fix: posts structure
@ -6,7 +6,7 @@ slug: "authelia-selfhosted-sso"
tags: ["tools", "sso"]
---
First of all, what is an SSO?
## What's an SSO ?
> Single sign-on (SSO) is an authentication scheme that allows a user to log in with a single ID to any of several related, yet independent, software systems.
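Review bot: the block quote closing this hunk is a verbatim definition with no source named; add a link to the page it was taken from directly after the quote. Minor style point on `## What's an SSO ?`: drop the space before the question mark, which is French punctuation and reads as a typo in an English post.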
@ -18,7 +18,7 @@ There are several advantages :
- Add double authentification
- Login regulation (Anti brute force)
---
## Instalation
Now that we have seen what an SSO is and the interest it can have in a Homelab, let's start the installation!
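Review bot: two spelling errors survive the restructure in this hunk: `Add double authentification` should read `Add double authentication` (the term the rest of the post uses), and the heading `## Instalation` is missing an `l` (`## Installation`). The bullet `Login regulation (Anti brute force)` would be clearer as `Login regulation (rate limiting against brute force)`, since the regulation section later explains exactly that.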
@ -52,7 +52,7 @@ Let's start by generating the secret JWT. For that I use this [site](https://www
jwt_secret: [example_secret]
```
## Session
### Session
Several elements must be configured in this part:
- **secret** : generate a password with the site of your choice
- **domain** : indicate your domain (`ex. youdomain.com`)
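Review bot: both `jwt_secret` (hunk header) and the session `secret` in the `### Session` list are generated on a third-party website. These values sign Authelia's reset tokens and session cookies, so they should never leave the host; suggest replacing the advice with a local command such as `openssl rand -hex 64`, and adding that the values can be kept out of the committed configuration by supplying them through `AUTHELIA_JWT_SECRET_FILE` and `AUTHELIA_SESSION_SECRET_FILE`. Also `youdomain.com` (here and later in the post) should be `yourdomain.com`.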
@ -76,7 +76,7 @@ session:
minimum_idle_connections: 0
```
## User
### User
It is in this part that you will have to add the users who will be able to connect to the SSO. No element has to be modified in the configuration file, but you will have to create a second file: `users_database.yml`. This file is composed as follows:
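Review bot: the `### User` paragraph should say what `users_database.yml` contains: it holds every user's password hash together with their groups and email, so it must be readable only by the Authelia process and kept out of any public repository; a sentence on file permissions fits right after `This file is composed as follows:`.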
```
@ -106,7 +106,7 @@ If this does not work you can manually create the hash using this [site](https:/
<img class="thumbnailshadow" src="img/image-2.png"/>
## Access control
### Access control
For the access policy we will do something simple with a single role. But nothing prevents you from creating several roles with different rights and access.
So we are going to create a `user` group that will have to use the double authentication and will have access to all the subdomains. For this you have to modify the two `exemple.org` in the template file.
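Review bot: the hunk header recommends creating the password hash on a website, which means sending the cleartext password to a third party; Authelia ships its own hasher (`authelia crypto hash generate argon2` in current releases, `authelia hash-password` in older ones), so point readers there instead. `exemple.org` is misspelled (the Authelia template uses `example.com`, and the TOTP issuer later in the post uses `example.org`), so readers will search the template for a string that is not there. Finally, since the `user` group gets `two_factor` access to every subdomain, it is worth stating that `default_policy: deny` should stay in place so an unmatched domain is refused rather than let through.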
@ -121,7 +121,7 @@ access_control:
policy: two_factor
```
## Storage
### Storage
For the storage part we will use our database created with Mysql. You have to modify the following values in the template:
- **encryption_key** : generate a password with the site of your choice
- **mysql** : indicate ip, port, database name, user and mysql password
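Review bot: `encryption_key` in the `### Storage` list deserves a warning that it is not just another password: Authelia uses it to encrypt TOTP secrets and other sensitive rows in the storage backend, so losing it makes existing second-factor enrolments unrecoverable, and changing it later requires `authelia storage encryption change-key`. Suggest: generate it locally rather than on a website, back it up, and supply it and the MySQL password via `AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE` and `AUTHELIA_STORAGE_MYSQL_PASSWORD_FILE` instead of writing them into the template. `Mysql` should be spelled `MySQL`.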
@ -137,7 +137,7 @@ storage:
password: [mysql_password]
```
## Regulation
### Regulation
For the anti brute force security, we will set up a regulation policy with 3 attempts maximum in 2 min before a ban of 5 min. This regulation is not the ultimate solution, it is always preferable to also set up a Fail2ban to complete this solution.
```
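Review bot: the regulation paragraph leaves the relationship to Fail2ban vague. Authelia's regulation bans the user account after 3 failures in 2 minutes, whereas Fail2ban bans the source IP based on Authelia's log; saying so explains why both are wanted (one limits guessing against a single account, the other limits a single host against all accounts). `to also set up a Fail2ban` should read `to also set up Fail2ban`, and `3 attempts maximum in 2 min` would be clearer as `a maximum of 3 attempts in 2 minutes`.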
@ -147,7 +147,7 @@ regulation:
ban_time: 5m
```
## Notification
### Notification
To set up email notifications, you must fill in the following part of the template. This part is not mandatory but it is used to reset your password in case you forget...
```
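Review bot: `This part is not mandatory` in the `### Notification` paragraph is misleading. Authelia requires a notifier and uses it to deliver the identity-verification link when a user registers a TOTP or Duo device, not only for password resets, so a homelab without an SMTP server still needs at least the `filesystem` notifier (`notifier.filesystem.filename`). Also replace the trailing `in case you forget...` with a complete sentence.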
@ -164,12 +164,12 @@ smtp:
disable_html_emails: false
```
## Double Authentification
### Double Authentification
For the double authentication several solutions are offered to you. The two most interesting celons me are the following:
TOTP
This is the most famous method, you just have to use an application like Google Auth to get a code that changes every 30 seconds. The configuration is very simple, just customize the `issuer` field with the name you want. This name will be displayed in your
### TOTP
#### TOTP
```
application.totp:
issuer: [example.example.org]
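Review bot: the sentence `This name will be displayed in your` is cut off mid-sentence (presumably `...in your authenticator application`), and the French `celons me` should read `in my opinion`; `Double Authentification` also keeps the French spelling while the body text says `double authentication`. Check the key `application.totp:` as well: in Authelia's configuration template the TOTP settings are a top-level `totp:` block (`issuer`, `period`, `skew`), and a stray prefix will either be rejected at startup or leave the issuer unset.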
@ -177,7 +177,7 @@ application.totp:
skew: 1
```
### Duo Push Notification
#### Duo Push Notification
This is the most practical method, when you connect to your SSO, you will receive a notification that will allow you to validate your access. The configuration requires 3 elements that we will create directly on the [Duo](https://duo.com) website. In the Applications tab, click on Protect an Application and look for Partner Auth API. You can now retrieve the following elements and enter them in the Authelia configuration:
- **Integration key**
- **Secret Key**
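Review bot: `skew: 1` at the top of the hunk accepts codes from the neighbouring 30-second windows as well as the current one; one sentence saying this is a tolerance for clock drift, and that raising it widens the window in which a code stays valid, would help readers who copy the value. For Duo, the `Secret Key` is a credential and should be supplied through `AUTHELIA_DUO_API_SECRET_KEY_FILE` rather than pasted into `configuration.yml`; the bullet is a good place to say so.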
@ -194,7 +194,7 @@ duo_api:
You can now start the Authelia docker, if all goes well there should be no errors. If this is the case you can go on, if not you can correct the problems until there are no more. To solve the problems you can use the Authelia [documentation](https://www.authelia.com/docs), but also their [github](https://github.com/authelia/authelia).
## Nginx Proxy Manager
## Integration with a reverse proxy
First of all we will have to set up our Authelia subdomain so that it is accessible from the outside, but also protected with certificates. To do this, create an entry in your reverse proxy and add your subdomain, see:
{{< article link="/posts/how-to-host-multiple-services-on-one-public-ip/" >}}
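Review bot: renaming `## Nginx Proxy Manager` to `## Integration with a reverse proxy` drops the only mention of which proxy the following steps were written for; keep the product name in the first sentence of the section so readers know the entries described are Nginx Proxy Manager ones. In the start-up paragraph, `the Authelia docker` should be `the Authelia container`, and `authelia validate-config --config configuration.yml` catches most configuration mistakes before the first start, which is a more useful troubleshooting step than the documentation link alone.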
@ -295,3 +295,7 @@ You can connect with one of the credencials you created in the `users_database.y
To configure/modify the double authentication method, go to the subdomain you have configured for Authelia (`ex. auth.youdomain.com`). Then select `Methods`:
<img class="thumbnailshadow" src="img/image-5.png"/>
## Conclusion
You now have SSO with dual authentication. This is particularly useful if you want to use the same account on several applications, add authentication to certain applications, or manage access rights to applications.
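Review bot: `credencials` in the hunk header should be `credentials`, and the conclusion switches to `dual authentication` while the rest of the post says `double authentication`; pick one term (standard English is `two-factor authentication`) and use it throughout, including the `Methods` paragraph above.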