213 lines
9.0 KiB
HTML
213 lines
9.0 KiB
HTML
<!DOCTYPE html>
|
|
<html lang="en" dir="ltr">
|
|
<head>
|
|
<meta charset="utf-8" />
|
|
<title>documentation:2.0:ssoaas</title>
|
|
<meta name="generator" content="DokuWiki"/>
|
|
<meta name="robots" content="noindex,nofollow"/>
|
|
<meta name="keywords" content="documentation,2.0,ssoaas"/>
|
|
<link rel="search" type="application/opensearchdescription+xml" href="lib/exe/opensearch.html" title="LemonLDAP::NG"/>
|
|
<link rel="start" href="ssoaas.html"/>
|
|
<link rel="contents" href="ssoaas.html" title="Sitemap"/>
|
|
<link rel="stylesheet" type="text/css" href="lib/exe/css.php.t.bootstrap3.css"/>
|
|
<!-- //if:usedebianlibs
|
|
<link rel="stylesheet" type="text/css" href="/javascript/bootstrap/css/bootstrap.min.css" />
|
|
//elsif:useexternallibs
|
|
<link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css"></script>
|
|
//elsif:cssminified
|
|
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.min.css" />
|
|
//else -->
|
|
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.css" />
|
|
<!-- //endif -->
|
|
<script type="text/javascript">/*<![CDATA[*/var NS='documentation:2.0';var JSINFO = {"id":"documentation:2.0:ssoaas","namespace":"documentation:2.0"};
|
|
/*!]]>*/</script>
|
|
<script type="text/javascript" charset="utf-8" src="lib/exe/js.php.t.bootstrap3.js"></script>
|
|
<!-- //if:usedebianlibs
|
|
<script type="text/javascript" src="/javascript/jquery/jquery.min.js"></script>
|
|
//elsif:useexternallibs
|
|
<script type="text/javascript" src="http://code.jquery.com/jquery-2.2.0.min.js"></script>
|
|
//elsif:jsminified
|
|
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.min.js"></script>
|
|
//else -->
|
|
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.js"></script>
|
|
<!-- //endif -->
|
|
<!-- //if:usedebianlibs
|
|
<script type="text/javascript" src="/javascript/jquery-ui/jquery-ui.min.js"></script>
|
|
//elsif:useexternallibs
|
|
<script type="text/javascript" src="http://code.jquery.com/ui/1.10.4/jquery-ui.min.js"></script>
|
|
//elsif:jsminified
|
|
<script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.min.js"></script>
|
|
//else -->
|
|
<script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.js"></script>
|
|
<!-- //endif -->
|
|
</head>
|
|
<body>
|
|
<div class="dokuwiki export container">
|
|
<!-- TOC START -->
|
|
<div id="dw__toc">
|
|
<h3 class="toggle">Table of Contents</h3>
|
|
<div>
|
|
|
|
<ul class="toc">
|
|
<li class="level1"><div class="li"><a href="#our_concept_of_ssoaas">Our concept of SSOaaS</a></div></li>
|
|
<li class="level1"><div class="li"><a href="#using_front_reverse-proxies">Using front reverse-proxies</a></div></li>
|
|
<li class="level1"><div class="li"><a href="#using_a_global_fastcgi_or_uwsgi_server">Using a global FastCGI (or uWSGI) server</a></div></li>
|
|
</ul>
|
|
</div>
|
|
</div>
|
|
<!-- TOC END -->
|
|
|
|
<h1 class="sectionedit1" id="sso_as_a_service_ssoaas">SSO as a service (SSOaaS)</h1>
|
|
<div class="level1">
|
|
|
|
</div>
|
|
<!-- EDIT1 SECTION "SSO as a service (SSOaaS)" [1-41] -->
|
|
<h2 class="sectionedit2" id="our_concept_of_ssoaas">Our concept of SSOaaS</h2>
|
|
<div class="level2">
|
|
|
|
<p>
|
|
Access management provides 3 services:
|
|
</p>
|
|
<ul>
|
|
<li class="level1"><div class="li"> Global authentication: Single-Sign-On</div>
|
|
</li>
|
|
<li class="level1"><div class="li"> Authorization check: authentication isn't enough, user rights mus be checked</div>
|
|
</li>
|
|
<li class="level1"><div class="li"> Accounting: <abbr title="Single Sign On">SSO</abbr> logs + application logs <em>(transactions and results)</em></div>
|
|
</li>
|
|
</ul>
|
|
|
|
<p>
|
|
LLNG provides all these services (except application logs of course, but headers are provided to permit this). Headers is another LLNG service: LLNG can provide any user attributes to the application <em>(see <a href="writingrulesand_headers.html" class="wikilink1" title="documentation:2.0:writingrulesand_headers">Rules and headers</a>)</em>
|
|
</p>
|
|
|
|
<p>
|
|
<code>*aaS</code> means that application can drive undelying layer (IaaS for infrastructure, PaaS for platform,…). So for us, <code>SSOaaS</code> must provide the ability for an app to manage authorizations and to get user attributes. Authentication can't be really “*aaS”: app must not drive it, only consumes it.
|
|
</p>
|
|
|
|
<p>
|
|
LLNG provides some features that can be used to provide <abbr title="Single Sign On">SSO</abbr> as a service: a web application can drive its rules and headers. Docker or VM images (Nginx only) includes LLNG Nginx configuration that points to a global <a href="platformsoverview.html#external_servers_for_nginx" class="wikilink1" title="documentation:2.0:platformsoverview">LLNG authorization server</a>. By default, all authenticated users can access and one header is set: <code>Auth-User</code>. If application gives a RULES_<abbr title="Uniform Resource Locator">URL</abbr> parameter that points to a JSON file, authorization server will read it and apply given rules and set asked headers <em>(see <a href="devopshandler.html" class="wikilink1" title="documentation:2.0:devopshandler">DevOps Handler</a>)</em>.
|
|
</p>
|
|
|
|
<p>
|
|
Two architectures to do it:
|
|
</p>
|
|
<ul>
|
|
<li class="level1"><div class="li"> Using a global FastCGI (or uWSGI) server</div>
|
|
</li>
|
|
<li class="level1"><div class="li"> Using front reverse-proxies <em>(some cloud installation use reverse-proxies in front of the cloud)</em></div>
|
|
</li>
|
|
</ul>
|
|
|
|
<p>
|
|
In both case, Handler type must be set to <a href="devopshandler.html" class="wikilink1" title="documentation:2.0:devopshandler">DevOps</a>.
|
|
</p>
|
|
|
|
</div>
|
|
<!-- EDIT2 SECTION "Our concept of SSOaaS" [42-1689] -->
|
|
<h2 class="sectionedit3" id="using_front_reverse-proxies">Using front reverse-proxies</h2>
|
|
<div class="level2">
|
|
|
|
<p>
|
|
Here is a simple Nginx configuration file. It looks like a standard LLNG nginx configuration file except that:
|
|
</p>
|
|
<ul>
|
|
<li class="level1"><div class="li"> VHOSTTYPE parameter force to use DevOps handler</div>
|
|
</li>
|
|
<li class="level1"><div class="li"> /rules.json nust not be protected by LLNG but by the web server itself</div>
|
|
</li>
|
|
</ul>
|
|
|
|
<p>
|
|
This configuration handles <code>*.dev.sso.my.domain</code> services and forward authenticated requests to <code><vhost>.internal.domain</code>. Rules can be defined in the root of the website in the file <code>/rules.json</code>.
|
|
</p>
|
|
<dl class="file">
|
|
<dt><a href="_export/code/documentation/2.0/ssoaas/codeblock.0.code" title="Download Snippet" class="mediafile mf_conf">test-nginx.conf</a></dt>
|
|
<dd><pre class="code file nginx">server {
|
|
server_name "~^(?<vhost>.+?)\.dev\.sso\.my\.domain$";
|
|
location = /lmauth {
|
|
internal;
|
|
include /etc/nginx/fastcgi_params;
|
|
fastcgi_pass unix:/home/xavier/dev/lemonldap/e2e-tests/conf/llng-fastcgi.sock;
|
|
# Force handler type:
|
|
fastcgi_param VHOSTTYPE DevOps;
|
|
# Drop post datas
|
|
fastcgi_pass_request_body off;
|
|
fastcgi_param CONTENT_LENGTH "";
|
|
# Keep original hostname
|
|
fastcgi_param HOST $http_host;
|
|
# Keep original request (LLNG server will received /lmauth)
|
|
fastcgi_param X_ORIGINAL_URI $request_uri;
|
|
}
|
|
location /rules.json {
|
|
auth_request off;
|
|
allow 127.0.0.0/8;
|
|
deny all;
|
|
}
|
|
location / {
|
|
auth_request /lmauth;
|
|
auth_request_set $lmremote_user $upstream_http_lm_remote_user;
|
|
auth_request_set $lmlocation $upstream_http_location;
|
|
error_page 401 $lmlocation;
|
|
include /etc/lemonldap-ng/nginx-lua-headers.conf;
|
|
proxy_pass https://$vhost.internal.domain;
|
|
}
|
|
}</pre>
|
|
</dd></dl>
|
|
|
|
</div>
|
|
<!-- EDIT3 SECTION "Using front reverse-proxies" [1690-3166] -->
|
|
<h2 class="sectionedit4" id="using_a_global_fastcgi_or_uwsgi_server">Using a global FastCGI (or uWSGI) server</h2>
|
|
<div class="level2">
|
|
|
|
<p>
|
|
In this example, web server templates (Nginx only) are configured to ask authorization to a central FastCGI server
|
|
</p>
|
|
<dl class="file">
|
|
<dt><a href="_export/code/documentation/2.0/ssoaas/codeblock.1.code" title="Download Snippet" class="mediafile mf_conf">test-nginx.conf</a></dt>
|
|
<dd><pre class="code file nginx">server {
|
|
server_name myapp.domain.com;
|
|
location = /lmauth {
|
|
internal;
|
|
include /etc/nginx/fastcgi_params;
|
|
# Central FastCGI server:
|
|
fastcgi_pass 10.1.2.3:9090;
|
|
fastcgi_param VHOSTTYPE DevOps;
|
|
# Drop post datas
|
|
fastcgi_pass_request_body off;
|
|
fastcgi_param CONTENT_LENGTH "";
|
|
# Keep original hostname
|
|
fastcgi_param HOST $http_host;
|
|
# Keep original request (LLNG server will received /llauth)
|
|
fastcgi_param X_ORIGINAL_URI $request_uri;
|
|
|
|
# Set dynamically rules (LLNG will poll it every 10 mn)
|
|
fastcgi_param RULES_URL http://rulesserver/my.json
|
|
}
|
|
location /rules.json {
|
|
auth_request off;
|
|
allow 10.1.2.3;
|
|
deny all;
|
|
}
|
|
location ~ ^(.*\.php)$ {
|
|
auth_request /lmauth;
|
|
auth_request_set $lmremote_user $upstream_http_lm_remote_user;
|
|
auth_request_set $lmlocation $upstream_http_location;
|
|
error_page 401 $lmlocation;
|
|
include /etc/lemonldap-ng/nginx-lua-headers.conf;
|
|
...
|
|
# Example with php-fpm:
|
|
include snippets/fastcgi-php.conf;
|
|
fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
|
|
}
|
|
location / {
|
|
try_files $uri $uri/ =404;
|
|
}
|
|
}</pre>
|
|
</dd></dl>
|
|
|
|
</div>
|
|
<!-- EDIT4 SECTION "Using a global FastCGI (or uWSGI) server" [3167-] --></div>
|
|
</body>
|
|
</html>
|