Documentation for #2753

2022-05-18 10:02:54 +02:00 · 2022-05-18 10:02:54 +02:00 · a09072c7ed
parent e90f16ade6
commit a09072c7ed
3 changed files with 97 additions and 54 deletions
--- a/doc/sources/admin/authcas.rst
+++ b/doc/sources/admin/authcas.rst
@ -63,23 +63,48 @@ Then, go in ``CAS parameters``:

 -  **Authentication level**: authentication level for this module.

-Then create the list of CAS servers in the manager. For each, set:
+Then create the list of CAS servers in the manager.
+
+Options
+~~~~~~~

 -  **Server URL** *(required)*: CAS server URL (must use https://)
 -  **Renew authentication** *(default: disabled)*: force authentication
   renewal on CAS server
 -  **Gateways authentication** *(default: disabled)*: force transparent
   authentication on CAS server
+
+Proxied services
+~~~~~~~~~~~~~~~~
+
+In this section, set the list of services for which a proxy ticket is
+requested:
+
+-  **Key**: Service ID
+-  **Value** Service URL (CAS service identifier)
+
+Display
+~~~~~~~
 -  **Display Name**: Name to display. Required if you have more than 1
   CAS server declared
 -  **Icon**: Path to CAS Server icon. Used only if you have more than 1
   CAS server declared
-  **Order**: Number to sort CAS Servers display
-  **Proxied services**: list of services for which a proxy ticket is
-   requested:
+-  **Resolution Rule**: rule that will be applied to preselect a CAS server for
+   a user. You have access to all environment variable *(like user IP address)*
+   and all session keys.

-   -  **Key**: Service ID
-   -  **Value** Service URL (CAS service identifier)
+For example, to preselect this server for users coming from 129.168.0.0/16
+network
+
+::
+
+   $ENV{REMOTE_ADDR} =~ /^192\.168/
+
+To preselect this server when the ``MY_SRV`` :doc:`choice <authchoice>` is selected ::
+
+    $_choice eq "MY_SRV"
+
+-  **Order**: Number to sort CAS Servers display


 .. tip::
--- a/doc/sources/admin/authopenidconnect.rst
+++ b/doc/sources/admin/authopenidconnect.rst
@ -210,42 +210,59 @@ So you can define by example:
 Options
 ^^^^^^^

-  **Configuration**:
+Configuration
+"""""""""""""

-   -  **Configuration endpoint**: URL of OP configuration endpoint
-   -  **JWKS data timeout**: After this time, LL::NG will do a request
-      to get a fresh version of JWKS data. Set to 0 to disable it.
-   -  **Client ID**: Client ID given by OP
-   -  **Client secret**: Client secret given by OP
-   -  **Store ID token**: Allows one to store the ID Token (JWT) inside
-      user session. Do not enable it unless you need to replay this token
-      on an application, or if you need the id_token_hint parameter when
-      using logout.
+-  **Configuration endpoint**: URL of OP configuration endpoint
+-  **JWKS data timeout**: After this time, LL::NG will do a request
+   to get a fresh version of JWKS data. Set to 0 to disable it.
+-  **Client ID**: Client ID given by OP
+-  **Client secret**: Client secret given by OP
+-  **Store ID token**: Allows one to store the ID Token (JWT) inside
+   user session. Do not enable it unless you need to replay this token
+   on an application, or if you need the id_token_hint parameter when
+   using logout.

-  **Protocol**:
+Protocol
+""""""""
+-  **Scope**: Value of scope parameter (example: openid profile). The
+   ``openid`` scope is mandatory.
+-  **Display**: Value of display parameter (example: page)
+-  **Prompt**: Value of prompt parameter (example: consent)
+-  **Max age**: Value of max_age parameter (example: 3600)
+-  **UI locales**: Value of ui_locales parameter (example: en-GB en
+   fr-FR fr)
+-  **ACR values**: Value acr_values parameters (example: loa-1)
+-  **Token endpoint authentication method**: Choice between
+   ``client_secret_post`` and ``client_secret_basic``
+-  **Check JWT signature**: Set to 0 to disable JWT signature
+   checking
+-  **ID Token max age**: If defined, LL::NG will check the ID Token
+   date and reject it if too old
+-  **Use Nonce**: If enabled, a nonce will be sent, and verified from
+   the ID Token

-   -  **Scope**: Value of scope parameter (example: openid profile). The
-      ``openid`` scope is mandatory.
-   -  **Display**: Value of display parameter (example: page)
-   -  **Prompt**: Value of prompt parameter (example: consent)
-   -  **Max age**: Value of max_age parameter (example: 3600)
-   -  **UI locales**: Value of ui_locales parameter (example: en-GB en
-      fr-FR fr)
-   -  **ACR values**: Value acr_values parameters (example: loa-1)
-   -  **Token endpoint authentication method**: Choice between
-      ``client_secret_post`` and ``client_secret_basic``
-   -  **Check JWT signature**: Set to 0 to disable JWT signature
-      checking
-   -  **ID Token max age**: If defined, LL::NG will check the ID Token
-      date and reject it if too old
-   -  **Use Nonce**: If enabled, a nonce will be sent, and verified from
-      the ID Token
+Display
+"""""""

-  **Display**:
+-  **Display name**: Name of the application
+-  **Logo**: Logo of the application
+-  **Resolution Rule**: rule that will be applied to preselect an OP
+   for a user. You have access to all environment variable *(like user
+   IP address)* and all session keys.

-   -  **Display name**: Name of the application
-   -  **Logo**: Logo of the application
-   -  **Order**: Number to sort buttons
+For example, to preselect this OP for users coming from 129.168.0.0/16
+network
+
+::
+
+   $ENV{REMOTE_ADDR} =~ /^192\.168/
+
+To preselect this OP when the ``MY_OP`` :doc:`choice <authchoice>` is selected ::
+
+    $_choice eq "MY_OP"
+
+-  **Order**: Number to sort buttons


 .. attention::
@ -254,4 +271,4 @@ Options
    with ``verify_hostname => 0`` and ``SSL_verify_mode => 0``.


-    Go to: ``General Parameters > Advanced Parameters > Security > SSL options for server requests``
+    Go to: ``General Parameters > Advanced Parameters > Security > SSL options for server requests``
--- a/doc/sources/admin/authsaml.rst
+++ b/doc/sources/admin/authsaml.rst
@ -111,20 +111,6 @@ For each attribute, you can set:
 Options
 ^^^^^^^

-General options
-'''''''''''''''
-
-  **Resolution Rule**: rule that will be applied to preselect an IDP
-   for a user. You have access to all environment variable *(like user
-   IP address)* and all session keys.
-
-For example, to preselect this IDP for users coming from 129.168.0.0/16
-network and member of "admin" group:
-
-::
-
-   $ENV{REMOTE_ADDR} =~ /^192\.168/ and $groups =~ /\badmin\b/
-
 Authentication request
 ''''''''''''''''''''''

@ -212,8 +198,6 @@ Used only if at least 2 SAML Identity Providers are declared

 -  **Display name**: Name of the IDP
 -  **Logo**: Logo of the IDP
-  **Order**: Number used for sorting IDP display
-

 .. tip::

@ -222,6 +206,23 @@ Used only if at least 2 SAML Identity Providers are declared
    icon file name directly in the field and copy the logo file in portal
    icons directory

+-  **Resolution Rule**: rule that will be applied to preselect an IDP
+   for a user. You have access to all environment variable *(like user
+   IP address)* and all session keys.
+
+For example, to preselect this IDP for users coming from 129.168.0.0/16
+network
+
+::
+
+   $ENV{REMOTE_ADDR} =~ /^192\.168/
+
+To preselect this IDP when the ``MY_IDP`` :doc:`choice <authchoice>` is selected ::
+
+    $_choice eq "MY_IDP"
+
+-  **Order**: Number used for sorting IDP display
+
 .. |image0| image:: /documentation/manager-saml-metadata.png
   :class: align-center
 .. |image1| image:: /documentation/manager-saml-attributes.png