@webbio/strapi-plugin-sso
v3.0.0
Strapi plugin SSO
This Strapi plugin enables Single Sign-On (SSO) capabilities for your Strapi applications, allowing users to authenticate using their selected provider accounts. Once configured, it streamlines the login process, enhancing the user experience by providing a quick and secure way to access the application without the need for separate usernames and passwords.
Providers
The following providers are supported:
Google
type GoogleConfig = {
  enabled?: boolean;
  clientId: string;
  clientSecret: string;
  redirectUrl: string;
  isDeveloperLogin?: boolean; // Changes this login to a developer login, which shows a subtle login link at the bottom of the page
  order?: number; // Order of the SSO provider, lowest number is shown first
};
MSAL
type MsalConfig = {
  enabled?: boolean;
  clientId: string;
  clientSecret: string;
  redirectUrl: string;
  authority: string;
  isDeveloperLogin?: boolean; // Changes this login to a developer login, which shows a subtle login link at the bottom of the page
  order?: number; // Order of the SSO provider, lowest number is shown first
};
Microsoft SAML
type MicrosoftSamlConfig = {
  enabled: boolean;
  callbackUrl: string; // URL of the callback; its pathname must be /sso/microsoft-saml/redirect/postResponse (e.g. http://localhost:1337/sso/microsoft-saml/redirect/postResponse)
  issuer: string; // URL of your app (e.g. http://localhost:1337)
  federationUrl: string; // URL of the provider's Federation Metadata XML
  isDeveloperLogin?: boolean; // Changes this login to a developer login, which shows a subtle login link at the bottom of the page
  order?: number; // Order of the SSO provider, lowest number is shown first
};
Plugin Config
To enable this plugin, add it to plugins.ts:
sso: {
  enabled: true,
  config: PluginConfig
}
Config type:
type PluginConfig = {
  role: string; // Must be a valid role in your Strapi installation.
  autoRegistration?: boolean; // Enables auto-registration for new SSO users.
  useSessionStorage?: boolean; // Uses sessionStorage instead of localStorage.
  disableCredentialsLogin?: boolean; // Disables credentials login and its routes, so no login or registration via credentials is allowed (including API calls).
  developerLoginText?: string; // When a developer login is enabled, the login is shown subtly. This value overrides the default text.
  msal?: MsalConfig;
  google?: GoogleConfig;
  microsoftSaml?: MicrosoftSamlConfig;
};
Microsoft SAML
For Microsoft SAML to work correctly, we need to create an App Metadata XML. This XML is used by the SSO tenant to create their Federation Metadata XML, which your Strapi app uses to read all the correct data (the URL of that Federation Metadata XML is the value of the env MICROSOFT_SAML_FEDERATION_URL).
Creating the App Metadata XML to send to the tenant:
- Download the Mellon Create Metadata bash script (https://github.com/UNINETT/mod_auth_mellon/blob/master/mellon_create_metadata.sh). If this URL isn't available anymore, see the dist folder and look for the mellon_create_metadata.sh file (latest version of Sep 4, 2018).
- Execute the script: bash ./mellon_create_metadata.sh APP_ISSUER APP_CALLBACK_URL. Example: bash ./mellon_create_metadata.sh http://localhost:1337 http://localhost:1337/sso/microsoft-saml/redirect
- Three files should be created: *.xml, *.key and *.cert. If no xml is generated, make sure line 57 of the script doesn't contain RANDFILE = /dev/urandom. Remove it if it exists.
- Send the XML to the tenant provider. They will be able to create the Federation Metadata XML URL for you.
Important
- For the plugin's inline login script to run, add the "'unsafe-inline'" source to the script-src directive of your strapi::security middleware config. Keep in mind that 'unsafe-inline' permits every inline script on the page, so the rest of the policy should stay as strict as it was. Example:
export default ({ env }) => [
  // ...
  {
    name: 'strapi::security',
    config: {
      contentSecurityPolicy: {
        // ...
        directives: {
          // ...
          'script-src': [
            // ...
            "'unsafe-inline'",
            // ...
          ],
          // ...
          upgradeInsecureRequests: null
        }
      }
    }
  },
  // ...
];
- When starting the admin for the first time, registration must take place with credentials. Afterwards you can log in with SSO.
- When deploying the app with this plugin to production, make sure to add proxy: true to your server.ts config (documentation: https://docs.strapi.io/dev-docs/configurations/server).
- To edit the admin login page, we inject HTML via a server-side script by editing the root index.html file. When developing in watch mode this file does not exist, so we edit the index.html inside the .strapi/client folder. This may cause some odd behaviour, and you may need to refresh the page before the 'patched' admin login page is shown.
- When developing and changing the injectable login.html file, make sure to run yarn build inside the plugin folder. This copies the HTML file to the dist folder, from where it is read.
- A new property is added to the Admin User: isSsoProvider. This property can only be viewed on the server and can be used, for example, to prevent sending welcome mails containing password reset tokens.
- When a new or an existing user logs in with SSO, the isSsoProvider prop is set to true. Also, a new random password is generated for security reasons.
- If, in dev mode, the Google auth keeps hanging after confirming your login, make sure the redirect URL is correct. It makes a difference whether you're using localhost or 127.0.0.1.
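The provider and plugin config types above, together with the callbackUrl pathname requirement and the localhost/127.0.0.1 redirect caveat, lend themselves to a startup check. The following is an added example and not code from the plugin: the four types mirror the README's declarations, while checkSsoConfig, ssoPluginEntry, the publicOrigin parameter and the sample configs (placeholder values, not real credentials) are constructed for this example.

```typescript
// Added example, not part of @webbio/strapi-plugin-sso: a startup check for the
// plugin config described in the README. Types mirror the README; everything
// else here is hypothetical and constructed for illustration.

type GoogleConfig = {
  enabled?: boolean;
  clientId: string;
  clientSecret: string;
  redirectUrl: string;
  isDeveloperLogin?: boolean;
  order?: number;
};
// Same fields as GoogleConfig plus the authority, as in the README.
type MsalConfig = GoogleConfig & { authority: string };
type MicrosoftSamlConfig = {
  enabled: boolean;
  callbackUrl: string;
  issuer: string;
  federationUrl: string;
  isDeveloperLogin?: boolean;
  order?: number;
};
type PluginConfig = {
  role: string;
  autoRegistration?: boolean;
  useSessionStorage?: boolean;
  disableCredentialsLogin?: boolean;
  developerLoginText?: string;
  msal?: MsalConfig;
  google?: GoogleConfig;
  microsoftSaml?: MicrosoftSamlConfig;
};

// Pathname the README requires for the SAML callback URL.
const SAML_CALLBACK_PATH = "/sso/microsoft-saml/redirect/postResponse";

// Parse an absolute URL, recording a problem instead of throwing.
function parseUrl(value: string | undefined, label: string, problems: string[]): URL | null {
  try {
    return new URL(value ?? "");
  } catch {
    problems.push(`${label} is not an absolute URL: ${JSON.stringify(value)}`);
    return null;
  }
}

// Return every README constraint the config violates (empty array = OK).
// publicOrigin is the origin the admin is served from, e.g. http://localhost:1337.
export function checkSsoConfig(cfg: PluginConfig, publicOrigin: string): string[] {
  const problems: string[] = [];
  if (!cfg.role || !cfg.role.trim()) problems.push("role must name an existing Strapi role");
  const origin = parseUrl(publicOrigin, "publicOrigin", problems);

  // A redirect URL on a different host than the admin (localhost vs 127.0.0.1)
  // is the "Google auth keeps hanging" situation from the README.
  const checkRedirect = (url: string, label: string) => {
    const u = parseUrl(url, label, problems);
    if (u && origin && u.host !== origin.host) {
      problems.push(`${label} host ${u.host} does not match app host ${origin.host}`);
    }
  };

  const { google, msal, microsoftSaml } = cfg;
  if (google?.enabled) {
    if (!google.clientId || !google.clientSecret) problems.push("google: clientId and clientSecret are required");
    checkRedirect(google.redirectUrl, "google.redirectUrl");
  }
  if (msal?.enabled) {
    if (!msal.clientId || !msal.clientSecret) problems.push("msal: clientId and clientSecret are required");
    parseUrl(msal.authority, "msal.authority", problems);
    checkRedirect(msal.redirectUrl, "msal.redirectUrl");
  }
  if (microsoftSaml?.enabled) {
    const cb = parseUrl(microsoftSaml.callbackUrl, "microsoftSaml.callbackUrl", problems);
    if (cb && cb.pathname !== SAML_CALLBACK_PATH) {
      problems.push(`microsoftSaml.callbackUrl pathname must be ${SAML_CALLBACK_PATH}`);
    }
    parseUrl(microsoftSaml.issuer, "microsoftSaml.issuer", problems);
    parseUrl(microsoftSaml.federationUrl, "microsoftSaml.federationUrl", problems);
  }

  // disableCredentialsLogin removes the only non-SSO way in; with no provider
  // enabled it would lock every admin out.
  const anyProvider = [google?.enabled, msal?.enabled, microsoftSaml?.enabled].some(Boolean);
  if (cfg.disableCredentialsLogin && !anyProvider) {
    problems.push("disableCredentialsLogin is set but no SSO provider is enabled");
  }
  return problems;
}

// Build the `sso` entry for config/plugins.ts, refusing to start on a bad config.
export function ssoPluginEntry(cfg: PluginConfig, publicOrigin: string) {
  const problems = checkSsoConfig(cfg, publicOrigin);
  if (problems.length > 0) throw new Error("sso plugin misconfigured:\n - " + problems.join("\n - "));
  return { sso: { enabled: true, config: cfg } };
}

// Constructed sample configs; "Super Admin" is Strapi's default admin role name.
export const SAMPLE_GOOD: PluginConfig = {
  role: "Super Admin",
  autoRegistration: true,
  microsoftSaml: {
    enabled: true,
    callbackUrl: "http://localhost:1337/sso/microsoft-saml/redirect/postResponse",
    issuer: "http://localhost:1337",
    federationUrl: "https://idp.example.com/FederationMetadata.xml",
  },
};
export const SAMPLE_BAD: PluginConfig = {
  role: "",
  disableCredentialsLogin: true,
  google: { enabled: true, clientId: "id", clientSecret: "secret", redirectUrl: "http://127.0.0.1:1337/sso/google/redirect" },
  microsoftSaml: { enabled: true, callbackUrl: "http://localhost:1337/sso/microsoft-saml/redirect", issuer: "http://localhost:1337", federationUrl: "not-a-url" },
};
```

In a real config/plugins.ts the secrets would come from env() rather than literals, and ssoPluginEntry would be spread into the exported plugins object so that a mismatched redirect host or a wrong SAML callback path fails at boot instead of surfacing as a hanging login.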