diff --git a/SSO.md b/SSO.md new file mode 100644 index 0000000000..7b250ab99a --- /dev/null +++ b/SSO.md @@ -0,0 +1,32 @@ +# SSO using OpenId Connect + +To use an external source of authentication your SSO will need to support OpendID Connect : + + - And OpenID Connect Discovery endpoint should be available + - Client authentication will be done using Id and Secret. + +A master password will still required and not controlled by the SSO (depending of your point of view this might be a feature ;). +This introduce another way to control who can use the vault without having to use invitation or using an LDAP. + +## Configuration + +The following configurations are available + + - `SSO_ENABLED` : Activate the SSO + - `SSO_ONLY` : disable email+Master password authentication + - `SSO_AUTHORITY` : the OpendID Connect Discovery endpoint of your SSO + - `SSO_CLIENT_ID` : Client Id + - `SSO_CLIENT_SECRET` : Client Secret + - `SSO_KEY_FILEPATH` : And optional public key that can be used to authenticate the SSO during the exchange flow. + +The callback url is : `https://your.domain/identity/connect/oidc-signin` + +## Configuration example using GitLab + +Create an application in your Gitlab Settings with + +- `redirectURI`: https://your.domain/identity/connect/oidc-signin +- `Confidential`: `true` +- `scopes`: `openid`, `profile`, `email` + +Then configure your server with `SSO_AUTHORITY=https://gitlab.com`, `SSO_CLIENT_ID` and `SSO_CLIENT_SECRET`.