simpleSAMLphp based SSO achieved and working
Søren Grønning Iversen
I direct this post to you, since you've kindly answered my questions
along the way, as well as stating your interest in a working SAML2.0 SSO
solution for RS.
Well, I just managed getting simpleSAMLphp to function as a SAML2.0
Service Provider for Resourcespace by editing the 'login.php' page only.
I have yet to convert my changes into a working plugin for RS, but it
seems managable with only minor changes to the current 'login.php'.
My idea for now, concerning the plugin integration with 'login.php', is
to add a variable check that defaults to 'false' in case simpleSAMLphp
is not present, which in case of 'true' would fire an externalauth hook,
supplying it with a dummy username and password which would be set to
the username and password of the SAML2.0 identity logged in through an IdP!
Now, Tom, do you think this would work?
Best regards,
S�ren G.
Tom Gleason
Like I said, I don't really have any experience with SSO, so it's very difficult to say. It sounds like you've got it working similar to how the LDAP plugin works.
One thing I'd be interested in is whether/how it would work with rss2 or api plugins.
Tom
Søren G.
--
You received this message because you are subscribed to the Google Groups "ResourceSpace" group.
To post to this group, send email to resour...@googlegroups.com.
To unsubscribe from this group, send email to resourcespac...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/resourcespace?hl=en.
--
Tom Gleason, PHP Developer
ResourceSpace Support Services
https://www.buildadam.com
Exploring ResourceSpace at:
http://resourcespace.blogspot.com
Søren Grønning Iversen
I haven't been looking into that yet, since I've done my integration as a part of a broader work to establish web SSO at my workplace, involving among others RS.
I therefore haven't been able to get familiar this side of RS.
But yes, it does basically do the work of the LDAP plugin, but personally I'd love for the whole SQL user auth to be bypassed, thus relying on external auth against e.g. LDAP via SAML2.0.
-Søren
Teddy Aprilianto
I'm also working to make SSO run well in RS .
The idea is if we can pass a variable that contain username into login.php, we can run login process without asking username and password .
In other file let say index.php I include another file let say sso.php . This file creates a variable that contain username . The question is how we pass this variable into login.php ?
Use session or global variable seems not working ..
Please advice ..
Thanks
Teddy
Søren Grønning Iversen
what I do is to introduce simpleSAMLphp as a SAML2.0 Service Provider,
installed on the same site as RS, and then completely bypass the
login.php page on RS by replacing this page with a simple page
consisting of 3 lines of PHP code:
<?php
require_once "simplesamlphp/lib/_autoload.php";
$auth = new SimpleSAML_Auth_Simple('Resourcespace');
$auth -> requireAuth(array('ReturnTo' =>
'https://server.example.com/setcookies.php', 'KeepPost' => FALSE,));
?>
...which sends the user back to RS and a page that sets the user's
cookies and adds the user to the SQL backend (if not already added) with
the same $ref as the user's LDAP uidNumber, before loading the RS frontpage.
This page effectively functions as the regular login.php + some of the
ldapauth plugin functionalities.
The code for setcookies.php is as follows:
<?php
require_once "simplesamlphp/lib/_autoload.php";
include "include/db.php";
include "include/general.php";
include "include/resource_functions.php";
include "include/collections_functions.php";
global $auth;
global $username;
global $password;
global $password_hash;
global $usergroup;
$auth = new SimpleSAML_Auth_Simple('Resourcespace');
/*
* Check for initial authentication, then login user and set session
and language cookies
*/
if ($auth->isAuthenticated()) {
/*
* Get SAML2.0 attributes from response.
*/
$attributes = $auth -> getAttributes();
$username = $attributes['uid'][0];
$password = $attributes['userPassword'][0];
$password_hash = md5("RS".$username . $password);
$ref = $attributes['uidNumber'][0];
$usergroup = $attributes['rsUserGroup'][0];
$fullname = $attributes['cn'][0];
$email = $attributes['mail'][0];
$session_hash = md5($password_hash . $username . $password .
date("Y-m-d"));
$ip = get_ip();
$comments = "Auto created SAML2 authenticated user from
server.example.com";
/*
* Check if user already exists in SQL backend.
* If user exists, login. If not, authenticate with simpleSAMLphp
SP as configured earlier.
*/
$user_exists=sql_query('SELECT ref FROM user WHERE
username="'.$username.'"');
if (count($user_exists)>=1) {
sql_query('UPDATE user SET password="'.$password_hash.'" WHERE
username="'.$username.'"');
}
/*
* Initialize SQL user fields from SAML-response.
*/
else {
/*
* Create user in SQL backend.
*/
sql_query("INSERT INTO user (ref, username, password, fullname,
email, usergroup, comments) VALUES ('$ref' , '$username' ,
'$password_hash' , '$fullname' , '$email' , '$usergroup' , '$comments')");
}
$session_hash = md5($password_hash . $username . $password .
date("Y-m-d"));
$valid=sql_query("SELECT ref FROM user WHERE username='$username'
AND password='$password_hash'");
if (count($valid)>=1) {
# Account expiry
$expires=sql_value("SELECT account_expires VALUE FROM user
WHERE username='$username' AND password='$password'","");
if ($expires!="" && $expires!="0000-00-00 00:00:00" &&
strtotime($expires)<=time()) {
$valid=0;$error=$lang["accountexpired"];
}
else {
$expires=0;
if (getval("remember","")!="") {
$expires=time()+(3600*24*100);
} # remember login for 100 days
# Store language cookie
if ($global_cookies) {
setcookie("language","en",time()+(3600*24*1000),"/");
}
else {
setcookie("language","en",time()+(3600*24*1000));
setcookie("language","en",time()+(3600*24*1000),$baseurl_short . "pages/");
}
$language_selection="en";
# Update the user record. Set the password hash again in
case a plain text password was provided.
sql_query("UPDATE user SET
password='$password_hash',session='$session_hash',last_active=now(),login_tries=0,lang='$language_selection'
WHERE username='$username' AND (password='$password_hash')");
# Blank the IP address lockout counter for this IP
sql_query("DELETE FROM ip_lockout WHERE ip='" .
escape_check($ip) . "'");
# Set the session cookie.
if ($global_cookies){
$cookie_path="/";
setcookie("user","",1);
}
else {
$cookie_path="";
setcookie("user","",1,"/");
}
setcookie("user",$username . "|" .
$session_hash,$expires,$cookie_path);
setcookie("email",$email,$expires,$cookie_path);
# Set default resource types
#setcookie("restypes",$default_res_types);
# If the redirect URL is the collection frame, do not
redirect to this as this will cause
# the collection frame to appear full screen.
#if (strpos($url,"pages/collections.php")!==false) {
# $url="index.php";
#}
}
}
?>
<script type="text/javascript">
top.location.href="https://server.example.com";
</script>
<?php
}
?>
Please pardon if my PHP skills aren't all too obvious ;)
As mentioned in an earlier reply to Tom (among others), I haven't made
this into an RS plugin, but I guess it'd be possible :)
-At the same time, I ONLY use SAML2.0 as authentication method, so I've
never worried about externalauth or ldapauth alongside SAML2.0,
basically beacuse simpleSAMLphp offers all of this already (and it works
beutifully!) ...
I hope it makes just little sense to you, otherwise feel free to ask!
Best regards,
S�ren G.
> --
> You received this message because you are subscribed to the Google
> Groups "ResourceSpace" group.
> To view this discussion on the web visit
> https://groups.google.com/d/msg/resourcespace/-/wbEhVPm4mPUJ.
Dan Huby
enough to be included in the base code in my view.
Dan
Søren Grønning Iversen
flawlessly with our setup (around 650 users), but a plugin would be a
much more clean implementation in respects to RS plus the
maintainability would be greater.
There are a few things that need to be taken into consideration, though.
E.g. the missing password when logging in to RS through simpleSAMLphp,
since it doesn't ever send a password as such, which is why simply md5
encode the string already contained (in my case) in the LDAP attribute
'uidNumber' and save this along with the user information. Since
passwords would then be possible to reset in the LDAP, there's no need
for such a function in RS, which is why I turned it off.
It'll probably be nice to set cookie lifetime to a fixed number of hours
when using simpleSAMLphp, since cookies with a longer lifetime than the
SAML2.0 token at times require users to reauthenticate with
simpleSAMLphp before being able to even logout, since the $auth ->
requireAuth() function halts any activity until it itself is able to get
a positive answer from $auth -> isAuthenticated() ...
Those details shouldn't be too hard to overcome with default settings
for a plugin, overriding certain standard RS settings, but are worth
taking into consideration :)
I'm not sure when I'll have the time to look into this, but at the
moment I'm finishing off my own RS implementation, looking into merging
my patches with the latest revision from SVN and after that I'll
probably be able to take it for a spin :)
Cheers,
S�ren G.
On 15/11/11 00.12, Dan Huby wrote:
> Looks great S�ren... a plugin version (as for LDAP) would be useful
Dan Huby
On Nov 15, 7:54 am, Søren Grønning Iversen <s.groen...@gmail.com>
wrote:
> moment I'm finishing off my own RS implementation, looking into merging
> my patches with the latest revision from SVN and after that I'll
> probably be able to take it for a spin :)
Would be happy to help with code review - and also adding it to the
base.
Dan
David Dwiggins
local users and network users useful, particularly because we
occasionally need to temporarily grant resourcespace access to people
who are not on the radar in terms of our overall corporate network
(interns, etc.) So I think it would be nice if the final
implementation could retain the ability to have local users alongside
the SAML-authenticated users. (This is how the current LDAPauth setup
works, when it works.)
-David
> --
> You received this message because you are subscribed to the Google Groups "ResourceSpace" group.
Søren Grønning Iversen
The SAML workflow is either 'SP first' or 'IdP first', meaning that users will either hit the service provider's web app and be checked for a valid SAML response and if this doesn't exist, the user will be redirected to the IdP for authentication and thereafter directed back to the SP web app. IdP first obviously does this in reverse; Users will be asked for credentials at the IdP before being offered [a set of] links leading to one or more SPs.
A 'local user' fallback like e.g. with ldapauth doesn't really make much sense, since the way SAML works, users will be directed to the IdP no matter what.
OTOH what might be of use in such a situation would be to setup an IdP first scenario and add a link at the IdP to allow users to authenticate directly with RS' SQL backend. That way it will not matter if users are logged in one way or the other since cookies are set no matter what.
-Søren
mrpatulski
Not sure if this is still an active thread but if so, I have two questions regarding SSO--my server team uses a version of SSO called OpenAM:
How did this resolve for account authentication?
Also, how do you handle exceptions for public collections, resources, and individual files that you want to pass beyond your environment?
Thanks,
Matthew Patulski
Søren Grønning Iversen
I used simpleSAMLphp for my setup, since it's easily integratable with a
PHP application like RS. However, this only accounts for the choice of
service provider (SP), whereas the identity provider (IdP) could be any
SAML2.0 compliant solution, including but not limited to: Microsoft
ADFS, OpenAM (Sun OpenSSO), simpleSAMLphp, Shibboleth, CAS etc.
What I did was to adopt the same approach as the various LDAP solutions
available, namely allowing RS to import non existing users into its
userbase, however, the authentication is done centrally at the IdP
instead of at RS, which means that all of our applications implemented
in this fashion make use of the same bits and users only see one
specific login prompt at the IdP.
To solve the issues that might occur when users are not yet added to RS
(e.g. problems would arise when trying to share a collection with a
non-existant RS user), I'd keep the userbase itself synchronized with
the LDAP backend powering my IdP, thus allowing any RS function to work
properly, but still moving the authentication to my IdP where I want it ;)
If I understand you correctly, you ask what to do with 3rd party users
accessing certain materials or resources within RS. My take on this
would be to setup some sort of 3rd party authentication mechanism
(Facebook, OAuth or OpenID) on your IdP along with a set of user groups
on RS (one if sufficient) and then map these login to the desired user
groups. This makes sense anyways, since RS places ordinary users within
a standard user group, in terms of which it would be trivial to finter
incoming users by login method or other custom metadata from your SSO
environment, thus allowing you to assign different group memberships for
different users!
It would be easy to setup the simpleSAMLphp SP to allow login from
different IdPs and then pointing your 3rd party visitors to this instead
of your primary IdP.
I hope this helps in any way.
Best regards,
S�ren Gr�nning
> You received this message because you are subscribed to the Google
> Groups "ResourceSpace" group.
> an email to resourcespac...@googlegroups.com.
> For more options, visit https://groups.google.com/groups/opt_out.
>
>
mrpatulski
I have a few questions that would be better via direct mail as I would like to include my SSO team. May I contact you?
Matthew Patulski
Søren Grønning Iversen
Best regards,
S�ren
Pujan Pandya
- resource space
- Hosting server windows server 2008
- IIS 7
- php 5.3
- LDAP server
- mysql database
On Wednesday, May 8, 2013 12:51:37 AM UTC+10, Søren Grønning wrote:
Of course! Feel free to mail me directly.
Best regards,
S�ren
David Mac (new)
On Tuesday, 7 May 2013 15:51:37 UTC+1, Søren Grønning wrote:
Of course! Feel free to mail me directly.
Best regards,
S�ren
Søren Grønning Iversen
I sent you a private mail on this matter :)
Cheers,
Søren
--
ResourceSpace: Open Source Digital Asset Management
http://www.resourcespace.org
---
You received this message because you are subscribed to the Google Groups "ResourceSpace" group.
To unsubscribe from this group and stop receiving emails from it, send an email to resourcespac...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
