Skip to content

Commit

Permalink
Add some SSO documentation
Browse files Browse the repository at this point in the history
  • Loading branch information
Timshel committed Sep 28, 2023
1 parent a87841e commit d5f78b4
Showing 1 changed file with 32 additions and 0 deletions.
32 changes: 32 additions & 0 deletions SSO.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,32 @@
# SSO using OpenId Connect

To use an external source of authentication your SSO will need to support OpendID Connect :

- And OpenID Connect Discovery endpoint should be available
- Client authentication will be done using Id and Secret.

A master password will still required and not controlled by the SSO (depending of your point of view this might be a feature ;).
This introduce another way to control who can use the vault without having to use invitation or using an LDAP.

## Configuration

The following configurations are available

- `SSO_ENABLED` : Activate the SSO
- `SSO_ONLY` : disable email+Master password authentication
- `SSO_AUTHORITY` : the OpendID Connect Discovery endpoint of your SSO
- `SSO_CLIENT_ID` : Client Id
- `SSO_CLIENT_SECRET` : Client Secret
- `SSO_KEY_FILEPATH` : And optional public key that can be used to authenticate the SSO during the exchange flow.

The callback url is : `https://your.domain/identity/connect/oidc-signin`

## Configuration example using GitLab

Create an application in your Gitlab Settings with

- `redirectURI`: https://your.domain/identity/connect/oidc-signin
- `Confidential`: `true`
- `scopes`: `openid`, `profile`, `email`

Then configure your server with `SSO_AUTHORITY=https://gitlab.com`, `SSO_CLIENT_ID` and `SSO_CLIENT_SECRET`.

0 comments on commit d5f78b4

Please sign in to comment.