OpenID Connect specification, you need to declare it
|
||||
in the Extra Claims section
|
||||
profile; name family_name given_name middle_name nickname preferred_username profile picture website gender birthdate zoneinfo locale updated_at
|
||||
email; email email_verified
|
||||
address; street_address locality region postal_code country
|
||||
phone; phone_number phone_number_verified
|
||||
|
||||
If you want to make custom claims visible to OpenID Connect clients, you
|
||||
need to declare them in a scope.
|
||||
If you want to make custom attribute visible to OpenID Connect clients, you
|
||||
need to declare them in a new scope in this section.
|
||||
|
||||
Add your additional scope as the **Key**, and a space-separated list of
|
||||
claims as the **Value**:
|
||||
attribute as the **Value**:
|
||||
|
||||
- timelord => rebirth_count bloodline
|
||||
- `employment_info` => `position company`
|
||||
|
||||
In this example, an OpenID Client asking for the ``timelord`` scope will
|
||||
be able to read the ``rebirth_count`` and ``bloodline`` claims from the
|
||||
In this example, an OpenID Client asking for the ``employment_info`` scope will
|
||||
be able to read the ``company`` and ``position`` attribute from the
|
||||
Userinfo endpoint.
|
||||
|
||||
.. important::
|
||||
|
||||
.. danger::
|
||||
|
||||
Any Claim defined in this section must be mapped to a
|
||||
LemonLDAP::NG session attribute in the **Exported Attributes**
|
||||
Any attribute defined in this section must be mapped to a
|
||||
LemonLDAP::NG session variable in the **Exported Attributes**
|
||||
section
|
||||
|
||||
.. important::
|
||||
|
||||
Your custom attributes will only be visible if the application requests the
|
||||
corresponding scope value
|
||||
|
||||
|
||||
|
||||
|
||||
.. _oidcscoperules:
|
||||
|
||||
Scope Rules
|
||||
|
@ -318,7 +326,7 @@ Options
|
|||
return it as a JWT, using one of the available signature algorithms.
|
||||
- **Require PKCE** (since version ``2.0.4``): a code challenge is
|
||||
required at token endpoint (see
|
||||
`RFC7636 <https://tools.ietf.org/html/rfc7636>`__)
|
||||
:rfc:`7636`)
|
||||
- **Allow offline access** (since version ``2.0.7``): After enabling
|
||||
this feature, an application may request the **offline_access**
|
||||
scope, and will obtain a Refresh Token that persists even after
|
||||
|
@ -333,11 +341,22 @@ Options
|
|||
|
||||
- **Logout**
|
||||
|
||||
- **Allowed redirection addresses for logout**: A space separated list of URLs that this client can redirect the user to once the logout is done (through ``post_logout_redirect_uri``)
|
||||
- **Allowed redirection addresses for logout**: A space separated list of
|
||||
URLs that this client can redirect the user to once the logout is done
|
||||
(through ``post_logout_redirect_uri``)
|
||||
- **URL**: Specify the relying party's logout URL
|
||||
- **Type**: Type of Logout to perform (only Front-Channel is implemented for now)
|
||||
- **Session required**: Whether to send the Session ID in the logout request
|
||||
|
||||
Access Rule extra variables
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
When writing your access rules, you can additionally use the following variables:
|
||||
|
||||
* ``$_oidc_grant_type`` (since version ``2.0.14``): the grant type being used to
|
||||
access this service. Possible values: ``authorizationcode``,
|
||||
``implicit``, ``hybrid``, ``clientcredentials``, ``password``
|
||||
|
||||
.. _resource-owner-password-grant:
|
||||
|
||||
Resource Owner Password Credentials Grant
|
||||
|
@ -351,7 +370,7 @@ The Resource Owner Password Credentials Grant allows you to exchange a user's lo
|
|||
|
||||
.. seealso::
|
||||
|
||||
`Specification for the Resource Owner Password Credentials Grant <https://tools.ietf.org/html/rfc6749#section-4.3>`__
|
||||
Specification for the Resource Owner Password Credentials Grant: :rfc:`6749#section-4.3`
|
||||
|
||||
.. _client-credentials-grant:
|
||||
|
||||
|
@ -379,7 +398,7 @@ mapped to Exported Attributes and Extra Claims
|
|||
|
||||
.. seealso::
|
||||
|
||||
`Specification for the Client Credentials Grant <https://tools.ietf.org/html/rfc6749#section-4.4>`__
|
||||
Specification for the Client Credentials Grant: :rfc:`6749#section-4.4`
|
||||
|
||||
Macros
|
||||
^^^^^^
|
||||
|
|
|
@ -58,6 +58,8 @@ IDP related metadata.
|
|||
In both cases, the entityID of the LemonLDAP::NG server is
|
||||
http://auth.example.com/saml/metadata
|
||||
|
||||
.. _samlidp-register-sp:
|
||||
|
||||
Register partner Service Provider on LemonLDAP::NG
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
|
|
|
@ -7,7 +7,6 @@ Handlers
|
|||
handlerauthbasic
|
||||
cda
|
||||
ssoaas
|
||||
servertoserver
|
||||
oauth2handler
|
||||
securetoken
|
||||
servertoserver
|
||||
|
|
|
@ -5,4 +5,5 @@ Attacks and Protection
|
|||
:maxdepth: 1
|
||||
|
||||
bruteforceprotection
|
||||
newlocationwarning
|
||||
safejail
|
||||
|
|
|
@ -68,7 +68,7 @@ repositories:
|
|||
|
||||
apt install apt-transport-https
|
||||
|
||||
You will need to trust the following GPG key : |image0|
|
||||
You will need to trust the `DEB signing key <https://lemonldap-ng.org/_media/rpm-gpg-key-ow2>`__ :
|
||||
|
||||
::
|
||||
|
||||
|
@ -196,6 +196,3 @@ the package yourself:
|
|||
tar xzf lemonldap-ng-*.tar.gz
|
||||
cd lemonldap-ng-*
|
||||
make debian-packages
|
||||
|
||||
.. |image0| image:: /rpm-gpg-key-ow2
|
||||
|
||||
|
|
|
@ -105,9 +105,8 @@ RPMs are available on the :doc:`Download page</download>`.
|
|||
Package GPG signature
|
||||
---------------------
|
||||
|
||||
The GPG key can be downloaded here: |image0|
|
||||
|
||||
Install it to trust RPMs:
|
||||
Get the `RPM signing key <https://lemonldap-ng.org/_media/rpm-gpg-key-ow2>`__ onto your LemonLDAP::NG server:
|
||||
|
||||
::
|
||||
|
||||
|
@ -219,5 +218,4 @@ If you need it, you can rebuild RPMs:
|
|||
|
||||
rpmbuild -ta SOURCES/lemonldap-ng-VERSION.tar.gz
|
||||
|
||||
.. |image0| image:: /rpm-gpg-key-ow2
|
||||
|
||||
|
|
|
@ -94,12 +94,11 @@ RPMs are available on the :doc:`Download page<download>`.
|
|||
Package GPG signature
|
||||
---------------------
|
||||
|
||||
The GPG key can be downloaded here: |image0|
|
||||
|
||||
Install it to trust RPMs:
|
||||
Install the `RPM signing key <https://lemonldap-ng.org/_media/rpm-gpg-key-ow2>`__ to trust RPMs:
|
||||
|
||||
::
|
||||
|
||||
wget https://lemonldap-ng.org/_media/rpm-gpg-key-ow2
|
||||
rpm --import rpm-gpg-key-ow2
|
||||
|
||||
Install packages
|
||||
|
@ -243,6 +242,3 @@ Alternatively, you can use the automatic script
|
|||
:ref:`lemonldap svn repository<download-getting-sources-from-svn-repository>`.
|
||||
The automatic script can also generate intermediate dependencies. See
|
||||
README file in the same directory for more information.
|
||||
|
||||
.. |image0| image:: /rpm-gpg-key-ow2
|
||||
|
||||
|
|
|
@ -26,12 +26,14 @@ not allowed to open a session. In other cases which result on
|
|||
impossibility to authenticate user, to retrieve data or to create a
|
||||
session, nothing is stored.
|
||||
|
||||
By default, login time and IP address are stored in history, and the
|
||||
error message prompted to the user for failed logins. It is possible to
|
||||
store any additional session data. For example to store authentication
|
||||
mode, you can set in ``Session data to store`` a new key ``_auth`` with
|
||||
value ``Authentication mode``. The value will be used to display the
|
||||
data.
|
||||
* **Max successful logins count**: How many successful logins should be remembered in the history
|
||||
* **Max failed logins count**: How many failed logins should be remembered in the history
|
||||
* **Session data to store**: additional session variables to store in the history. *Key* is the variable (or macro) name, *Value* is the title of the column used when displaying the field. Use ``__hidden__`` to store a variables without displaying it to the user.
|
||||
|
||||
By default, login time and IP address are stored in history, and the error
|
||||
message prompted to the user for failed logins. It is possible to store any
|
||||
additional session data. For example to store authentication, add a new key
|
||||
``_auth`` with value ``Authentication mode``.
|
||||
|
||||
To allow the Login History tab in Menu, configure it in
|
||||
``General Parameters`` > ``Portal`` > ``Menu`` > ``Modules`` (see
|
||||
|
|
BIN
doc/sources/admin/logos/favicon.ico
Normal file
After Width: | Height: | Size: 162 KiB |
BIN
doc/sources/admin/logos/lemonldap-ng-logo.png
Normal file
After Width: | Height: | Size: 5.7 KiB |
BIN
doc/sources/admin/logos/logo_llng_600px.png
Normal file
After Width: | Height: | Size: 13 KiB |
|
@ -6,10 +6,10 @@ Presentation
|
|||
|
||||
Main settings:
|
||||
|
||||
- **REMOTE_USER** : session attribute used for logging user access
|
||||
- **REMOTE_CUSTOM** : can be used for logging an another user attribute or a macro
|
||||
- **REMOTE_USER**: session attribute used for logging user access
|
||||
- **REMOTE_CUSTOM**: can be used for logging an another user attribute or a macro
|
||||
(optional)
|
||||
- **Hidden attributes** : session attributes never displayed or sent
|
||||
- **Hidden attributes**: session attributes never displayed or sent
|
||||
|
||||
LemonLDAP::NG provides 5 levels of error and has two kind of logs:
|
||||
|
||||
|
|
|
@ -48,6 +48,6 @@ Mail second factor".
|
|||
- **Authentication level** (Optional): if you want to overwrite the
|
||||
value sent by your authentication module, you can define here the new
|
||||
authentication level. Example: 5
|
||||
- **Logo** (Optional): logo file *(in static/<skin> directory)*
|
||||
- **Label** (Optional): label that should be displayed to the user on
|
||||
the choice screen
|
||||
- **Logo** (Optional): logo file *(in static/<skin> directory)*
|
||||
|
|
55
doc/sources/admin/newlocationwarning.rst
Normal file
|
@ -0,0 +1,55 @@
|
|||
|image0|
|
||||
|
||||
New Location Warning Plugin
|
||||
===========================
|
||||
|
||||
Presentation
|
||||
------------
|
||||
|
||||
This plugin allows LL::NG to send a warning message to the user's email
|
||||
address when their account connects from a new location.
|
||||
|
||||
By default, the location is the IP address. Meaning that any connection from a
|
||||
different IP address will send a warning. If this is not what you want, you can
|
||||
change the way location is computed (see below).
|
||||
|
||||
Following steps are performed when the user logs in
|
||||
|
||||
#. Extract the location from session info (by default, the IP address is used)
|
||||
#. Compare the current location to the previous locations saved in history
|
||||
#. If it is a new location, send an email to warn the user
|
||||
#. On the next login, the location will no longer be considered as new
|
||||
|
||||
The very first time a user logs in (empty login history), no email is sent.
|
||||
|
||||
Configuration
|
||||
-------------
|
||||
|
||||
Just enable it in the Manager (section ``General Parameters`` > ``Advanced parameters`` > ``Security`` > ``New location warning``:
|
||||
|
||||
- **Activation**: Enable this plugin *(default: disabled)*
|
||||
- **Session attribute containing location**: Indicate the session attribute you are using to store the location. You can use `ipAddr`, or a custom macro.
|
||||
- **Session attribute to display**: By default, the raw value of the location session attribute is displayed in the warning email. If you want to use a different session attribute in the warning email, you can specify it here.
|
||||
- **Maximum number of locations to consider**: By default, all previous value of the location are checked
|
||||
- **Session mail attribute**: Session key containing mail address *(default: mail)*
|
||||
- **Warning mail subject**: Subject of the email containing the warning
|
||||
- **Warning mail content**: Content of the email containing the warning
|
||||
|
||||
.. warning::
|
||||
If you use a macro instead of ``ipAddr`` as the location value, be sure to add the name of this macro to
|
||||
|
||||
General Parameters » Plugins » Login History » Session data to store
|
||||
|
||||
Otherwise, the value of the macro will not be remembered across logins
|
||||
|
||||
Email body variables
|
||||
~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
Following variables are available in the Warning email body:
|
||||
|
||||
* ``$location``: the location value, from **Session attribute to display**
|
||||
* ``$date``: the date of login
|
||||
* ``$ua``: the full user agent string
|
||||
|
||||
.. |image0| image:: /documentation/beta.png
|
||||
:width: 100px
|
|
@ -48,6 +48,10 @@ The OAuth2 handler defines a few extra variables that you can use in
|
|||
* ``$_clientId``: client ID of the application which requested the Access Token
|
||||
* ``$_clientConfKey``: configuration key of the application which requested the
|
||||
Access Token
|
||||
* ``$_oidc_grant_type`` (since *2.0.14*): the grant type used to generate the Access Token. If
|
||||
Refresh Tokens are used, this is the grant type of the first emitted Access
|
||||
Token. Possible values: ``authorizationcode``, ``implicit``, ``hybrid``,
|
||||
``clientcredentials``, ``password``
|
||||
* ``$_scope``: list of space-separated scopes granted by the Access Token
|
||||
|
||||
For example, to grant access to access tokens containing the ``write`` scope,
|
||||
|
@ -68,7 +72,7 @@ Define access rules and headers. Then in ``Options`` > ``Type``, choose
|
|||
Reference
|
||||
---------
|
||||
|
||||
`RFC6750 <https://tools.ietf.org/html/rfc6750>`__
|
||||
:rfc:`6750`
|
||||
|
||||
.. |image0| image:: /documentation/oauth-retina-preview.jpg
|
||||
:class: align-center
|
||||
|
|
|
@ -1,32 +0,0 @@
|
|||
OpenID Connect claims
|
||||
~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
===================== ================ ======= =======================================
|
||||
Claim name Associated scope Type Example of corresponding LDAP attribute
|
||||
===================== ================ ======= =======================================
|
||||
sub openid string uid
|
||||
name profile string cn
|
||||
given_name profile string givenName
|
||||
family_name profile string sn
|
||||
middle_name profile string
|
||||
nickname profile string
|
||||
preferred_username profile string displayName
|
||||
profile profile string labeledURI
|
||||
picture profile string
|
||||
website profile string
|
||||
email email string mail
|
||||
email_verified email boolean
|
||||
gender profile string
|
||||
birthdate profile string
|
||||
zoneinfo profile string
|
||||
locale profile string preferredLanguage
|
||||
phone_number phone string telephoneNumber
|
||||
phone_number_verified phone boolean
|
||||
updated_at profile string
|
||||
formatted address string registeredAddress
|
||||
street_address address string street
|
||||
locality address string l
|
||||
region address string st
|
||||
postal_code address string postalCode
|
||||
country address string co
|
||||
===================== ================ ======= =======================================
|
|
@ -51,7 +51,7 @@ Security
|
|||
- **Only allow declared scopes**: By default, LemonLDAP::NG will grant all requested scopes. When this option is in use, LemonLDAP will only grant:
|
||||
|
||||
- Standard OIDC scopes (``openid`` ``profile`` ``email`` ``address`` ``phone``)
|
||||
- Scopes declared in :ref:`Extra Claims <oidcextraclaims>`
|
||||
- Scopes declared in :ref:`Scope values content <oidcextraclaims>`
|
||||
- Scopes declared in :ref:`Scope Rules <oidcscoperules>` (if they match the rule)
|
||||
|
||||
- **Authorization Code flow**: Set to 1 to allow Authorization Code
|
||||
|
|
|
@ -444,8 +444,10 @@ radiusServer
|
|||
randomPasswordRegexp Regular expression to create a random password ✔
|
||||
redirectFormMethod HTTP method for redirect page form ✔
|
||||
refreshSessions Refresh sessions plugin ✔
|
||||
registerConfirmBody Mail body for register confirmation ✔
|
||||
registerConfirmSubject Mail subject for register confirmation ✔
|
||||
registerDB Register module ✔
|
||||
registerDoneBody Mail body when register is done ✔
|
||||
registerDoneSubject Mail subject when register is done ✔
|
||||
registerTimeout Register session timeout ✔
|
||||
registerUrl URL of register page ✔
|
||||
|
|
|
@ -4,8 +4,22 @@ Write a custom plugin
|
|||
Presentation
|
||||
------------
|
||||
|
||||
Standard entry points
|
||||
~~~~~~~~~~~~~~~~~~~~~
|
||||
Portal plugins let you customize LemonLDAP::NG's behavior.
|
||||
|
||||
Common use cases for plugins are:
|
||||
|
||||
* Looking up session information in an additional backend
|
||||
* Implementing additional controls or steps during login
|
||||
* Adjusting the behavior of SAML, OIDC or CAS protocols to work around application bugs
|
||||
|
||||
Creating a plugin can be as simple as writing a short Perl module file and
|
||||
declaring it in your configuration. See below for an example.
|
||||
|
||||
Plugin API
|
||||
----------
|
||||
|
||||
Authentication entry points
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
You can now write a custom portal plugin that will hook in the
|
||||
authentication process:
|
||||
|
@ -21,8 +35,8 @@ authentication process:
|
|||
- ``forAuthUser``: method called for already authenticated users
|
||||
- ``beforeLogout``: method called before logout
|
||||
|
||||
Extended entry points
|
||||
~~~~~~~~~~~~~~~~~~~~~
|
||||
Generic entry points
|
||||
~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
If you need to call a method just after any standard method in
|
||||
authentication process, then use ``afterSub``, for example:
|
||||
|
@ -75,51 +89,147 @@ The plugin can also define new routes and call actions on them.
|
|||
|
||||
See also ``Lemonldap::NG::Portal::Main::Plugin`` man page.
|
||||
|
||||
Configuration
|
||||
~~~~~~~~~~~~~
|
||||
|
||||
The current LemonLDAP::NG configuration can be accessed in the ``$self->conf`` hash. This variable is only meant to be read. Don't try changing its content, or *Bad Things* may happen.
|
||||
|
||||
You can set your own parameters in ``General Parameters`` » ``Plugins`` » ``Custom plugins`` » ``Additional parameters``
|
||||
and reach them through ``customPluginsParams``
|
||||
|
||||
.. code-block:: perl
|
||||
|
||||
sub my_function {
|
||||
my ($self, $req) = @_;
|
||||
|
||||
# Get a standard LLNG option
|
||||
my $llng_logo = $self->conf->{portalMainLogo};
|
||||
|
||||
# Get your custom LLNG option
|
||||
my $myvar = $self->conf->{customPluginsParams}->{myvar};
|
||||
}
|
||||
|
||||
Logs
|
||||
~~~~
|
||||
|
||||
You can use the ``$self->logger`` and ``$self->userLogger`` objects to log information during your plugin execution. Use ``logger`` for technical logs and ``userLogger`` for accounting and tracability events.
|
||||
|
||||
.. code-block:: perl
|
||||
|
||||
sub my_function {
|
||||
my ($self, $req) = @_;
|
||||
|
||||
$self->logger->debug("Debug message");
|
||||
if (my_custom_test($req->user)) {
|
||||
$self->userLogger->debug("User ". $req->user .
|
||||
" is not allowed because XXX");
|
||||
|
||||
return PE_ERROR;
|
||||
}
|
||||
return PE_OK;
|
||||
}
|
||||
|
||||
|
||||
Remembering data
|
||||
~~~~~~~~~~~~~~~~
|
||||
|
||||
In order to remember data between different steps, you can use the ``$req->data`` hash.
|
||||
|
||||
Data will not be remembered in between requests, only in between methods that process the same HTTP request.
|
||||
|
||||
History management
|
||||
~~~~~~~~~~~~~~~~~~
|
||||
|
||||
Plugins may declare additional session fields to be stored in the :doc:`loginhistory`.
|
||||
|
||||
.. code:: perl
|
||||
|
||||
sub init {
|
||||
my ($self) = @_;
|
||||
|
||||
$self->addSessionDataToRemember({
|
||||
# This field will be hidden from the user
|
||||
_language => '__hidden__',
|
||||
|
||||
# This field will be displayed on the portal. The column name
|
||||
# is treated like a message and can be internationalized
|
||||
authenticationLevel => "Human friendly column name",
|
||||
});
|
||||
return 1;
|
||||
}
|
||||
|
||||
Column names can be translated by :ref:`overriding the corresponding message <intlmessages>`
|
||||
|
||||
Example
|
||||
-------
|
||||
|
||||
Plugin Perl module
|
||||
~~~~~~~~~~~~~~~~~~
|
||||
|
||||
Create for example the MyPlugin module:
|
||||
This example creates a ``Lemonldap::NG::Portal::MyPlugin`` plugin that
|
||||
showcases some features of the plugin system.
|
||||
|
||||
::
|
||||
First, create a file to contain the plugin code ::
|
||||
|
||||
vi /usr/share/perl5/Lemonldap/NG/Portal/MyPlugin.pm
|
||||
|
||||
|
||||
.. tip::
|
||||
|
||||
If you do not want to mix files from the distribution with
|
||||
your own work, put your own code in
|
||||
``/usr/local/lib/site_perl/Lemonldap/NG/Portal/MyPlugin.pm``\
|
||||
``/usr/local/lib/site_perl/Lemonldap/NG/Portal/MyPlugin.pm``.
|
||||
Or you can use your own namespace such as ``ACME::Corp::MyPlugin``.
|
||||
|
||||
.. code-block:: perl
|
||||
|
||||
# The package name must match the file path
|
||||
# This file must be in Lemonldap/NG/Portal/MyPlugin.pm
|
||||
package Lemonldap::NG::Portal::MyPlugin;
|
||||
|
||||
use Mouse;
|
||||
use Lemonldap::NG::Portal::Main::Constants;
|
||||
extends 'Lemonldap::NG::Portal::Main::Plugin';
|
||||
|
||||
# Declare when LemonLDAP::NG must call your functions
|
||||
use constant beforeAuth => 'verifyIP';
|
||||
use constant hook => { passwordAfterChange => 'logPasswordChange' };
|
||||
|
||||
sub init {
|
||||
my ($self) = @_;
|
||||
$self->addUnauthRoute( mypath => 'hello', [ 'GET', 'PUT' ] );
|
||||
$self->addAuthRoute( mypath => 'welcome', [ 'GET', 'PUT' ] );
|
||||
return 1;
|
||||
}
|
||||
# This function will be called at the "beforeAuth" login step
|
||||
sub verifyIP {
|
||||
my ($self, $req) = @_;
|
||||
return PE_ERROR if($req->address !~ /^10/);
|
||||
return PE_OK;
|
||||
}
|
||||
|
||||
# This function will be called when changing passwords
|
||||
sub logPasswordChange {
|
||||
my ( $self, $req, $user, $password, $old ) = @_;
|
||||
$self->userLogger->info("Password changed for $user");
|
||||
return PE_OK;
|
||||
}
|
||||
|
||||
# You can define your custom initialization in the
|
||||
# init method.
|
||||
# Before LemonLDAP::NG 2.0.14, this function was mandatory
|
||||
sub init {
|
||||
my ($self) = @_;
|
||||
|
||||
# This is how you declare HTTP routes
|
||||
$self->addUnauthRoute( mypath => 'hello', [ 'GET', 'PUT' ] );
|
||||
$self->addAuthRoute( mypath => 'welcome', [ 'GET', 'PUT' ] );
|
||||
|
||||
# The function can return 0 to indicate failure
|
||||
return 1;
|
||||
}
|
||||
|
||||
# This method will be called to handle unauthenticated requests to /mypath
|
||||
sub hello {
|
||||
my ($self, $req) = @_;
|
||||
...
|
||||
return $self->p->sendJSONresponse($req, { hello => 1 });
|
||||
}
|
||||
|
||||
# This method will be called to handle authenticated requests to /mypath
|
||||
sub welcome {
|
||||
my ($self, $req) = @_;
|
||||
|
||||
|
@ -129,10 +239,13 @@ Create for example the MyPlugin module:
|
|||
...
|
||||
return $self->p->sendHtml($req, 'template', params => { WELCOME => 1 });
|
||||
}
|
||||
|
||||
# Your file must return 1, or Perl will complain.
|
||||
1;
|
||||
|
||||
Configuration
|
||||
~~~~~~~~~~~~~
|
||||
|
||||
Enabling your plugin
|
||||
~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
Declare the plugin in Manager, in General Parameters > Plugins > Custom
|
||||
Plugins.
|
||||
|
|
|
@ -11,9 +11,9 @@ Main Logo
|
|||
~~~~~~~~~
|
||||
|
||||
You can change the default Main Logo in Manager: General Parameters >
|
||||
Portal > Customization > Main Logo.
|
||||
Portal > Customization > Main logo.
|
||||
|
||||
A blank value disables Main Logo display.
|
||||
A blank value disables Main logo display.
|
||||
|
||||
|
||||
.. tip::
|
||||
|
@ -44,14 +44,14 @@ Custom CSS file
|
|||
~~~~~~~~~~~~~~~
|
||||
|
||||
You can define a custom CSS file, for example ``custom.css``, which will
|
||||
be loaded after default CSS files. This file needs to be created in the
|
||||
be loaded after default CSS files. This file must be created in the
|
||||
static repository
|
||||
(``/usr/share/lemonldap-ng/portal/htdocs/static/bootstrap/css``).
|
||||
|
||||
Then set this value in Custom CSS parameter :
|
||||
Then set this value in Custom CSS parameter:
|
||||
``bootstrap/css/custom.css``.
|
||||
|
||||
Sample CSS file, to remove white background of main logo:
|
||||
CSS file example to remove white background of main logo:
|
||||
|
||||
.. code-block:: css
|
||||
|
||||
|
@ -65,9 +65,9 @@ Sample CSS file, to remove white background of main logo:
|
|||
Skin
|
||||
----
|
||||
|
||||
LemonLDAP::NG is shipped with bootstrap skin.
|
||||
LemonLDAP::NG is shipped with a bootstrap skin.
|
||||
|
||||
But you can make your own. See Skin customization below.
|
||||
But you can provide your own. See Skin customization below.
|
||||
|
||||
Default skin
|
||||
~~~~~~~~~~~~
|
||||
|
@ -83,8 +83,7 @@ Skin background
|
|||
|
||||
Go in ``General Parameters`` > ``Portal`` > ``Customization`` >
|
||||
``Skin background``. You can define a background by selecting one of the
|
||||
available image. Use ``None`` to use the default skin background
|
||||
configuration.
|
||||
available image. Select ``None`` to use the default skin background configuration.
|
||||
|
||||
|image0|
|
||||
|
||||
|
@ -112,7 +111,7 @@ user.
|
|||
|
||||
To achieve this, you can create a rule in the Manager: select
|
||||
``General Parameters`` > ``Portal`` > ``Customization`` >
|
||||
``Skin display rules`` on click on "New key". Then fill the two fields;
|
||||
``Skin display rules`` and click on "New entry". Then fill the two fields;
|
||||
|
||||
- **Key**: a Perl expression (you can use ``%ENV`` hash to get environment
|
||||
variables, or ``$_url`` to get URL called before redirection, or ``$ipAddr``
|
||||
|
@ -131,7 +130,7 @@ Skin files
|
|||
|
||||
A skin is composed of different files:
|
||||
|
||||
- **.tpl**: Perl HTML::Template files, for HTML content
|
||||
- **.tpl**: Perl `HTML::Template <https://metacpan.org/pod/HTML::Template>`__ files, for HTML content
|
||||
- **.css**: CSS (styles)
|
||||
- **.js**: Javascript
|
||||
- images and other media files
|
||||
|
@ -213,12 +212,18 @@ lemonldap-ng-cli:
|
|||
|
||||
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 set portalSkin 'myskin' portalSkinBackground ''
|
||||
|
||||
You can find additional documentation on the syntax of template files in the
|
||||
`official documentation of the HTML::Template module
|
||||
<https://metacpan.org/pod/HTML::Template>`__
|
||||
|
||||
.. _intlmessages:
|
||||
|
||||
Messages
|
||||
~~~~~~~~
|
||||
|
||||
Messages are defined in source code. If they really do not please you,
|
||||
Messages are defined in source code. If they really do not suit you,
|
||||
override them! You just need to know the ID of the message (look at
|
||||
Portal/Simple.pm).
|
||||
Portal/Main/Constants.pm).
|
||||
|
||||
There are two methods to do this:
|
||||
|
||||
|
@ -240,7 +245,7 @@ boxes by using the bareword ``_hide_`` :
|
|||
.. code-block:: ini
|
||||
|
||||
error_en_0 = Big brother is watching you, authenticated user
|
||||
error_fr_0 = Souriez vous êtes surveillés !
|
||||
error_fr_0 = Souriez, vous êtes surveillés !
|
||||
msg_fr_lastLogins = Dernières connexions
|
||||
error_9 = _hide_
|
||||
|
||||
|
@ -309,28 +314,26 @@ You can also display environment variables, with the prefix ``env_``:
|
|||
|
||||
Your IP is <TMPL_VAR NAME="env_REMOTE_ADDR">
|
||||
|
||||
Buttons
|
||||
-------
|
||||
Buttons on login page
|
||||
---------------------
|
||||
|
||||
This node allows one to enable/disable buttons on the login page:
|
||||
|
||||
- **Check last logins**: display a checkbox on login form, allowing
|
||||
user to check his login history right after opening session
|
||||
- **Register new account**: display a link to :doc:`register page<register>` (for
|
||||
password based authentication backends)
|
||||
- **Reset your certificate**: display a link to :doc:`reset certificate page<resetcertificate>` (for
|
||||
password based authentication backends)
|
||||
- **Reset password**: display a link to
|
||||
:doc:`reset your password page<resetpassword>` (for password based
|
||||
authentication backends). Number of allowed retries can be set (3
|
||||
times by default)
|
||||
- **Register**: display a link to :doc:`register page<register>` (for
|
||||
password based authentication backends)
|
||||
- **Reset certificate**: display a link to :doc:`reset certificate page<resetcertificate>` (for
|
||||
password based authentication backends)
|
||||
- **Max reset password retries**: number of retries allowed for resetting password
|
||||
|
||||
Password management
|
||||
-------------------
|
||||
|
||||
General
|
||||
~~~~~~~
|
||||
|
||||
- **Require old password**: used only in the password changing module
|
||||
of the menu, will check the old password before updating it
|
||||
- **Hide old password**: used only if the password need to be reset by
|
||||
|
@ -343,21 +346,26 @@ General
|
|||
revealed. Disabled by default.
|
||||
|
||||
Password Policy
|
||||
~~~~~~~~~~~~~~~
|
||||
|
||||
.. tip::
|
||||
|
||||
Available since version 2.0.6
|
||||
|
||||
- **Activation**: enable/disable password policy. You can set a rule
|
||||
to enable policy for specific users only
|
||||
- **Display policy in password form**: enable this option to display an
|
||||
information message about password policy constraints
|
||||
- **Minimal size**: leave 0 to bypass the check
|
||||
- **Minimal lower characters**: leave 0 to bypass the check
|
||||
- **Minimal upper characters**: leave 0 to bypass the check
|
||||
- **Minimal digit characters**: leave 0 to bypass the check
|
||||
- **Minimal special characters**: leave 0 to bypass the check
|
||||
- **Allowed special characters**: set '__ALL__' value to allow ALL special characters. A blanck value forbids ALL special characters (Note that ``_`` is not a special character)
|
||||
- **Display policy in password form**: enable this to display an
|
||||
information message about password policy constraints
|
||||
|
||||
.. _portalcustom-other-parameters:
|
||||
|
||||
Other parameters
|
||||
----------------
|
||||
Other
|
||||
-----
|
||||
|
||||
- **User attribute**: which session attribute will be used to display
|
||||
``Connected as`` in the menu
|
||||
|
@ -365,15 +373,16 @@ Other parameters
|
|||
- **Anti iframe protection**: Set ``X-Frame-Options`` and CSP
|
||||
``frame-ancestors`` headers (see `Browser
|
||||
compatibility <https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options#Browser_compatibility>`__)
|
||||
- **Ping interval**: Number of milliseconds between each ping (Ajax
|
||||
- **Ping interval**: number of milliseconds between each ping (Ajax
|
||||
request) on the portal menu. Set to 0 to dismiss checks.
|
||||
- **Show error on expired session**: Display the error "Session
|
||||
- **Show error on expired session**: display the error "Session
|
||||
expired", which stops the authentication process. This is enabled by
|
||||
default but can be disabled to prevent transparent authentication
|
||||
(like SSL or Kerberos) to be stopped.
|
||||
- **Show error on mail not found**: Display error if provided mail is
|
||||
- **Show error on mail not found**: display error if provided mail is
|
||||
not found in password reset by mail process. Disabled by default to
|
||||
prevent mail enumeration from this page.
|
||||
- **Display rights refresh link**: enable/disable link in Portal menu to allow users to refresh their rights
|
||||
|
||||
.. |image0| image:: /documentation/manager-skin-background.png
|
||||
:class: align-center
|
||||
|
|
|
@ -56,13 +56,13 @@ Mail second factor".
|
|||
code against the Radius server, use this attribute as the login and
|
||||
the OTP code as password. By default, the attribute designated as
|
||||
``whatToTrace`` is used.
|
||||
- **Authentication timeout** (Optional) :
|
||||
- **Authentication timeout** (Optional): Allowed time to perform authentication
|
||||
- **Authentication level** (Optional): if you want to overwrite the
|
||||
value sent by your authentication module, you can define here the new
|
||||
authentication level. Example: 5
|
||||
- **Logo** (Optional): logo file *(in static/<skin> directory)*
|
||||
- **Label** (Optional): label that should be displayed to the user on
|
||||
the choice screen
|
||||
- **Logo** (Optional): logo file *(in static/<skin> directory)*
|
||||
|
||||
Vendor specific
|
||||
~~~~~~~~~~~~~~~
|
||||
|
|
|
@ -4,30 +4,43 @@ Register a new account
|
|||
Presentation
|
||||
------------
|
||||
|
||||
This feature is a page that allows a user to create an account. The
|
||||
steps are the following:
|
||||
This feature is a page that allows a user to create an account.
|
||||
Following steps are performed:
|
||||
|
||||
#. User click on the button "Create a new account"
|
||||
#. He enters first name, last name and email
|
||||
#. He gets a mail with a confirmation link
|
||||
#. After clicking, his entry is added
|
||||
#. He gets a mail with his login and his password
|
||||
#. They enter first name, last name and email
|
||||
#. They receive an email with a confirmation link
|
||||
#. After clicking, their account is created
|
||||
#. An email with his login and password is sent
|
||||
|
||||
Configuration
|
||||
-------------
|
||||
|
||||
You can enable the "Create your account" button in
|
||||
:doc:`portal customization parameters<portalcustom>`.
|
||||
The "Create your account" button can be enabled in
|
||||
:doc:`Portal customization parameters<portalcustom>`.
|
||||
|
||||
Then, go in ``Portal`` > ``Advanced parameters`` >
|
||||
``Register new account``:
|
||||
Then, go in ``General Parameters`` > ``Plugins`` > ``Register new account``:
|
||||
|
||||
- **Module**: Choose the backend to use to create the new account.
|
||||
- **Module**: Backend used for creating new account.
|
||||
- **Page URL**: URL of register page
|
||||
- **Validity time of a register request**: duration in seconds of a new
|
||||
- **Validity time of a register request**: Duration in seconds of a new
|
||||
account request. The request will be deleted after this time if user
|
||||
do not click on the link.
|
||||
- **Subject for confirmation mail**: Subject of the mail containing the
|
||||
- **Subject for confirmation mail**: Subject of the email containing the
|
||||
confirmation link
|
||||
- **Subject for done mail**: Subject of the mail giving login and
|
||||
password
|
||||
- **Body for confirmation mail**: The plain text content of the confirmation email the user will
|
||||
receive. If you leave it blank, the ``mail_register_confirm`` HTML template will be used.
|
||||
Confirmation link is stored in the ``$url`` variable
|
||||
- **Subject for done mail**: Subject of the email providing login and password.
|
||||
- **Body for done mail**: The plain text content of the done email the user will
|
||||
receive. If you leave it blank, the ``mail_register_done`` HTML template will be used.
|
||||
Login and generated password are stored in the corresponding ``$login`` and ``$password`` variables
|
||||
|
||||
|
||||
.. note::
|
||||
|
||||
Following variables are available in:
|
||||
|
||||
\* Register email body => ``$expMailDate``, ``$expMailTime``, ``$url``, ``$mail``, ``$firstname``, ``$lastname`` and ``$ipAddr``
|
||||
|
||||
\* Done email body => ``$login``, ``$password`` and ``$url``
|
|
@ -98,7 +98,7 @@ The script provide the following options
|
|||
* -h (--help): print this message
|
||||
* -m (--metadata): URL of metadata document
|
||||
* -s (--spconfprefix): Prefix used to set SP configuration key
|
||||
* --ignore-sp: ignore SP maching this entityID (can be specified multiple times)
|
||||
* --ignore-sp: ignore SP matching this entityID (can be specified multiple times)
|
||||
* --ignore-idp: ignore IdP matching this entityID (can be specified multiple times)
|
||||
* -a (--nagios): output statistics in Nagios format
|
||||
* -n (--dry-run): print statistics but do not apply changes
|
||||
|
|
|
@ -20,9 +20,9 @@ Second Factors » REST 2nd Factor".
|
|||
- **Authentication level** (Optional): if you want to overwrite the
|
||||
value sent by your authentication module, you can define here the new
|
||||
authentication level. Example: 5
|
||||
- **Logo** (Optional): logo file *(in static/<skin> directory)*
|
||||
- **Label** (Optional): label that should be displayed to the user on
|
||||
the choice screen
|
||||
- **Logo** (Optional): logo file *(in static/<skin> directory)*
|
||||
|
||||
Arguments
|
||||
---------
|
||||
|
|
|
@ -1,30 +0,0 @@
|
|||
-----BEGIN PGP PUBLIC KEY BLOCK-----
|
||||
Version: GnuPG v1.4.5 (GNU/Linux)
|
||||
|
||||
mQGiBEpOEcERBACHzHP7ICtjmsG4YgwlstQw0ubp6154i57BN45siMoovioQ1nP5
|
||||
kXNR+fZjEW5BRqtJExQoWLdXTFL1gvsdW5V+zx7B7DIlP6H+oz1PFh8hGXUmnqb9
|
||||
pL1A0WUrhbye6nlzpxt9jhGn6ymbilAi8iIWSrFxC09GONGwBGCLwbbp5wCg/75n
|
||||
DHecwFtSwEt7o3YV5B6k9WcD/RcPtY3mwa3RfaC+rsGdaqmni/jy6P1OrgmQX59C
|
||||
Zm813j/JnXYoeV+xIdCs144xPvzrCH+k/czVFBjvcA3xr2F/kuW7Kn8F+u8Ma3lb
|
||||
EghlG6CdJpCeXwiou5lPfPURIM7n7TDi2zVktRxGUnIa3fyBC9Orar/HbWgDGSYR
|
||||
1R+vBACEcHOknp09FT8UB2YY/98cG4n5RaiBiUb6Znwd6MrEtdBC0x8PdR6PPrWf
|
||||
ujUZ1dgUlKUtTN2V7OC8Ql3fls8TlxLY3L2ql6PrjuF5/zhC/1lEl7QzS+tCHAzU
|
||||
FlDMbb3F5o+EZwxxK3Lrdf+SbmKiYq7gqv79+BJbPiLkQvLfTbQqQ2xlbWVudCBP
|
||||
VURPVCAoT1cyKSA8Y2xlbS5vdWRvdEBnbWFpbC5jb20+iGAEExECACAFAkpOEcEC
|
||||
GwMGCwkIBwMCBBUCCAMEFgIDAQIeAQIXgAAKCRBUixe/gfGOej2rAKD/mzoSicDh
|
||||
f2fhAEA3t+8qkJlwgACgvLUn30yj81bNjOo84p3NjEzpt6W5Ag0ESk4RwhAIAILk
|
||||
DF6M5GglCqysxF6gmO4RB24nkJELOmYAfknM0qmZPED3f//wgWFfYC3t2Hsic1HM
|
||||
9Dq1fQc9ziFfL7Ntt2oCu0YDoT4lrRL7eWwRn+H5sPmBisyfpTohZlObnNDOuGUZ
|
||||
jWZDP+7bIiNuj32TuR1Gl9q9hygm5rzjg/7d0eQfgMMSJ5D1x8FAcDRIgtF9dfQ0
|
||||
XLXF1SBuPqp6E7Q92rNxWlryifnGBIcOvVIYgayyxqgLf4+hkCOi47GDVlS+E4FQ
|
||||
Xc5DVHuhH8JJrMsBAd14m435c1uM9gTYhOtmpgDPocPUr5APSOd/zhV+b/8t+PDm
|
||||
ySa5qHVmShC/NFziyY8AAwUH/jBiZQ+qOyXaanAgIz2/uiqpJxO1MR+S6m+cazvk
|
||||
X4nXD9N8rsUYKnXxU6bNX731t6P2StG8kfkV84xkaPBTkssDBfQIFSwYFUuyBr/m
|
||||
6V8ulebig/6XHp7dVJ96DvQu8HHiLZ8YXeOVImCoEXp5fa8HgyhxVSLbVsAENYOd
|
||||
IEY7G4Lh/RAyrkRaLSGZuHnwXk3ioNQHCHB4m48q8tmQ2v4U8FJhXhxCmyKPKAru
|
||||
PPIKQ9kjPzX92NADmZc+n8RxzyBa9fppQ3z0v8mJ9SjoJ3qAO9ks+yQADLiZ8HsN
|
||||
jNS3Nf35jqQ5bKFF/uAygMLPzhi8iQtcBF1Q+3NDk/DRFfSISQQYEQIACQUCSk4R
|
||||
wgIbDAAKCRBUixe/gfGOekmNAKC4jduVjzzfeLDyH3Hnkz3G0MIFsACffY2Wv6ef
|
||||
bH9spStkLDt2jxvJ42Y=
|
||||
=6pG1
|
||||
-----END PGP PUBLIC KEY BLOCK-----
|
|
@ -144,7 +144,7 @@ To define keys, you can:
|
|||
|
||||
.. versionchanged:: 2.0.10
|
||||
|
||||
The signature method can now be overriden for a SP or IDP. This will only work
|
||||
The signature method can now be overridden for a SP or IDP. This will only work
|
||||
if you are using a certificate for signature instead of a public key.
|
||||
|
||||
|
||||
|
@ -153,6 +153,9 @@ To define keys, you can:
|
|||
If you are running a version under 2.0.10, the choice of a signature
|
||||
algorithm will affect all SP and IDP.
|
||||
|
||||
|
||||
.. _samlservice-convert-certificate:
|
||||
|
||||
Converting a RSA public key to a certificate
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
@ -29,6 +29,14 @@ The E-Mail, External and REST 2F modules
|
|||
parameters.
|
||||
|
||||
|
||||
Self-care on Portal
|
||||
-------------------
|
||||
|
||||
User may register second factors themselves on the Portal by using the 2FA Manager.
|
||||
|
||||
The link will be displayed if at least one SFA module is enabled. You can set a
|
||||
rule to display or not the link.
|
||||
|
||||
Registration on first use
|
||||
-------------------------
|
||||
|
||||
|
@ -38,21 +46,6 @@ If you want to force a 2F registration on first login, you can use the *Force
|
|||
You can use a `rule<writingrulesand_headers>` to enable this behavior only for
|
||||
some users.
|
||||
|
||||
Second factor expiration
|
||||
------------------------
|
||||
|
||||
You can display a message if an expired second factor has been removed by
|
||||
enabling *Display a message if an expired SF is removed* option or setting a
|
||||
rule.
|
||||
|
||||
Self-care on Portal
|
||||
-------------------
|
||||
|
||||
User may register second factors themselves on the Portal by using the 2FA Manager.
|
||||
|
||||
The link will be displayed if at least one SFA module is enabled. You can set a
|
||||
rule to display or not the link.
|
||||
|
||||
Session upgrade through 2FA
|
||||
---------------------------
|
||||
|
||||
|
@ -68,6 +61,20 @@ of doing a complete reauthentication.
|
|||
|
||||
.. |beta| image:: /documentation/beta.png
|
||||
|
||||
Registration timeout
|
||||
--------------------
|
||||
|
||||
Allowed time to register a TOTP.
|
||||
|
||||
Second factor expiration
|
||||
------------------------
|
||||
|
||||
You can display a message if an expired second factor has been removed by
|
||||
enabling *Display a message if an expired SF is removed* option or setting a
|
||||
rule.
|
||||
SF name(s) or number of removed SF can be displayed in message BODY by using
|
||||
`_nameSF_` or `_removedSF_` respectively.
|
||||
|
||||
Providing tokens from an external source
|
||||
----------------------------------------
|
||||
|
||||
@ -44,15 +44,15 @@ Handler parameters
|
|||
SecureToken parameters are the following:
|
||||
|
||||
- **Memcached servers**: addresses of Memcached servers, separated with
|
||||
spaces.
|
||||
spaces
|
||||
- **Token expiration**: time in seconds for token expiration (remove
|
||||
from Memcached server).
|
||||
- **Attribute to store**: the session key that will be stored in
|
||||
Memcached.
|
||||
from Memcached server)
|
||||
- **Attribute to store**: session key that will be stored in
|
||||
Memcached
|
||||
- **Protected URLs**: Regexp of URLs for which the secure token will be
|
||||
sent, separated by spaces
|
||||
- **Header name**: name of the HTTP header carrying by the secure
|
||||
token.
|
||||
token
|
||||
- **Allow requests in error**: allow a request that has generated an
|
||||
error in token generation to be forwarded to the protected
|
||||
application without secure token (default: yes)
|
||||
@ -9,13 +9,13 @@ To configure sessions, go in Manager, ``General Parameters`` »
|
|||
``Sessions``:
|
||||
|
||||
- **Store user password in session data**: see
|
||||
:doc:`password store documentation<passwordstore>`.
|
||||
- **Display session identifier**: Should the session ID be displayed in the manager's session explorer. The session ID is a sensitive information that should only be shown to highly trusted administrators.
|
||||
- **Sessions timeout**: Maximum lifetime of a session. Old sessions are
|
||||
deleted by a cron script.
|
||||
- **Sessions activity timeout**: Maximum inactivity duration.
|
||||
- **Sessions update interval**: Minimum interval used to update session
|
||||
when activity timeout is set.
|
||||
:doc:`password store documentation<passwordstore>`
|
||||
- **Display session identifier**: should the session ID be displayed in the manager's session explorer. The session ID is a sensitive information that should only be shown to highly trusted administrators
|
||||
- **Sessions timeout**: maximum lifetime of a session. Old sessions are
|
||||
deleted by a cron script
|
||||
- **Sessions activity timeout**: maximum inactivity duration
|
||||
- **Sessions update interval**: minimum interval used to update session
|
||||
when activity timeout is set
|
||||
|
||||
|
||||
.. danger::
|
||||
|
@ -56,13 +56,13 @@ To configure sessions, go in Manager, ``General Parameters`` »
|
|||
disable persistent sessions storage to avoid too many database
|
||||
tuples.
|
||||
|
||||
- **Disable storage**: Do not store user persitent sessions.
|
||||
- **Disable storage**: do not store user persitent sessions
|
||||
|
||||
|
||||
.. attention::
|
||||
|
||||
Note that since HTTP protocol is not connected,
|
||||
restrictions are not applied to the new session: the oldest are
|
||||
restrictions are not applied to the new session. The oldest are
|
||||
destroyed.
|
||||
|
||||
Command-line tools
|
||||
@ -1,6 +1,11 @@
|
|||
Documentation for LemonLDAP::NG 3.0
|
||||
===================================
|
||||
|
||||
.. image:: logos/logo_llng_600px.png
|
||||
:alt: LL::NG logo
|
||||
:align: center
|
||||
:target: https://www.lemonldap-ng.org
|
||||
|
||||
.. toctree::
|
||||
|
||||
Documentation index<documentation>
|
||||
|
@ -285,12 +290,13 @@ Name Description
|
|||
:doc:`Grant Sessions<grantsession>` Rules to apply before allowing a user to open a session
|
||||
:doc:`Impersonation<impersonation>` [11]_\ |new| Allow users to use another identity
|
||||
:doc:`Find user<finduser>` [12]_\ |new| Search for user account
|
||||
:doc:`Notifications system<notifications>` DIsplay a message during log in process
|
||||
:doc:`NewLocationWarning<newlocationwarning>` [13]_\ |beta| Send an email when user sign in from a new location
|
||||
:doc:`Notifications system<notifications>` Display a message during log in process
|
||||
:doc:`Portal Status<status>` Experimental portal status page
|
||||
:doc:`Public pages<public_pages>` Enable public pages system
|
||||
:doc:`Refresh session API<refreshsessionapi>` [13]_ Plugin that provides an API to refresh a user session
|
||||
:doc:`Refresh session API<refreshsessionapi>` [14]_ Plugin that provides an API to refresh a user session
|
||||
:doc:`Reset password by mail<resetpassword>` Send a mail to reset its password
|
||||
:doc:`Reset certificate by mail<resetcertificate>` [14]_\ |new| Allow users to reset their certificate
|
||||
:doc:`Reset certificate by mail<resetcertificate>` [15]_\ |new| Allow users to reset their certificate
|
||||
:doc:`REST services<restservices>` |new| REST server for :doc:`Proxy<authproxy>`
|
||||
:doc:`SOAP services<soapservices>` |deprecated| SOAP server for :doc:`Proxy<authproxy>`
|
||||
:doc:`Stay connected<stayconnected>` |new| Enable persistent connection on same browser
|
||||
|
@ -308,12 +314,12 @@ Handlers are software control agents to be installed on your web servers
|
|||
==================================================================== ========== ============================================================= =========================================== ================================================================================== =============================================== ======================================================================================================================
|
||||
Handler type Apache LLNG FastCGI/uWSGI server (Nginx, or :doc:`SSOaaS<ssoaas>`) `Plack servers <https://plackperl.org>`__ Node.js ( `express apps <http://expressjs.com/>`__\ or :doc:`SSOaaS<ssoaas>`) :doc:`Self protected apps<selfmadeapplication>` Comment
|
||||
==================================================================== ========== ============================================================= =========================================== ================================================================================== =============================================== ======================================================================================================================
|
||||
Main *(default handler)* ✔ ✔ ✔ :doc:`Partial<nodehandler>` ** [15]_ ** ✔
|
||||
Main *(default handler)* ✔ ✔ ✔ :doc:`Partial<nodehandler>` ** [16]_ ** ✔
|
||||
:doc:`AuthBasic<handlerauthbasic>` ✔ ✔ ✔ ✔ Designed for some server-to-server applications
|
||||
:doc:`CDA<cda>` ✔ ✔ ✔ ✔ For Cross Domain Authentication
|
||||
:doc:`DevOps<devopshandler>` (:doc:`SSOaaS<ssoaas>`) |new| ✔ ✔ ✔ ✔ Allows application developers to define their own rules and headers inside their applications
|
||||
:doc:`DevOpsST<devopssthandler>` (:doc:`SSOaaS<ssoaas>`) |new| ✔ ✔ ✔ ✔ Enables both :doc:`DevOps<devopshandler>` and :doc:`Service Token<servertoserver>`
|
||||
:doc:`OAuth2<oauth2handler>` [16]_\ |new| ✔ ✔ ✔ ✔ Uses OpenID Connect/OAuth2 access token to check authentication and authorization, can be used to protect Web Services
|
||||
:doc:`OAuth2<oauth2handler>` [17]_\ |new| ✔ ✔ ✔ ✔ Uses OpenID Connect/OAuth2 access token to check authentication and authorization, can be used to protect Web Services
|
||||
:doc:`Secure Token<securetoken>` ✔ ✔ ✔ Designed to secure exchanges between a LLNG reverse-proxy and a remote app
|
||||
:doc:`Service Token<servertoserver>` |new| *(Server-to-Server)* ✔ ✔ ✔ ✔ ✔ Designed to permit underlying requests *(API-Based Infrastructure)*
|
||||
:doc:`Zimbra PreAuth<applications/zimbra>` ✔ ✔ ✔
|
||||
|
@ -598,18 +604,22 @@ by your language code):
|
|||
2.0.11
|
||||
|
||||
.. [13]
|
||||
:doc:`NewLocationWarning<newlocationwarning>` is available
|
||||
with LLNG ≥ 2.0.14
|
||||
|
||||
.. [14]
|
||||
:doc:`Refresh session API plugin<refreshsessionapi>` is available
|
||||
with LLNG ≥ 2.0.7
|
||||
|
||||
.. [14]
|
||||
.. [15]
|
||||
:doc:`Reset certificate by mail plugin<resetcertificate>` is
|
||||
available with LLNG ≥ 2.0.7
|
||||
|
||||
.. [15]
|
||||
.. [16]
|
||||
:doc:`Node.js handler<nodehandler>` has not yet reached the same
|
||||
level of functionalities
|
||||
|
||||
.. [16]
|
||||
.. [17]
|
||||
:doc:`OAuth2 Handler<oauth2handler>` is available with LLNG ≥ 2.0.4
|
||||
|
||||
.. |image0| image:: /icons/kthememgr.png
|
||||
@ -12,5 +12,6 @@ Just enable it in the manager (section “plugins”).
|
|||
- **Parameters**:
|
||||
|
||||
- **Activation**: Enable / Disable this plugin
|
||||
- **Do not check fingerprint**: Enable / Disable browser fingerprint checking
|
||||
- **Expiration time**: Persistent session connection and cookie timeout
|
||||
- **Cookie name**: Persistent connection cookie name
@ -8,9 +8,9 @@ We use in this example a public OIDC provider based on LL::NG: `<https://oidctes
|
|||
Authentication
|
||||
--------------
|
||||
|
||||
The first step is to obtain a valid SSO session on the portal. Several solutions:
|
||||
* Use a web browser and log into the portal, then get the value of the SSO cookie
|
||||
* Use portal REST API, and adapt the `requireToken` configuration to get cookie value in JSON response (see :doc:`REST services<restservices>`)
|
||||
The first step is to obtain a valid SSO session on the portal. The standard solution is to use a web browser and log into the portal, then get the value of the SSO cookie.
|
||||
|
||||
In our case, to be able to use only command lines, we will use portal REST API (which requires to adapt the `requireToken` configuration to get cookie value in JSON response (see :doc:`REST services<restservices>`). This should not be what you will on a production service.
|
||||
|
||||
Example of REST service usage, with credentials `dwho`/`dwho`:
|
||||
|
||||
|
@ -130,3 +130,68 @@ JSON response:
|
|||
"preferred_username" : "dwho",
|
||||
"sub" : "dwho"
|
||||
}
|
||||
|
||||
Introspection
|
||||
-------------
|
||||
|
||||
You can the validity of the access token with the introspection endpoint.
|
||||
|
||||
Parameters needed:
|
||||
* Client ID and Client Secret, used as basic authorization
|
||||
* Access token, sent as POST data
|
||||
|
||||
.. code-block:: shell
|
||||
|
||||
curl -u private:tardis -X POST -d 'token=a88b8dde538719e55c3cb8fbd14d06ed77853c685a62abf6ecb88d86228a9c64' 'https://oidctest.wsweet.org/oauth2/introspect' | json_pp
|
||||
|
||||
JSON response:
|
||||
|
||||
.. code-block:: javascript
|
||||
|
||||
{
|
||||
"active" : true,
|
||||
"client_id" : "private",
|
||||
"exp" : 1630684115,
|
||||
"iss" : "https://oidctest.wsweet.org/",
|
||||
"scope" : "openid profile email",
|
||||
"sub" : "dwho"
|
||||
}
|
||||
|
||||
Refresh an access token
|
||||
-----------------------
|
||||
|
||||
If the access token has expired, you can get a new one with the refresh token.
|
||||
|
||||
Parameters needed:
|
||||
* Grant type: we use here `refresh_token`, sent as POST data
|
||||
* Refresh token, sent as POST data
|
||||
* Client ID and Client Secret, used as basic authorization
|
||||
|
||||
.. code-block:: shell
|
||||
|
||||
curl -X POST -d grant_type=refresh_token -d refresh_token=19434440ed4da2803e8ba9d91cb2eabd5b8bd12af2609429bda03ed487e6ef57 -u 'private:tardis' 'https://oidctest.wsweet.org/oauth2/token' | json_pp
|
||||
|
||||
JSON response:
|
||||
|
||||
.. code-block:: javascript
|
||||
|
||||
{
|
||||
"access_token" : "78929118546b1a11a2e3b607f607d0ccb73d72bbd95c59d0b03ae69ffa17f41a",
|
||||
"expires_in" : 3600,
|
||||
"id_token" : "eyJhbGciOiJSUzI1NiIsImtpZCI6Im9pZGN0ZXN0IiwidHlwIjoiSldUIn0.eyJhdXRoX3RpbWUiOjE2MTQxNjAwMDYsImlhdCI6MTYxNDE2MzIxOCwiaXNzIjoiaHR0cHM6Ly9vaWRjdGVzdC53c3dlZXQub3JnLyIsImF0X2hhc2giOiJIVGswOVNjSjRObEFua3k5SGFFX2VRIiwiYWNyIjoibG9hLTIiLCJleHAiOjE2MTQxNjY4MTgsInN1YiI6ImR3aG8iLCJhenAiOiJwcml2YXRlIiwiYXVkIjpbInByaXZhdGUiXX0.N3TNufjKLzKM3qiIitA7JHUei4L572XjF6AcVl7UAFB6efdGUCiAL7amlUl0FgjZfzW9bzvulBVDidoYSicIaysIdI4KkjmjpVN0Z3gOSu0ecuk5p8fD1KbX6-tmA3txeR18nzfhdckq-S-6Lx7wrWpPNyrzGx-FImbOaUPN2yeVhKPXhdyHJbzI0RqJETxnBkyW-CLEzAJyq3rCUVX-D8kHADvg6a42QQyPdxvBuGrdBfyDDDb_Py13H1qhn40NnuFknR1wSahsY6U97uUooyk-0_U4J3XJAHySjCtivtSeP0fM_5eblMuh6WdVjrfnUF0xnCTbCa2gYRlTS38BkqcsWY26PXoRAOo31a1cmB5sMSZyPtRF9UZcmGiNBIymMMdFgVAJONb6uliiTS5j9-nkmHOqVC-XJ6tuiU3ZSBQ8nCRyNW2LaCzpJ5c3ytP9yYQtyT8HmhN0VnXob3K1uJEA_Xcu4sADjtrm-LbrGiwaVMkfu-C6YIrbuC9riOW6TneV2gAzAjXPOW_UZeXrCrx66GHIJPsJIq29UfbTN5Pxo9SH2yKw6PSfxevkZhBIhEXCOMaIUHrlWz2jDBBzPIWeiSRbK_MRtejQmdRUs8nqdq-McVwnFiUMDt1KZXxqScTtMDF_Lo9oK2RaCijEJ7MSPEscr_YOyp3KIq2FLVg",
|
||||
"token_type" : "Bearer"
|
||||
}
|
||||
|
||||
Logout
|
||||
------
|
||||
|
||||
To kill SSO session, call the OIDC logout endpoint. By default a confirmation is requested, but you can bypass it by adding `confirm=1` to URL.
|
||||
|
||||
Parameters needed:
|
||||
* SSO session id (will be passed in `lemonldap` cookie)
|
||||
|
||||
.. code-block:: shell
|
||||
|
||||
curl -s -D - -o /dev/null -b lemonldap=0640f95827111f00ba7ad5863ba819fe46cfbcecdb18ce525836369fb4c8350b 'https://oidctest.wsweet.org/oauth2/logout?confirm=1'
|
||||
|
||||
The session is deleted on server side and the cookie is destroyed in the browser. You can use the introspection endpoint to verify that the access token is no longer valid.
|
||||
@ -43,24 +43,23 @@ In the manager (advanced parameters), you just have to enable it:
|
|||
- **Activation**: set it to "on"
|
||||
- **Self registration**: set it to "on" if users are authorized to
|
||||
generate themselves a TOTP secret
|
||||
- **Allow users to remove TOTP**: If enabled, users can unregister
|
||||
TOTP
|
||||
- **Issuer name** (Optional): default to portal hostname
|
||||
- **Interval**: interval for TOTP algorithm (default: 30)
|
||||
- **Range of attempts**: number of additional intervals to test (default: 1)
|
||||
- **Number of digits**: number of digit by codes (default: 6)
|
||||
- **Authentication level**: you can overwrite here auth level for TOTP
|
||||
registered users. Leave it blank keeps auth level provided by first
|
||||
authentication module *(default: 2 for user/password based modules)*.
|
||||
**It is recommended to set an higher value here if you want to give
|
||||
access to some apps only to users enrolled**
|
||||
- **Issuer**: default to portal hostname
|
||||
- **Interval**: interval for TOTP algorithm (default: 30)
|
||||
- **Range**: number of additional intervals to test (default: 1)
|
||||
- **Digits**: number of digit by codes (default: 6)
|
||||
- **Allow users to remove TOTP**: If enabled, users can unregister
|
||||
TOTP.
|
||||
- **Lifetime**: Unlimited by default. Set a Time To Live in seconds.
|
||||
TTL is checked at each login process if set. If TTL is expired,
|
||||
relative TOTP is removed.
|
||||
- **Logo** (Optional): logo file *(in static/<skin> directory)*
|
||||
access to some apps only for enrolled users**
|
||||
- **Label** (Optional): label that should be displayed to the user on
|
||||
the choice screen
|
||||
|
||||
- **Logo** (Optional): logo file *(in static/<skin> directory)*
|
||||
- **Lifetime** (Optional): Unlimited by default. Set a Time To Live in seconds.
|
||||
TTL is checked at each login process if set. If TTL is expired,
|
||||
relative TOTP is removed.
|
||||
|
||||
.. attention::
|
||||
|
||||
@ -43,20 +43,19 @@ In the manager (second factors), you just have to enable it:
|
|||
- **Activation**: set it to "on"
|
||||
- **Self registration**: set it to "on" if users are authorized to
|
||||
register their keys
|
||||
- **Allow users to remove U2F key**: If enabled, users can unregister
|
||||
enrolled U2F device
|
||||
- **Authentication level**: you can overwrite here auth level for U2F
|
||||
registered users. Leave it blank keeps auth level provided by first
|
||||
authentication module *(default: 2 for user/password based modules)*.
|
||||
**It is recommended to set an higher value here if you want to give
|
||||
access to some apps only for enrolled users**
|
||||
- **Allow users to remove U2F key**: If enabled, users can unregister
|
||||
enrolled U2F device.
|
||||
- **Lifetime**: Unlimited by default. Set a Time To Live in seconds.
|
||||
TTL is checked at each login process if set. If TTL is expired,
|
||||
relative 2F device is removed.
|
||||
- **Logo** (Optional): logo file *(in static/<skin> directory)*
|
||||
- **Label** (Optional): label that should be displayed to the user on
|
||||
the choice screen
|
||||
|
||||
- **Logo** (Optional): logo file *(in static/<skin> directory)*
|
||||
- **Lifetime** (Optional): Unlimited by default. Set a Time To Live in seconds.
|
||||
TTL is checked at each login process if set. If TTL is expired,
|
||||
relative 2F device is removed.
|
||||
|
||||
.. attention::
|
||||
|
||||
@ -26,6 +26,90 @@ Known regressions in the latest released version
|
|||
|
||||
None
|
||||
|
||||
2.0.14
|
||||
------
|
||||
|
||||
LemonLDAP::NG version is returned by the CheckState plugin
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
If you use the `/checkstate` URL to monitor LemonLDAP::NG, you may notice a slight change in the output format:
|
||||
|
||||
*2.0.13* :
|
||||
|
||||
```
|
||||
{"result":1}
|
||||
```
|
||||
|
||||
*2.0.14* :
|
||||
|
||||
```
|
||||
{"result":1,"version":"2.0.14"}
|
||||
```
|
||||
|
||||
Depending on your load balancer or monitoring configuration, this can cause false negatives.
|
||||
|
||||
This plugin is disabled by default, and you may use a shared secret to hide this information to regular users and bots, please check the :doc:`checkstate` documentation for more information.
|
||||
|
||||
Empty scopes now rejected in OAuth2.0 grants
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
Previously, it was possible to be granted an empty scope, or an automatic
|
||||
``openid`` scope when doing :ref:`OAuth2.0 Password Grant
|
||||
<resource-owner-password-grant>` or :ref:`Client Credentials Grant
|
||||
<client-credentials-grant>`.
|
||||
|
||||
Starting with *2.0.14*, empty scopes are no longer allowed (:rfc:`6749#section-3.3`).
|
||||
You need to either add a `scope` parameter to your request, or define a default
|
||||
scope in your Relying Party's :ref:`Scope Rules <oidcscoperules>`.
|
||||
|
||||
|
||||
Portal templates changes
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
If you defined the "Register page URL" or the password "Reset page URL" to an external application, you need to fix the ``standardform.tpl`` template by applying the following patch:
|
||||
|
||||
.. code:: diff
|
||||
|
||||
diff --git a/lemonldap-ng-portal/site/templates/bootstrap/standardform.tpl b/lemonldap-ng-portal/site/templates/bootstrap/standardform.tpl
|
||||
index 3a6256e59..d5192f0ce 100644
|
||||
--- a/lemonldap-ng-portal/site/templates/bootstrap/standardform.tpl
|
||||
+++ b/lemonldap-ng-portal/site/templates/bootstrap/standardform.tpl
|
||||
@@ -48,14 +48,14 @@
|
||||
|
||||
<div class="actions">
|
||||
<TMPL_IF NAME="DISPLAY_RESETPASSWORD">
|
||||
- <a class="btn btn-secondary" href="<TMPL_VAR NAME="MAIL_URL">?skin=<TMPL_VAR NAME="SKIN"><TMPL_IF NAME="key">&<TMPL_VAR NAME="CHOICE_PARAM">=<TMPL_VAR NAME="key"></TMPL_IF><TMPL_IF NAME="AUTH_URL">&url=<TMPL_VAR NAME="AUTH_URL"></TMPL_IF>">
|
||||
+ <a class="btn btn-secondary" href="<TMPL_VAR NAME="MAIL_URL"><TMPL_UNLESS NAME="MAIL_URL_EXTERNAL">?skin=<TMPL_VAR NAME="SKIN"><TMPL_IF NAME="key">&<TMPL_VAR NAME="CHOICE_PARAM">=<TMPL_VAR NAME="key"></TMPL_IF><TMPL_IF NAME="AUTH_URL">&url=<TMPL_VAR NAME="AUTH_URL"></TMPL_IF></TMPL_UNLESS>">
|
||||
<span class="fa fa-info-circle"></span>
|
||||
<span trspan="resetPwd">Reset my password</span>
|
||||
</a>
|
||||
</TMPL_IF>
|
||||
|
||||
<TMPL_IF NAME="DISPLAY_UPDATECERTIF">
|
||||
- <a class="btn btn-secondary" href="<TMPL_VAR NAME="MAILCERTIF_URL">?skin=<TMPL_VAR NAME="SKIN"><TMPL_IF NAME="key">&<TMPL_VAR NAME="CHOICE_PARAM">=<TMPL_VAR NAME="key"></TMPL_IF><TMPL_IF NAME="AUTH_URL">&url=<TMPL_VAR NAME="AUTH_URL"></TMPL_IF>">
|
||||
+ <a class="btn btn-secondary" href="<TMPL_VAR NAME="MAILCERTIF_URL"><TMPL_UNLESS NAME="MAILCERTIF_URL_EXTERNAL">?skin=<TMPL_VAR NAME="SKIN"><TMPL_IF NAME="key">&<TMPL_VAR NAME="CHOICE_PARAM">=<TMPL_VAR NAME="key"></TMPL_IF><TMPL_IF NAME="AUTH_URL">&url=<TMPL_VAR NAME="AUTH_URL"></TMPL_IF></TMPL_UNLESS>">
|
||||
<span class="fa fa-refresh"></span>
|
||||
<span trspan="certificateReset">Reset my certificate</span>
|
||||
</a>
|
||||
@@ -69,7 +69,7 @@
|
||||
</TMPL_IF>
|
||||
|
||||
<TMPL_IF NAME="DISPLAY_REGISTER">
|
||||
- <a class="btn btn-secondary" href="<TMPL_VAR NAME="REGISTER_URL">?skin=<TMPL_VAR NAME="SKIN"><TMPL_IF NAME="key">&<TMPL_VAR NAME="CHOICE_PARAM">=<TMPL_VAR NAME="key"></TMPL_IF><TMPL_IF NAME="AUTH_URL">&url=<TMPL_VAR NAME="AUTH_URL"></TMPL_IF>">
|
||||
+ <a class="btn btn-secondary" href="<TMPL_VAR NAME="REGISTER_URL"><TMPL_UNLESS NAME="REGISTER_URL_EXTERNAL">?skin=<TMPL_VAR NAME="SKIN"><TMPL_IF NAME="key">&<TMPL_VAR NAME="CHOICE_PARAM">=<TMPL_VAR NAME="key"></TMPL_IF><TMPL_IF NAME="AUTH_URL">&url=<TMPL_VAR NAME="AUTH_URL"></TMPL_IF></TMPL_UNLESS>">
|
||||
<span class="fa fa-plus-circle"></span>
|
||||
<span trspan="createAccount">Create an account</span>
|
||||
</a>
|
||||
|
||||
|
||||
2.0.13
|
||||
------
|
||||
|
||||
Portal templates changes
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
Some ``autocomplete`` attributes have been added to improve accessibility in the following files: ``checkdevops.tpl``, ``checkuser.tpl``, ``register.tpl``, ``ext2fcheck.tpl``, ``totp2fcheck.tpl``, ``utotp2fcheck.tpl``.
|
||||
|
||||
|
||||
2.0.12
|
||||
------
|
||||
|
@ -357,7 +441,7 @@ Please note that it is HIGHLY recommended to set certificate validation to `requ
|
|||
- OAuth2.0 Handler: a VHost protected by the OAuth2.0 handler will now
|
||||
return a 401 when called without an Access Token, instead of
|
||||
redirecting to the portal, as specified by
|
||||
`RFC6750 <https://tools.ietf.org/html/rfc6750>`__
|
||||
:rfc:`6750#section-3`.
|
||||
|
||||
- If you encounter the following issue:
|
||||
|
||||
@ -21,9 +21,9 @@ In the manager (second factors), you just have to enable it:
|
|||
authentication module (By default: 2 for user/password based
|
||||
modules). It is recommended to set an higher value here if you want
|
||||
to give access to apps just for enrolled users.
|
||||
- **Logo** (Optional): logo file *(in static/<skin> directory)*
|
||||
- **Label** (Optional): label that should be displayed to the user on
|
||||
the choice screen
|
||||
- **Logo** (Optional): logo file *(in static/<skin> directory)*
|
||||
|
||||
|
||||
.. tip::
|
||||
@ -58,10 +58,9 @@ For example:
|
|||
Introspection
|
||||
~~~~~~~~~~~~~
|
||||
|
||||
Introspection endpoint is defined in `RFC
|
||||
7662 <https://tools.ietf.org/html/rfc7662>`__. It requires an
|
||||
authentication (same as the authentication for the token endpoint) and
|
||||
takes to access token as parameter.
|
||||
Introspection endpoint is defined in :rfc:`7662`. It requires an authentication
|
||||
(same as the authentication for the token endpoint) and takes to access token
|
||||
as parameter.
|
||||
|
||||
For example:
|
||||
|
||||
@ -23,27 +23,27 @@ In the manager (second factors), you just have to enable it:
|
|||
- **Activation**: set it to "on"
|
||||
- **Self registration**: set it to "on" if users are authorized to
|
||||
register their keys
|
||||
- **Allow users to remove Yubikey**: If enabled, users can unregister
|
||||
Yubikey device.
|
||||
- **API client ID**: given by Yubico or another service
|
||||
- **API secret key**: given by Yubico or another service
|
||||
- **Nonce** (optional): if any
|
||||
- **Service URL**: service URL (leave it blank to use Yubico cloud services)
|
||||
- **OTP public ID part size**: leave it to default (12) unless you know
|
||||
what you are doing
|
||||
- **Get Yubikey ID from session attribute**: if non-empty, the Yubikey ID will
|
||||
be read from this session attribute. This allows external provisionning of Yubikeys.
|
||||
- **Authentication level**: you can overwrite here auth level for
|
||||
Yubikey registered users. Leave it blank keeps auth level provided by
|
||||
first authentication module *(default: 2 for user/password based
|
||||
modules)*. **It is recommended to set an higher value here if you
|
||||
want to give access to some apps only to enrolled users**
|
||||
- **Client ID**: given by Yubico or another service
|
||||
- **API secret key**: given by Yubico or another service
|
||||
- **Nonce (optional)**: if any
|
||||
- **URL**: Url of service (leave blank to use Yubico cloud services)
|
||||
- **OTP public ID part size**: leave it to default (12) unless you know
|
||||
what you are doing
|
||||
- **Allow users to remove Yubikey**: If enabled, users can unregister
|
||||
Yubikey device.
|
||||
- **Get Yubikey ID from session attribute**: If non-empty, the Yubikey ID will
|
||||
be read from this session attribute. This allows external provisionning of Yubikeys.
|
||||
- **Lifetime**: Unlimited by default. Set a Time To Live in seconds.
|
||||
TTL is checked at each login process if set. If TTL is expired,
|
||||
relative Yubikey is removed.
|
||||
- **Logo** (Optional): logo file *(in static/<skin> directory)*
|
||||
want to give access to some apps only for enrolled users**
|
||||
- **Label** (Optional): label that should be displayed to the user on
|
||||
the choice screen
|
||||
- **Logo** (Optional): logo file *(in static/<skin> directory)*
|
||||
- **Lifetime** (Optional): Unlimited by default. Set a Time To Live in seconds.
|
||||
TTL is checked at each login process if set. If TTL is expired,
|
||||
relative Yubikey is removed.
|
||||
|
||||
|
||||
.. attention::
|
||||
@ -16,7 +16,7 @@ ldapBindPassword = admin
|
|||
checkXSS = 0
|
||||
portalSkin = bootstrap
|
||||
staticPrefix = /static
|
||||
languages = fr, en, vi, it, ar, tr
|
||||
languages = fr, en, vi, it, ar, de, zh, nl, es, pt, ro, tr, zh_TW, pt_BR, he
|
||||
templateDir = __pwd__/lemonldap-ng-portal/site/templates
|
||||
portalStatus = 1
|
||||
;totp2fActivation = 1
|
||||
@ -13,7 +13,7 @@ dbiChain = dbi:SQLite:dbname=__pwd__/e2e-tests/conf/config.db
|
|||
checkXSS = 0
|
||||
portalSkin = bootstrap
|
||||
staticPrefix = /static
|
||||
languages = fr, en, vi, it, ar, tr
|
||||
languages = fr, en, vi, it, ar, de, zh, nl, es, pt, ro, tr, zh_TW, pt_BR, he
|
||||
templateDir = __pwd__/lemonldap-ng-portal/site/templates
|
||||
portalStatus = 1
|
||||
;totp2fActivation = 1
|
||||
@ -22,7 +22,7 @@ dirName=__pwd__/e2e-tests/conf
|
|||
checkXSS = 1
|
||||
portalSkin = bootstrap
|
||||
staticPrefix = /static
|
||||
languages = fr, en, vi, it, ar, de, zh, nl, es, pt, ro, tr, zh_TW
|
||||
languages = fr, en, vi, it, ar, de, zh, nl, es, pt, ro, tr, zh_TW, pt_BR, he
|
||||
templateDir = __pwd__/lemonldap-ng-portal/site/templates
|
||||
portalStatus = 1
|
||||
totp2fActivation = 1
|
||||
@ -143,6 +143,7 @@
|
|||
"locationRules": {
|
||||
"auth.example.com" : {
|
||||
"(?#checkUser)^/checkuser": "$uid eq \"dwho\"",
|
||||
"(?#checkDevOps)^/checkdevops": "$uid eq \"dwho\"",
|
||||
"(?#errors)^/lmerror/": "accept",
|
||||
"default" : "accept"
|
||||
},
|
||||
@ -231,7 +231,7 @@ Use \s-1OW2\s0 system to report bug or ask for features:
|
|||
.SH "DOWNLOAD"
|
||||
.IX Header "DOWNLOAD"
|
||||
Lemonldap::NG is available at
|
||||
<http://forge.objectweb.org/project/showfiles.php?group_id=274>
|
||||
<https://lemonldap-ng.org/download>
|
||||
.SH "COPYRIGHT AND LICENSE"
|
||||
.IX Header "COPYRIGHT AND LICENSE"
|
||||
.IP "Copyright (C) 2008\-2016 by Xavier Guimard, <x.guimard@free.fr>" 4
|
||||
@ -290,7 +290,7 @@ L<https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues>
|
|||
=head1 DOWNLOAD
|
||||
|
||||
Lemonldap::NG is available at
|
||||
L<http://forge.objectweb.org/project/showfiles.php?group_id=274>
|
||||
L<https://lemonldap-ng.org/download>
|
||||
|
||||
=head1 COPYRIGHT AND LICENSE
|
||||
|
||||
@ -35,7 +35,7 @@
|
|||
},
|
||||
"runtime" : {
|
||||
"recommends" : {
|
||||
"Apache::Session::Browseable" : "0",
|
||||
"Apache::Session::Browseable" : "v1.3.9",
|
||||
"Convert::Base32" : "0",
|
||||
"Cookie::Baker::XS" : "0",
|
||||
"Crypt::URandom" : "0",
|
||||
@ -21,7 +21,7 @@ no_index:
|
|||
- t
|
||||
- inc
|
||||
recommends:
|
||||
Apache::Session::Browseable: '0'
|
||||
Apache::Session::Browseable: v1.3.9
|
||||
Convert::Base32: '0'
|
||||
Cookie::Baker::XS: '0'
|
||||
Crypt::URandom: '0'
|
||||
@ -43,7 +43,7 @@ WriteMakefile(
|
|||
},
|
||||
META_MERGE => {
|
||||
'recommends' => {
|
||||
'Apache::Session::Browseable' => 0,
|
||||
'Apache::Session::Browseable' => '1.3.9',
|
||||
'Convert::Base32' => 0,
|
||||
'Cookie::Baker::XS' => 0,
|
||||
'Crypt::URandom' => 0,
|
||||
|
@ -106,5 +106,6 @@ WriteMakefile(
|
|||
'scripts/convertSessions' => 'blib/man1/convertSessions.1p',
|
||||
'scripts/lemonldap-ng-cli' => 'blib/man1/lemonldap-ng-cli.1p',
|
||||
'scripts/lemonldap-ng-sessions' => 'blib/man1/lemonldap-ng-sessions.1p',
|
||||
'scripts/importMetadata' => 'blib/man1/importMetadata.1p',
|
||||
},
|
||||
);
|
||||
@ -196,7 +196,7 @@ staticPrefix = __PORTALSTATICDIR__
|
|||
templateDir = __PORTALTEMPLATESDIR__
|
||||
|
||||
; languages: available languages for portal interface
|
||||
languages = en, fr, vi, it, ar, de, fi, tr, pl, zh_TW, es
|
||||
languages = en, fr, vi, it, ar, de, fi, tr, pl, zh_TW, es, pt_BR, he
|
||||
|
||||
; II - Optional parameters (overwrite configuration)
|
||||
|
||||
@ -38,7 +38,7 @@ L<https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues>
|
|||
=head1 DOWNLOAD
|
||||
|
||||
Lemonldap::NG is available at
|
||||
L<http://forge.objectweb.org/project/showfiles.php?group_id=274>
|
||||
L<https://lemonldap-ng.org/download>
|
||||
|
||||
=head1 COPYRIGHT AND LICENSE
|
||||
|
||||
|
|
|
@ -397,7 +397,7 @@ L<https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues>
|
|||
=head1 DOWNLOAD
|
||||
|
||||
Lemonldap::NG is available at
|
||||
L<http://forge.objectweb.org/project/showfiles.php?group_id=274>
|
||||
L<https://lemonldap-ng.org/download>
|
||||
|
||||
=head1 COPYRIGHT AND LICENSE
|
||||
|
||||
|
|
|
@ -418,7 +418,7 @@ L<https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues>
|
|||
=head1 DOWNLOAD
|
||||
|
||||
Lemonldap::NG is available at
|
||||
L<http://forge.objectweb.org/project/showfiles.php?group_id=274>
|
||||
L<https://lemonldap-ng.org/download>
|
||||
|
||||
=head1 COPYRIGHT AND LICENSE
|
||||
|
||||
|
|
|
@ -95,7 +95,7 @@ L<https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues>
|
|||
=head1 DOWNLOAD
|
||||
|
||||
Lemonldap::NG is available at
|
||||
L<http://forge.objectweb.org/project/showfiles.php?group_id=274>
|
||||
L<https://lemonldap-ng.org/download>
|
||||
|
||||
=head1 COPYRIGHT AND LICENSE
|
||||
|
||||
|
|
|
@ -107,6 +107,7 @@ sub new {
|
|||
$self->{localStorage}->new( $self->{localStorageOptions} );
|
||||
}
|
||||
}
|
||||
|
||||
return $self;
|
||||
}
|
||||
|
||||
|
@ -119,7 +120,6 @@ sub saveConf {
|
|||
my ( $self, $conf, %args ) = @_;
|
||||
|
||||
my $last = $self->lastCfg;
|
||||
return UNKNOWN_ERROR if $last < 1;
|
||||
|
||||
# If configuration was modified, return an error
|
||||
if ( not $args{force} ) {
|
||||
|
@ -190,6 +190,7 @@ sub getConf {
|
|||
eval { $r = $self->{refLocalStorage}->get('conf') }
|
||||
if ( $> and not $args->{noCache} );
|
||||
$msg .= "Warn: $@" if ($@);
|
||||
|
||||
if ( ref($r)
|
||||
and $r->{cfgNum}
|
||||
and $args->{cfgNum}
|
||||
|
@ -241,7 +242,11 @@ sub getConf {
|
|||
return $res;
|
||||
}
|
||||
|
||||
# Set default values
|
||||
## @method hashRef setDefault(hashRef conf, hashRef localPrm)
|
||||
# Set default params
|
||||
# @param $conf Lemonldap::NG configuration hashRef
|
||||
# @param $localPrm Local parameters
|
||||
# @return conf
|
||||
sub setDefault {
|
||||
my ( $self, $conf, $localPrm ) = @_;
|
||||
if ( defined $localPrm ) {
|
||||
|
@ -415,7 +420,7 @@ sub _launch {
|
|||
alarm 0;
|
||||
die $@ if $@;
|
||||
};
|
||||
if($@) {
|
||||
if ($@) {
|
||||
$msg .= $@;
|
||||
print STDERR "MSG $msg\n";
|
||||
return undef;
|
||||
|
@ -601,7 +606,7 @@ L<https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues>
|
|||
=head1 DOWNLOAD
|
||||
|
||||
Lemonldap::NG is available at
|
||||
L<http://forge.objectweb.org/project/showfiles.php?group_id=274>
|
||||
L<https://lemonldap-ng.org/download>
|
||||
|
||||
=head1 COPYRIGHT AND LICENSE
|
||||
|
||||
|
|
|
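Review bot: In the `getConf` hunk, `$msg .= "Warn: $@" if ($@);` follows an `eval` that only runs when `$> and not $args->{noCache}`; when that condition is false the eval is skipped and `$@` keeps whatever an earlier eval in this sub or its caller left behind, so a stale error can be appended to `$msg`. Keeping the `$@` check inside the same condition avoids that, as below; I cannot tell from the rendered page which of these lines the commit adds, and getConf starts and continues outside the hunk. Separately, in the `_launch` hunk the reformatted `if ($@)` block still ends in `return undef;`, which yields a one-element list in list context where `return;` is the usual form, and the adjacent `print STDERR "MSG $msg\n";` reads like leftover debug output worth confirming.
```perl
if ( $> and not $args->{noCache} ) {
    eval { $r = $self->{refLocalStorage}->get('conf') };
    $msg .= "Warn: $@" if $@;
}
```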
@ -31,7 +31,7 @@ use constant DEFAULTCONFBACKENDOPTIONS => (
|
|||
);
|
||||
our $hashParameters = qr/^(?:(?:l(?:o(?:ca(?:lSessionStorageOption|tionRule)|goutService)|dapExportedVar|wp(?:Ssl)?Opt)|(?:(?:d(?:emo|bi)|webID)ExportedVa|exported(?:Heade|Va)|issuerDBGetParamete)r|f(?:indUser(?:Exclud|Search)ingAttribute|acebookExportedVar)|re(?:moteGlobalStorageOption|st2f(?:Verify|Init)Arg|loadUrl)|g(?:r(?:antSessionRule|oup)|lobalStorageOption)|n(?:otificationStorageOption|ginxCustomHandler)|macro)s|o(?:idc(?:S(?:ervice(?:DynamicRegistrationEx(?:portedVar|traClaim)s|MetaDataAuthnContext)|torageOptions)|RPMetaData(?:(?:Option(?:sExtraClaim)?|ExportedVar|ScopeRule|Macro)s|Node)|OPMetaData(?:(?:ExportedVar|Option)s|J(?:SON|WKS)|Node))|penIdExportedVars)|c(?:as(?:A(?:ppMetaData(?:(?:ExportedVar|Option|Macro)s|Node)|ttributes)|S(?:rvMetaData(?:(?:ExportedVar|Option)s|Node)|torageOptions))|(?:ustom(?:Plugins|Add)Param|heckUserHiddenHeader|ombModule)s)|s(?:aml(?:S(?:PMetaData(?:(?:ExportedAttribute|Option|Macro)s|Node|XML)|torageOptions)|IDPMetaData(?:(?:ExportedAttribute|Option)s|Node|XML))|essionDataToRemember|laveExportedVars|fExtra)|a(?:(?:daptativeAuthenticationLevelR|ut(?:hChoiceMod|oSigninR))ules|pplicationList)|p(?:ersistentStorageOptions|o(?:rtalSkinRules|st))|v(?:hostOptions|irtualHost)|S(?:MTPTLSOpts|SLVarIf))$/;
|
||||
our $arrayParameters = qr/^mySessionAuthorizedRWKeys$/;
|
||||
our $boolKeys = qr/^(?:s(?:aml(?:IDP(?:MetaDataOptions(?:(?:Check(?:S[LS]OMessageSignatur|Audienc|Tim)|IsPassiv)e|A(?:llow(?:LoginFromIDP|ProxiedAuthn)|daptSessionUtime)|Force(?:Authn|UTF8)|StoreSAMLToken|RelayStateURL)|SSODescriptorWantAuthnRequestsSigned)|S(?:P(?:MetaDataOptions(?:(?:CheckS[LS]OMessageSignatur|OneTimeUs)e|EnableIDPInitiatedURL|ForceUTF8)|SSODescriptor(?:WantAssertion|AuthnRequest)sSigned)|erviceUseCertificateInResponse)|DiscoveryProtocol(?:Activation|IsPassive)|CommonDomainCookieActivation|UseQueryStringSpecific|MetadataForceUTF8)|f(?:RemovedUseNotif|OnlyUpgrade)|kip(?:Upgrade|Renew)Confirmation|oap(?:Session|Config)Server|t(?:ayConnecte|orePasswor)d|laveDisplayLogo|howLanguages|slByAjax)|o(?:idc(?:RPMetaDataOptions(?:A(?:llow(?:(?:ClientCredentials|Password)Grant|Offline)|ccessToken(?:Claims|JWT))|Re(?:freshToken|quirePKCE)|LogoutSessionRequired|IDTokenForceClaims|BypassConsent|Public)|ServiceAllow(?:(?:AuthorizationCode|Implicit|Hybrid)Flow|DynamicRegistration|OnlyDeclaredScopes)|OPMetaDataOptions(?:(?:CheckJWTSignatur|UseNonc)e|StoreIDToken))|ldNotifFormat)|p(?:ortal(?:Display(?:Re(?:freshMyRights|setPassword|gister)|CertificateResetByMail|GeneratePassword|PasswordPolicy)|E(?:rrorOn(?:ExpiredSession|MailNotFound)|nablePasswordDisplay)|(?:CheckLogin|Statu)s|OpenLinkInNewWindow|ForceAuthn|AntiFrame)|roxyUseSoap)|c(?:a(?:sS(?:rvMetaDataOptions(?:Gateway|Renew)|trictMatching)|ptcha_(?:register|login|mail)_enabled)|o(?:ntextSwitching(?:Allowed2fModifications|StopWithLogout)|mpactConf|rsEnabled)|heck(?:DevOps(?:Download)?|State|User|XSS)|rowdsec|da)|l(?:dap(?:(?:G(?:roup(?:DecodeSearchedValu|Recursiv)|etUserBeforePasswordChang)|UsePasswordResetAttribut)e|(?:AllowResetExpired|Set)Password|ChangePasswordAsUser|PpolicyControl|ITDS)|oginHistoryEnabled)|no(?:tif(?:ication(?:Server(?:(?:POS|GE)T|DELETE)?|sExplorer)?|y(?:Deleted|Other))|AjaxHook)|i(?:ssuerDB(?:OpenID(?:Connect)?|SAML|CAS|Get)Activation|mpersonationSkipEmptyValues)|u(?:se(?:RedirectOn(?:Forb
idden|Error)|SafeJail)|2fUserCanRemoveKey|pgradeSession)|re(?:st(?:(?:Password|Session|Config|Auth)Server|ExportSecretKeys)|freshSessions)|br(?:uteForceProtection(?:IncrementalTempo)?|owsersDontStorePassword)|d(?:is(?:ablePersistentStorage|playSessionId)|biDynamicHashEnabled)|(?:mai(?:lOnPasswordChang|ntenanc)|vhostMaintenanc)e|to(?:tp2fUserCanRemoveKey|kenUseGlobalStorage)|g(?:roupsBeforeMacros|lobalLogoutTimer)|a(?:voidAssignment|ctiveTimer)|h(?:ideOldPassword|ttpOnly)|yubikey2fUserCanRemoveKey|krb(?:RemoveDomain|ByJs)|(?:wsdlServ|findUs)er)$/;
|
||||
our $boolKeys = qr/^(?:s(?:aml(?:IDP(?:MetaDataOptions(?:(?:Check(?:S[LS]OMessageSignatur|Audienc|Tim)|IsPassiv)e|A(?:llow(?:LoginFromIDP|ProxiedAuthn)|daptSessionUtime)|Force(?:Authn|UTF8)|StoreSAMLToken|RelayStateURL)|SSODescriptorWantAuthnRequestsSigned)|S(?:P(?:MetaDataOptions(?:(?:CheckS[LS]OMessageSignatur|OneTimeUs)e|EnableIDPInitiatedURL|ForceUTF8)|SSODescriptor(?:WantAssertion|AuthnRequest)sSigned)|erviceUseCertificateInResponse)|DiscoveryProtocol(?:Activation|IsPassive)|CommonDomainCookieActivation|UseQueryStringSpecific|MetadataForceUTF8)|t(?:ayConnected(?:BypassFG)?|orePassword)|f(?:RemovedUseNotif|OnlyUpgrade)|kip(?:Upgrade|Renew)Confirmation|oap(?:Session|Config)Server|laveDisplayLogo|howLanguages|slByAjax)|o(?:idc(?:RPMetaDataOptions(?:A(?:llow(?:(?:ClientCredentials|Password)Grant|Offline)|ccessToken(?:Claims|JWT))|Re(?:freshToken|quirePKCE)|LogoutSessionRequired|IDTokenForceClaims|BypassConsent|Public)|ServiceAllow(?:(?:AuthorizationCode|Implicit|Hybrid)Flow|DynamicRegistration|OnlyDeclaredScopes)|OPMetaDataOptions(?:(?:CheckJWTSignatur|UseNonc)e|StoreIDToken))|ldNotifFormat)|c(?:a(?:sS(?:rvMetaDataOptions(?:Gateway|Renew)|trictMatching)|ptcha_(?:register|login|mail)_enabled)|heck(?:DevOps(?:D(?:isplayNormalizedHeaders|ownload)|CheckSessionAttributes)?|State|User|XSS)|o(?:ntextSwitching(?:Allowed2fModifications|StopWithLogout)|mpactConf|rsEnabled)|rowdsec|da)|p(?:ortal(?:Display(?:Re(?:freshMyRights|setPassword|gister)|CertificateResetByMail|GeneratePassword|PasswordPolicy)|E(?:rrorOn(?:ExpiredSession|MailNotFound)|nablePasswordDisplay)|(?:CheckLogin|Statu)s|OpenLinkInNewWindow|ForceAuthn|AntiFrame)|roxy(?:AuthServiceImpersonation|UseSoap))|l(?:dap(?:(?:G(?:roup(?:DecodeSearchedValu|Recursiv)|etUserBeforePasswordChang)|UsePasswordResetAttribut)e|(?:AllowResetExpired|Set)Password|ChangePasswordAsUser|PpolicyControl|ITDS)|oginHistoryEnabled)|n(?:o(?:tif(?:ication(?:Server(?:(?:POS|GE)T|DELETE)?|sExplorer)?|y(?:Deleted|Other))|AjaxHook)|ewLocationWarni
ng)|i(?:ssuerDB(?:OpenID(?:Connect)?|SAML|CAS|Get)Activation|mpersonationSkipEmptyValues)|u(?:se(?:RedirectOn(?:Forbidden|Error)|SafeJail)|2fUserCanRemoveKey|pgradeSession)|re(?:st(?:(?:Password|Session|Config|Auth)Server|ExportSecretKeys)|freshSessions)|br(?:uteForceProtection(?:IncrementalTempo)?|owsersDontStorePassword)|d(?:is(?:ablePersistentStorage|playSessionId)|biDynamicHashEnabled)|(?:mai(?:lOnPasswordChang|ntenanc)|vhostMaintenanc)e|to(?:tp2fUserCanRemoveKey|kenUseGlobalStorage)|g(?:roupsBeforeMacros|lobalLogoutTimer)|a(?:voidAssignment|ctiveTimer)|h(?:ideOldPassword|ttpOnly)|yubikey2fUserCanRemoveKey|krb(?:RemoveDomain|ByJs)|(?:wsdlServ|findUs)er)$/;
|
||||
|
||||
our @sessionTypes = ( 'remoteGlobal', 'global', 'localSession', 'persistent', 'saml', 'oidc', 'cas' );
|
||||
|
||||
|
|
|
@ -35,14 +35,18 @@ sub defaultValues {
|
|||
'certificateResetByMailURL' =>
|
||||
'http://auth.example.com/certificateReset',
|
||||
'certificateResetByMailValidityDelay' => 0,
|
||||
'checkDevOpsCheckSessionAttributes' => 1,
|
||||
'checkDevOpsDisplayNormalizedHeaders' => 1,
|
||||
'checkDevOpsDownload' => 1,
|
||||
'checkTime' => 600,
|
||||
'checkUserDisplayComputedSession' => 1,
|
||||
'checkUserDisplayEmptyHeaders' => 0,
|
||||
'checkUserDisplayEmptyValues' => 0,
|
||||
'checkUserDisplayHiddenAttributes' => 0,
|
||||
'checkUserDisplayHistory' => 0,
|
||||
'checkUserDisplayNormalizedHeaders' => 0,
|
||||
'checkUserDisplayPersistentInfo' => 0,
|
||||
'checkUserHiddenAttributes' => '_loginHistory _session_id hGroups',
|
||||
'checkUserHiddenAttributes' => '_loginHistory, _session_id, hGroups',
|
||||
'checkUserIdRule' => 1,
|
||||
'checkXSS' => 1,
|
||||
'confirmFormMethod' => 'post',
|
||||
|
@ -108,10 +112,10 @@ sub defaultValues {
|
|||
'groups' => {},
|
||||
'handlerInternalCache' => 15,
|
||||
'handlerServiceTokenTTL' => 30,
|
||||
'hiddenAttributes' => '_password _2fDevices',
|
||||
'hiddenAttributes' => '_password, _2fDevices',
|
||||
'httpOnly' => 1,
|
||||
'https' => -1,
|
||||
'impersonationHiddenAttributes' => '_2fDevices _loginHistory',
|
||||
'impersonationHiddenAttributes' => '_2fDevices, _loginHistory',
|
||||
'impersonationIdRule' => 1,
|
||||
'impersonationMergeSSOgroups' => 0,
|
||||
'impersonationPrefix' => 'real_',
|
||||
|
@ -186,6 +190,9 @@ sub defaultValues {
|
|||
'multiValuesSeparator' => '; ',
|
||||
'mySessionAuthorizedRWKeys' =>
|
||||
[ '_appsListOrder', '_oidcConnectedRP', '_oidcConsents' ],
|
||||
'newLocationWarningLocationAttribute' => 'ipAddr',
|
||||
'newLocationWarningLocationDisplayAttribute' => '',
|
||||
'newLocationWarningMaxValues' => '0',
|
||||
'notificationDefaultCond' => '',
|
||||
'notificationServerPOST' => 1,
|
||||
'notificationServerSentAttributes' =>
|
||||
|
@ -266,6 +273,7 @@ sub defaultValues {
|
|||
'portalSkin' => 'bootstrap',
|
||||
'portalUserAttr' => '_user',
|
||||
'proxyAuthnLevel' => 2,
|
||||
'proxyAuthServiceChoiceParam' => 'lmAuth',
|
||||
'radius2fActivation' => 0,
|
||||
'radius2fTimeout' => 20,
|
||||
'radiusAuthnLevel' => 3,
|
||||
|
@ -322,9 +330,9 @@ sub defaultValues {
|
|||
'samlSPSSODescriptorArtifactResolutionServiceArtifact' =>
|
||||
'1;0;urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/artifact',
|
||||
'samlSPSSODescriptorAssertionConsumerServiceHTTPArtifact' =>
|
||||
'1;0;urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact;#PORTAL#/saml/proxySingleSignOnArtifact',
|
||||
'0;1;urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact;#PORTAL#/saml/proxySingleSignOnArtifact',
|
||||
'samlSPSSODescriptorAssertionConsumerServiceHTTPPost' =>
|
||||
'0;1;urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/proxySingleSignOnPost',
|
||||
'1;0;urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/proxySingleSignOnPost',
|
||||
'samlSPSSODescriptorAuthnRequestsSigned' => 1,
|
||||
'samlSPSSODescriptorSingleLogoutServiceHTTPPost' =>
|
||||
'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/proxySingleLogout;#PORTAL#/saml/proxySingleLogoutReturn',
|
||||
|
@ -377,7 +385,7 @@ sub defaultValues {
|
|||
'useRedirectOnError' => 1,
|
||||
'useSafeJail' => 1,
|
||||
'utotp2fActivation' => 0,
|
||||
'viewerHiddenKeys' => 'samlIDPMetaDataNodes samlSPMetaDataNodes',
|
||||
'viewerHiddenKeys' => 'samlIDPMetaDataNodes, samlSPMetaDataNodes',
|
||||
'webIDAuthnLevel' => 1,
|
||||
'webIDExportedVars' => {},
|
||||
'whatToTrace' => 'uid',
|
||||
|
|
|
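Review bot: The new defaults for `hiddenAttributes`, `impersonationHiddenAttributes`, `checkUserHiddenAttributes` and `viewerHiddenKeys` switch from space-separated to comma-separated lists (`'_password, _2fDevices'`), so every consumer that splits these values must accept `,` as well as whitespace; a split on `/\s+/` alone would produce the token `_password,` and the attribute would no longer be hidden, which is a disclosure regression for deployments that rely on the default. The consumers are not visible on this page, so please confirm the split pattern and that explicitly configured space-separated values still parse after upgrade. The `samlSPSSODescriptorAssertionConsumerServiceHTTPArtifact` and `...HTTPPost` defaults swap their leading `1;0`/`0;1` fields, which appears to change the default assertion consumer binding for SPs that never set these keys; if intentional, a changelog entry for upgraders would help. If this file is generated from the manager's attribute definitions, as it looks to be, these fixes belong in the generator input rather than here.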
@ -16,7 +16,7 @@ our $specialNodeHash = {
|
|||
samlIDPMetaDataNodes => [qw(samlIDPMetaDataXML samlIDPMetaDataExportedAttributes samlIDPMetaDataOptions)],
|
||||
samlSPMetaDataNodes => [qw(samlSPMetaDataXML samlSPMetaDataExportedAttributes samlSPMetaDataOptions samlSPMetaDataMacros)],
|
||||
oidcOPMetaDataNodes => [qw(oidcOPMetaDataJSON oidcOPMetaDataJWKS oidcOPMetaDataOptions oidcOPMetaDataExportedVars)],
|
||||
oidcRPMetaDataNodes => [qw(oidcRPMetaDataOptions oidcRPMetaDataExportedVars oidcRPMetaDataOptionsExtraClaims oidcRPMetaDataMacros)],
|
||||
oidcRPMetaDataNodes => [qw(oidcRPMetaDataOptions oidcRPMetaDataExportedVars oidcRPMetaDataOptionsExtraClaims oidcRPMetaDataMacros oidcRPMetaDataScopeRules)],
|
||||
casSrvMetaDataNodes => [qw(casSrvMetaDataOptions casSrvMetaDataExportedVars)],
|
||||
casAppMetaDataNodes => [qw(casAppMetaDataOptions casAppMetaDataExportedVars casAppMetaDataMacros)],
|
||||
};
|
||||
|
@ -30,7 +30,7 @@ our $oidcOPMetaDataNodeKeys = 'oidcOPMetaData(?:Options(?:C(?:lient(?:Secret|ID)
|
|||
our $oidcRPMetaDataNodeKeys = 'oidcRPMetaData(?:Options(?:A(?:llow(?:(?:ClientCredentials|Password)Grant|Offline)|ccessToken(?:Expiration|SignAlg|Claims|JWT)|uth(?:orizationCodeExpiration|nLevel)|dditionalAudiences)|I(?:DToken(?:ForceClaims|Expiration|SignAlg)|con)|R(?:e(?:directUris|freshToken|quirePKCE)|ule)|Logout(?:SessionRequired|Type|Url)|P(?:ostLogoutRedirectUris|ublic)|UserI(?:nfoSignAlg|DAttr)|OfflineSessionExpiration|Client(?:Secret|ID)|BypassConsent|DisplayName|ExtraClaims)|(?:ExportedVar|ScopeRule|Macro)s)';
|
||||
our $samlIDPMetaDataNodeKeys = 'samlIDPMetaData(?:Options(?:(?:Check(?:S[LS]OMessageSignatur|Audienc|Tim)|EncryptionMod|UserAttribut|DisplayNam)e|S(?:ign(?:S[LS]OMessage|atureMethod)|toreSAMLToken|[LS]OBinding|ortNumber)|A(?:llow(?:LoginFromIDP|ProxiedAuthn)|daptSessionUtime)|Re(?:questedAuthnContext|solutionRule|layStateURL)|Force(?:Authn|UTF8)|I(?:sPassive|con)|NameIDFormat)|ExportedAttributes|XML)';
|
||||
our $samlSPMetaDataNodeKeys = 'samlSPMetaData(?:Options(?:S(?:ign(?:S[LS]OMessage|atureMethod)|essionNotOnOrAfterTimeout)|N(?:ameID(?:SessionKey|Format)|otOnOrAfterTimeout)|(?:CheckS[LS]OMessageSignatur|OneTimeUs|Rul)e|En(?:ableIDPInitiatedURL|cryptionMode)|AuthnLevel|ForceUTF8)|(?:ExportedAttribute|Macro)s|XML)';
|
||||
our $virtualHostKeys = '(?:vhost(?:A(?:ccessToTrace|uthnLevel|liases)|(?:Maintenanc|Typ)e|ServiceTokenTTL|Https|Port)|(?:exportedHeader|locationRule)s|post)';
|
||||
our $virtualHostKeys = '(?:vhost(?:A(?:ccessToTrace|uthnLevel|liases)|(?:Maintenanc|Typ)e|ServiceTokenTTL|DevOpsRulesUrl|Https|Port)|(?:exportedHeader|locationRule)s|post)';
|
||||
|
||||
our $authParameters = {
|
||||
adParams => [qw(ADPwdMaxAge ADPwdExpireWarning)],
|
||||
|
@ -51,7 +51,7 @@ our $authParameters = {
|
|||
oidcParams => [qw(oidcAuthnLevel oidcRPCallbackGetParam oidcRPStateTimeout)],
|
||||
openidParams => [qw(openIdAuthnLevel openIdExportedVars openIdSecret openIdIDPList)],
|
||||
pamParams => [qw(pamAuthnLevel pamService)],
|
||||
proxyParams => [qw(proxyAuthnLevel proxyAuthService proxySessionService remoteCookieName proxyUseSoap)],
|
||||
proxyParams => [qw(proxyAuthnLevel proxyUseSoap proxyAuthService proxySessionService proxyAuthServiceChoiceParam proxyAuthServiceChoiceValue proxyCookieName proxyAuthServiceImpersonation)],
|
||||
radiusParams => [qw(radiusAuthnLevel radiusSecret radiusServer)],
|
||||
remoteParams => [qw(remotePortal remoteCookieName remoteGlobalStorage remoteGlobalStorageOptions)],
|
||||
restParams => [qw(restAuthnLevel restAuthUrl restUserDBUrl restPwdConfirmUrl restPwdModifyUrl)],
|
||||
|
|