Single Sign On cookie, domain and portal URL

SSO cookie

The SSO cookie is built by the portal (as described in the login kinematic), or by the Handler for cross domain authentication (see CDA kinematic).

To edit the SSO cookie parameters, go to the Manager, General Parameters > Cookies:

  • Cookie name: name of the cookie; it can be changed to avoid conflicts with other LemonLDAP::NG installations

  • Domain: validity domain of the cookie (the browser will not send the cookie to other domains)

  • Multiple domains: enable the cross domain mechanism (without this, you cannot extend SSO to other domains)

  • Secured cookie: one of four options:

    • Non secured cookie: the cookie can be sent over both HTTP and HTTPS connections

    • Secured cookie: the cookie carries the Secure flag and can only be sent over HTTPS

    • Double cookie: two cookies are delivered, one sent over both HTTP and HTTPS connections, the other (with the Secure flag) sent over HTTPS only

    • Double cookie for single session: same as double cookie, but only one session is created in the session database

  • Javascript protection: set the HttpOnly flag, so that the cookie cannot be read by JavaScript running in the page and therefore cannot be leaked by malicious script code

  • Cookie expiration time: by default, the SSO cookie is a session cookie, which means it is destroyed when the browser is closed. You can change this behavior by setting a cookie expiration time. The value must be an integer: the number of seconds until the cookie expires. Set it to zero to disable the expiration time and use a session cookie.

  • Cookie SameSite value: the value of the SameSite cookie attribute. By default, LemonLDAP::NG sets it to “Lax” in most cases, and to “None” if you use federated authentication such as SAML or OIDC. Using “None” requires the Secured cookie option and, on most web browsers, accessing applications over HTTPS.

Danger

When you set a cookie expiration time, the cookie is written to the user's hard disk, unlike a session cookie, which only lives in browser memory.

Attention

Changing the domain value does not update other configuration parameters, such as virtual host names or the portal URL. You have to update them yourself.

Portal URL

The portal URL is the address to which users are redirected to reach the authentication portal. It is used by:

  • Handler: the user is redirected if they have no SSO cookie (or in CDA mode)

  • Portal: the portal redirects to itself in many cases (credentials POST, SAML, etc.)

Danger

The portal URL must be inside the SSO domain. If the Secured cookie option is enabled, the portal URL must be HTTPS.
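The constraints stated in the SSO cookie and Portal URL sections above (portal inside the SSO domain, HTTPS portal when the cookie is secured, SameSite=None only with Secure, HttpOnly) can be checked before a configuration is saved. The following is an added example, not LemonLDAP::NG code: the option labels and the `name + "http"` naming of the HTTP-capable cookie in the double cookie modes are assumptions made for this example, and the cookie values are constructed.

```python
from urllib.parse import urlsplit

# Labels for the four "Secured cookie" options; names constructed for this example.
SECURED_OPTIONS = ("none", "secured", "double", "double_single")

def check_cookie_config(cookie_domain, portal_url, secured, samesite, http_only=True):
    """Return the rules from this page that the given settings violate (empty list = OK)."""
    assert secured in SECURED_OPTIONS
    parts = urlsplit(portal_url)
    host, dom = (parts.hostname or "").lower(), cookie_domain.lower().lstrip(".")
    problems = []
    # The portal URL must be inside the SSO cookie domain, else the cookie is never sent to it.
    if host != dom and not host.endswith("." + dom):
        problems.append(f"portal host {host!r} is outside SSO domain {cookie_domain!r}")
    # Any secured option puts a Secure-flagged cookie on the portal, so the portal must be HTTPS.
    if secured != "none" and parts.scheme != "https":
        problems.append("secured cookie is enabled but the portal URL is not HTTPS")
    # Browsers reject SameSite=None without Secure.
    if samesite == "None" and secured == "none":
        problems.append("SameSite=None needs the Secure attribute")
    if not http_only:
        problems.append("HttpOnly is off: page scripts can read the SSO cookie")
    return problems

def set_cookie_headers(name, session_id, cookie_domain, secured, samesite,
                       max_age=0, http_only=True, http_session_id=None):
    """Render the Set-Cookie header(s) the chosen options produce.

    max_age=0 means a session cookie (no Max-Age attribute, gone when the browser closes).
    In the double cookie modes the HTTP-capable cookie is called name + "http" (assumed).
    """
    attrs = [f"Domain={cookie_domain}", "Path=/", f"SameSite={samesite}"]
    if http_only:
        attrs.append("HttpOnly")
    if max_age > 0:
        attrs.append(f"Max-Age={max_age}")

    def render(cname, value, secure):
        return "; ".join([f"{cname}={value}", *attrs, *(["Secure"] if secure else [])])

    if secured == "none":
        return [render(name, session_id, False)]
    if secured == "secured":
        return [render(name, session_id, True)]
    # "double": two sessions, two ids; "double_single": both cookies carry the same session id.
    if secured == "double" and http_session_id is None:
        raise ValueError("double cookie mode needs a second session id for the HTTP cookie")
    http_id = session_id if secured == "double_single" else http_session_id
    return [render(name, session_id, True), render(name + "http", http_id, False)]
```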


© Copyright 2022, LemonLDAP::NG.
