Documentation for #2753
This commit is contained in:
parent
e90f16ade6
commit
a09072c7ed
@ -63,23 +63,48 @@ Then, go in ``CAS parameters``:
- **Authentication level**: authentication level for this module.
Then create the list of CAS servers in the manager. For each, set:
Then create the list of CAS servers in the manager.
Options
~~~~~~~
- **Server URL** *(required)*: CAS server URL (must use https://)
- **Renew authentication** *(default: disabled)*: force authentication
renewal on CAS server
- **Gateways authentication** *(default: disabled)*: force transparent
authentication on CAS server
Proxied services
~~~~~~~~~~~~~~~~
In this section, set the list of services for which a proxy ticket is
requested:
- **Key**: Service ID
- **Value** Service URL (CAS service identifier)
Display
~~~~~~~
- **Display Name**: Name to display. Required if you have more than 1
CAS server declared
- **Icon**: Path to CAS Server icon. Used only if you have more than 1
CAS server declared
- **Order**: Number to sort CAS Servers display
- **Proxied services**: list of services for which a proxy ticket is
requested:
- **Resolution Rule**: rule that will be applied to preselect a CAS server for
a user. You have access to all environment variable *(like user IP address)*
and all session keys.
- **Key**: Service ID
- **Value** Service URL (CAS service identifier)
For example, to preselect this server for users coming from 129.168.0.0/16
network
::
$ENV{REMOTE_ADDR} =~ /^192\.168/
To preselect this server when the ``MY_SRV`` :doc:`choice <authchoice>` is selected ::
$_choice eq "MY_SRV"
- **Order**: Number to sort CAS Servers display
.. tip::
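Review bot: the resolution-rule example still says the network is 129.168.0.0/16 while the rule tests `$ENV{REMOTE_ADDR} =~ /^192\.168/`, so the prose and the regex contradict each other; correct one of them here (the same example is repeated in the OIDC and SAML files of this commit). Two smaller points in the new text: `- **Value** Service URL (CAS service identifier)` lacks the colon that `- **Key**: Service ID` has, and putting **Resolution Rule** under the new `Display` heading reads oddly, since the rule selects which server is used rather than how it is shown; a dedicated heading alongside `Options` and `Proxied services` would fit better.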
@ -210,42 +210,59 @@ So you can define by example:
Options
^^^^^^^
- **Configuration**:
Configuration
"""""""""""""
- **Configuration endpoint**: URL of OP configuration endpoint
- **JWKS data timeout**: After this time, LL::NG will do a request
to get a fresh version of JWKS data. Set to 0 to disable it.
- **Client ID**: Client ID given by OP
- **Client secret**: Client secret given by OP
- **Store ID token**: Allows one to store the ID Token (JWT) inside
user session. Do not enable it unless you need to replay this token
on an application, or if you need the id_token_hint parameter when
using logout.
- **Configuration endpoint**: URL of OP configuration endpoint
- **JWKS data timeout**: After this time, LL::NG will do a request
to get a fresh version of JWKS data. Set to 0 to disable it.
- **Client ID**: Client ID given by OP
- **Client secret**: Client secret given by OP
- **Store ID token**: Allows one to store the ID Token (JWT) inside
user session. Do not enable it unless you need to replay this token
on an application, or if you need the id_token_hint parameter when
using logout.
- **Protocol**:
Protocol
""""""""
- **Scope**: Value of scope parameter (example: openid profile). The
``openid`` scope is mandatory.
- **Display**: Value of display parameter (example: page)
- **Prompt**: Value of prompt parameter (example: consent)
- **Max age**: Value of max_age parameter (example: 3600)
- **UI locales**: Value of ui_locales parameter (example: en-GB en
fr-FR fr)
- **ACR values**: Value acr_values parameters (example: loa-1)
- **Token endpoint authentication method**: Choice between
``client_secret_post`` and ``client_secret_basic``
- **Check JWT signature**: Set to 0 to disable JWT signature
checking
- **ID Token max age**: If defined, LL::NG will check the ID Token
date and reject it if too old
- **Use Nonce**: If enabled, a nonce will be sent, and verified from
the ID Token
- **Scope**: Value of scope parameter (example: openid profile). The
``openid`` scope is mandatory.
- **Display**: Value of display parameter (example: page)
- **Prompt**: Value of prompt parameter (example: consent)
- **Max age**: Value of max_age parameter (example: 3600)
- **UI locales**: Value of ui_locales parameter (example: en-GB en
fr-FR fr)
- **ACR values**: Value acr_values parameters (example: loa-1)
- **Token endpoint authentication method**: Choice between
``client_secret_post`` and ``client_secret_basic``
- **Check JWT signature**: Set to 0 to disable JWT signature
checking
- **ID Token max age**: If defined, LL::NG will check the ID Token
date and reject it if too old
- **Use Nonce**: If enabled, a nonce will be sent, and verified from
the ID Token
Display
"""""""
- **Display**:
- **Display name**: Name of the application
- **Logo**: Logo of the application
- **Resolution Rule**: rule that will be applied to preselect an OP
for a user. You have access to all environment variable *(like user
IP address)* and all session keys.
- **Display name**: Name of the application
- **Logo**: Logo of the application
- **Order**: Number to sort buttons
For example, to preselect this OP for users coming from 129.168.0.0/16
network
::
$ENV{REMOTE_ADDR} =~ /^192\.168/
To preselect this OP when the ``MY_OP`` :doc:`choice <authchoice>` is selected ::
$_choice eq "MY_OP"
- **Order**: Number to sort buttons
.. attention::
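Review bot: the same prose/regex mismatch as in the CAS file: the text says 129.168.0.0/16 but the rule tests `/^192\.168/`; align the two. Wording: `- **ACR values**: Value acr_values parameters` should read `Value of acr_values parameter` like its neighbours. Missing documentation: `- **Check JWT signature**: Set to 0 to disable JWT signature checking` is carried over without stating the consequence; one sentence saying that with this set to 0 the ID Token from the OP is accepted without verifying its signature would tell readers why the default should stay enabled. As with CAS, **Resolution Rule** lands under `Display` here although it is not a display setting.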
@ -254,4 +271,4 @@ Options
with ``verify_hostname => 0`` and ``SSL_verify_mode => 0``.
Go to: ``General Parameters > Advanced Parameters > Security > SSL options for server requests``
Go to: ``General Parameters > Advanced Parameters > Security > SSL options for server requests``
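Review bot: the removed and added versions of `Go to: ``General Parameters > Advanced Parameters > Security > SSL options for server requests``` are textually identical, so this looks like a whitespace-only change; if that was not intended, drop it to keep the diff focused. While here, the paragraph above documents `verify_hostname => 0` and `SSL_verify_mode => 0` without saying what they do; a sentence stating that these two values turn off certificate and hostname checking for the portal's outbound server requests would make the trade-off clear.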
@ -111,20 +111,6 @@ For each attribute, you can set:
Options
^^^^^^^
General options
'''''''''''''''
- **Resolution Rule**: rule that will be applied to preselect an IDP
for a user. You have access to all environment variable *(like user
IP address)* and all session keys.
For example, to preselect this IDP for users coming from 129.168.0.0/16
network and member of "admin" group:
::
$ENV{REMOTE_ADDR} =~ /^192\.168/ and $groups =~ /\badmin\b/
Authentication request
''''''''''''''''''''''
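Review bot: removing `General options` drops the only example that uses a session key (`$ENV{REMOTE_ADDR} =~ /^192\.168/ and $groups =~ /\badmin\b/`), while the **Resolution Rule** text still promises access to "all session keys"; wherever this section is re-added in the commit, keep the combined network-and-group example rather than a network-only one. The 129.168.0.0/16 versus `/^192\.168/` mismatch is present in the removed lines too, so the move is the moment to fix it.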
@ -212,8 +198,6 @@ Used only if at least 2 SAML Identity Providers are declared
- **Display name**: Name of the IDP
- **Logo**: Logo of the IDP
- **Order**: Number used for sorting IDP display
.. tip::
@ -222,6 +206,23 @@ Used only if at least 2 SAML Identity Providers are declared
icon file name directly in the field and copy the logo file in portal
icons directory
- **Resolution Rule**: rule that will be applied to preselect an IDP
for a user. You have access to all environment variable *(like user
IP address)* and all session keys.
For example, to preselect this IDP for users coming from 129.168.0.0/16
network
::
$ENV{REMOTE_ADDR} =~ /^192\.168/
To preselect this IDP when the ``MY_IDP`` :doc:`choice <authchoice>` is selected ::
$_choice eq "MY_IDP"
- **Order**: Number used for sorting IDP display
.. |image0| image:: /documentation/manager-saml-metadata.png
:class: align-center
.. |image1| image:: /documentation/manager-saml-attributes.png
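Review bot: the re-added **Resolution Rule** example says 129.168.0.0/16 but tests `$ENV{REMOTE_ADDR} =~ /^192\.168/`, and it has lost the `$groups =~ /\badmin\b/` clause that the earlier `General options` section had; restore the group condition, since it is the only illustration of the "all session keys" claim, and make the stated network agree with the regex. Structurally, the rule now follows the icon-file sentence in the display section; a short heading before **Resolution Rule** would keep the two topics apart, as the removed `General options` heading did.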