[ESCALATED] Web-based authentication (SSO)


Post by kalyah » Fri Mar 12, 2010 4:49 pm

Hello,

I want to know if we can use the Single Sign-on (SSO) mode to authenticate clients?
If not, will this feature be available in a coming version?

Regards
kalyah

Re: Web-based authentication (SSO)

Post by ivanlucas » Mon Mar 15, 2010 10:15 am

Hi Kalyah,

SiT! doesn't directly support SSO but it can be used with reverse-proxy type single sign-on. SiT! also supports LDAP authentication and can be used with eDirectory, OpenLDAP or Microsoft AD.

I don't know much about single sign on software myself, but if you have any specific questions about it maybe I can try to help.

Cheers,

Ivan
Ivan Lucas, Project Lead, Support Incident Tracker (SiT!) GPL. ......... Chat live on irc, #sit on freenode.
Help free software: Make a donation to the SiT! project or Join the Free Software Foundation as an Associate Member.

Re: [ESCALATED] Web-based authentication (SSO)

Post by paulvh » Fri Jan 13, 2012 3:59 pm

I have made some modifications to our version of SiT! to allow SSO with NTLM credentials to a Windows 2008 R2 Active Directory LDAP.

Linux Config:
http://bloke.org/linux/ntlm-authenticat ... che-linux/

Apache httpd.conf setting in the Directory entry for SiT!
<Files ntlm.php>
AuthName "Authentication"
NTLMAuth on
NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp"
NTLMBasicAuthoritative on
AuthType NTLM
require valid-user
</Files>


Several files changed:
index.php
lib/configvars.inc.php
lib/defaults.inc.php

Added:
ntlm.php
netlib.php

Once I have cleaned up the files I will make diffs and post them here.

Re: [ESCALATED] Web-based authentication (SSO)

Post by Tomse » Sun Jan 15, 2012 8:01 pm

This is pretty great... I'm going to test it when you've cleaned up the code... cheers mate :-)
If you have a problem, give us enough info of what you have done, what is configured in relation to your question.
Enable debugging and post its censored but relevant info. Don't forget to write which version of SiT you're running.

Re: [ESCALATED] Web-based authentication (SSO)

Post by paulvh » Mon Jan 16, 2012 4:39 pm

Here are the files
Attachments
sitntlm.tgz
(5.65 KiB) Downloaded 601 times

Re: [ESCALATED] Web-based authentication (SSO)

Post by paulvh » Wed Jan 18, 2012 12:21 pm

Made a few more changes so here are the updated files.
Attachments
sitntlm.tgz
(7.08 KiB) Downloaded 127 times

Re: [ESCALATED] Web-based authentication (SSO)

Post by paulvh » Wed Jan 18, 2012 5:53 pm

Found a problem with the ntlm.php file, so here is an updated one.
Attachments
ntlm.zip
(2.76 KiB) Downloaded 125 times

Re: [ESCALATED] Web-based authentication (SSO)

Post by Tomse » Fri Mar 23, 2012 10:40 am

Hi Paulvh

I've tried setting up the NTLM auth, but can't get it to cooperate.

1.
I'm presented with the Basic auth screen when opening SiT! with IE9; entering the correct username and password redirects me to sit/index.php?id=3 (invalid username/password).

Using the same credentials again on the login screen of SiT!, I get my access.
So I can see LDAP and NTLM auth both work, but somehow the auth going through from the NTLM to SiT! doesn't seem to work properly.

After the NTLM auth with the std IE9 username/password block, logging in as a user, and getting the username/password error, I cannot log in to SiT! as admin (first NTLM auth as user and then SiT! auth as admin); it won't log me on.

I've used the 2 last attachments you posted (with the ntlm.php as the last one copied).

2.
I've tried changing the allowed IP addresses from one subnet to another. Let's call them 192.168.0.0/24 and 192.168.1.0/24; the server is 192.168.0.10 and the client is 192.168.0.100.
Allowing 192.168.0.0/24 gives the username/password error mentioned above.

Allowing 192.168.1.0/24 doesn't open up for NTLM auth, thus working as if NTLM isn't installed.
I looked in the code and it should give an error message when doing this.

In the Apache web server I used the <Files ntlm.php> as you described, but I'm not using
<Directory />
Options FollowSymLinks Multiviews Indexes
AllowOverride All
AuthName "Authentication"
NTLMAuth on
NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp"
NTLMBasicAuthoritative on
AuthType NTLM
require valid-user
</Directory>


as described in the guide that you linked.

Though I'm running on FreeBSD, I don't think that's an issue.

And unfortunately I don't see anything useful in the logs.
I'll see if I can add some debugging functions to the ntlm.php file to see what's going on.
I'll post again shortly.

Re: [ESCALATED] Web-based authentication (SSO)

Post by Tomse » Fri Mar 23, 2012 11:05 am

After doing some debugging, it looks like the NTLM is weird here...

$_SERVER['REMOTE_USER'] = DOMAIN+username

where you expect it to be DOMAIN\\username

Fixing that makes it work... awesome job there.

I wonder how many different types there are?

Re: [ESCALATED] Web-based authentication (SSO)

Post by Tomse » Tue Apr 17, 2012 10:55 am

Hello Paulvh

I've done some testing...
and this is embarrassing :oops: :oops:
NTLM doesn't seem to work properly on IE9 on Win7 (integrated logon is active in settings),
but Firefox with its NTLM setting enabled runs perfectly.

Anyway...
There's an issue at hand with a disabled SiT user (deactivated by having been removed from the AD group, so in SiT it's disabled): the user (or rather admin) can still log on using NTLM.

I'll provide more feedback the more I get to test it.
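The two findings reported in this thread (REMOTE_USER arriving as DOMAIN+username rather than DOMAIN\username, and a disabled SiT! account still getting in through NTLM) can be handled in one place, shown here as an added example that is not part of any post or of the attached sitntlm.tgz. The function names, the `$accounts` array standing in for the SiT! user table, and the sample domain are assumptions.

```php
<?php
// Added example; function names and the $accounts array are hypothetical.

// Split REMOTE_USER into [domain|null, user]. Accepts DOMAIN\user, DOMAIN+user,
// DOMAIN/user and a bare username; returns null for anything else.
function parse_remote_user(string $raw): ?array
{
    $name = '[A-Za-z0-9._-]+';
    if (preg_match('#^(' . $name . ')[\\\\+/](' . $name . ')$#D', $raw, $m)) {
        return [strtoupper($m[1]), strtolower($m[2])];
    }
    if (preg_match('#^' . $name . '$#D', $raw)) {
        return [null, strtolower($raw)];
    }
    return null;
}

// Decide whether a web-server-authenticated identity gets an application session.
// $accounts stands in for the application's user table (assumption).
function sso_login_decision(?string $remoteUser, array $accounts, string $domain): array
{
    $id = ($remoteUser === null) ? null : parse_remote_user($remoteUser);
    if ($id === null) {
        return ['allow' => false, 'reason' => 'missing or malformed REMOTE_USER'];
    }
    [$dom, $user] = $id;
    if ($dom !== null && $dom !== strtoupper($domain)) {
        return ['allow' => false, 'reason' => 'unexpected domain'];
    }
    if (!isset($accounts[$user])) {
        return ['allow' => false, 'reason' => 'no local account'];
    }
    // Passing NTLM proves identity only; the local disabled flag still decides access.
    if ($accounts[$user]['status'] !== 'active') {
        return ['allow' => false, 'reason' => 'local account disabled'];
    }
    return ['allow' => true, 'reason' => 'ok', 'user' => $user];
}

// Constructed sample data: not real accounts or domains.
$accounts = ['alice' => ['status' => 'active'], 'bob' => ['status' => 'disabled']];
$samples = ['EXAMPLE\\alice', 'EXAMPLE+alice', 'alice', 'EXAMPLE+bob', 'OTHER+alice', 'EXAMPLE+'];
foreach ($samples as $ru) {
    $d = sso_login_decision($ru, $accounts, 'EXAMPLE');
    printf("%-14s => %s (%s)\n", $ru, $d['allow'] ? 'allow' : 'deny', $d['reason']);
}
```

Both separator forms resolve to the same local user, and the disabled account is denied even though the web server has already authenticated it.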
