@webbio/strapi-plugin-sso

3.0.0 • Public • Published

Strapi plugin SSO

This Strapi plugin enables Single Sign-On (SSO) capabilities for your Strapi applications, allowing users to authenticate using their selected provider accounts. Once configured, it streamlines the login process, enhancing the user experience by providing a quick and secure way to access the application without the need for separate usernames and passwords.

Providers

The following providers are supported:

Google

type GoogleConfig = {
	enabled?: boolean;
	clientId: string;
	clientSecret: string;
	redirectUrl: string;
	isDeveloperLogin?: boolean; // Changes this login to a developer login, which will show a sublte login link on the bottom of the page
	order?: number; // Order of the SSO provider, lowest number will be shown first
};

MSAL

type MsalConfig = {
	enabled?: boolean;
	clientId: string;
	clientSecret: string;
	redirectUrl: string;
	authority: string;
	isDeveloperLogin?: boolean; // Changes this login to a developer login, which will show a sublte login link on the bottom of the page
	order?: number; // Order of the SSO provider, lowest number will be shown first
};

Microsoft SAML

type MicrosoftSamlConfig = {
	enabled: boolean;
	callbackUrl: string; // Url of the callback, must have the pathname of /sso/microsoft-saml/redirect/postResponse (e.g. http://localhost:1337/sso/microsoft-saml/redirect/postResponse)
	issuer: string; // Url of your app (e.g. http://localhost:1337)
	federationUrl: string; // Url to Federation Metadata XML of Provider,
	isDeveloperLogin?: boolean; // Changes this login to a developer login, which will show a sublte login link on the bottom of the page
	order?: number; // Order of the SSO provider, lowest number will be shown first
};

Plugin Config

To enable this plugin. Add it to plugins.ts

sso: {
  enabled: true,
  config: PluginConfig
}

Config type:

type PluginConfig = {
	role: string; // Must be a valid role in your Strapi installation.
	autoRegistration?: boolean; // Enables autoregistration for new SSO users.
	useSessionStorage?: boolean; // Enables session storage instead of localstorage
	disableCredentialsLogin?: boolean; // Disables credentials login and routes, so no login or registration via credentials is allowed (including API calls)
	developerLoginText?: string; // When a developer login is enabled, it will subtly display the login. This value will override the default text.
	msal?: MsalConfig;
	google?: GoogleConfig;
	microsoftSaml?: MicrosoftSamlConfig;
};

Microsoft SAML

For Microsoft SAML to work correctly, we nee to create an App Metadata XML. This XML is used by the SSO Tenant to create their Federation Metadata XML, which your Strapi app can use to read all the correct data (this url is used for the env MICROSOFT_SAML_FEDERATION_URL).

Creating the App Metadata XML to send to the tenant:

  1. Download the (Mellon Create Metadata)[https://github.com/UNINETT/mod_auth_mellon/blob/master/mellon_create_metadata.sh] bash script. If this url isn't available anymore, see the dist folder and look for the mellon_create_metadata.sh file (latest version of Sep 4, 2018).
  2. Execute the script: bash ./mellon_create_metadata.sh APP_ISSUER APP_CALLBACK_URL. Example: bash ./mellon_create_metadata.sh http://localhost:1337 http://localhost:1337/sso/microsoft-saml/redirect.
  3. Three files should be created: *.xml, *.key and *.cert. If no xml is generated, make sure line 57 doesn't contain RANDFILE = /dev/urandom. Remove if it exists.
  4. Send the XML to the Tenant provider. They will be able to create the Federation Metadata XML url for you.

Important

  • To make the script work correctly, make sure you add the "'unsafe-inline'" directive to your middlewares strapi::security config. Example:
export default ({ env }) => [
	// ...
	{
		name: 'strapi::security',
		config: {
			contentSecurityPolicy: {
				// ...
				directives: {
					// ...
					'script-src': [
					// ...
					"'unsafe-inline'", 
					// ...
					],
					// ...
					upgradeInsecureRequests: null
				}
			}
		}
	},
	// ...
];
  • When starting the admin for the first time, a register must take place with credentials. Later you can login with SSO.
  • When deploying the app with this plugin on production. Make sure to add proxy: true to your server.ts config. (Documentation)[https://docs.strapi.io/dev-docs/configurations/server]
  • To edit the admin login page, we inject HTML via a script server-side by editing the root index.html file. When developing in watch-mode this file does not exist, so we edit the index.html inside the .strapi/client folder. This may cause some weird behaviour and you may need to refresh the page before the 'patched' admin login page is shown.
  • When developing and changing the injectable login.html file. Make sure to run yarn build inside the plugin folder. This will copy the html file to the dist folder, where it's read to be used.
  • A new property is added to the Admin User: isSsoProvider. This property can only be viewed on the server and can be used to prevent sending welcome mails with password reset tokens for example.
  • When a new or an existing user logs in with SSO, the isSsoProvider prop is set to true. Also, a new random password will be generated for security reasons.
  • If in dev mode, the Google Auth keeps hanging after confirming your login. Make sure the redirect url is correct. It makes a difference if you're using localhost or 127.0.0.1.

Readme

Keywords

none

Package Sidebar

Install

npm i @webbio/strapi-plugin-sso

Weekly Downloads

20

Version

3.0.0

License

MIT

Unpacked Size

312 kB

Total Files

98

Last publish

Collaborators

  • fred-webbio
  • smdehaas
  • jaapwebbio
  • rowanpaul
  • mikewebbio
  • hayedewit
  • tomwebbio
  • maikelm
  • joerismits
  • martijn-webbio