add sso guide (uncomplete)

docs/divers/devops/index.md

@@ -1,5 +1,4 @@
 # Guides Devops
 
 - [Déployer un site web avec Hugo](hugo.md)
-- [Déployer une documentation avec Mkdocs](mkdocs.md)
-- [Keycloak as SSO for Nextcloud](keycloak-nextcloud.md)
+- [Keycloak as SSO for Nextcloud](sso/index.md)

docs/divers/devops/keycloak-nextcloud.md

@@ -1,207 +0,0 @@
-# Keycloak as SSO in Nextcloud
-
-## Keycloak configuration
-
-### Create a client
-
-We need first to create a client in keycloak, to connect to Nextcloud.
-
-Name `Client id` as you wish.
-
-![create a client](img/keycloak-nextcloud/keycloak_create-client.png)
-
-Use the following settings:
-
-![settings for client](img/keycloak-nextcloud/keycloak_client-settings.png)
-
-and
-
-![Configure ID Token Signature Algo as RS256](img/keycloak-nextcloud/keycloak_client-openidfineconfig.png)
-
-### Map groups in client
-
-#### Create a new role in client
-
-In **Roles** tab, we create a role admin that we will map to Nextcloud.
-
-![create role](img/keycloak-nextcloud/keycloak_client-newrole.png)
-
-Create here all the groups you'll need in Nextcloud
-
-**You will also have to create them in Nextcloud! **
-
-#### Configure mapper for roles
-
-This will allow us to map roles from client to nextcloud's groups.
-
-![Mapper for groups](img/keycloak-nextcloud/keycloak_client-openidmapperroles.png)
-
-Choose the **Name** you want, but **Token Claim Name** must be `ownCloudGroups`.
-
-#### Map roles for user
-
-Go to an admin user you created (or create an user) and map admin role we created.
-
-Go to the **Role Mappings** tab, then select the client you created in the **Client Roles** 
-selection box, then click on **Add Selected** in the bottom-left to promote a role from available 
-to assigned roles.
-
-![map roles for user](img/keycloak-nextcloud/keycloak_user-rolemapping.png)
-
-#### Check if mapping has been catched by client
-
-Go back to client part and evaluate client scope for the admin user you just configured. 
-
-Go to your client, tab **Client Scopes**, select your user and clic on **Evaluate**.
-
-Check the **Generated Access Token** tab to see if the user get admin role.
-
-![evaluate client scope](img/keycloak-nextcloud/keycloak_client-evaluaterolemapping.png)
-
-### Map quota
-
-We have the ability to define storage quota for each user we create.
-
-#### Configure mapper for quota
-
-![Mapper for quota](img/keycloak-nextcloud/keycloak_client-openidmapperquota.png)
-
-#### Configure quota for user
-
-![Quota attribute for user](img/keycloak-nextcloud/keycloak_user-openidattributequota.png)
-
-### Get informations
-
-We need client secret and realm endpoints to configure nextcloud.
-
-#### Get Client Secret
-
-Go in **Client** -> **Credentials**, to get client secret that we will need to configure nextcloud plugin.
-
-![get client secret](img/keycloak-nextcloud/keycloak_client-getcredentials.png)
-
-#### See Endpoints
-
-You will also need endpoints urls to adapt Nextcloud Social Login plugin configuration.
-
-Go in **Realm Settings** -> **General**, clic on `OpenID EndpointConfiguration`.
-
-![Ask for conf page](img/keycloak-nextcloud/keycloak_realm-accessconf.png)
-
-You will be redirected to the API endpoint, showing you endpoits url and other infos:
-
-![json endpoint data](img/keycloak-nextcloud/keycloak_realm-json.png)
-
-
-#### Install the plugin
-
-**OpenID Connect Login** is a plugin made by pulsejet that can be found in Nextcloud AppStore.
-
-#### Configure Nextcloud
-
-Configuration of the plugin can only be made by modifying `config.php`.
-
-```
-$CONFIG = array (
-    'allow_user_to_change_display_name' => false,
-    'lost_password_link' => 'disabled',
-
-    // URL of provider. All other URLs are auto-discovered from .well-known
-    'oidc_login_provider_url' => 'https://keycloak.domain.ext/auth/realms/YOUR-REALM',
-
-    // Client ID and secret registered with the provider
-    'oidc_login_client_id' => 'nextcloud.domain.ext', // Client ID, Step 1
-    'oidc_login_client_secret' => 'secret', // Client Secret: Got to Clients -> Client -> Credentials
-
-    // Automatically redirect the login page to the provider
-    'oidc_login_auto_redirect' => false,
-
-    // Redirect to this page after logging out the user
-    'oidc_login_logout_url' => 'https://keycloak.domain.ext/auth/realms/YOUR-REALM/protocol/openid-connect/logout?&redirect_uri=http%3A%2F%2Fnextcloud.domain.ext%2F', 
-
-    // Quota to assign if no quota is specified in the OIDC response (bytes)
-    'oidc_login_default_quota' => '1000000000',
-
-    // Login button text
-    'oidc_login_button_text' => 'OpenID',
-
-    // Attribute map for OIDC response. Available keys are:
-    //   i)   id:       Unique identifier for username
-    //   ii)  name:     Full name
-    //   iii) mail:     Email address
-    //   iv)  quota:    Nextcloud storage quota
-    //   v)   home:     Home directory location. A symlink or external storage to this location is used
-    //   vi)  ldap_uid: LDAP uid to search for when running in proxy mode
-    //   vii) groups:   Array or space separated string of NC groups for the user
-    //
-    // The attributes in the OIDC response are flattened by adding the nested
-    // array key as the prefix and an underscore. Thus,
-    //
-    //     $profile = [
-    //         'id' => 1234,
-    //         'attributes' => [
-    //             'uid' => 'myuid'
-    //         ]
-    //     ];
-    //
-    // would become,
-    //
-    //     $profile = [
-    //         'id' => 1234,
-    //         'attributes_uid' => 'myuid'
-    //     ]
-    //
-    'oidc_login_attributes' => array (
-        'id' => 'preffered_username',
-        'name' => 'name',
-        'mail' => 'email',
-        'quota' => 'ownCloudQuota',
-        'home' => 'homeDirectory',
-        'ldap_uid' => 'uid',
-        'groups' => 'ownCloudGroups',
-    ),
-
-    // Default group to add users to (optional, defaults to nothing)
-    'oidc_login_default_group' => 'oidc',
-
-    // Use external storage instead of a symlink to the home directory
-    // Requires the files_external app to be enabled
-    'oidc_login_use_external_storage' => false,
-
-    // Set OpenID Connect scope
-    'oidc_login_scope' => 'openid profile',
-
-    // Run in LDAP proxy mode
-    // In this mode, instead of creating users of its own, OIDC login
-    // will get the existing user from an LDAP database and only
-    // perform authentication with OIDC. All user data will be derived
-    // from the LDAP database instead of the OIDC user response
-    //
-    // The `id` attribute in `oidc_login_attributes` must return the
-    // "Internal Username" (see expert settings in LDAP integration)
-    'oidc_login_proxy_ldap' => false,
-
-    // Disable creation of new users from OIDC login
-    'oidc_login_disable_registration' => false,
-
-    // Fallback to direct login if login from OIDC fails
-    // Note that no error message will be displayed if enabled
-    'oidc_login_redir_fallback' => true,
-
-    // Use an alternative login page
-    // This page will be php-included instead of a redirect if specified
-    // In the example below, the PHP file `login.php` in `assets`
-    // in nextcloud base directory will be included
-    // Note: the PHP variable $OIDC_LOGIN_URL is available for redirect URI
-    // Note: you may want to try setting `oidc_login_logout_url` to your
-    // base URL if you face issues regarding re-login after logout
-  //  'oidc_login_alt_login_page' => 'assets/login.php',
-    
-    // For development, you may disable TLS verification. Default value is `true`
-    // which should be kept in production
-    'oidc_login_tls_verify' => true,
-    
-    // If you are behind a proxy
-    'overwriteprotocol' => 'https',
-);
-```

docs/divers/devops/sso/index.md

@@ -0,0 +1,79 @@
+# Introduction
+
+This guide will cover the configuration of Keycloak as SSO for different services, like Nextcloud or Mattermost.
+
+The list of users users and groups is mapped with a LDAP server.
+
+We assume you already have a reachable LDAP server. 
+
+```mermaid
+graph LR;
+    A(LDAP server)<-->B(Keycloak SSO);
+    B(Keycloak SSO)<-->A(LDAP server);
+    B(Keycloak SSO)<-->C(Nextcloud);
+    B(Keycloak SSO)<-->D(Mattermost);
+    B(Keycloak SSO)<-->E(Wordpress);
+```
+
+The sequences happens this way, using Nextcloud as an example.
+
+First, Nextcloud redirects login request to Keycloak, and keycloak checks 
+in his internal database if user exists and is connected to this client.
+
+```mermaid
+sequenceDiagram;
+    participant L as LDAP;
+    participant N as Nextcloud;
+    participant K  as Keycloak;
+    participant U as User;
+    activate U;
+    U->>N: Login;
+    Note over U,N: User asks for Nextcloud <br/> login page url;
+    activate N;
+    N->>K: Redirect Login Page;
+    Note over N,K: Nextcloud redirects to <br/> Keycloak login page;
+    activate K;
+    K->>U: Serve Login Page;
+    U->>K: Enter credentials;
+    Note over K,U: User enters credentials <br/> in Keycloak login page;
+    loop Internal; 
+        Note left of K: Check internal Db <br/> if user exists <br/> and is linked <br/> to this client;
+    end;
+    deactivate K;
+    deactivate N;
+```
+
+If user exists in Keycloak database, keycloak updates Ldap data and let 
+Ldap Server in charge for password authentication.
+
+```mermaid
+sequenceDiagram;
+    participant L as LDAP;
+    participant N as Nextcloud;
+    participant K  as Keycloak;
+    participant U as User;
+    activate U;
+    activate K;
+    activate N;
+    K->>L: Final Auth;
+    Note over K,L: Keycloak delegates password <br/> authentication to Ldap Server
+    activate L;
+    alt auth succed;
+        L->>K: success;
+        Note over L,K: Ldap tells Keycloak that auth succeeded;
+        K->>L: update;
+        Note over L,K: Keycloak updates groups and user atribute in Ldap;
+        deactivate L;
+        K->>N: user creation;
+        Note over N,K: Keycloak creates user <br/> in Nextcloud if not exists;
+        K->>N: authentication;
+        Note over K,N: Keycloak authenticates <br/> User in Nextcloud;
+        N->>U: access;
+        Note over N,U: Nextcloud is accessible by User
+    else auth failed;
+        K->>U: Back to login page;
+    end;
+    deactivate K;
+    deactivate N;
+```
+

docs/divers/devops/sso/sso-keycloak.md

@@ -0,0 +1,121 @@
+# Keycloak configuration
+
+## Customize theme
+
+### Duplicate existing theme
+
+Duplicate keycloak theme and rename it to `my-theme`.
+
+Put the folder `my-theme` inside `themes` folder. I you are using Docker, you could simply bind a local folder to `/opt/jboss/keycloak/themes`.
+
+### Change logos
+
+Copy your logo `my-brand-logo.png` and your background `my-brand-bg.png` to the following destinations:  
+  - `my-theme/welcome/resources/`  
+  - `my-theme/login/resources/img/`  
+  - `my-theme/admin/resources/img/`  
+  - `my-theme/account/resources/img/`  
+
+Put also a new `favicon.ico` in `my-teme/welcome/resources/`
+
+Now modify html and css calls to catch your logo name:
+```
+find my-theme/ -type f -exec sed -i 's/keycloak-logo-text.png/my-brand-logo.png/g' {} +
+find my-theme/ -type f -exec sed -i 's/keyclok-logo.png/my-brand-logo.png/g' {} +
+find my-theme/ -type f -exec sed -i 's,/logo.png,/my-brand-logo.png,g' {} +
+find my-theme/ -type f -exec sed -i 's,/bg.png,/my-theme-bg.png,g' {} +
+find my-theme/ -type f -exec sed -i 's/keycloak-bg.png/my-theme-bg.png/g' {} +
+```
+
+If your logo doesn't appear totally in login page, you can change `width` and `height`
+in `div.kc-logo-text` (file `my-theme/login/resources/css/login.css`).
+
+If your logo is distorted in nav bar, you can change `background-size` 
+in `.navbar-pf .navbar-brand` (file `admin/resources/css/styles.css` ). 
+
+From that last `.navbar-pf .navbar-brand` bloc copy the values `height`, 
+`width` and `background-size` and report them to `.navbar-title` 
+in `account/resources/css/account.css`.
+
+### Add terms and conditions
+
+#### Enable in Keycloak
+
+In Keycloak console admin, go to `Authentication > Required Actions` and enable `Terms and conditions`:
+
+![A screenshot of the Required Actions tab in Authentication, with Terms and conditions enabled](img/sso-keycloak-enable-terms.png)
+
+#### Modify message template
+
+If you want to modify actual page title (`Terms and Conditions`), you can modify the following:  
+- `termsTitle`   
+- `termsTitleHtml`  
+- `termsText`  
+- `termsPlainText`
+
+in `${KEYCLOAK_THEMES}/base/login/messages/messages_fr.properties`.
+
+#### Modify 'execute actions' email
+
+This email is sent when administrator triggers it, asking for acoount / password / policy update from the user. 
+
+You can use that trigger at registration, asking for Password Update, so user can access password reset form.  
+Go in in `Ùsers --> Credentials --> Credential reset `: 
+
+![Screenshot showing page for user password reset email sending](img/sso-keycloak-askpwdreset.png)
+
+This email is generated using template at `${KEYCLOAK_THEMES}/base/email/html/password-reset.ftl`.
+
+The message content is in :  
+- `executeActionsBodyHtmlSubject`  
+- `executeActionsBodyHtmlBody`  
+- `executeActionsBodyHtmlBodyHtml`
+  
+in `${KEYCLOAK_THEMES}/base/email/messages/messages_fr.properties` 
+and `${KEYCLOAK_THEMES}/base/email/text/password-reset.ftl`
+
+Copy those three files in your own theme directory and custom it as you want.
+
+#### Modify after execution message
+
+When user executes the actions asked by mail, he ends on a simple page without no link nor redirection.
+
+You may want to add some links in template taken from `base/login/info.ftl`:
+
+```
+<#import "template.ftl" as layout>
+<@layout.registrationLayout displayMessage=false; section>
+    <#if section = "header">
+        <#if messageHeader??>
+        ${messageHeader}
+        <#else>
+        ${message.summary}
+        </#if>
+    <#elseif section = "form">
+      <div id="kc-info-message">
+        <p class="instruction">${message.summary}<#if requiredActions??><#list requiredActions>: <b><#items as reqActionItem>${msg("requiredAction.${reqActionItem}")}<#sep>, </#items></b></#list><#else></#if></$
+        <#if skipLink??>
+                <p><a href="https://id.pnpro.paris/account">Cliquez ici pour gérer votre compte <strong>Keycloak Skiplink</strong></a></p>
+                <p><a href="https://nextcloud.pnpro.paris">Cliquez ici pour accéder à <strong>Nextcloud</strong></a></p>
+                <p><a href="https://chat.pnpro.paris">Cliquez ici pour accéder à <strong>Mattermost</strong></a></p>
+        <#else>
+            <#if pageRedirectUri?has_content>
+                <p><a href="${pageRedirectUri}">${kcSanitize(msg("backToApplication"))?no_esc}</a></p>
+            <#elseif actionUri?has_content>
+                <p><a href="${actionUri}">${kcSanitize(msg("proceedWithAction"))?no_esc}</a></p>
+            <#elseif (client.baseUrl)?has_content>
+                <p><a href="${client.baseUrl}">${kcSanitize(msg("backToApplication"))?no_esc}</a></p>
+            </#if>
+         </#if>
+       </div>
+    </#if>
+</@layout.registrationLayout>
+```
+
+#### Define available languages
+
+For each sub-theme you need to define which locales are implemented (translated), 
+with a comma-separated list of supported locales in `${KEYCLOAK_THEMES}/${SUBTHEME}/theme.properties` like this:
+```
+locales=fr,en
+```

docs/divers/devops/sso/sso-ldap.md

@@ -0,0 +1,96 @@
+# Configure OpenLDAP
+
+We will just need a very basic configuration of Ldap, as Keycloak will 
+populate it.
+
+You can use docker-compose to mount an OpenLdap server basically populated at startup.
+
+## Install OpenLdap with docker-compose
+
+Here's the necessary `docker-compose.yml` file, deploying OpenLdap server along phpldapmyadmin web interface:
+
+```
+version: '3'
+services:
+  openldap:
+      image: osixia/openldap
+      volumes:
+        - ./admin.ldif:/container/service/slapd/assets/config/bootstrap/ldif/admin.ldif
+      #args: [ "--copy-service" ]
+      command: "/bin/sh -c '/container/tool/run --copy-service --loglevel debug'"
+      env_file:
+        - .env
+      tty: true
+      stdin_open: true
+      # For replication to work correctly, domainname and hostname must be
+      # set correctly so that "hostname"."domainname" equates to the
+      # fully-qualified domain name for the host.
+      domainname: "pnpro.paris"
+      hostname: "ldap"
+  phpldapadmin:
+      image: osixia/phpldapadmin
+      ports:
+        - 127.0.0.1:8092:80
+      depends_on:
+        - openldap
+      environment:
+        PHPLDAPADMIN_LDAP_HOSTS: "openldap"
+        PHPLDAPADMIN_HTTPS: "false"
+```
+
+You will need to create a `.env` file with following elements (replace the variables):
+```
+LDAP_ORGANIZATION=${ORGANIZATION}
+LDAP_DOMAIN=domain.org
+LDAP_ADMIN_PASSWORD=${LDAP_ADMIN_PASSWORD}
+LDAP_CONFIG_PASSWORD=${LDAP_CONFIG_PASSWORD}  
+```
+
+## Add a custom `.ldif` file
+
+We can use the following `admin.ldif` file, considering that root cn already exists:
+
+```
+dn: cn=admin, dc=domain, dc=org
+changetype: modify
+replace: o
+o: Complete Organization Name
+
+dn: ou=people, dc=domain, dc=org
+changetype: add
+objectClass: organizationalUnit
+ou: people
+
+dn: uid=superadmin, ou=people, dc=domain, dc=org
+changetype: add
+objectClass: inetOrgPerson
+uid: superadmin
+cn: Super
+sn: Admin
+mail: contact@domain.org
+employeeNumber: 1
+
+dn: ou=groups, dc=domain, dc=org
+changetype: add
+objectClass: organizationalUnit
+ou: groups
+
+
+dn: cn=admin, ou=groups, dc=domain, dc=org
+changetype: add
+objectClass: groupofNames
+cn: admin
+ou: Admin Group
+member: uid=superadmin, ou=people, dc=domain, dc=org
+
+```
+
+The file, binded to `/container/service/slapd/assets/config/bootstrap/ldif/admin.ldif`
+will be used when running server within docker-compose via command `/container/tool/run --copy-service`. 
+
+## Deploy the stack
+
+Run `docker-compose up -d` to deploy the server.
+
+Access phpmyadmin at `http://127.0.0.1:8092` and connect with user 
+`cn=admin, dn=domain, dn=org` and password set in `env`.

docs/divers/devops/sso/sso-nextcloud.md

@@ -0,0 +1,213 @@
+# Keycloak as SSO in Nextcloud
+
+## Keycloak configuration
+
+### Create a client
+
+We need first to create a client in keycloak, to connect to Nextcloud.
+
+Name `Client id` as you wish.
+
+![create a client](img/keycloak-nextcloud/keycloak_create-client.png)
+
+Use the following settings:
+
+![settings for client](img/keycloak-nextcloud/keycloak_client-settings.png)
+
+and
+
+![Configure ID Token Signature Algo as RS256](img/keycloak-nextcloud/keycloak_client-openidfineconfig.png)
+
+### Map groups in client
+
+Since user management is reserved to Keycloak, we need to configure a mapper 
+will reflect user/group configuration in Nextcloud.
+
+In fact, we won't 
+
+#### Create a new role in client
+
+In **Roles** tab, we create a role admin that we will map to Nextcloud.
+
+![create role](img/keycloak-nextcloud/keycloak_client-newrole.png)
+
+Create here all the groups you'll need in Nextcloud
+
+**You will also have to create them in Nextcloud! **
+
+#### Configure mapper for roles
+
+This will allow us to map roles from client to nextcloud's groups.
+
+![Mapper for groups](img/keycloak-nextcloud/keycloak_client-openidmapperroles.png)
+
+Choose the **Name** you want, but **Token Claim Name** must be `ownCloudGroups`.
+
+#### Map roles for user
+
+Go to an admin user you created (or create an user) and map admin role we created.
+
+Go to the **Role Mappings** tab, then select the client you created in the **Client Roles** 
+selection box, then click on **Add Selected** in the bottom-left to promote a role from available 
+to assigned roles.
+
+![map roles for user](img/keycloak-nextcloud/keycloak_user-rolemapping.png)
+
+#### Check if mapping has been catched by client
+
+Go back to client part and evaluate client scope for the admin user you just configured. 
+
+Go to your client, tab **Client Scopes**, select your user and clic on **Evaluate**.
+
+Check the **Generated Access Token** tab to see if the user get admin role.
+
+![evaluate client scope](img/keycloak-nextcloud/keycloak_client-evaluaterolemapping.png)
+
+### Map quota
+
+We have the ability to define storage quota for each user we create.
+
+#### Configure mapper for quota
+
+![Mapper for quota](img/keycloak-nextcloud/keycloak_client-openidmapperquota.png)
+
+#### Configure quota for user
+
+![Quota attribute for user](img/keycloak-nextcloud/keycloak_user-openidattributequota.png)
+
+### Get informations
+
+We need client secret and realm endpoints to configure nextcloud.
+
+#### Get Client Secret
+
+Go in **Client** -> **Credentials**, to get client secret that we will need to configure nextcloud plugin.
+
+![get client secret](img/keycloak-nextcloud/keycloak_client-getcredentials.png)
+
+#### See Endpoints
+
+You will also need endpoints urls to adapt Nextcloud Social Login plugin configuration.
+
+Go in **Realm Settings** -> **General**, clic on `OpenID EndpointConfiguration`.
+
+![Ask for conf page](img/keycloak-nextcloud/keycloak_realm-accessconf.png)
+
+You will be redirected to the API endpoint, showing you endpoits url and other infos:
+
+![json endpoint data](img/keycloak-nextcloud/keycloak_realm-json.png)
+
+
+#### Install the plugin
+
+**OpenID Connect Login** is a plugin made by pulsejet that can be found in Nextcloud AppStore.
+
+#### Configure Nextcloud
+
+Configuration of the plugin can only be made by modifying `config.php`.
+
+??? note "Unroll to see `config.php` useful settings:"
+    ```
+    $CONFIG = array (
+        'allow_user_to_change_display_name' => false,
+        'lost_password_link' => 'disabled',
+
+        // URL of provider. All other URLs are auto-discovered from .well-known
+        'oidc_login_provider_url' => 'https://keycloak.domain.ext/auth/realms/YOUR-REALM',
+
+        // Client ID and secret registered with the provider
+        'oidc_login_client_id' => 'nextcloud.domain.ext', // Client ID, Step 1
+        'oidc_login_client_secret' => 'secret', // Client Secret: Got to Clients -> Client -> Credentials
+
+        // Automatically redirect the login page to the provider
+        'oidc_login_auto_redirect' => false,
+
+        // Redirect to this page after logging out the user
+        'oidc_login_logout_url' => 'https://keycloak.domain.ext/auth/realms/YOUR-REALM/protocol/openid-connect/logout?&redirect_uri=http%3A%2F%2Fnextcloud.domain.ext%2F', 
+
+        // Quota to assign if no quota is specified in the OIDC response (bytes)
+        'oidc_login_default_quota' => '1000000000',
+
+        // Login button text
+        'oidc_login_button_text' => 'OpenID',
+
+        // Attribute map for OIDC response. Available keys are:
+        //   i)   id:       Unique identifier for username
+        //   ii)  name:     Full name
+        //   iii) mail:     Email address
+        //   iv)  quota:    Nextcloud storage quota
+        //   v)   home:     Home directory location. A symlink or external storage to this location is used
+        //   vi)  ldap_uid: LDAP uid to search for when running in proxy mode
+        //   vii) groups:   Array or space separated string of NC groups for the user
+        //
+        // The attributes in the OIDC response are flattened by adding the nested
+        // array key as the prefix and an underscore. Thus,
+        //
+        //     $profile = [
+        //         'id' => 1234,
+        //         'attributes' => [
+        //             'uid' => 'myuid'
+        //         ]
+        //     ];
+        //
+        // would become,
+        //
+        //     $profile = [
+        //         'id' => 1234,
+        //         'attributes_uid' => 'myuid'
+        //     ]
+        //
+        'oidc_login_attributes' => array (
+            'id' => 'preffered_username',
+            'name' => 'name',
+            'mail' => 'email',
+            'quota' => 'ownCloudQuota',
+            'home' => 'homeDirectory',
+            'ldap_uid' => 'uid',
+            'groups' => 'ownCloudGroups',
+        ),
+
+        // Default group to add users to (optional, defaults to nothing)
+        'oidc_login_default_group' => 'oidc',
+
+        // Use external storage instead of a symlink to the home directory
+        // Requires the files_external app to be enabled
+        'oidc_login_use_external_storage' => false,
+
+        // Set OpenID Connect scope
+        'oidc_login_scope' => 'openid profile',
+
+        // Run in LDAP proxy mode
+        // In this mode, instead of creating users of its own, OIDC login
+        // will get the existing user from an LDAP database and only
+        // perform authentication with OIDC. All user data will be derived
+        // from the LDAP database instead of the OIDC user response
+        //
+        // The `id` attribute in `oidc_login_attributes` must return the
+        // "Internal Username" (see expert settings in LDAP integration)
+        'oidc_login_proxy_ldap' => false,
+
+        // Disable creation of new users from OIDC login
+        'oidc_login_disable_registration' => false,
+
+        // Fallback to direct login if login from OIDC fails
+        // Note that no error message will be displayed if enabled
+        'oidc_login_redir_fallback' => true,
+
+        // Use an alternative login page
+        // This page will be php-included instead of a redirect if specified
+        // In the example below, the PHP file `login.php` in `assets`
+        // in nextcloud base directory will be included
+        // Note: the PHP variable $OIDC_LOGIN_URL is available for redirect URI
+        // Note: you may want to try setting `oidc_login_logout_url` to your
+        // base URL if you face issues regarding re-login after logout
+        //  'oidc_login_alt_login_page' => 'assets/login.php',
+        
+        // For development, you may disable TLS verification. Default value is `true`
+        // which should be kept in production
+        'oidc_login_tls_verify' => true,
+        
+        // If you are behind a proxy
+        'overwriteprotocol' => 'https',
+    );
+    ```

docs/divers/index.md

@@ -5,7 +5,7 @@ Dans cette rubrique vous trouverez différentes astuces, mémos, snippets, tips,
 Toutes les astuces sont regroupées par catégories:
 
 - [les mémos pour bien utiliser les commandes linux](cmd/index.md)
-- [les tutos d'administration système](adminsys/index.md)
-- [les guides complets pour déployer des services réseau](guides/index.md)
+- [les tutos d'administration du Poste de travail](admin/index.md)
+- [les tutos d'administration Serveur](server/index.md)
 - [les guides DevOps](devops/index.md)
 - [les guides internes](internal/index.md)

docs/divers/internal/index.md

@@ -1,5 +1,6 @@
-# Introduction
+# Astuces du Garage
 
 Cette rubrique regroupe des astuces internes au Garage
 
 - [Imprimantes](install-printers.md)
+- [Contribuer à la doc avec mkdocs](mkdocs.md)

docs/divers/server/index.md

@@ -1,4 +1,4 @@
-# Guides d'Administration Système
+# Administration Serveur
 
 - [Installer un serveur PXE](install_pxe.md)
 - [Installer Wordpress avec Docker-Compose](wordpress_docker-compose_on_debian-10_with_nginx_reverse-proxy.md)

docs/index.md

@@ -7,8 +7,8 @@ La documentation est divisée en deux parties:
 - [les cours](cours) 
 - [les autres ressources](divers)
     - [les mémos pour bien utiliser les commandes linux](divers/cmd/index.md)
-    - [les tutos d'administration système](divers/adminsys/index.md)
-    - [les guides complets pour déployer des services réseau](divers/guides/index.md)
+    - [les tutos d'administration système](divers/admin/index.md)
+    - [les guides complets pour déployer des services réseau](divers/server/index.md)
     - [les guides DevOps](divers/devops/index.md)
     - [les guides internes](divers/internal/index.md) 
 

mkdocs.yml

@@ -5,9 +5,11 @@ theme:
     name: material
     custom_dir: overrides
     features:
+        - navigation.instant
+        - navigation.expand
         - tabs
 plugins:
-    - markdownmermaid
+    #- markdownmermaid
     - search:
         min_search_length: 2
     - git-authors  
@@ -15,7 +17,11 @@ plugins:
 markdown_extensions:
     - admonition
     - pymdownx.details
-    - pymdownx.superfences
+    - pymdownx.superfences:
+        custom_fences:
+          - name: mermaid
+            class: mermaid
+            format: !!python/name:pymdownx.superfences.fence_div_format
     - pymdownx.highlight:
         use_pygments: false
         linenums_style: pymdownx.inline
@@ -28,9 +34,10 @@ markdown_extensions:
 extra_javascript:
     - https://cdnjs.cloudflare.com/ajax/libs/highlight.js/10.1.1/highlight.min.js
     - javascripts/config.js
-    - https://unpkg.com/mermaid@7.1.2/dist/mermaid.min.js
+    - https://unpkg.com/mermaid@8.8.2/dist/mermaid.min.js
 extra_css:
     - https://cdnjs.cloudflare.com/ajax/libs/highlight.js/10.1.1/styles/default.min.css
+    - https://unpkg.com/mermaid@8.8.2/dist/mermaid.css
 nav:
     - Accueil: index.md
     - Cours: 
@@ -51,28 +58,34 @@ nav:
             - cours/python/os-script.md
     - Divers:  
         - divers/index.md 
-        - "Commandes Linux":  
-            - "Index": divers/cmd/index.md 
+        - "Linux":  
+            - divers/cmd/index.md 
             - divers/cmd/backup.md 
             - divers/cmd/screen.md 
             - divers/cmd/nmcli.md 
             - divers/cmd/mount.md
         - "Admin Sys": 
-            - Index: divers/adminsys/index.md 
-            - "Installer Adobe pdf reader": divers/adminsys/acroread-debian.md
-            - "Configurer Gnome AppFolders": divers/adminsys/gnome-appfolders.md
-            - "Réinitialiser un mot de passe Windows": divers/adminsys/reset-winpasswd.md
-        - "Déploiement de Serveurs": 
-            - "Index": divers/guides/index.md 
-            - divers/guides/install_pxe.md 
-            - "Nextcloud": divers/guides/nextcloud_docker-compose_on_debian-10_with_nginx_reverse-proxy.md 
-            - "Wordpress": divers/guides/wordpress_docker-compose_on_debian-10_with_nginx_reverse-proxy.md 
-            - "SSH - SAMBA": divers/guides/serveur_debian_smb_ssh.md 
+            - divers/admin/index.md 
+            - "Installer Adobe pdf reader": divers/admin/acroread-debian.md
+            - "Configurer Gnome AppFolders": divers/admin/gnome-appfolders.md
+            - "Réinitialiser un mot de passe Windows": divers/admin/reset-winpasswd.md
+        - "Servers": 
+            - divers/server/index.md 
+            - divers/server/install_pxe.md 
+            - "Nextcloud": divers/server/nextcloud_docker-compose_on_debian-10_with_nginx_reverse-proxy.md 
+            - "Wordpress": divers/server/wordpress_docker-compose_on_debian-10_with_nginx_reverse-proxy.md 
+            - "SSH - SAMBA": divers/server/serveur_debian_smb_ssh.md 
         - "DevOps":
-            - "Index": divers/devops/index.md
+            - divers/devops/index.md
             - "Hugo": divers/devops/hugo.md
-            - "MkDocs": divers/devops/mkdocs.md
-            - "Keycloak Nextcloud": divers/devops/keycloak-nextcloud.md
+            - "Keycloak SSO": 
+                - divers/devops/sso/index.md
+                - divers/devops/sso/sso-ldap.md
+                - divers/devops/sso/sso-keycloak.md
+                - divers/devops/sso/sso-nextcloud.md
+                - divers/devops/sso/sso-mattermost.md
+                - divers/devops/sso/sso-wordpress.md
         - "Interne":
             - "Index": divers/internal/index.md
             - "Imprimantes": divers/internal/install-printers.md
+            - "MkDocs": divers/internal/mkdocs.md