You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: docs/sso.md
+124Lines changed: 124 additions & 0 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -151,6 +151,7 @@ Here are descriptions of all the SSO properties:
151
151
|`replace_privileges`| Boolean | Set this to `true` to replace **all** the user's privileges with those mapped via `group_role_map` only. See [User Groups](#user-groups) below for details. |
152
152
|`admin_bootstrap`| String | Temporarily assign full administrator privileges to a given user. This is used for bootstrapping the system on initial setup. See [Admin Bootstrap](#admin-bootstrap) for more. |
153
153
|`logout_url`| String | Set this to the URL to redirect the user to after xyOps performs its own logout. See [Logging Out](#logging-out) below for details. |
154
+
|`command`| String | Optional custom shell command to filter all incoming SSO requests and inject headers. See [Custom Command](#custom-command) below for details. |
154
155
155
156
### Header Map
156
157
@@ -602,6 +603,129 @@ Finally, make sure you set your [IP Whitelist](#ip-whitelist) to only accept hea
602
603
"whitelist": ["127.0.0.1", "::1/128"]
603
604
```
604
605
606
+
## Custom Command
607
+
608
+
The SSO subsystem can optionally launch a custom shell command to filter and transform incoming requests. The idea is that command can read the request and construct proper headers to initiate the SSO flow. The new headers emitted by the command are injected back into the request as it is sent through SSO login. This is for complex integrations where a simple [header map](#header-map) will not suffice, and additional logic needs to take place. The command itself should be placed into the [SSO configuration](#configuration) object as a property named `command`. Example:
609
+
610
+
```json
611
+
"command": "npx xyplug-sso-aws-alb@1.0.0"
612
+
```
613
+
614
+
As with other xyOps Plugin types, communication with the command follows the [xyOps Wire Protocol](xywp.md). Request metadata is sent to the command process via JSON over STDIN, and the process is expected to emit JSON over STDOUT. See below for details.
615
+
616
+
### Command Input
617
+
618
+
When the SSO custom command is invoked, it is passed a JSON document on STDIN (compressed to a single line). This should contain everything needed to validate the request and construct the proper headers for SSO login. The following top-level properties will be present in the object:
619
+
620
+
| Property Name | Type | Description |
621
+
|---------------|------|-------------|
622
+
|`xy`| Number | Indicates the [xyOps Wire Protocol](xywp.md) version. Will be set to `1`. |
623
+
|`type`| String | Indicates the type of action, which will be set to `sso`. |
624
+
|`config`| Object | The complete [SSO Configuration](#configuration) object is included for the command to use. |
625
+
|`method`| String | The request method, which should always be `GET`. |
626
+
|`url`| String | The request URI path, which should always be `/`. |
627
+
|`headers`| Object | The request headers object (all header names are lower-cased). |
628
+
|`cookies`| Object | Any cookies found in the `Cookie` header are parsed and placed into this object. |
629
+
|`id`| String | An internal ID for the request, used for logging. |
630
+
|`ip`| String | The "public" IP address of the request (best effort guess). See [args.ip](https://github.com/jhuckaby/pixl-server-web#argsip). |
631
+
|`ips`| Array | All the IPs of the request, including forwarded proxy IPs. See [args.ips](https://github.com/jhuckaby/pixl-server-web#argsips). |
632
+
633
+
Here is an example JSON document sent to the SSO command's STDIN (pretty-printed for display purposes):
After your custom command validates and processes the request, it needs to send output back to xyOps. This is done by way of a JSON document printed to STDOUT. It should be compressed onto one line, and contain the following top-level properties:
676
+
677
+
| Property Name | Type | Description |
678
+
|---------------|------|-------------|
679
+
|`xy`| Number | Indicates the [xyOps Wire Protocol](xywp.md) version. This must be set to `1`. |
680
+
|`code`| Number | Zero (`0`) indicates success, any other value is an error. |
681
+
|`description`| String | Optional error message, will be displayed to the user if `code` is non-zero. |
682
+
|`headers`| Object | New headers to inject into the request for SSO login. |
683
+
684
+
Here is an example output (pretty-printed for display purposes):
685
+
686
+
```json
687
+
{
688
+
"xy": 1,
689
+
"code": 0,
690
+
"headers": {
691
+
"x-forwarded-user": "jhuckaby",
692
+
"x-forwarded-name": "Joseph Huckaby",
693
+
"x-forwarded-email": "jhuckaby@example.com",
694
+
"x-forwarded-groups": "pixlcore:owners"
695
+
}
696
+
}
697
+
```
698
+
699
+
The idea here is that the command validates and parses the request, using whatever bits of information are required. In the above example it's these two headers which contain the encoded user information:
After decoding the data, the command then produces properly-formatted trusted headers (which match the [Header Map](#header-map)) to initiate the SSO login process:
707
+
708
+
```
709
+
"x-forwarded-user": "jhuckaby",
710
+
"x-forwarded-name": "Joseph Huckaby",
711
+
"x-forwarded-email": "jhuckaby@example.com",
712
+
"x-forwarded-groups": "pixlcore:owners"
713
+
```
714
+
715
+
If something goes wrong and the request cannot be validated, your command should send back a non-zero `code` along with a `description` which will be logged and displayed to the user. Example:
716
+
717
+
```json
718
+
{
719
+
"xy": 1,
720
+
"code": 1,
721
+
"description": "Failed to validate request: Missing x-amzn-oidc-identity header"
722
+
}
723
+
```
724
+
725
+
### Command Debugging
726
+
727
+
To debug custom commands, set your [debug_level](config.md#debug_level) to `9`, and watch the `logs/SSO.log` log. It will contain the full command request and response, including raw STDOUT and STDERR.
728
+
605
729
## Live Production
606
730
607
731
In a production environment, it is crucial to ensure the security and reliability of the SSO implementation. Here is a checklist:
0 commit comments