Differences

This shows you the differences between two versions of the page.

documentation:latest:authssl [2019/10/31 14:45]
cmaudoux [SSL by Ajax]
documentation:latest:authssl [2020/01/31 17:59] (current)
Line 10: Line 10:
   * Allow no certificate to chain with other authentication methods   * Allow no certificate to chain with other authentication methods
  
-===== Configuration =====+===== Configuration ​(as the only authentication module) ​=====
  
 By default, SSL is required before the portal is displayed (handled by webserver). If you want to display a button to connect to LLNG //​(compatible with [[authcombination|Combination]])//,​ you can activate "SSL by Ajax request"​ in the manager. See [[#​ssl_by_Ajax|SSL by Ajax]] below. By default, SSL is required before the portal is displayed (handled by webserver). If you want to display a button to connect to LLNG //​(compatible with [[authcombination|Combination]])//,​ you can activate "SSL by Ajax request"​ in the manager. See [[#​ssl_by_Ajax|SSL by Ajax]] below.
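
Review bot: The paragraph kept under the renamed heading still presents "SSL by Ajax request" as the Combination-compatible option and links to [[#ssl_by_Ajax|SSL by Ajax]], while this same revision renames that section to "Configuration (for Combination/Choice)". Under a heading now scoped to "as the only authentication module", reduce this to a short pointer and update its link target and label to the new section name, so the cross-reference still resolves.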
Line 252: Line 252:
 <note warning>​It is incompatible with authentication combination because of Apache parameter "​SSLVerifyClient",​ which must have the value "​require"​. To enable SSL with [[authcombination|Combination]],​ use [[#​ssl_by_ajax|SSL by Ajax]]</​note>​ <note warning>​It is incompatible with authentication combination because of Apache parameter "​SSLVerifyClient",​ which must have the value "​require"​. To enable SSL with [[authcombination|Combination]],​ use [[#​ssl_by_ajax|SSL by Ajax]]</​note>​
  
-===== SSL by Ajax =====+===== Configuration (for Combination/​Choice) ​=====
  
 If you enable this feature, you must configure 2 portal virtual hosts: If you enable this feature, you must configure 2 portal virtual hosts:
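
Review bot: Renaming the "SSL by Ajax" heading leaves two things dangling in the context lines around it: the warning just above still ends with "use [[#ssl_by_ajax|SSL by Ajax]]", and the first sentence of the section, "If you enable this feature", no longer has a named feature to refer to. Either keep the feature name in the heading, for example "SSL by Ajax (for Combination/Choice)", or update the link and open the section by naming the "SSL by Ajax request" option.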
Line 296: Line 296:
 **Script source** => '​self'​ "Ajax request URL" **Script source** => '​self'​ "Ajax request URL"
 </​note>​ </​note>​
 +
 +===== Extracting the username attribute =====
 +
 +The "​Extracted certificate field" must be set to the Apache/​Nginx environment variable containing the username attribute.
 +
 +See the [[https://​httpd.apache.org/​docs/​current/​en/​mod/​mod_ssl.html|mod_ssl documentation]] for a list of supported variables names.
 +
 +If your webserver configuration allows multiple CAs, you may configure a different environment variable for each CA.
 +
 +In the "​Conditional extracted certificate field",​ add a line for each CA.
 +
 +  * key: the CA subject DN (will be printed in debug logs)
 +  * value: the variable containing the username when using certificates emitted by this CA
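
Review bot: The new section does not say what happens when a certificate's issuer matches none of the "Conditional extracted certificate field" lines, nor how the key is compared with the issuer. State whether the default "Extracted certificate field" is used as the fallback, and give the exact DN string format expected as the key (the text only says it "will be printed in debug logs"), since a mismatch here decides which certificate field becomes the username. Two smaller points: the section says "Apache/Nginx" but links only the mod_ssl variable list, and "supported variables names" should read "supported variable names".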