docker: add an example on how to configure SSO

This is not really tested. The initial plan was to provide a demo with
Authelia, but the hard requirement on TLS makes it a bit difficult to
provide something that works out-of-the-box.

See also #1969, which is using a proxy instead.

docker/docker-compose-local.yml

@@ -33,6 +33,31 @@
 #     labels:
 #       - traefik.http.middlewares.auth.basicauth.users=akvorado:$$2y$$05$$Ud.JjfZWtKlSOoXKkv48leXze3u4cSNC5G4lG9nkfv5OFOkVcgRrm
 
+# To enable integration with an SSO and protect the console, use something like this:
+
+# services:
+#   akvorado-console:
+#     labels:
+#       # Override authentication middleware
+#       - traefik.http.routers.akvorado-console.middlewares=sso
+#       - traefik.http.middlewares.sso.forwardauth.address=http://sso.example.com/api/authz/forward-auth
+#       - traefik.http.middlewares.sso.forwardauth.trustForwardHeader=true
+#       - traefik.http.middlewares.sso.forwardauth.authResponseHeaders=Remote-User,Remote-Name,Remote-Email
+
+# It should also be possible to configure the middleware globally:
+
+# services:
+#   traefik:
+#     environment:
+#       TRAEFIK_ENTRYPOINTS_private_HTTP_MIDDLEWARES: compress@docker,sso@docker
+#     labels:
+#       - traefik.http.middlewares.sso.forwardauth.address=http://sso.example.com/api/authz/forward-auth
+#       - traefik.http.middlewares.sso.forwardauth.trustForwardHeader=true
+#       - traefik.http.middlewares.sso.forwardauth.authResponseHeaders=Remote-User,Remote-Name,Remote-Email
+#   akvorado-console:
+#     labels:
+#       - traefik.http.routers.akvorado-console.middlewares=
+
 # If you don't want to expose Kafka-UI and Traefik on the public endpoints, uncomment this block.
 
 # services: