这是indexloc提供的服务,不要输入任何密码
Skip to content

simple SSO config docs #109

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 2 commits into from
Oct 29, 2024
Merged

simple SSO config docs #109

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
40a2b65
simple SSO config docs
timothycarambat Oct 29, 2024
f40a550
Merge branch 'main' into simple-sso-docs-config
timothycarambat Oct 29, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
66 changes: 66 additions & 0 deletions pages/configuration.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -47,3 +47,69 @@ DISABLE_VIEW_CHAT_HISTORY="enable"
### Disable

Fully remove or comment out the `DISABLE_VIEW_CHAT_HISTORY` environment variable to return to the default behavior.

## Simple SSO Passthrough

<Callout type="error" emoji="️🚨">
**Important:** You should use an independent API key for using this feature so
you can revoke it if needed. This feature configuration is best used for
internally facing AnythingLLM instances that are not exposed to the public
internet for the best security practices.
</Callout>

Modification of the `SIMPLE_SSO_ENABLED` environment variable allows easily enable third party SSO solutions that do not require a full OAuth integration. This environment variable
will enable you to generate a temporary authentication link **per user** that can be visited in browser to automatically login the user.

This feature is most useful for when you have AnythingLLM as a simple sub-service within a much larger system and you want to leverage existing user authentication flows within that system and want to provide a seamless login experience for your users to your AnythingLLM instance.

### Prerequisites

- **Your instance must be in multi-user mode** to use this feature.
- You should provision an API key for AnythingLLM so you can create new users as well as issue temporary authentication links for users.
- The user must already exist within AnythingLLM before using this feature. You can create a user via the in-app interface or the API.

### Enable

Set the `SIMPLE_SSO_ENABLED` environment variable to **_any value_** to enable.

```bash copy
# This can be any value, number, boolean, or string and it will have the same effect.
SIMPLE_SSO_ENABLED="enable"
```

### Integration

Once enabled, you can issue a temporary authentication link for a user leveraging the `/v1/users/{id}/issue-auth-token` endpoint via the AnythingLLM API.
You simply need to provide the user ID and the API key you created earlier to generate a temporary authentication token that can be used by the target user to login to AnythingLLM.

```bash copy
curl -X POST "https://your-anythingllm-instance.com/v1/users/{id}/issue-auth-token" \
-H "Authorization: Bearer {api_key}"
# Example Response
# {
# "token": "1234567890",
# "loginPath": "/sso/simple?token=1234567890"
# }
```

Now, the user can visit the provided `loginPath` URL in their browser to be automatically logged in to AnythingLLM!

```text copy
https://your-anythingllm-instance.com/sso/simple?token=1234567890
```

All temporary authentication tokens expire after 1 hour and are single-use only. Once logged in, the user sessions will be valid for 30 days.
The user will be redirected to the home page of AnythingLLM after logging in.
You can optionally redirect the user to a different URL after logging in by appending `&redirectTo={path/to/redirect}` to the query string of the login path.

For example:

```text copy
https://your-anythingllm-instance.com/sso/simple?token=1234567890&redirectTo=/workspaces/sample-workspace
```

Will redirect the user to the `/workspaces/sample-workspace` chat page after logging in. This can be useful if you want to redirect the user to a specific workspace they have access to after logging in.

### Disable

Fully remove or comment out the `SIMPLE_SSO_ENABLED` environment variable to return to the default behavior.