mirror of https://github.com/MISP/MISP
1.8 KiB
1.8 KiB
MISP OpenID Connect Authentication
This plugin provides ability to use OpenID as Single sign-on for login users to MISP. When plugin is enabled, users are directly redirected to SSO provider and it is not possible to login with passwords stored in MISP.
Usage
- Install required library using composer
cd app
php composer.phar require jakub-onderka/openid-connect-php:1.0.0-rc1
- Enable in
app/Config/config.php
$config = array(
...
'Security' => array(
...
'auth' => 'array('OidcAuth.Oidc')',
),
...
- Configure in
app/Config/config.php(replace variables in{{ }}with your values)
$config = array(
...
'OidcAuth' = [
'provider_url' => '{{ OIDC_PROVIDER }}',
'issuer' => '{{ OIDC_ISSUER }}', // If omitted, it defaults to provider_url
'client_id' => '{{ OIDC_CLIENT_ID }}',
'client_secret' => '{{ OIDC_CLIENT_SECRET }}',
'role_mapper' => [ // if user has multiple roles, first role that match will be assigned to user
'misp-user' => 3, // User
'misp-admin' => 1, // Admin
],
'default_org' => '{{ MISP_ORG }}',
],
...
Caveats
When user is blocked in SSO (IdM), he/she will be not blocked in MISP. He could not log in, but users authentication keys will still work and also he/she will still receive all emails.
To solve this problem:
- set
OidcAuth.offline_accesstotrue- with that, IdP will be requested to provide offline access token - set
OidcAuth.check_user_validityto number of seconds, after which user will be revalidated if he is still active in IdP. Zero means that this functionality is disabled. Recommended value is300. - because offline tokens will expire when not used, you can run
cake user check_user_validityto check all user in one call