Proxy
Since version 1.0, Lemonldap::NG is able to transfer authentication credentials to another Lemonldap::NG portal (reverse-proxy). The difference from the Remote authentication module is that the client will never be redirected to the main Lemonldap::NG portal. This configuration is usable if you want to expose your internal SSO to another network (DMZ).
Configuration
External portal
You just have to set both authentication and userDB to "Proxy" and set the internal SOAP service address:
authentication => 'Proxy',
userDB => 'Proxy',
soapAuthService => 'https://auth.internal.network/',
# If cookie names differ, set it here:
#remoteCookieName => 'lemonldap',
# If SOAP session service is not ${soapAuthService}index.pl/sessions, set it here:
#soapSessionService => 'https://auth2.internal.network/index.pl/sessions',
Internal portal
The portal must be configured to accept SOAP authentication requests:
Soap => 1,
Don't forget to accept SOAP session requests in your apache.conf file:
<Directory /var/lib/lemonldap-ng/portal/index.pl/sessions>
Order deny,allow
Deny from all
Allow from my.external.portal
</Directory>
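The block above uses the Apache 2.2 access directives (Order/Deny/Allow). As an added example that is not part of the Lemonldap::NG documentation, the same restriction in Apache 2.4 syntax looks like this; it assumes Apache 2.4 with mod_authz_host, and 192.0.2.10 is a placeholder for the external portal's address:

```apache
# Added example (not from the original page): Apache 2.4 form of the
# access rule above. Container and path are copied from the page's block.
<Directory /var/lib/lemonldap-ng/portal/index.pl/sessions>
    # Equivalent of "Deny from all" + "Allow from my.external.portal".
    # Matching by host name makes Apache do a reverse DNS lookup followed
    # by a forward lookup on every request, so access depends on DNS.
    # Require host my.external.portal

    # Matching by address avoids the DNS dependency.
    # 192.0.2.10 is a placeholder: replace it with the external portal's IP.
    Require ip 192.0.2.10
</Directory>
```

With no other Require directive in the container, every client other than the listed one is refused, which is what keeps the SOAP session service reachable only from the external portal.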