Enterprise Auth
Enterprise Auth provides LDAP, SAML 2.0, OAuth 2.0/OIDC, and TOTP MFA enterprise-grade authentication integration.
1. Enable
```toml
[proxy]
addons = ["enterprise-auth"]
```
Database requirements: automatically creates the enterprise_auth_settings table. Supports SQLite / MySQL / PostgreSQL.
2. LDAP Authentication
2.1 Configuration
config/enterprise_auth.toml:
```toml
[ldap]
enabled = true
url = "ldap://ad.example.com:389"
bind_dn = "CN=svcrustpbx,OU=ServiceAccounts,DC=example,DC=com"
bind_password = "ldap-password"
base_dn = "OU=Users,DC=example,DC=com"
user_filter = "(sAMAccountName={username})"
use_tls = true
```
2.2 Authentication Flow
```text
User login
│
▼
LDAP Bind (using bind_dn/password)
│
▼
Search (base_dn + user_filter)
│
├── User found → Bind to verify password
│   ├── Success → Login OK
│   └── Failure → Wrong password
└── Not found → User does not exist
```
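An added example (not RustPBX code) that walks the flow above against a constructed in-memory directory using the `[ldap]` settings from 2.1: it escapes the username before substituting it into `user_filter` (RFC 4515), refuses an empty password so the user bind cannot degrade into an unauthenticated bind (RFC 4513), and returns each outcome shown in the diagram. `FakeDirectory`, `DIRECTORY`, `CONFIG` and `ldap_authenticate` are assumed names for this illustration.

```python
import re

# RFC 4515 escaping for values substituted into an LDAP search filter. Without it,
# a username such as "*)(objectClass=*" rewrites the filter (LDAP filter injection).
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def build_user_filter(user_filter: str, username: str) -> str:
    # Substitute {username} into the configured user_filter, escaped.
    return user_filter.replace("{username}", escape_filter_value(username))

class FakeDirectory:
    """Constructed stand-in for the LDAP server: DN -> {attrs, password}."""
    def __init__(self, entries): self.entries = entries
    def bind(self, dn: str, password: str) -> bool:
        # RFC 4513 5.1.2: a DN with an EMPTY password is an unauthenticated bind,
        # which many servers report as success. Refuse it on the client side.
        if not password:
            return False
        entry = self.entries.get(dn)
        return entry is not None and entry["password"] == password
    def search(self, base_dn: str, filter_str: str) -> list:
        # Supports only the single equality filter shape used in the docs.
        m = re.fullmatch(r"\((\w+)=([^()]*)\)", filter_str)
        if not m:
            return []
        attr, value = m.groups()
        return [dn for dn, e in self.entries.items()
                if dn.endswith(base_dn) and e["attrs"].get(attr) == value]

# Constructed directory contents plus the [ldap] settings from the page.
DIRECTORY = FakeDirectory({
    "CN=svcrustpbx,OU=ServiceAccounts,DC=example,DC=com":
        {"attrs": {}, "password": "ldap-password"},
    "CN=alice,OU=Users,DC=example,DC=com":
        {"attrs": {"sAMAccountName": "alice"}, "password": "S3cret!"},
})
CONFIG = {"bind_dn": "CN=svcrustpbx,OU=ServiceAccounts,DC=example,DC=com",
          "bind_password": "ldap-password",
          "base_dn": "OU=Users,DC=example,DC=com",
          "user_filter": "(sAMAccountName={username})"}

def ldap_authenticate(directory, cfg, username: str, password: str) -> str:
    """The documented flow: service bind -> search -> bind as the found user."""
    if not directory.bind(cfg["bind_dn"], cfg["bind_password"]):
        return "service bind failed"
    dns = directory.search(cfg["base_dn"], build_user_filter(cfg["user_filter"], username))
    if len(dns) != 1:  # not found, or ambiguous: never pick one entry at random
        return "user does not exist"
    return "login ok" if directory.bind(dns[0], password) else "wrong password"
```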
2.3 Test Connection
POST /api/enterprise-auth/ldap/test
Verify that LDAP connection and authentication are working correctly.
3. SAML 2.0 SSO
3.1 Configuration
Console → Enterprise Auth → SAML:
| Field | Description | Example |
|---|---|---|
| IdP Metadata URL | IdP metadata URL | https://idp.example.com/metadata |
| Entity ID | SP entity ID | https://rustpbx.example.com |
| ACS URL | Assertion Consumer Service URL | https://rustpbx.example.com/api/enterprise-auth/saml/callback |
3.2 SP Metadata
The system auto-generates SP Metadata XML:
GET /api/enterprise-auth/saml/metadata
Provide this URL to your IdP administrator for registration.
3.3 JIT User Creation
Local user accounts are automatically created on SAML login (JIT Provisioning).
4. OAuth 2.0 / OIDC
4.1 Supported Providers
| Provider | Description |
|---|---|
| Google Workspace | Google OAuth |
| Microsoft 365 / Azure AD | Microsoft OAuth |
| Okta | Okta OIDC |
| Custom OIDC | Any OIDC-compatible provider |
4.2 Configuration
Console → Enterprise Auth → OAuth:
| Field | Description |
|---|---|
| Provider | Select provider type |
| Client ID | OAuth Client ID |
| Client Secret | OAuth Client Secret |
| Authorization URL | Authorization endpoint |
| Token URL | Token endpoint |
| Userinfo URL | User info endpoint |
| Scopes | OAuth Scopes |
4.3 OAuth Flow
```text
User clicks "Sign in with Google"
│
▼
GET /api/enterprise-auth/oauth/login
│
▼
Redirect to Google authorization page
│
▼
User authorizes, callback received
GET /api/enterprise-auth/oauth/callback?code=xxx
│
▼
Exchange token → Get user info → JIT create/login
```
5. TOTP MFA
5.1 Enable MFA
Console → Enterprise Auth → MFA Settings:
- Generate TOTP Secret
- Display QR Code (scan with Google Authenticator / Microsoft Authenticator)
- Enter verification code to confirm binding
5.2 MFA Flow
```text
User login (password verified)
│
▼
Check if MFA is bound
│
├── Bound → Require TOTP verification code
│   ├── Correct → Login successful
│   └── Incorrect → Denied
└── Not bound → Login successful directly
```
5.3 Management
- Enable/disable MFA: `POST /api/enterprise-auth/mfa/enable` / `POST /api/enterprise-auth/mfa/disable`
- Reset MFA: administrators can reset a user's MFA binding
6. CSRF Protection
OAuth and SAML flows use server-side CSRF token storage to prevent cross-site request forgery.
7. API
| Operation | Endpoint |
|---|---|
| Settings page | GET /console/enterprise-auth/settings |
| LDAP test | POST /api/enterprise-auth/ldap/test |
| SAML Metadata | GET /api/enterprise-auth/saml/metadata |
| SAML callback | POST /api/enterprise-auth/saml/callback |
| OAuth login | GET /api/enterprise-auth/oauth/login |
| OAuth callback | GET /api/enterprise-auth/oauth/callback |
| MFA setup | GET /console/enterprise-auth/mfa/setup |
| MFA disable | POST /api/enterprise-auth/mfa/disable |