- Notifications
You must be signed in to change notification settings - Fork6
CryptPad official SSO plugin
License
cryptpad/sso
Folders and files
| Name | Name | Last commit message | Last commit date | |
|---|---|---|---|---|
Repository files navigation
The CryptPad SSO plugin can be manually installed to allow a CryptPad instance to be connected to a single sign-on (SSO) system.
This allows to restrict registrations to only SSO users or to display a “Register with SSONAME” button on the connection and registration screen.
Users will still be able to create a personal password which will be used to derive the “encryption key” of their drive secret from SSO Administrators.
- OIDC and SAML SSO connectors;
- Allow logging in using one or more SSO systems;
- Allow restricting login to only SSO;
- Store public key information of SSO users on the CryptPad server.
- Store extra information from users coming from SSO;
- Allow sharing documents with SSO users without the need to connect with them;
- Allow administrators to manage SSO users (see their storage use, delete their data, etc.);
- Allow synchronizing OIDC roles/groups with CryptPad teams;
- Additional SSO protocols.
If you are interested in these extra features and wish to sponsor them, contact XWiki SAS atsales@cryptpad.org
- Go the cryptpad/lib/plugins directory on your server
cd cryptpad/lib/pluginsgit clone https://github.com/cryptpad/sso/- Go to the cryptpad/config directory on your server
cd ../../configcp sso.example.js sso.jsEdit the
sso.jsconfig file to set the credentials to your SSO server (more instructions here)Flush the cache on your Cryptpad instance
On the web interface, login, and then go to:Administration > General (default) > Flush HTTP Cache > click "FLUSH CACHE"
At this point you may be done, but if issues persist try restarting your Cryptpad instance with
systemctl restart ...,service ... restart, orreboot
The SSO module has been successfully tested using KeyCloak and Univention UCS using default settings.When setting up the client credentials on your OpenIDC Connect server the following redirect URI needs to be set
https://<yourdomain>/ssoauth
(In case you are still using a local test http server the URL should behttp://<yourdomain>:<yourport>/ssoauth)
Here follows an example configuration file forsso.js showing examples for KeyCloak, Univention UCS and SAML:
// SPDX-FileCopyrightText: 2023 XWiki CryptPad Team <contact@cryptpad.org> and contributors//// SPDX-License-Identifier: AGPL-3.0-or-later//const fs = require('node:fs');module.exports = { // Enable SSO login on this instance enabled: true, // Block registration for non-SSO users on this instance enforced: false, // Allow users to add an additional CryptPad password to their SSO account cpPassword: true, // You can also force your SSO users to add a CryptPad password forceCpPassword: true, // List of SSO providers list: [ { name: 'keycloak', type: 'oidc', url: 'https://<keycloakserver/realms/<realm>', client_id: "cryptpad", client_secret: "<clientsecret>", jwt_alg: 'RS256', username_scope: 'profile', (optional) username_claim: 'name', (optional) }, /* // Sample Univention UCS Configuration (using Kopano Connect) { name: 'xwiki', type: 'oidc', url: 'https://ucs-sso.<yourdomain>', client_id: "cryptpad", client_secret: "<yoursecret", jwt_alg: 'PS256' }, // Sample Google Configuration { name: 'google', type: 'oidc', url: 'https://accounts.google.com', client_id: "{your_client_id}", client_secret: "{your_client_secret}", jwt_alg: 'RS256' (optional) }, // Sample SAML Configuration { name: 'samltest', type: 'saml', url: 'https://samltest.id/idp/profile/SAML2/Redirect/SSO', issuer: 'your-cryptpad-issuer-id', cert: String or fs.readFileSync("./your/cert/location", "utf-8"), privateKey: fs.readFileSync("./your/private/key/location", "utf-8"), signingCert: fs.readFileSync("./your/signing/cert/location", "utf-8"), } */ ]};About
CryptPad official SSO plugin
