mirror of https://github.com/MISP/MISP
34c85cfe7e | ||
---|---|---|
.. | ||
Controller/Component/Auth | ||
Lib | ||
README.md |
README.md
MISP OpenID Connect Authentication
This plugin provides ability to use OpenID as Single sign-on for login users to MISP. When plugin is enabled, users are directly redirected to SSO provider and it is not possible to login with passwords stored in MISP.
Usage
- Install required library using composer
cd app
php composer.phar require jakub-onderka/openid-connect-php:1.0.0-rc1
- Enable in
app/Config/config.php
$config = array(
...
'Security' => array(
...
'auth' => 'array('OidcAuth.Oidc')',
),
...
- Configure in
app/Config/config.php
(replace variables in{{ }}
with your values)
$config = array(
...
'OidcAuth' = [
'provider_url' => '{{ OIDC_PROVIDER }}',
'issuer' => '{{ OIDC_ISSUER }}', // If omitted, it defaults to provider_url
'client_id' => '{{ OIDC_CLIENT_ID }}',
'client_secret' => '{{ OIDC_CLIENT_SECRET }}',
'role_mapper' => [ // if user has multiple roles, first role that match will be assigned to user
'misp-user' => 3, // User
'misp-admin' => 1, // Admin
],
'default_org' => '{{ MISP_ORG }}',
],
...
Caveats
When user is blocked in SSO (IdM), he/she will be not blocked in MISP. He could not log in, but users authentication keys will still work and also he/she will still receive all emails.
To solve this problem:
- set
OidcAuth.offline_access
totrue
- with that, IdP will be requested to provide offline access token - set
OidcAuth.check_user_validity
to number of seconds, after which user will be revalidated if he is still active in IdP. Zero means that this functionality is disabled. Recommended value is300
. - because offline tokens will expire when not used, you can run
cake user check_user_validity
to check all user in one call