---

login:
  title: "luzifer.io - Login"
  default_method: "simple"
  default_redirect: "https://luzifer.io/"
  hide_mfa_field: false
  names:
    simple: "Username / Password"
    yubikey: "Yubikey"

cookie:
  domain: ".example.com"
  authentication_key: "Ff1uWJcLouKu9kwxgbnKcU3ps47gps72sxEz79TGHFCpJNCPtiZAFDisM4MWbstH"
  expire: 3600        # Optional, default: 3600
  prefix: "nginx-sso" # Optional, default: nginx-sso
  secure: true        # Optional, default: false

# Optional, default: 127.0.0.1:8082
listen:
  addr: "127.0.0.1"
  port: 8082

audit_log:
  targets:
    - fd://stdout
    - file:///var/log/nginx-sso/audit.jsonl
  events: ['access_denied', 'login_success', 'login_failure', 'logout', 'validate']
  headers: ['x-origin-uri']
  trusted_ip_headers: ["X-Forwarded-For", "RemoteAddr", "X-Real-IP"]

acl:
  rule_sets:
  - rules:
    - field: "host"
      equals: "test.example.com"
    - field: "x-origin-uri"
      regexp: "^/api"
    allow: ["luzifer", "@admins"]

mfa:
  yubikey:
    # Get your client / secret from https://upgrade.yubico.com/getapikey/
    client_id: "12345"
    secret_key: "foobar"

  duo:
    # Get your ikey / skey / host from  https://duo.com/docs/duoweb#first-steps
    ikey: "IKEY"
    skey: "SKEY"
    host: "HOST"
    user_agent: "nginx-sso"

plugins:
  directory: ./plugins/

providers:
  # Authentication against an Atlassian Crowd directory server
  # Supports: Users, Groups
  crowd:
    url: "https://crowd.example.com/crowd/"
    app_name: ""
    app_pass: ""

  # Authentication through OAuth2 workflow with Google Account
  # Supports: Users
  google_oauth:
    client_id: ""
    client_secret: ""
    redirect_url: "https://login.luifer.io/login"

    # Optional, defaults to no limitations
    require_domain: "example.com"
    # Optional, defaults to "user-id"
    user_id_method: "full-email"

  # Authentication against (Open)LDAP server
  # Supports: Users, Groups
  ldap:
    enable_basic_auth: false
    manager_dn: "cn=admin,dc=example,dc=com"
    manager_password: ""
    root_dn: "dc=example,dc=com"
    server: "ldap://ldap.example.com"
    # Optional, defaults to root_dn
    user_search_base: ou=users,dc=example,dc=com
    # Optional, defaults to '(uid={0})'
    user_search_filter: ""
    # Optional, defaults to root_dn
    group_search_base: "ou=groups,dc=example,dc=com"
    # Optional, defaults to '(|(member={0})(uniqueMember={0}))'
    group_membership_filter: ""
    # Replace DN as the username with another attribute
    # Optional, defaults to "dn"
    username_attribute: "uid"
    # Configure TLS parameters for LDAPs connections
    # Optional, defaults to null
    tls_config:
      # Set the hostname for certificate validation
      # Optional, defaults to host from the connection URI
      validate_hostname: ldap.example.com
      # Disable certificate validation
      # Optional, defaults to false
      allow_insecure: false

  # Authentication through OAuth2 workflow with OpenID Connect provider
  # Supports: Users
  oidc:
    client_id: ""
    client_secret: ""
    # Optional, defaults to "OpenID Connect"
    issuer_name: ""
    issuer_url: ""
    redirect_url: "https://login.luifer.io/login"

    # Optional, defaults to no limitations
    require_domain: "example.com"
    # Optional, defaults to "subject"
    user_id_method: "full-email"


  # Authentication against embedded user database
  # Supports: Users, Groups, MFA
  simple:
    enable_basic_auth: false

    # Unique username mapped to bcrypt hashed password
    users:
      luzifer: "$2a$10$FSGAF8qDWX52aBID8.WpxOyCvfSQ3JIUVFiwyd1jolb4jM3BzJmNu"

    # Groupname to users mapping
    groups:
      admins: ["luzifer"]

    # MFA configs: Username to configs mapping
    mfa:
      luzifer:
        - provider: duo

        - provider: totp
          attributes:
            secret: MZXW6YTBOIFA  # required
            period: 30            # optional, defaults to 30 (Google Authenticator)
            skew: 1               # optional, defaults to 1 (Google Authenticator)
            digits: 8             # optional, defaults to 6 (Google Authenticator)
            algorithm: sha1       # optional (sha1, sha256, sha512), defaults to sha1 (Google Authenticator)

        - provider: yubikey
          attributes:
            device: ccccccfcvuul

  # Authentication against embedded token directory
  # Supports: Users, Groups
  token:
    # Mapping of unique token names to the token
    tokens:
      tokenname: "MYTOKEN"

    # Groupname to token mapping
    groups:
      mytokengroup: ["tokenname"]

  # Authentication against Yubikey cloud validation servers
  # Supports: Users, Groups
  yubikey:
    # Get your client / secret from https://upgrade.yubico.com/getapikey/
    client_id: "12345"
    secret_key: "foobar"

    # First 12 characters of the OTP string mapped to the username
    devices:
      ccccccfcvuul: "luzifer"

    # Groupname to users mapping
    groups:
      admins: ["luzifer"]

...