Proxy

Since version 1.0, Lemonldap::NG is able to transfer authentication credentials to another Lemonldap::NG portal (reverse-proxy).

The difference from the Remote authentication module is that the client will never be redirected to the main Lemonldap::NG portal. This configuration is useful if you want to expose your internal SSO to another network (DMZ).

Configuration

External portal

Set both authentication and userDB to "Proxy", and set the internal SOAP service address:

authentication => 'Proxy',
userDB => 'Proxy',
soapAuthService => 'https://auth.internal.network/',
# If cookie names differ, set it here:
#remoteCookieName => 'lemonldap',
# If SOAP session service is not ${soapAuthService}index.pl/sessions, set it here:
#soapSessionService => 'https://auth2.internal.network/index.pl/sessions',

Internal portal



The portal must be configured to accept SOAP authentication requests:

Soap => 1,


Don't forget to accept SOAP session requests in your apache.conf file, restricting them to the external portal:

<Directory /var/lib/lemonldap-ng/portal/index.pl/sessions>
    Order deny,allow
    Deny from all
    Allow from my.external.portal
</Directory>
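
A check to run from a host other than the external portal, to confirm that the access rule above is really applied to the SOAP session endpoint. This is an added example, not part of the Lemonldap::NG documentation: the function names are hypothetical, the path is the page's default ${soapAuthService}index.pl/sessions, and it assumes Apache answers a denied request with 403.

```shell
#!/bin/sh
# Added example (not Lemonldap::NG code): verify that the SOAP session
# endpoint of the internal portal refuses requests from this host.

# Build the session service URL from the soapAuthService value, following
# the page's default: ${soapAuthService}index.pl/sessions
sessions_url() {
    case "$1" in
        */) printf '%sindex.pl/sessions' "$1" ;;
        *)  printf '%s/index.pl/sessions' "$1" ;;   # tolerate a missing trailing slash
    esac
}

# Map an HTTP status code to a verdict for a host that should be denied.
acl_verdict() {
    case "$1" in
        403) echo restricted ;;    # "Deny from all" matched this client
        404) echo not-found ;;     # wrong URL: the rule was not exercised
        000) echo unreachable ;;   # no HTTP answer (network filter, DNS, TLS)
        *)   echo exposed ;;       # the request reached the portal handler
    esac
}

# Query the endpoint and print the verdict.
check_sessions_acl() {
    acl_url=$(sessions_url "$1")
    acl_code=$(curl -s -o /dev/null -w '%{http_code}' --max-time 10 "$acl_url") || acl_code=000
    acl_verdict "$acl_code"
}

# Stand-alone use: sh check.sh https://auth.internal.network/
if [ "$#" -gt 0 ]; then
    check_sessions_acl "$1"
fi
```

A verdict of "exposed" from any host other than my.external.portal means the restriction is not matching the request and the Apache configuration should be reviewed.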