diff --git a/doc/sources/admin/authcas.rst b/doc/sources/admin/authcas.rst index cb567ff6a..2018af898 100644 --- a/doc/sources/admin/authcas.rst +++ b/doc/sources/admin/authcas.rst @@ -63,23 +63,48 @@ Then, go in ``CAS parameters``: - **Authentication level**: authentication level for this module. -Then create the list of CAS servers in the manager. For each, set: +Then create the list of CAS servers in the manager. + +Options +~~~~~~~ - **Server URL** *(required)*: CAS server URL (must use https://) - **Renew authentication** *(default: disabled)*: force authentication renewal on CAS server - **Gateways authentication** *(default: disabled)*: force transparent authentication on CAS server + +Proxied services +~~~~~~~~~~~~~~~~ + +In this section, set the list of services for which a proxy ticket is +requested: + +- **Key**: Service ID +- **Value** Service URL (CAS service identifier) + +Display +~~~~~~~ - **Display Name**: Name to display. Required if you have more than 1 CAS server declared - **Icon**: Path to CAS Server icon. Used only if you have more than 1 CAS server declared -- **Order**: Number to sort CAS Servers display -- **Proxied services**: list of services for which a proxy ticket is - requested: +- **Resolution Rule**: rule that will be applied to preselect a CAS server for + a user. You have access to all environment variable *(like user IP address)* + and all session keys. - - **Key**: Service ID - - **Value** Service URL (CAS service identifier) +For example, to preselect this server for users coming from 129.168.0.0/16 +network + +:: + + $ENV{REMOTE_ADDR} =~ /^192\.168/ + +To preselect this server when the ``MY_SRV`` :doc:`choice ` is selected :: + + $_choice eq "MY_SRV" + +- **Order**: Number to sort CAS Servers display .. tip:: diff --git a/doc/sources/admin/authopenidconnect.rst b/doc/sources/admin/authopenidconnect.rst index f966406ed..f8d64a5e0 100644 --- a/doc/sources/admin/authopenidconnect.rst +++ b/doc/sources/admin/authopenidconnect.rst 
@@ -210,42 +210,59 @@ So you can define by example: Options ^^^^^^^ -- **Configuration**: +Configuration +""""""""""""" - - **Configuration endpoint**: URL of OP configuration endpoint - - **JWKS data timeout**: After this time, LL::NG will do a request - to get a fresh version of JWKS data. Set to 0 to disable it. - - **Client ID**: Client ID given by OP - - **Client secret**: Client secret given by OP - - **Store ID token**: Allows one to store the ID Token (JWT) inside - user session. Do not enable it unless you need to replay this token - on an application, or if you need the id_token_hint parameter when - using logout. +- **Configuration endpoint**: URL of OP configuration endpoint +- **JWKS data timeout**: After this time, LL::NG will do a request + to get a fresh version of JWKS data. Set to 0 to disable it. +- **Client ID**: Client ID given by OP +- **Client secret**: Client secret given by OP +- **Store ID token**: Allows one to store the ID Token (JWT) inside + user session. Do not enable it unless you need to replay this token + on an application, or if you need the id_token_hint parameter when + using logout. -- **Protocol**: +Protocol +"""""""" +- **Scope**: Value of scope parameter (example: openid profile). The + ``openid`` scope is mandatory. 
+- **Display**: Value of display parameter (example: page) +- **Prompt**: Value of prompt parameter (example: consent) +- **Max age**: Value of max_age parameter (example: 3600) +- **UI locales**: Value of ui_locales parameter (example: en-GB en + fr-FR fr) +- **ACR values**: Value acr_values parameters (example: loa-1) +- **Token endpoint authentication method**: Choice between + ``client_secret_post`` and ``client_secret_basic`` +- **Check JWT signature**: Set to 0 to disable JWT signature + checking +- **ID Token max age**: If defined, LL::NG will check the ID Token + date and reject it if too old +- **Use Nonce**: If enabled, a nonce will be sent, and verified from + the ID Token - - **Scope**: Value of scope parameter (example: openid profile). The - ``openid`` scope is mandatory. - - **Display**: Value of display parameter (example: page) - - **Prompt**: Value of prompt parameter (example: consent) - - **Max age**: Value of max_age parameter (example: 3600) - - **UI locales**: Value of ui_locales parameter (example: en-GB en - fr-FR fr) - - **ACR values**: Value acr_values parameters (example: loa-1) - - **Token endpoint authentication method**: Choice between - ``client_secret_post`` and ``client_secret_basic`` - - **Check JWT signature**: Set to 0 to disable JWT signature - checking - - **ID Token max age**: If defined, LL::NG will check the ID Token - date and reject it if too old - - **Use Nonce**: If enabled, a nonce will be sent, and verified from - the ID Token +Display +""""""" -- **Display**: +- **Display name**: Name of the application +- **Logo**: Logo of the application +- **Resolution Rule**: rule that will be applied to preselect an OP + for a user. You have access to all environment variable *(like user + IP address)* and all session keys. 
- - **Display name**: Name of the application - - **Logo**: Logo of the application - - **Order**: Number to sort buttons +For example, to preselect this OP for users coming from 129.168.0.0/16 +network + +:: + + $ENV{REMOTE_ADDR} =~ /^192\.168/ + +To preselect this OP when the ``MY_OP`` :doc:`choice ` is selected :: + + $_choice eq "MY_OP" + +- **Order**: Number to sort buttons .. attention:: @@ -254,4 +271,4 @@ Options with ``verify_hostname => 0`` and ``SSL_verify_mode => 0``. - Go to: ``General Parameters > Advanced Parameters > Security > SSL options for server requests`` \ No newline at end of file + Go to: ``General Parameters > Advanced Parameters > Security > SSL options for server requests`` diff --git a/doc/sources/admin/authsaml.rst b/doc/sources/admin/authsaml.rst index 28c8a96ce..4859277c9 100644 --- a/doc/sources/admin/authsaml.rst +++ b/doc/sources/admin/authsaml.rst @@ -111,20 +111,6 @@ For each attribute, you can set: Options ^^^^^^^ -General options -''''''''''''''' - -- **Resolution Rule**: rule that will be applied to preselect an IDP - for a user. You have access to all environment variable *(like user - IP address)* and all session keys. - -For example, to preselect this IDP for users coming from 129.168.0.0/16 -network and member of "admin" group: - -:: - - $ENV{REMOTE_ADDR} =~ /^192\.168/ and $groups =~ /\badmin\b/ - Authentication request '''''''''''''''''''''' @@ -212,8 +198,6 @@ Used only if at least 2 SAML Identity Providers are declared - **Display name**: Name of the IDP - **Logo**: Logo of the IDP -- **Order**: Number used for sorting IDP display - .. tip:: 
@@ -222,6 +206,23 @@ Used only if at least 2 SAML Identity Providers are declared icon file name directly in the field and copy the logo file in portal icons directory +- **Resolution Rule**: rule that will be applied to preselect an IDP + for a user. You have access to all environment variable *(like user + IP address)* and all session keys. + +For example, to preselect this IDP for users coming from 129.168.0.0/16 +network + +:: + + $ENV{REMOTE_ADDR} =~ /^192\.168/ + +To preselect this IDP when the ``MY_IDP`` :doc:`choice ` is selected :: + + $_choice eq "MY_IDP" + +- **Order**: Number used for sorting IDP display + .. |image0| image:: /documentation/manager-saml-metadata.png :class: align-center .. |image1| image:: /documentation/manager-saml-attributes.png
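Review bot: in the authcas.rst hunk the prose and the rule it introduces disagree: the sentence says "users coming from 129.168.0.0/16 network" while the example is ``$ENV{REMOTE_ADDR} =~ /^192\.168/``; the network in the sentence should be ``192.168.0.0/16`` to match the rule (or the rule changed, but 192.168/16 is the private range the text clearly intends). A trailing ``\.`` in the pattern (``/^192\.168\./``) would anchor the match on a whole octet. The ``:doc:`choice ``` reference carries a label but no target document after it; if that is not an extraction artifact, the role needs its target. Minor wording in the same hunk: "all environment variable" should be "all environment variables", and "**Value** Service URL" is missing the colon used by the other items.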
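Review bot: the authopenidconnect.rst ``@@ -210,42 +210,59 @@`` hunk repeats the 129.168 / ``/^192\.168/`` mismatch and the target-less ``:doc:`choice ``` reference noted for authcas.rst, so both need the same fix here. It also places the **Resolution Rule** item and its two example paragraphs between **Logo** and **Order**, which breaks the Display bullet list: in reStructuredText the paragraph and literal blocks end the list, so **Order** renders as a separate one-item list. Moving **Resolution Rule** (with its examples) to the end of the list, after **Order**, keeps the list intact and reads more naturally, since the examples are the longest item.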
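Review bot: the authsaml.rst ``@@ -111,20 +111,6 @@`` hunk deletes the only example that exercised a session key in a resolution rule, ``$ENV{REMOTE_ADDR} =~ /^192\.168/ and $groups =~ /\badmin\b/``; the text re-added further down keeps just the IP-address example, so the sentence "You have access to ... all session keys" is left without an illustration. Carry the combined ``and $groups =~ /\badmin\b/`` example over to the new location (it applies equally to the CAS and OpenID Connect pages, which describe the same rule syntax) instead of dropping it.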
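Review bot: the authsaml.rst ``@@ -222,6 +206,23 @@`` hunk has the same three issues as the other two files: the sentence says 129.168.0.0/16 while the rule matches ``/^192\.168/``; the ``:doc:`choice ``` role has no target after its label; and the **Resolution Rule** example paragraphs are inserted before **Order**, so **Order** ends up in a new one-item list. Since the same wording is now duplicated across authcas.rst, authopenidconnect.rst and authsaml.rst, fixing it in one place and copying the corrected block to the other two avoids leaving one page out of sync.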