summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorChristoph (Sheogorath) Kern2019-04-06 21:35:39 +0200
committerGitHub2019-04-06 21:35:39 +0200
commit36c083277e6c74bb6eac495971522e6932cfc207 (patch)
treebd7ed2541fd1f233ac74b4dbd7953e1bb975c73e
parent5379d65edc8edfb6135f43e4e021ee2d7907d957 (diff)
parentdf53f465c0238e9a6a306df21cd7e04731056dd6 (diff)
Merge pull request #30 from codimd/samlConfig
Added a configuration option for passport-saml:
Diffstat (limited to '')
-rw-r--r--config.json.example1
-rw-r--r--docs/configuration-env-vars.md1
-rw-r--r--lib/config/default.js1
-rw-r--r--lib/config/environment.js1
-rw-r--r--lib/config/hackmdEnvironment.js1
-rw-r--r--lib/web/auth/saml/index.js3
6 files changed, 7 insertions, 1 deletions
diff --git a/config.json.example b/config.json.example
index cb2bf3a5..d1c1cc5c 100644
--- a/config.json.example
+++ b/config.json.example
@@ -93,6 +93,7 @@
"idpCert": "change: certificate file path of IdP in PEM format",
"issuer": "change or delete: identity of the service provider (default: serverurl)",
"identifierFormat": "change or delete: name identifier format (default: 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress')",
+ "disableRequestedAuthnContext": "change or delete: true to allow any authentication method, false restricts to password authentication method (default: false)",
"groupAttribute": "change or delete: attribute name for group list (ex: memberOf)",
"requiredGroups": [ "change or delete: group names that allowed" ],
"externalGroups": [ "change or delete: group names that not allowed" ],
diff --git a/docs/configuration-env-vars.md b/docs/configuration-env-vars.md
index c81deab9..b512f485 100644
--- a/docs/configuration-env-vars.md
+++ b/docs/configuration-env-vars.md
@@ -183,6 +183,7 @@ defaultNotePath can't be set from env-vars
| `CMD_SAML_IDPSSOURL` | `https://idp.example.com/sso` | authentication endpoint of IdP. for details, see [guide](guides/auth/saml-onelogin.md). |
| `CMD_SAML_IDPCERT` | `/path/to/cert.pem` | certificate file path of IdP in PEM format |
| `CMD_SAML_ISSUER` | no example | identity of the service provider (optional, default: serverurl)" |
+| `CMD_SAML_DISABLEREQUESTEDAUTHNCONTEXT` | `true` or `false` | true to allow any authentication method, false restricts to password authentication (PasswordProtectedTransport) method (default: false) |
| `CMD_SAML_IDENTIFIERFORMAT` | no example | name identifier format (optional, default: `urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress`) |
| `CMD_SAML_GROUPATTRIBUTE` | `memberOf` | attribute name for group list (optional) |
| `CMD_SAML_REQUIREDGROUPS` | `codimd-users` | group names that allowed (use vertical bar to separate) (optional) |
diff --git a/lib/config/default.js b/lib/config/default.js
index 9e401f38..98ccee91 100644
--- a/lib/config/default.js
+++ b/lib/config/default.js
@@ -138,6 +138,7 @@ module.exports = {
idpCert: undefined,
issuer: undefined,
identifierFormat: 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
+ disableRequestedAuthnContext: false,
groupAttribute: undefined,
externalGroups: [],
requiredGroups: [],
diff --git a/lib/config/environment.js b/lib/config/environment.js
index fc757cf1..882df140 100644
--- a/lib/config/environment.js
+++ b/lib/config/environment.js
@@ -115,6 +115,7 @@ module.exports = {
idpCert: process.env.CMD_SAML_IDPCERT,
issuer: process.env.CMD_SAML_ISSUER,
identifierFormat: process.env.CMD_SAML_IDENTIFIERFORMAT,
+ disableRequestedAuthnContext: toBooleanConfig(process.env.CMD_SAML_DISABLEREQUESTEDAUTHNCONTEXT),
groupAttribute: process.env.CMD_SAML_GROUPATTRIBUTE,
externalGroups: toArrayConfig(process.env.CMD_SAML_EXTERNALGROUPS, '|', []),
requiredGroups: toArrayConfig(process.env.CMD_SAML_REQUIREDGROUPS, '|', []),
diff --git a/lib/config/hackmdEnvironment.js b/lib/config/hackmdEnvironment.js
index bc20e58a..e5ffeb8a 100644
--- a/lib/config/hackmdEnvironment.js
+++ b/lib/config/hackmdEnvironment.js
@@ -109,6 +109,7 @@ module.exports = {
idpCert: process.env.HMD_SAML_IDPCERT,
issuer: process.env.HMD_SAML_ISSUER,
identifierFormat: process.env.HMD_SAML_IDENTIFIERFORMAT,
+ disableRequestedAuthnContext: toBooleanConfig(process.env.HMD_SAML_DISABLEREQUESTEDAUTHNCONTEXT),
groupAttribute: process.env.HMD_SAML_GROUPATTRIBUTE,
externalGroups: toArrayConfig(process.env.HMD_SAML_EXTERNALGROUPS, '|', []),
requiredGroups: toArrayConfig(process.env.HMD_SAML_REQUIREDGROUPS, '|', []),
diff --git a/lib/web/auth/saml/index.js b/lib/web/auth/saml/index.js
index b8d98340..3cdb7fe2 100644
--- a/lib/web/auth/saml/index.js
+++ b/lib/web/auth/saml/index.js
@@ -17,7 +17,8 @@ passport.use(new SamlStrategy({
entryPoint: config.saml.idpSsoUrl,
issuer: config.saml.issuer || config.serverURL,
cert: fs.readFileSync(config.saml.idpCert, 'utf-8'),
- identifierFormat: config.saml.identifierFormat
+ identifierFormat: config.saml.identifierFormat,
+ disableRequestedAuthnContext: config.saml.disableRequestedAuthnContext
}, function (user, done) {
// check authorization if needed
if (config.saml.externalGroups && config.saml.groupAttribute) {