Xavier Guimard committed
<!DOCTYPE html>
<html lang="en" dir="ltr">
<head>
  <meta charset="utf-8" />
  <title>documentation:2.0:ssoaas</title>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="noindex,nofollow"/>
<meta name="keywords" content="documentation,2.0,ssoaas"/>
<link rel="search" type="application/opensearchdescription+xml" href="lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="ssoaas.html"/>
<link rel="contents" href="ssoaas.html" title="Sitemap"/>
<link rel="stylesheet" type="text/css" href="lib/exe/css.php.t.bootstrap3.css"/>
<!-- //if:usedebianlibs
  <link rel="stylesheet" type="text/css" href="/javascript/bootstrap/css/bootstrap.min.css" />
//elsif:useexternallibs
  <link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css"></script>
//elsif:cssminified
  <link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.min.css" />
//else -->
  <link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.css" />
<!-- //endif -->
<script type="text/javascript">/*<![CDATA[*/var NS='documentation:2.0';var JSINFO = {"id":"documentation:2.0:ssoaas","namespace":"documentation:2.0"};
/*!]]>*/</script>
<script type="text/javascript" charset="utf-8" src="lib/exe/js.php.t.bootstrap3.js"></script>
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery/jquery.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/jquery-2.2.0.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.js"></script>
<!-- //endif -->
<!-- //if:usedebianlibs
  <script type="text/javascript" src="/javascript/jquery-ui/jquery-ui.min.js"></script>
//elsif:useexternallibs
  <script type="text/javascript" src="http://code.jquery.com/ui/1.10.4/jquery-ui.min.js"></script>
//elsif:jsminified
  <script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.min.js"></script>
//else -->
  <script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.js"></script>
<!-- //endif -->
</head>
<body>
<div class="dokuwiki export container">
<!-- TOC START -->
<div id="dw__toc">
<h3 class="toggle">Table of Contents</h3>
<div>

<ul class="toc">
<li class="level1"><div class="li"><a href="#our_concept_of_ssoaas">Our concept of SSOaaS</a></div></li>
<li class="level1"><div class="li"><a href="#using_front_reverse-proxies">Using front reverse-proxies</a></div></li>
<li class="level1"><div class="li"><a href="#using_a_global_fastcgi_or_uwsgi_server">Using a global FastCGI (or uWSGI) server</a></div></li>
</ul>
</div>
</div>
<!-- TOC END -->

<h1 class="sectionedit1" id="sso_as_a_service_ssoaas">SSO as a service (SSOaaS)</h1>
<div class="level1">

</div>
<!-- EDIT1 SECTION "SSO as a service (SSOaaS)" [1-41] -->
<h2 class="sectionedit2" id="our_concept_of_ssoaas">Our concept of SSOaaS</h2>
<div class="level2">

<p>
Access management provides 3 services:
</p>
<ul>
<li class="level1"><div class="li"> Global authentication: Single-Sign-On</div>
</li>
<li class="level1"><div class="li"> Authorization check: authentication isn&#039;t enough, user rights must be checked</div>
</li>
<li class="level1"><div class="li"> Accounting: <abbr title="Single Sign On">SSO</abbr> logs + application logs <em>(transactions and results)</em></div>
</li>
</ul>

<p>
LLNG provides all these services (except application logs of course, but the headers it provides let the application write them). Headers are another LLNG service: LLNG can provide any user attributes to the application <em>(see <a href="writingrulesand_headers.html" class="wikilink1" title="documentation:2.0:writingrulesand_headers">Rules and headers</a>)</em>
</p>

<p>
<code>*aaS</code> means that the application can drive the underlying layer (IaaS for infrastructure, PaaS for platform, …). So for us, <code>SSOaaS</code> must provide the ability for an app to manage its authorizations and to get user attributes. Authentication can&#039;t really be “*aaS”: the app must not drive it, only consume it.
</p>

<p>
LLNG provides some features that can be used to provide <abbr title="Single Sign On">SSO</abbr> as a service: a web application can drive its own rules and headers. Docker or VM images (Nginx only) include an LLNG Nginx configuration that points to a global <a href="platformsoverview.html#external_servers_for_nginx" class="wikilink1" title="documentation:2.0:platformsoverview">LLNG authorization server</a>. By default, all authenticated users are accepted and one header is set: <code>Auth-User</code>. If the application gives a <code>RULES_URL</code> parameter that points to a JSON file, the authorization server will read it, apply the given rules and set the requested headers <em>(see <a href="devopshandler.html" class="wikilink1" title="documentation:2.0:devopshandler">DevOps Handler</a>)</em>.
</p>

<p>
There are two architectures to do it:
</p>
<ul>
<li class="level1"><div class="li"> Using a global FastCGI (or uWSGI) server</div>
</li>
<li class="level1"><div class="li"> Using front reverse-proxies <em>(some cloud installations use reverse-proxies in front of the cloud)</em></div>
</li>
</ul>

<p>
In both cases, the Handler type must be set to <a href="devopshandler.html" class="wikilink1" title="documentation:2.0:devopshandler">DevOps</a>.
</p>

</div>
<!-- EDIT2 SECTION "Our concept of SSOaaS" [42-1689] -->
<h2 class="sectionedit3" id="using_front_reverse-proxies">Using front reverse-proxies</h2>
<div class="level2">

<p>
Here is a simple Nginx configuration file. It looks like a standard LLNG nginx configuration file except that:
</p>
<ul>
<li class="level1"><div class="li"> the <code>VHOSTTYPE</code> parameter forces the use of the DevOps handler</div>
</li>
<li class="level1"><div class="li"> <code>/rules.json</code> must not be protected by LLNG but by the web server itself</div>
</li>
</ul>

<p>
This configuration handles <code>*.dev.sso.my.domain</code> services and forwards authenticated requests to <code>&lt;vhost&gt;.internal.domain</code>. Rules can be defined in the file <code>/rules.json</code> at the root of the website.
</p>
<dl class="file">
<dt><a href="_export/code/documentation/2.0/ssoaas/codeblock.0.code" title="Download Snippet" class="mediafile mf_conf">test-nginx.conf</a></dt>
<dd><pre class="code file nginx">server {
  server_name &quot;~^(?&lt;vhost&gt;.+?)\.dev\.sso\.my\.domain$&quot;;
  location = /lmauth {
    internal;
    include /etc/nginx/fastcgi_params;
    fastcgi_pass unix:/home/xavier/dev/lemonldap/e2e-tests/conf/llng-fastcgi.sock;
    # Force handler type:
    fastcgi_param VHOSTTYPE DevOps;
    # Drop POST data
    fastcgi_pass_request_body  off;
    fastcgi_param CONTENT_LENGTH &quot;&quot;;
    # Keep original hostname
    fastcgi_param HOST $http_host;
    # Keep original request (LLNG server will receive /lmauth)
    fastcgi_param X_ORIGINAL_URI  $request_uri;
  }
  location /rules.json {
    auth_request off;
    allow 127.0.0.0/8;
    deny all;
  }
  location / {
    auth_request /lmauth;
    auth_request_set $lmremote_user $upstream_http_lm_remote_user;
    auth_request_set $lmlocation $upstream_http_location;
    error_page 401 $lmlocation;
    include /etc/lemonldap-ng/nginx-lua-headers.conf;
    proxy_pass https://$vhost.internal.domain;
  }
}</pre>
</dd></dl>

</div>
<!-- EDIT3 SECTION "Using front reverse-proxies" [1690-3166] -->
<h2 class="sectionedit4" id="using_a_global_fastcgi_or_uwsgi_server">Using a global FastCGI (or uWSGI) server</h2>
<div class="level2">

<p>
In this example, the web server templates (Nginx only) are configured to ask a central FastCGI server for authorization.
</p>
<dl class="file">
<dt><a href="_export/code/documentation/2.0/ssoaas/codeblock.1.code" title="Download Snippet" class="mediafile mf_conf">test-nginx.conf</a></dt>
<dd><pre class="code file nginx">server {
  server_name myapp.domain.com;
  location = /lmauth {
    internal;
    include /etc/nginx/fastcgi_params;
    # Central FastCGI server:
    fastcgi_pass 10.1.2.3:9090;
    fastcgi_param VHOSTTYPE DevOps;
    # Drop POST data
    fastcgi_pass_request_body  off;
    fastcgi_param CONTENT_LENGTH &quot;&quot;;
    # Keep original hostname
    fastcgi_param HOST $http_host;
    # Keep original request (LLNG server will receive /lmauth)
    fastcgi_param X_ORIGINAL_URI  $request_uri;

    # Set rules dynamically (LLNG will poll it every 10 mn)
    fastcgi_param RULES_URL http://rulesserver/my.json;
  }
  location /rules.json {
    auth_request off;
    allow 10.1.2.3;
    deny all;
  }
  location ~ ^(.*\.php)$ {
    auth_request /lmauth;
    auth_request_set $lmremote_user $upstream_http_lm_remote_user;
    auth_request_set $lmlocation $upstream_http_location;
    error_page 401 $lmlocation;
    include /etc/lemonldap-ng/nginx-lua-headers.conf;
    ...
    # Example with php-fpm:
    include snippets/fastcgi-php.conf;
    fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
  }
  location / {
    try_files $uri $uri/ =404;
  }
}</pre>
</dd></dl>
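<p>
The following Python script is an added example, not part of the LLNG documentation or its code. It is a small lint that parses an nginx server block and checks, for either of the two configurations above, the SSOaaS requirements stated in this page: <code>/lmauth</code> is <code>internal</code> and forces <code>VHOSTTYPE DevOps</code>, and <code>/rules.json</code> is excluded from <code>auth_request</code> and restricted by nginx itself with <code>deny all</code>. The embedded sample configuration is constructed from the front reverse-proxy example; the parser handles only the directive/block subset used on this page.
</p>

```python
import re

# Constructed sample: the page's front reverse-proxy config reduced to the checked locations.
SAMPLE_CONF = '''server {
  location = /lmauth { internal; fastcgi_param VHOSTTYPE DevOps; }
  location /rules.json { auth_request off; allow 127.0.0.0/8; deny all; }
}'''

# Tokens of nginx syntax: comment, quoted string, structural character, or bare word.
_TOKEN = re.compile(r'#[^\n]*|"[^"]*"|\'[^\']*\'|[{};]|[^\s{};"\']+')

def locations(text):
    """Map each location block (keyed by its last argument) to the directives it contains."""
    found, stack, args = {}, [], []
    for tok in _TOKEN.findall(text):
        if tok.startswith('#'):
            continue                       # comments carry no directives
        if tok == ';':
            if stack:
                stack[-1][1].append(args)  # directive complete: store it in the open block
            args = []
        elif tok == '{':
            stack.append((args, []))       # block opens: remember its header and an empty body
            args = []
        elif tok == '}':
            head, body = stack.pop()
            if head and head[0] == 'location':
                found[head[-1]] = body     # 'location = /lmauth' and 'location /x' both key on the path
        else:
            args.append(tok.strip('"\''))
    return found

# (location, directive that must be present, why this page requires it)
REQUIRED = [
    ('/lmauth', ['internal'], 'must be internal so clients cannot call the auth sub-request themselves'),
    ('/lmauth', ['fastcgi_param', 'VHOSTTYPE', 'DevOps'], 'must force the DevOps handler'),
    ('/rules.json', ['auth_request', 'off'], 'must not be protected by LLNG, which has to fetch it'),
    ('/rules.json', ['deny', 'all'], 'must be restricted by the web server itself'),
]

def lint(text):
    """Return the requirements the config violates; an empty list means it passes."""
    locs = locations(text)
    return [f'{loc} {why}' for loc, directive, why in REQUIRED
            if directive not in locs.get(loc, [])]

if __name__ == '__main__':
    print(lint(SAMPLE_CONF) or 'OK')
```

Run it against a real vhost file (after stripping the LLNG-only `include` lines if they are absent locally) to confirm the rules file is never reachable through the SSO-protected path.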

</div>
<!-- EDIT4 SECTION "Using a global FastCGI (or uWSGI) server" [3167-] --></div>
</body>
</html>