From 773314f0cd7e9d4aecda8e34379d5e8cbc3cd64f Mon Sep 17 00:00:00 2001 From: Samuel MARTIN MORO Date: Tue, 15 Sep 2020 12:17:44 +0200 Subject: [PATCH] wip(sso): merge in bigbluebutton/greenlight#1194 & bigbluebutton/greenlight#1334 --- Gemfile | 4 +- Gemfile.lock | 56 ++++++-- app/assets/stylesheets/main.scss | 78 +++++++++++ app/helpers/application_helper.rb | 12 +- config/initializers/omniauth.rb | 222 ++++++++++++++++++++++++++++-- config/locales/en.yml | 7 + lib/omniauth_options.rb | 16 ++- sample.env | 97 ++++++++++++- 8 files changed, 463 insertions(+), 29 deletions(-) diff --git a/Gemfile b/Gemfile index 57d811e7ef..573c4def81 100644 --- a/Gemfile +++ b/Gemfile @@ -48,12 +48,12 @@ gem 'sprockets', '< 4.0.0' # Authentication. gem 'omniauth' +gem 'omniauth-saml' gem 'omniauth-twitter' -gem 'omniauth-google-oauth2' +gem 'omniauth_openid_connect' gem 'omniauth-bn-launcher', '~> 0.1.3' gem 'net-ldap' gem 'bn-ldap-authentication', '~> 0.1.4' -gem 'omniauth-bn-office365', '~> 0.1.1' # BigBlueButton API wrapper. gem 'bigbluebutton-api-ruby', git: 'https://github.com/mconf/bigbluebutton-api-ruby.git', branch: 'master' diff --git a/Gemfile.lock b/Gemfile.lock index 2395d097fa..55f451f87f 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -68,8 +68,10 @@ GEM tzinfo (~> 1.1) addressable (2.7.0) public_suffix (>= 2.0.2, < 5.0) + aes_key_wrap (1.0.1) arel (9.0.0) ast (2.4.0) + attr_required (1.0.1) autoprefixer-rails (9.7.6) execjs aws-eventstream (1.1.0) @@ -89,6 +91,7 @@ GEM aws-sigv4 (1.2.1) aws-eventstream (~> 1, >= 1.0.2) bcrypt (3.1.13) + bindata (2.4.7) bindex (0.8.1) bn-ldap-authentication (0.1.4) net-ldap (~> 0) @@ -191,6 +194,10 @@ GEM jquery-ui-rails (6.0.1) railties (>= 3.2.16) json (2.3.0) + json-jwt (1.11.0) + activesupport (>= 4.2) + aes_key_wrap + bindata jwt (2.2.1) listen (3.0.8) rb-fsevent (~> 0.9, >= 0.9.4) 
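Review bot: `gem 'omniauth-saml'` and `gem 'omniauth_openid_connect'` are added to the Gemfile with no version constraint, while the neighbouring authentication gems (`omniauth-bn-launcher`, `bn-ldap-authentication`) are pinned with `~>`. Both new gems sit directly on the login path (SAML assertion and ID-token validation), so an unconstrained `bundle update` can silently pull a major release with different validation defaults; pin them to what the lock resolved, e.g. `gem 'omniauth-saml', '~> 1.10'` and `gem 'omniauth_openid_connect', '~> 0.3'`. The Gemfile.lock hunks on this and the following lines are generated and need no review.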
@@ -234,22 +241,32 @@ GEM omniauth-bn-launcher (0.1.3) omniauth (~> 1.3, >= 1.3.2) omniauth-oauth2 (= 1.5.0) - omniauth-bn-office365 (0.1.1) - omniauth (>= 1.3.2) - omniauth-oauth2 (>= 1.5.0) - omniauth-google-oauth2 (0.7.0) - jwt (>= 2.0) - omniauth (>= 1.1.1) - omniauth-oauth2 (>= 1.5) omniauth-oauth (1.1.0) oauth omniauth (~> 1.0) omniauth-oauth2 (1.5.0) oauth2 (~> 1.1) omniauth (~> 1.2) + omniauth-saml (1.10.1) + omniauth (~> 1.3, >= 1.3.2) + ruby-saml (~> 1.7) omniauth-twitter (1.4.0) omniauth-oauth (~> 1.1) rack + omniauth_openid_connect (0.3.3) + addressable (~> 2.5) + omniauth (~> 1.9) + openid_connect (~> 1.1) + openid_connect (1.1.8) + activemodel + attr_required (>= 1.0.0) + json-jwt (>= 1.5.0) + rack-oauth2 (>= 1.6.1) + swd (>= 1.0.0) + tzinfo + validate_email + validate_url + webfinger (>= 1.0.1) os (1.1.0) pagy (3.8.1) parallel (1.19.1) @@ -260,6 +277,12 @@ GEM public_suffix (4.0.5) puma (3.12.6) rack (2.2.3) + rack-oauth2 (1.11.0) + activesupport + attr_required + httpclient + json-jwt (>= 1.11.0) + rack (>= 2.1.0) rack-test (1.1.0) rack (>= 1.0, < 3) rails (5.2.4.3) @@ -338,6 +361,8 @@ GEM rubocop-ast (0.0.3) parser (>= 2.7.0.1) ruby-progressbar (1.10.1) + ruby-saml (1.11.0) + nokogiri (>= 1.5.10) rubyzip (2.3.0) safe_yaml (1.0.5) sassc (2.3.0) @@ -373,6 +398,10 @@ GEM activesupport (>= 4.0) sprockets (>= 3.0.0) sqlite3 (1.3.13) + swd (1.1.2) + activesupport (>= 3) + attr_required (>= 0.0.5) + httpclient (>= 2.4) sync (0.5.0) syslog_protocol (0.9.2) term-ansicolor (1.7.1) @@ -393,11 +422,20 @@ GEM uglifier (4.2.0) execjs (>= 0.3.0, < 3) unicode-display_width (1.7.0) + validate_email (0.1.6) + activemodel (>= 3.0) + mail (>= 2.2.5) + validate_url (1.0.8) + activemodel (>= 3.0.0) + public_suffix web-console (3.7.0) actionview (>= 5.0) activemodel (>= 5.0) bindex (>= 0.4.0) railties (>= 5.0) + webfinger (1.1.0) + activesupport + httpclient (>= 2.4) webmock (3.8.3) addressable (>= 2.3.6) crack (>= 0.3.2) 
@@ -438,9 +476,9 @@ DEPENDENCIES net-ldap omniauth omniauth-bn-launcher (~> 0.1.3) - omniauth-bn-office365 (~> 0.1.1) - omniauth-google-oauth2 + omniauth-saml omniauth-twitter + omniauth_openid_connect pagy pg (~> 0.18) puma (~> 3.12) diff --git a/app/assets/stylesheets/main.scss b/app/assets/stylesheets/main.scss index 15cce7003e..f22aafb38a 100755 --- a/app/assets/stylesheets/main.scss +++ b/app/assets/stylesheets/main.scss 
@@ -133,6 +133,84 @@ } } +.customBtn-facebook { + @extend .customBtn; + background: #4267b2; + + .customBtn-image { + background: #ffffff image-url("facebook-logo.png") no-repeat left top; + background-size: 18px 18px; + padding:10px 10px 10px 10px; + } +} + +.customBtn-linkedin { + @extend .customBtn; + background: #4377b1; + + .customBtn-image { + background: #ffffff image-url("linkedin-logo.png") no-repeat left top; + background-size: 18px 18px; + padding:10px 10px 10px 10px; + } +} + +.customBtn-github { + @extend .customBtn; + background: #000000; + + .customBtn-image { + background: #ffffff image-url("github-logo.png") no-repeat left top; + background-size: 18px 18px; + padding:10px 10px 10px 10px; + } +} + +.customBtn-instagram { + @extend .customBtn; + background: linear-gradient(90deg, #c6002d, #6a0975); + + .customBtn-image { + background: #ffffff image-url("instagram-logo.png") no-repeat left top; + background-size: 18px 18px; + padding:10px 10px 10px 10px; + } +} + +.customBtn-apple { + @extend .customBtn; + background: #000000; + + .customBtn-image { + background: #ffffff image-url("apple-logo.png") no-repeat left top; + transform: scale(2.2); + background-size: 18px 18px; + padding:10px 10px 10px 10px; + } +} + +.customBtn-openid_connect { + @extend .customBtn; + background: #f7931e; + + .customBtn-image { + background: #ffffff image-url("openid-logo.png") no-repeat left top; + background-size: 18px 18px; + padding:10px 10px 10px 10px; + } +} + +.customBtn-saml { + @extend .customBtn; + background: $button-color-blue; + + .customBtn-image { + background: #ffffff image-url("saml-logo.png") no-repeat left top; + background-size: 18px 18px; + padding:10px 10px 10px 10px; + } +} + .customBtn-microsoft_windows { @extend .customBtn; background: #00a1f1; diff --git a/app/helpers/application_helper.rb b/app/helpers/application_helper.rb index dff6e29bb6..eee6f8ec4c 100644 --- a/app/helpers/application_helper.rb +++ b/app/helpers/application_helper.rb 
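Review bot: Each of the seven new `.customBtn-*` rules repeats the same `.customBtn-image` body (white background, 18px logo, `padding:10px 10px 10px 10px`) and differs only in the brand colour and logo file; a mixin such as `@mixin provider-btn($color, $logo)` would collapse each rule to one include and keep them from drifting apart. `padding:10px 10px 10px 10px` is simply `padding: 10px`, and the existing rules in this file (e.g. `background: #00a1f1;`) put a space after the colon. The `transform: scale(2.2)` on the apple image is the only per-provider exception and deserves a one-line comment on why that logo is enlarged.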
@@ -22,7 +22,17 @@ module ApplicationHelper # Determines which providers can show a login button in the login modal. def iconset_providers - providers = configured_providers & [:google, :twitter, :office365, :ldap] + providers = configured_providers & [:google, + :twitter, + :office365, + :saml, + :apple, + :facebook, + :github, + :instagram, + :linkedin, + :openid_connect, + :ldap] providers.delete(:twitter) if session[:old_twitter_user_id] diff --git a/config/initializers/omniauth.rb b/config/initializers/omniauth.rb index 9f0598e540..bb78ba23d4 100644 --- a/config/initializers/omniauth.rb +++ b/config/initializers/omniauth.rb @@ -1,6 +1,7 @@ # frozen_string_literal: true -require 'office365' +require 'jwt' +require 'uri' require 'omniauth_options' include OmniauthOptions 
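Review bot: The provider allow-list in `iconset_providers` is now eleven symbols laid out one per line behind a hanging bracket; `%i[google twitter office365 saml apple facebook github instagram linkedin openid_connect ldap]` is the idiom for a symbol list and reads the same. Better still, hoist it to a frozen constant such as `ICONSET_PROVIDERS = %i[...].freeze` so the array is not rebuilt on every call and the intersection stays a one-liner: `providers = configured_providers & ICONSET_PROVIDERS`. The rest of `iconset_providers` lies outside the hunk.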
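Review bot: `require 'jwt'` makes this initializer depend directly on the jwt gem, but the Gemfile hunk above does not declare it; the lock still lists `jwt (2.2.1)` only as a transitive dependency of another gem (presumably `oauth2`), so it resolves by accident today and a later dependency update could drop it. Add `gem 'jwt'` to the Gemfile's authentication section next to the other omniauth gems. `require 'uri'` is harmless but most likely redundant, since the standard library's `uri` is already loaded by the time Rails initializers run.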
@@ -16,8 +17,27 @@ Rails.application.config.omniauth_google = ENV['GOOGLE_OAUTH2_ID'].present? && ENV['GOOGLE_OAUTH2_SECRET'].present? Rails.application.config.omniauth_office365 = ENV['OFFICE365_KEY'].present? && ENV['OFFICE365_SECRET'].present? +Rails.application.config.omniauth_apple = ENV['APPLE_CLIENT_ID'].present? && + ENV['APPLE_TEAM_ID'].present? && + ENV['APPLE_KEY_ID'].present? && + ENV['APPLE_PRIVATE_KEY'].present? +Rails.application.config.omniauth_facebook = ENV['FACEBOOK_CLIENT_ID'].present? && + ENV['FACEBOOK_CLIENT_SECRET'].present? +Rails.application.config.omniauth_github = ENV['GITHUB_CLIENT_ID'].present? && + ENV['GITHUB_CLIENT_SECRET'].present? +Rails.application.config.omniauth_instagram = ENV['INSTAGRAM_CLIENT_ID'].present? && + ENV['INSTAGRAM_CLIENT_SECRET'].present? +Rails.application.config.omniauth_linkedin = ENV['LINKEDIN_CLIENT_ID'].present? && + ENV['LINKEDIN_CLIENT_SECRET'].present? +Rails.application.config.omniauth_openid_connect = ENV['OPENID_CONNECT_CLIENT_ID'].present? && + ENV['OPENID_CONNECT_CLIENT_SECRET'].present? && + ENV['OPENID_CONNECT_ISSUER'].present? +Rails.application.config.omniauth_saml = ENV['SAML_ISSUER'].present? && ENV['SAML_IDP_URL'].present? && + ENV['SAML_IDP_CERT_FINGERPRINT'].present? SETUP_PROC = lambda do |env| + env['omniauth.strategy'].options[:client_options][:redirect_uri] ||= + (env['omniauth.strategy'].full_host + env['omniauth.strategy'].script_name + env['omniauth.strategy'].callback_path) OmniauthOptions.omniauth_options env end 
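Review bot: The new `||=` line in `SETUP_PROC` derives the callback URL from `env['omniauth.strategy'].full_host` whenever no `redirect_uri` was configured, and OmniAuth builds `full_host` from the incoming request unless `OmniAuth.config.full_host` is set; behind a proxy or load balancer that is whatever Host header is forwarded, so the `redirect_uri` sent to the IdP can vary per request and mismatch the registered one. Either set `OmniAuth.config.full_host` from a trusted setting or document that `OAUTH2_REDIRECT` is required in production. The same line assumes `options[:client_options]` is present; if `SETUP_PROC` is ever attached to a strategy without one (which strategies use it beyond those in this patch is outside the hunk), `nil[:redirect_uri]` raises, so guard it: `if (client_opts = env['omniauth.strategy'].options[:client_options])`. The line is also well over 120 characters; binding the strategy to a local first (`strategy = env['omniauth.strategy']`) fixes that.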
@@ -38,26 +58,204 @@ provider :twitter, ENV['TWITTER_ID'], ENV['TWITTER_SECRET'] end + if Rails.configuration.omniauth_saml + Rails.application.config.providers << :saml + + provider :saml, + issuer: ENV['SAML_ISSUER'], + idp_sso_target_url: ENV['SAML_IDP_URL'], + idp_cert_fingerprint: ENV['SAML_IDP_CERT_FINGERPRINT'], + name_identifier_format: ENV['SAML_NAME_IDENTIFIER'], + attribute_statements: { + nickname: [ENV['SAML_USERNAME_ATTRIBUTE'] || 'urn:mace:dir:attribute-def:eduPersonPrincipalName'], + email: [ENV['SAML_EMAIL_ATTRIBUTE'] || 'urn:mace:dir:attribute-def:mail'], + name: [ENV['SAML_COMMONNAME_ATTRIBUTE'] || 'urn:mace:dir:attribute-def:cn'] + }, + uid_attribute: ENV['SAML_UID_ATTRIBUTE'] + end if Rails.configuration.omniauth_google Rails.application.config.providers << :google - redirect = ENV['OAUTH2_REDIRECT'].present? ? File.join(ENV['OAUTH2_REDIRECT'], "auth", "google", "callback") : nil + redirect = ENV['OAUTH2_REDIRECT'].present? ? File.join(ENV['OAUTH2_REDIRECT'], 'auth', 'google', 'callback') : nil - provider :google_oauth2, ENV['GOOGLE_OAUTH2_ID'], ENV['GOOGLE_OAUTH2_SECRET'], - scope: %w(profile email), - access_type: 'online', - name: 'google', - redirect_uri: redirect, - setup: SETUP_PROC + provider :openid_connect, + name: :google, + issuer: 'https://accounts.google.com', + discovery: true, + scope: [:openid, :email, :profile], + response_type: :code, + client_options: { + identifier: ENV['GOOGLE_OAUTH2_ID'], + secret: ENV['GOOGLE_OAUTH2_SECRET'], + redirect_uri: redirect + }, + setup: SETUP_PROC end if Rails.configuration.omniauth_office365 Rails.application.config.providers << :office365 - redirect = ENV['OAUTH2_REDIRECT'].present? ? File.join(ENV['OAUTH2_REDIRECT'], "auth", "office365", "callback") : nil + redirect = ENV['OAUTH2_REDIRECT'].present? ? 
File.join(ENV['OAUTH2_REDIRECT'], 'auth', 'office365', 'callback') : nil - provider :office365, ENV['OFFICE365_KEY'], ENV['OFFICE365_SECRET'], - redirect_uri: redirect, - setup: SETUP_PROC + provider :openid_connect, + name: :office365, + issuer: 'https://login.microsoftonline.com/common/oauth2/v2.0/authorize', + scope: [:openid, :email, :profile], + response_type: :code, + client_options: { + host: 'login.microsoftonline.com', + authorization_endpoint: '/common/oauth2/v2.0/authorize', + token_endpoint: '/common/oauth2/v2.0/token', + identifier: ENV['OFFICE365_KEY'], + secret: ENV['OFFICE365_SECRET'], + redirect_uri: redirect + }, + setup: SETUP_PROC + end + if Rails.configuration.omniauth_apple + Rails.application.config.providers << :apple + + redirect = ENV['OAUTH2_REDIRECT'].present? ? File.join(ENV['OAUTH2_REDIRECT'], 'auth', 'apple', 'callback') : nil + + ecdsa_key = OpenSSL::PKey::EC.new ENV['APPLE_PRIVATE_KEY'] + + headers = { + 'kid' => ENV['APPLE_KEY_ID'] + } + + claims = { + 'iss' => ENV['APPLE_TEAM_ID'], + 'iat' => Time.now.to_i, + 'exp' => Time.now.to_i + 300, # expires in 5 minutes + 'aud' => 'https://appleid.apple.com', + 'sub' => ENV['APPLE_CLIENT_ID'], + } + + token = JWT.encode claims, ecdsa_key, 'ES256', headers + + provider :openid_connect, + name: :apple, + issuer: 'https://appleid.apple.com/auth/authorize', + scope: [:openid, :email, :profile], + response_type: :code, + client_options: { + host: 'appleid.apple.com', + authorization_endpoint: '/auth/authorize', + token_endpoint: '/auth/token', + identifier: ENV['APPLE_CLIENT_ID'], + secret: token, + redirect_uri: redirect + }, + setup: SETUP_PROC + end + if Rails.configuration.omniauth_facebook + Rails.application.config.providers << :facebook + + redirect = ENV['OAUTH2_REDIRECT'].present? ? 
File.join(ENV['OAUTH2_REDIRECT'], 'auth', 'facebook', 'callback') : nil + + provider :openid_connect, + name: :facebook, + issuer: 'https://www.facebook.com/v6.0/dialog/oauth', + discovery: true, + scope: [:openid, :email, :profile], + response_type: :code, + client_options: { + identifier: ENV['FACEBOOK_CLIENT_ID'], + secret: ENV['FACEBOOK_CLIENT_SECRET'], + redirect_uri: redirect + }, + setup: SETUP_PROC + end + if Rails.configuration.omniauth_github + Rails.application.config.providers << :github + + redirect = ENV['OAUTH2_REDIRECT'].present? ? File.join(ENV['OAUTH2_REDIRECT'], 'auth', 'github', 'callback') : nil + + provider :openid_connect, + name: :github, + issuer: 'https://github.com/login/oauth/authorize', + scope: [:openid, :email, :profile], + response_type: :code, + client_options: { + host: 'github.com', + authorization_endpoint: '/login/oauth/authorize', + token_endpoint: '/login/oauth/access_token', + identifier: ENV['GITHUB_CLIENT_ID'], + secret: ENV['GITHUB_CLIENT_SECRET'], + redirect_uri: redirect + }, + setup: SETUP_PROC + end + if Rails.configuration.omniauth_instagram + Rails.application.config.providers << :instagram + + redirect = ENV['OAUTH2_REDIRECT'].present? ? File.join(ENV['OAUTH2_REDIRECT'], 'auth', 'instagram', 'callback') : nil + + provider :openid_connect, + name: :instagram, + issuer: 'https://api.instagram.com/oauth/authorize', + scope: [:openid, :email, :profile], + response_type: :code, + client_options: { + host: 'api.instagram.com', + authorization_endpoint: '/oauth/authorize', + token_endpoint: '/oauth/access_token', + identifier: ENV['INSTAGRAM_CLIENT_ID'], + secret: ENV['INSTAGRAM_CLIENT_SECRET'], + redirect_uri: redirect + }, + setup: SETUP_PROC + end + if Rails.configuration.omniauth_linkedin + Rails.application.config.providers << :linkedin + + redirect = ENV['OAUTH2_REDIRECT'].present? ? 
File.join(ENV['OAUTH2_REDIRECT'], 'auth', 'linkedin', 'callback') : nil + + provider :openid_connect, + name: :linkedin, + issuer: 'https://www.linkedin.com/oauth/v2/authorization', + scope: [:openid, :email, :profile], + response_type: :code, + client_options: { + host: 'www.linkedin.com', + authorization_endpoint: '/oauth/v2/authorization', + token_endpoint: '/oauth/v2/accessToken', + identifier: ENV['LINKEDIN_CLIENT_ID'], + secret: ENV['LINKEDIN_CLIENT_SECRET'], + redirect_uri: redirect + }, + setup: SETUP_PROC + end + if Rails.configuration.omniauth_openid_connect + Rails.application.config.providers << :openid_connect + + redirect = ENV['OAUTH2_REDIRECT'].present? ? File.join(ENV['OAUTH2_REDIRECT'], 'auth', 'openid_connect', 'callback') : nil + + uri = URI(ENV['OPENID_CONNECT_SITE'].present? ? ENV['OPENID_CONNECT_SITE'] : '') + + client_options = { + identifier: ENV['OPENID_CONNECT_CLIENT_ID'], + secret: ENV['OPENID_CONNECT_CLIENT_SECRET'], + redirect_uri: redirect, + scheme: uri.scheme, + host: uri.host, + port: uri.port + }.compact + + { + authorization_endpoint: 'OPENID_CONNECT_AUTHORIZATION_ENDPOINT', + token_endpoint: 'OPENID_CONNECT_TOKEN_ENDPOINT', + end_session_endpoint: 'OPENID_CONNECT_END_SESSION_ENDPOINT' + }.each { |key, value| client_options[key] = ENV[value] if ENV[value].present? } + + provider :openid_connect, + name: :openid_connect, + issuer: ENV['OPENID_CONNECT_ISSUER'], + discovery: !(ENV['OPENID_CONNECT_DISCOVERY'].present? && ENV['OPENID_CONNECT_DISCOVERY'] == 'false'), + scope: [:openid, :email, :profile], + response_type: :code, + uid_field: ENV['OPENID_CONNECT_UID_FIELD'].present? ? ENV['OPENID_CONNECT_UID_FIELD'] : 'sub', + client_options: client_options, + setup: SETUP_PROC end end end diff --git a/config/locales/en.yml b/config/locales/en.yml index b428f3fcd7..7e17aa8205 100755 --- a/config/locales/en.yml +++ b/config/locales/en.yml 
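Review bot: In the `omniauth_apple` branch the client secret `token` is minted once when the initializer runs, with `'exp' => Time.now.to_i + 300`, so every token exchange more than five minutes after boot presents an expired client secret and Apple login stops working (Apple's documentation allows a longer `exp`, up to six months, but a boot-time value still expires eventually). Mint the JWT per request inside the setup proc, as sketched below, so `iat`/`exp` are always fresh. Separately, the `issuer:` values given for the office365, github, instagram and linkedin providers are authorization-endpoint URLs rather than issuer identifiers; the openid_connect strategy validates the ID token's `iss` claim against this option and, as far as I can tell, GitHub, Instagram and LinkedIn do not issue ID tokens at all, so these four look unlikely to complete a login and need a check against the real provider before merge. Finally, the `discovery:` expression in the openid_connect branch is equivalent to the simpler `discovery: ENV['OPENID_CONNECT_DISCOVERY'] != 'false'`.
```ruby
  if Rails.configuration.omniauth_apple
    Rails.application.config.providers << :apple
    # … unchanged: redirect computation …
    ecdsa_key = OpenSSL::PKey::EC.new ENV['APPLE_PRIVATE_KEY']

    # Apple's client secret is a short-lived signed JWT; mint it per request
    # rather than once at boot so `exp` is never in the past.
    apple_setup = lambda do |env|
      now = Time.now.to_i
      claims = {
        'iss' => ENV['APPLE_TEAM_ID'],
        'iat' => now,
        'exp' => now + 300, # expires in 5 minutes
        'aud' => 'https://appleid.apple.com',
        'sub' => ENV['APPLE_CLIENT_ID']
      }
      env['omniauth.strategy'].options[:client_options][:secret] =
        JWT.encode(claims, ecdsa_key, 'ES256', 'kid' => ENV['APPLE_KEY_ID'])
      SETUP_PROC.call(env)
    end

    provider :openid_connect,
             name: :apple,
             # … unchanged: issuer, scope, response_type, client_options minus :secret …
             setup: apple_setup
  end
```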
@@ -470,6 +470,13 @@ en: office365: Office 365 twitter: Twitter ldap: LDAP + saml: SAML + apple: Apple + facebook: Facebook + github: GitHub + instagram: Instagram + linkedin: LinkedIn + openid_connect: OpenID Connect recaptcha: errors: recaptcha_unreachable: Oops, we failed to validate your reCAPTCHA response. Please try again. diff --git a/lib/omniauth_options.rb b/lib/omniauth_options.rb index 0440f527e3..cfe1e7c2f1 100644 --- a/lib/omniauth_options.rb +++ b/lib/omniauth_options.rb @@ -20,6 +20,16 @@ module OmniauthOptions module_function def omniauth_options(env) + env_hd = { + 'google' => 'GOOGLE_OAUTH2_HD', + 'office365' => 'OFFICE365_HD', + 'apple' => 'APPLE_HD', + 'facebook' => 'FACEBOOK_HD', + 'github' => 'GITHUB_HD', + 'instagram' => 'INSTAGRAM_HD', + 'linkedin' => 'LINKEDIN_HD', + 'openid_connect' => 'OPENID_CONNECT_HD', + }[env['omniauth.strategy'].options[:name]] if env['omniauth.strategy'].options[:name] == "bn_launcher" protocol = Rails.env.production? ? "https" : env["rack.url_scheme"] @@ -33,10 +43,8 @@ def omniauth_options(env) # This is only used in the old launcher and should eventually be removed env['omniauth.strategy'].options[:checksum] = generate_checksum(user_domain, customer_redirect_url, Rails.configuration.launcher_secret) - elsif env['omniauth.strategy'].options[:name] == "google" - set_hd(env, ENV['GOOGLE_OAUTH2_HD']) - elsif env['omniauth.strategy'].options[:name] == "office365" - set_hd(env, ENV['OFFICE365_HD']) + elsif !env_hd.nil? + set_hd(env, ENV[env_hd]) end end diff --git a/sample.env b/sample.env index 0a0c50e568..8b83912758 100644 --- a/sample.env +++ b/sample.env 
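Review bot: `env_hd` is looked up with string keys (`'google'`, `'office365'`, …), but the providers this patch registers pass symbol names (`name: :google`, `name: :office365`, …) where the removed google provider passed `name: 'google'`; if `options[:name]` comes back as a symbol — I cannot confirm from this page whether OmniAuth stringifies it — the lookup yields nil, `!env_hd.nil?` is false in the second hunk, and `set_hd` silently never runs, dropping the hosted-domain restriction that `GOOGLE_OAUTH2_HD`/`OFFICE365_HD` exist to enforce. Index with `}[env['omniauth.strategy'].options[:name].to_s]` so both spellings work, and add a test asserting that a configured `*_HD` value still reaches `set_hd`. The hash literal is also rebuilt on every call; hoist it to a frozen module-level constant such as `HD_ENV_VARS`. In the second hunk, `elsif !env_hd.nil?` reads better as `elsif env_hd`.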
@@ -51,6 +51,75 @@ OFFICE365_KEY= OFFICE365_SECRET= OFFICE365_HD= +# Apple id Login Provider (optional) +# +# For in-depth steps on setting up an Apple id Login Provider, see: +# +# https://docs.bigbluebutton.org/greenlight/gl-config.html#apple-oauth2 +# +APPLE_CLIENT_ID= +APPLE_TEAM_ID= +APPLE_KEY_ID= +APPLE_PRIVATE_KEY= +APPLE_HD= + +# Facebook Login Provider (optional) +# +# For in-depth steps on setting up a Facebook Login Provider, see: +# +# https://docs.bigbluebutton.org/greenlight/gl-config.html#facebook-oauth2 +# +FACEBOOK_CLIENT_ID= +FACEBOOK_CLIENT_SECRET= +FACEBOOK_HD= + +# GitHub Login Provider (optional) +# +# For in-depth steps on setting up a GitHub Login Provider, see: +# +# https://docs.bigbluebutton.org/greenlight/gl-config.html#github-oauth2 +# +GITHUB_CLIENT_ID= +GITHUB_CLIENT_SECRET= +GITHUB_HD= + +# Instagram Login Provider (optional) +# +# For in-depth steps on setting up an Instagram Login Provider, see: +# +# https://docs.bigbluebutton.org/greenlight/gl-config.html#instagram-oauth2 +# +INSTAGRAM_CLIENT_ID= +INSTAGRAM_CLIENT_SECRET= +INSTAGRAM_HD= + +# LinkedIn Login Provider (optional) +# +# For in-depth steps on setting up a LinkedIn Login Provider, see: +# +# https://docs.bigbluebutton.org/greenlight/gl-config.html#linkedin-oauth2 +# +LINKEDIN_CLIENT_ID= +LINKEDIN_CLIENT_SECRET= +LINKEDIN_HD= + +# OpenID Connect Provider (optional) +# +# For in-depth steps on setting up a OpenID Connect Login Provider, see: +# +# https://docs.bigbluebutton.org/greenlight/gl-config.html#openid-connect +# +OPENID_CONNECT_CLIENT_ID= +OPENID_CONNECT_CLIENT_SECRET= +OPENID_CONNECT_ISSUER= +OPENID_CONNECT_SITE= +OPENID_CONNECT_DISCOVERY= +OPENID_CONNECT_UID_FIELD= +OPENID_CONNECT_AUTHORIZATION_ENDPOINT= +OPENID_CONNECT_TOKEN_ENDPOINT= +OPENID_CONNECT_END_SESSION_ENDPOINT= +OPENID_CONNECT_HD= + # OAUTH2_REDIRECT allows you to specify the redirect_url passed to oauth on sign in. 
# It is useful for cases when Greenlight is deployed behind a Network Load Balancer or proxy OAUTH2_REDIRECT= 
@@ -86,6 +155,32 @@ LDAP_ROLE_FIELD= LDAP_FILTER= LDAP_ATTRIBUTE_MAPPING= +# SAML Login Provider (optional) +# +# You can use SAML authentication by providing the values below. +# SAML_ISSUER is the name of your application. Some identity providers might need this to establish the identity of the service provider requesting the login. +# The location of this SP's metadata can be used here; For example : https://bigbluebutton.yourdomain.tld/auth/saml/metadata +# SAML_IDP_URL is the URL to which the authentication request should be sent. This would be on the identity provider. It can be found in the +# IDP's metadata in the tag +# SAML_IDP_CERT_FINFERPRINT is the fingerprint of the certificate used by the IDP, for example "25:72:85:66:C9:94:22:98:36:84:11:E1:88:C7:AC:40:98:F9:E7:82". +# You can get the fingerprint by downloading the IDP's certificate and running : +# openssl x509 -noout -in torproject.pem -fingerprint -sha1 +# SAML_NAME_IDENTIFIER describes the format of the username required by this application. +# If you need the email address, use "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress". See http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf section 8.3 +# for other options. Note that the identity provider might not support all options. If not specified, the IdP is free to choose the name identifier format used in the response +# SAML_...._ATTRIBUTE : Attributes from the SAML response should be mapped to the attributes used by greenlight. The defaults are based upon https://wiki.surfnet.nl/display/surfconextdev/Attributes+in+SURFconext +# +# The information about this SP (metadata) can be found on your server http:///auth/saml/metadata +# +SAML_ISSUER= +SAML_IDP_URL= +SAML_IDP_CERT_FINGERPRINT= +SAML_NAME_IDENTIFIER= +SAML_UID_ATTRIBUTE= +SAML_USERNAME_ATTRIBUTE= +SAML_EMAIL_ATTRIBUTE= +SAML_COMMONNAME_ATTRIBUTE= + # Set this to true if you want GreenLight to support user signup and login without # Omniauth. 
For more information, see: # @@ -279,4 +374,4 @@ DEFAULT_REGISTRATION=open # GCS_CLIENT_ID= # GCS_CLIENT_CERT= # GCS_PROJECT= -# GCS_BUCKET= \ No newline at end of file +# GCS_BUCKET=
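Review bot: The SAML comment block documents `SAML_IDP_CERT_FINFERPRINT`, but the variable the initializer reads is `SAML_IDP_CERT_FINGERPRINT`, so an operator who copies the name from the comment gets a SAML provider that never enables; fix the spelling. The `openssl x509 ... -fingerprint -sha1` example matches the initializer, which passes only `idp_cert_fingerprint` and no `idp_cert_fingerprint_algorithm` (ruby-saml then defaults to SHA-1, as far as I can tell), so state explicitly that a SHA-256 fingerprint will not be accepted as configured. Two sentences also read as if a word was lost: `IDP's metadata in the tag` names no tag, and `http:///auth/saml/metadata` has no host; if an angle-bracket placeholder was stripped, restore it as `<your-host>`. The first sample.env hunk above needs nothing.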