Documentation for #2753
This commit is contained in:
parent
e90f16ade6
commit
a09072c7ed
@ -63,23 +63,48 @@ Then, go in ``CAS parameters``:
|
||||||
|
|
||||||
- **Authentication level**: authentication level for this module.
|
- **Authentication level**: authentication level for this module.
|
||||||
|
|
||||||
Then create the list of CAS servers in the manager. For each, set:
|
Then create the list of CAS servers in the manager.
|
||||||
|
|
||||||
|
Options
|
||||||
|
~~~~~~~
|
||||||
|
|
||||||
- **Server URL** *(required)*: CAS server URL (must use https://)
|
- **Server URL** *(required)*: CAS server URL (must use https://)
|
||||||
- **Renew authentication** *(default: disabled)*: force authentication
|
- **Renew authentication** *(default: disabled)*: force authentication
|
||||||
renewal on CAS server
|
renewal on CAS server
|
||||||
- **Gateways authentication** *(default: disabled)*: force transparent
|
- **Gateways authentication** *(default: disabled)*: force transparent
|
||||||
authentication on CAS server
|
authentication on CAS server
|
||||||
|
|
||||||
|
Proxied services
|
||||||
|
~~~~~~~~~~~~~~~~
|
||||||
|
|
||||||
|
In this section, set the list of services for which a proxy ticket is
|
||||||
|
requested:
|
||||||
|
|
||||||
|
- **Key**: Service ID
|
||||||
|
- **Value** Service URL (CAS service identifier)
|
||||||
|
|
||||||
|
Display
|
||||||
|
~~~~~~~
|
||||||
- **Display Name**: Name to display. Required if you have more than 1
|
- **Display Name**: Name to display. Required if you have more than 1
|
||||||
CAS server declared
|
CAS server declared
|
||||||
- **Icon**: Path to CAS Server icon. Used only if you have more than 1
|
- **Icon**: Path to CAS Server icon. Used only if you have more than 1
|
||||||
CAS server declared
|
CAS server declared
|
||||||
- **Order**: Number to sort CAS Servers display
|
- **Resolution Rule**: rule that will be applied to preselect a CAS server for
|
||||||
- **Proxied services**: list of services for which a proxy ticket is
|
a user. You have access to all environment variable *(like user IP address)*
|
||||||
requested:
|
and all session keys.
|
||||||
|
|
||||||
- **Key**: Service ID
|
For example, to preselect this server for users coming from 129.168.0.0/16
|
||||||
- **Value** Service URL (CAS service identifier)
|
network
|
||||||
|
|
||||||
|
::
|
||||||
|
|
||||||
|
$ENV{REMOTE_ADDR} =~ /^192\.168/
|
||||||
|
|
||||||
|
To preselect this server when the ``MY_SRV`` :doc:`choice <authchoice>` is selected ::
|
||||||
|
|
||||||
|
$_choice eq "MY_SRV"
|
||||||
|
|
||||||
|
- **Order**: Number to sort CAS Servers display
|
||||||
|
|
||||||
|
|
||||||
.. tip::
|
.. tip::
|
||||||
|
|
|
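Review bot: the new Resolution Rule example under Display says the rule is for users coming from the 129.168.0.0/16 network, but the rule itself is ``$ENV{REMOTE_ADDR} =~ /^192\.168/``; one of the two should be corrected so the prose and the regex describe the same network, and the regex reads more precisely as ``/^192\.168\./`` so the match is clearly on the first two octets. In the same hunk, the new Proxied services bullet ``- **Value** Service URL (CAS service identifier)`` is missing the colon after **Value** that the **Key** bullet has, and "all environment variable" should read "all environment variables".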
@ -210,42 +210,59 @@ So you can define by example:
|
||||||
Options
|
Options
|
||||||
^^^^^^^
|
^^^^^^^
|
||||||
|
|
||||||
- **Configuration**:
|
Configuration
|
||||||
|
"""""""""""""
|
||||||
|
|
||||||
- **Configuration endpoint**: URL of OP configuration endpoint
|
- **Configuration endpoint**: URL of OP configuration endpoint
|
||||||
- **JWKS data timeout**: After this time, LL::NG will do a request
|
- **JWKS data timeout**: After this time, LL::NG will do a request
|
||||||
to get a fresh version of JWKS data. Set to 0 to disable it.
|
to get a fresh version of JWKS data. Set to 0 to disable it.
|
||||||
- **Client ID**: Client ID given by OP
|
- **Client ID**: Client ID given by OP
|
||||||
- **Client secret**: Client secret given by OP
|
- **Client secret**: Client secret given by OP
|
||||||
- **Store ID token**: Allows one to store the ID Token (JWT) inside
|
- **Store ID token**: Allows one to store the ID Token (JWT) inside
|
||||||
user session. Do not enable it unless you need to replay this token
|
user session. Do not enable it unless you need to replay this token
|
||||||
on an application, or if you need the id_token_hint parameter when
|
on an application, or if you need the id_token_hint parameter when
|
||||||
using logout.
|
using logout.
|
||||||
|
|
||||||
- **Protocol**:
|
Protocol
|
||||||
|
""""""""
|
||||||
|
- **Scope**: Value of scope parameter (example: openid profile). The
|
||||||
|
``openid`` scope is mandatory.
|
||||||
|
- **Display**: Value of display parameter (example: page)
|
||||||
|
- **Prompt**: Value of prompt parameter (example: consent)
|
||||||
|
- **Max age**: Value of max_age parameter (example: 3600)
|
||||||
|
- **UI locales**: Value of ui_locales parameter (example: en-GB en
|
||||||
|
fr-FR fr)
|
||||||
|
- **ACR values**: Value acr_values parameters (example: loa-1)
|
||||||
|
- **Token endpoint authentication method**: Choice between
|
||||||
|
``client_secret_post`` and ``client_secret_basic``
|
||||||
|
- **Check JWT signature**: Set to 0 to disable JWT signature
|
||||||
|
checking
|
||||||
|
- **ID Token max age**: If defined, LL::NG will check the ID Token
|
||||||
|
date and reject it if too old
|
||||||
|
- **Use Nonce**: If enabled, a nonce will be sent, and verified from
|
||||||
|
the ID Token
|
||||||
|
|
||||||
- **Scope**: Value of scope parameter (example: openid profile). The
|
Display
|
||||||
``openid`` scope is mandatory.
|
"""""""
|
||||||
- **Display**: Value of display parameter (example: page)
|
|
||||||
- **Prompt**: Value of prompt parameter (example: consent)
|
|
||||||
- **Max age**: Value of max_age parameter (example: 3600)
|
|
||||||
- **UI locales**: Value of ui_locales parameter (example: en-GB en
|
|
||||||
fr-FR fr)
|
|
||||||
- **ACR values**: Value acr_values parameters (example: loa-1)
|
|
||||||
- **Token endpoint authentication method**: Choice between
|
|
||||||
``client_secret_post`` and ``client_secret_basic``
|
|
||||||
- **Check JWT signature**: Set to 0 to disable JWT signature
|
|
||||||
checking
|
|
||||||
- **ID Token max age**: If defined, LL::NG will check the ID Token
|
|
||||||
date and reject it if too old
|
|
||||||
- **Use Nonce**: If enabled, a nonce will be sent, and verified from
|
|
||||||
the ID Token
|
|
||||||
|
|
||||||
- **Display**:
|
- **Display name**: Name of the application
|
||||||
|
- **Logo**: Logo of the application
|
||||||
|
- **Resolution Rule**: rule that will be applied to preselect an OP
|
||||||
|
for a user. You have access to all environment variable *(like user
|
||||||
|
IP address)* and all session keys.
|
||||||
|
|
||||||
- **Display name**: Name of the application
|
For example, to preselect this OP for users coming from 129.168.0.0/16
|
||||||
- **Logo**: Logo of the application
|
network
|
||||||
- **Order**: Number to sort buttons
|
|
||||||
|
::
|
||||||
|
|
||||||
|
$ENV{REMOTE_ADDR} =~ /^192\.168/
|
||||||
|
|
||||||
|
To preselect this OP when the ``MY_OP`` :doc:`choice <authchoice>` is selected ::
|
||||||
|
|
||||||
|
$_choice eq "MY_OP"
|
||||||
|
|
||||||
|
- **Order**: Number to sort buttons
|
||||||
|
|
||||||
|
|
||||||
.. attention::
|
.. attention::
|
||||||
|
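Review bot: the bullet ``- **ACR values**: Value acr_values parameters (example: loa-1)``, moved unchanged into the new Protocol subsection, should read "Value of acr_values parameter" like the bullets around it, and the new Resolution Rule text should say "all environment variables". The network example copied into this page carries the same prose/regex mismatch as the CAS page: the text says 129.168.0.0/16 while the rule tests ``/^192\.168/``.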
@ -254,4 +271,4 @@ Options
|
||||||
with ``verify_hostname => 0`` and ``SSL_verify_mode => 0``.
|
with ``verify_hostname => 0`` and ``SSL_verify_mode => 0``.
|
||||||
|
|
||||||
|
|
||||||
Go to: ``General Parameters > Advanced Parameters > Security > SSL options for server requests``
|
Go to: ``General Parameters > Advanced Parameters > Security > SSL options for server requests``
|
||||||
|
|
|
@ -111,20 +111,6 @@ For each attribute, you can set:
|
||||||
Options
|
Options
|
||||||
^^^^^^^
|
^^^^^^^
|
||||||
|
|
||||||
General options
|
|
||||||
'''''''''''''''
|
|
||||||
|
|
||||||
- **Resolution Rule**: rule that will be applied to preselect an IDP
|
|
||||||
for a user. You have access to all environment variable *(like user
|
|
||||||
IP address)* and all session keys.
|
|
||||||
|
|
||||||
For example, to preselect this IDP for users coming from 129.168.0.0/16
|
|
||||||
network and member of "admin" group:
|
|
||||||
|
|
||||||
::
|
|
||||||
|
|
||||||
$ENV{REMOTE_ADDR} =~ /^192\.168/ and $groups =~ /\badmin\b/
|
|
||||||
|
|
||||||
Authentication request
|
Authentication request
|
||||||
''''''''''''''''''''''
|
''''''''''''''''''''''
|
||||||
|
|
||||||
|
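Review bot: dropping the General options subsection also drops the only example that shows two conditions combined in one rule, ``$ENV{REMOTE_ADDR} =~ /^192\.168/ and $groups =~ /\badmin\b/``; where the Resolution Rule is re-documented later in this commit, carry the group-membership example over, since it is the part readers need beyond a plain network match.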
@ -212,8 +198,6 @@ Used only if at least 2 SAML Identity Providers are declared
|
||||||
|
|
||||||
- **Display name**: Name of the IDP
|
- **Display name**: Name of the IDP
|
||||||
- **Logo**: Logo of the IDP
|
- **Logo**: Logo of the IDP
|
||||||
- **Order**: Number used for sorting IDP display
|
|
||||||
|
|
||||||
|
|
||||||
.. tip::
|
.. tip::
|
||||||
|
|
||||||
|
@ -222,6 +206,23 @@ Used only if at least 2 SAML Identity Providers are declared
|
||||||
icon file name directly in the field and copy the logo file in portal
|
icon file name directly in the field and copy the logo file in portal
|
||||||
icons directory
|
icons directory
|
||||||
|
|
||||||
|
- **Resolution Rule**: rule that will be applied to preselect an IDP
|
||||||
|
for a user. You have access to all environment variable *(like user
|
||||||
|
IP address)* and all session keys.
|
||||||
|
|
||||||
|
For example, to preselect this IDP for users coming from 129.168.0.0/16
|
||||||
|
network
|
||||||
|
|
||||||
|
::
|
||||||
|
|
||||||
|
$ENV{REMOTE_ADDR} =~ /^192\.168/
|
||||||
|
|
||||||
|
To preselect this IDP when the ``MY_IDP`` :doc:`choice <authchoice>` is selected ::
|
||||||
|
|
||||||
|
$_choice eq "MY_IDP"
|
||||||
|
|
||||||
|
- **Order**: Number used for sorting IDP display
|
||||||
|
|
||||||
.. |image0| image:: /documentation/manager-saml-metadata.png
|
.. |image0| image:: /documentation/manager-saml-metadata.png
|
||||||
:class: align-center
|
:class: align-center
|
||||||
.. |image1| image:: /documentation/manager-saml-attributes.png
|
.. |image1| image:: /documentation/manager-saml-attributes.png
|
||||||
|
|
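Review bot: the re-added Resolution Rule example keeps the 129.168.0.0/16 wording next to a ``/^192\.168/`` regex, so the prose or the regex needs to change to match; this example is now repeated verbatim on three pages in this commit, so fix all copies together. The ``$_choice eq "MY_IDP"`` example is fine as written.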