Backend choice by users

Authentication

Users

Password

Presentation

By default, only the configured authentication backend is available for users.

Contrary to multiple backend stacking, backend choice will present all available authentication methods to users, who will choose the one they want.

The choice will concern three backends:

  • Authentication

  • Users

  • Password

The chosen backends will be registered in session:

  • $_auth

  • $_userDB

  • $_passwordDB

Authentication choice will also be registered in session:

  • $_authChoice

Configuration

In Manager, go in General Parameters > Authentication modules and choose Choice for authentication.

Attention

When Choice is selected for authentication, values for Users and Password modules are also forced to Choice.

Then, go in Choice Parameters:

  • URL parameter: parameter name used to set choice value (default: lmAuth)

  • Allowed modules: click on New chain to add a choice.

  • Choice used for password authentication: authentication module used by AuthBasic handler and OAuth2.0 Password Grant

  • FindUser plugin parameter: authentication module called by Find user plugin (Find user plugin)

  • Auto-select only method: if only one authentication method is available, automatically select it

image0

Define here:

  • Name: Text displayed on choice tab.

  • Authentication module

  • Users module

  • Password module

  • URL: optional, can be used to redirect on another URL (for example https://authssl.example.com). This is mandatory if you want to use an Apache authentication module, which is run by Apache before showing the LemonLDAP::NG portal page.

  • Condition: optional, can be used to evaluate an expression to display the tab. For example, to display a tab only if redirected by Handler from application test1.example.com, you can set this condition:

$env->{urldc} =~ /test1\.example\.com/

Changed in version 2.20.0: Starting with version 2.20.0, you can use the same syntax as regular rules. In addition to the following special variables

  • $targetAuthnLevel: authentication level requested by the current application

Ordering of choices on the main login page

You can prefix the key name with a digit to order them. The digit will not be shown on portal page. Underscore characters are also replaced by spaces.

For example, use 2_France_Connect to use France Connect as the second choice.

Parameter override

You can also override some LLNG parameters for each chain. See Parameters list to have the key names to use

Issues with persistent data

Federated authentication need pdata cookie. SameSite cookie value must be set to “Lax” or “None”. See SSO cookie parameters

Authentication request to another URL than Portal URL can lead to a persistent loop between Portal and a redirection URL (pdata is not removed because domains mismatch). To avoid this, you have to set pdata cookie domain by editing lemonldap-ng.ini in section [portal]:

[portal]
pdataDomain = example.com