At line 1 changed 3 lines |
!!Enterprise Licenses Only\\ |
This plugin allows you to delegate access of OAuth providers.\\ |
Currently __Google Sign-In__, __Microsoft Sign-In__ and __Azure Active Directory B2C__ are supported.\\ |
Constraint: __Enterprise Licenses Only__\\ |
This plugin allows you to delegate access to OAuth ([https://en.wikipedia.org/wiki/OAuth]) providers. On the CrushFTP's login page next to the login button will appear the enabled provider's "__Signed in"__ button".\\ |
Currently __Google Sign-In__([Google Sign in Configuration]), __Microsoft Sign-In__([Microsoft Sign in Configuration]), __Azure Active Directory B2C Sign in__([Azure Active Directory B2C Configuration]) and __Amazon Cognito Sign in__([Amazon Cognito Configuration]) are supported.\\ |
At line 5 changed one line |
!!1. Google Sign-In\\ |
It only works through __HTTP__ or __HTTPS__ protocol.\\ |
First configure an HTTP(S) port item with OAuth Sign In configuration.\\ |
[attachments|http_port_oauth_item_settings.png]\\ |
At line 7 changed 2 lines |
You will start at the API credentials manager:\\ |
[https://console.developers.google.com/projectselector/apis/credentials]\\ |
!!Supported types:\\ |
!1. Google Sign-In\\ |
See [Google Sign in Configuration]\\ |
!2. Microsoft Sign-In\\ |
See [Microsoft Sign in Configuration]\\ |
!3. Azure Active Directory B2C\\ |
See [Azure Active Directory B2C Configuration]\\ |
!4. Amazon Cognito\\ |
See [Amazon Cognito Configuration]\\ |
At line 10 changed 2 lines |
You first need to make a project. My example calls this CrushFTP-Test.\\ |
[attachments|gDriveSetup/create_project.png]\\ |
!!Plugin Settings\\ |
At line 13 changed 2 lines |
Next select create credentials, and choose the Web Application type.\\ |
[attachments|gDriveSetup/create_credentials.png]\\ |
|
__1.__ __Username matching__ -> It filters the OAuth user name (Google Auth: email address, Microsoft Auth: user principal name). Allow multiple values separated by a comma. Domain filter is allowed (like *mydomain.com).\\ |
At line 16 changed one line |
[attachments|gDriveSetup/oauth_consent.png]\\ |
__2.__ __Allowed authentication types__: Google Sign-In, Microsoft Sign-In, Azure Active Directory B2C Sign in and Amazon Cognito Sign. Configure the sign-in button on HTTP(S) server.\\ |
At line 18 changed 2 lines |
When configuring the credential, you have to tell Google the domain you will be originating from when creating the auth token, so this is the URL you use for server administration. Just the protocol://dns_or_ip:port Don't have a trailing slash or it will complain.\\ |
You also need to put in the redirect URL of where Google is going to send back the Id token (Id Token : That will be used for authentication of the google user). Copy the Client ID that will be required to integrate the Google Sing-In Button.\\ |
__3.__\\ |
__a.__ __Skip OTP processing__: CrushOAuth plugin is not compatible with [OTP Settings] as IDP (identity provider) can have its own two-factor authentication. Turning the flag to true will skip OAuth users from CrushFTP's OTP process.\\ |
__b.__ __Remove email suffix from username__: It removes the email suffix of the user name. Like username "my_user@email.com" will be "my_user".\\ |
__c.__ __Get Cognito user info__: Gets more info about Amazon Cognito users (like custom attributes). It is related only to __Amazon Cognito Sign in__.\\ |
At line 21 changed one line |
__Integrate Google Sign-In button__\\ |
__4.__ OAuth only used for Authentication ([User Manager] defines user's access.) -> If users already exist in CrushFTP's User Manager, you can use the CrushOAuth plugin __just for authentication__.\\ |
At line 23 changed one line |
[attachments|gsign_in_button.png]\\ |
__5.__ __Template Username__ -> The signed-in user inherits not just the settings, but the VFS items too (as Linked [VFS]). |
At line 25 changed one line |
Go to the __Preferences-> Ip/Servers__ and select the __HTTP__ or __HTTPS__ port item (OAuth Sign In Tab) where you want to enable the Google Sing-In button. Check the __"Enable Google Sign in"__ flag and provide the __Client ID__ of you Google project(mentioned above).\\ |
__Import settings from CrushFTP user__ -> The signed-in user inherits just the settings from this user. __It must have a value! __Default value would be : __default__ -> the default user of CrushFTP\\ |
At line 27 changed 32 lines |
[attachments|port_item_settings.png]\\ |
\\ |
!!2. Microsoft Sign-In\\ |
\\ |
It requires Microsoft Graph Application registration. Start at the Microsoft azure portal:\\ |
[https://azure.microsoft.com/en-us/features/azure-portal/]\\ |
\\ |
__Application registration__: Go to the App registrations and click on New registration:\\ |
\\ |
[attachments|SMTP Microsoft Graph XOAUTH 2 Integration/new_registration.png]\\ |
\\ |
Name it. Select __Single-page Application__ as platform. The redirect url must ends with :__WebInterface/login.html__. Then click on register.\\ |
\\ |
[CrushOAuth/app_reg_config.png]\\ |
\\ |
Make sure that MSAL.js 2.0, Implicit grant (Access Token, ID Token) grant types are permitted.\\ |
\\ |
[CrushOAuth/app_reg_auth_config.png]\\ |
\\ |
Get Client Id and Tenant Id from App registration -> Overview.\\ |
\\ |
[MicrosoftMails/client_id.png]\\ |
\\ |
Go to the Preferences-> Ip/Servers and select the HTTP or HTTPS port item((OAuth Sign In Tab) where you want to enable the __Microsoft Sing-In__ button. Check the __"Enable Microsoft Sign in"__ flag and provide the __Client ID__ and __Tenant ID__ of your App registration(mentioned above).\\ |
[CrushOAuth/port_item_settings_ms.png]\\ |
\\ |
!!3. Azure Active Directory B2C\\ |
\\ |
About Azure Directory B2C : [https://docs.microsoft.com/en-us/azure/active-directory-b2c/overview]\\ |
\\ |
!!4. Plugin Settings\\ |
\\ |
__6__ __OAuth Roles__ -> You can configure different Template Users (see 5.) based on IDP's (identity provider) attributes.\\ |
IDP Attribute examples:\\ |
{{{ |
At line 60 changed one line |
__1.__ Username matching -> It filters the OAuth user name (Google Auth: email address, Microsoft Auth: user principle name). You can put multiple value separated by comma. Domain filter is allowed to (like *mydomain.com).\\ |
Google Sign-In: |
email_verified, idp_user_info, given_name, family_name, email_verified, group |
|
Microsoft Sign-In: |
mail, idp_user_info, displayName, jobTitle, businessPhones, mobilePhone, officeLocation, group |
|
Amazon Cognito Sign-in: |
email, username, identities, cognito:username, cognito:groups, custom:<<defined custom attributes>> |
}}} |
Role examples : |
{{{ |
|
<<IDP attribute name>>=<<IDP attribute value>>,<<IDP attribute name>>=<<IDP attribute value>> : tmeplate user name |
|
Like: |
cognito:groups=Azure_SAML,custom:groups:test_group_one |
or |
cognito:groups=*SAML*,custom:groups:test_group_one |
or |
cognito:groups=REGEX:.*SAML$,custom:groups:test_group_one |
}}} |
At line 62 changed one line |
__2.__ Allowed authentication types\\ |
IDP attribute value: Exact match, Simple Match (like *mail.com*), Regex match (like REGEX:<<the regular expression>>), if the value is an array you can reference only one of the array element (exact match only). Like (IDP Attribute value -> __groups:[["group1","group2"]__ -> you can match with __group1__)\\ |
\\ |
At line 64 changed one line |
__3.__ OAuth only used for Authentication (User manager then defines user's access.) -> If the users already exists with username of the OAuth, you can use the plugin just for authentication.\\ |
__7.__ VFS-related settings -> You can set custom [VFS] for CrushOAuth users.\\ |
At line 66 changed one line |
__4.__ Template Username -> The signed in user inherits no just the settings, but the VFS items too (as Linked VFS).\\ |
[attachments|plugin_settings.png]\\ |
At line 68 changed one line |
Import settings from CrushFTP user -> The signed in user inherits just the settings from this user.\\ |
!!DMZ\\ |
At line 70 changed one line |
__5.__ VFS related settings : You can also assign a VFS item for the signed in user.\\ |
__1.__ Configure your OAuth Sign In settings on the DMZ's HTTP(S) port item.\\ |
__2.__ Configure the same OAuth Sign In settings on the Internal (Main) HTTP(S) port item. This port item must match with the port item configured at the DMZ template user's VFS. (See [DMZ])\\ |
At line 72 changed one line |
[attachments|plugin_settings.png]\\ |
[attachments|dmz_template_user_internal_port.png]\\ |
At line 77 added 2 lines |
__3.__ Configure the OAuth plugin __only on the Internal (Main) instance__. !!!Do not configure the OAuth plugin on the DMZ too. See __Plugin Settings__ on the current page.\\ |
\\ |