SSO Integration

Hello,

I patched our Projeqtor instance to integrate with our CASv2 SSO system. This is a fast patch (<1 hour to developp).
To do this, I:

• configured Apache module mod_auth_cas
• patched user retrieving process to read login from HTTP headers
• patched login proces to redirect to SSO's signout page

As login is read from HTTP header, others SSO (and web servers) can be used: Shibboleth SAML2, openid, and even PLAIN HTTP..

Here is my proof-of-concept code (lookup at bottom to view diffs), working for ~ 1 year in our instance:
git.univ-toulouse.fr/uftmip-pub/projeqto....0.7...6.0.7-patched

Todo:
handle case when logged user is not present in database (actually raw http response)
rename global parameter (CAS => SSO), because solution is generic and not CAS-specific
improve cookie management in finishSession (if necessary).

Regards,
Louis Chanouha
University of Toulouse (FR)

Bonjour,
Have you got any news on this integration ?

The request is always in development

Hello,

Thank you Chanoua for the patch, it works very well. As a matter of fact I use it with Apache mod_auth_kerb and MIT Kerberos + Firefox on the Windows clients.

I just had to make some little changes to allow connections without an authenticated user as well, I mean if the user is not provided via the environment variable then we (optionally, when $paramCASOnly=false) fall back to the logon page behavior. See attachment.

I noticed that requiring to negotiate a Kerberos authentication for each HTTP request, even for images, js files, etc, is slowing down the display of pages. In fact only the view/main.php page needs to receive the authenticated user id, so this must be configured in apache.

One question: what is the aim of the change in the Audit.php file?

Thanks,
Pierre

Hello,

Note: this is my second submission about this topic... but I don't know where the first fall into. So let's try again.

Thank you Chanouha for the patch. I use it as well but with the following configuration:
- MIT-Kerberos clients and Firefox (with few changes in the configuration)
- Apache with mod_auth_kerb that negotiate the authentication and returns an env. variable to Projeqtor
- Projeqtor v6.4.4 (now)

The patch is slightly different for v6.4.4. I also changed it to allow an optional fallback to the usual logon page when there is no apache authenticated user provided (variable not set or empty).

I also noticed it is not necessary to negotiate an authentication for all the files of Projeqtor like images for example: this slows down the access. In fact only the view/main.php needs to identify and authenticate the user. Am I correct? It works but is it dangerous to do so?

Here attached is my diff file for v6.4.4

Thank you and kind regards,
Pierre