Certificate single sign-on
primetomas
Posted: Sat Jun 07, 2008 2:37 pm |
Joined: Sat Jun 07, 2008 2:29 pm Posts: 1
Hi,
First of all, thanks for a great product.
We are currently using version 1.3.2, after recently upgrading from 0.8.
We are using client certificate authentication on our intraweb. We have patched Achievo rather simply to get single sign-on using certificate logon.
If apache2 is configured with:
SSLVerifyClient require
SSLOptions +StdEnvVars
The patch below uses the UID field from our certificates to log us in automatically. With some more cleaning up and perhaps a configuration option to turn it on I think it would be useful for Achievo/Atk.
In atk/security/class.atksecuritymanager.inc we have patched the method authenticate():
else // HTTP login
{
    $auth_user = $_SERVER["PHP_AUTH_USER"];
    $auth_pw = $_SERVER["PHP_AUTH_PW"];
}
// Begin Certificate patch
// "administrator" stays on the normal password path, so we can still log out
// and log in as administrator when needed.
if (!empty($auth_user) && $auth_user != "administrator")
{
    // Take the user name from the UID component of the client certificate's
    // subject DN (SSL_CLIENT_S_DN is exported by mod_ssl with SSLOptions +StdEnvVars).
    // preg_replace() replaces the deprecated ereg_replace() from the original patch.
    $auth_user = $_SERVER["SSL_CLIENT_S_DN"];
    $auth_user = preg_replace('/.*\/UID=/', '', $auth_user); // drop everything up to the last "/UID="
    $auth_user = preg_replace('/\/.*/', '', $auth_user);     // drop any components after the UID
    $auth_user = trim($auth_user);                           // strip leading/trailing whitespace
    // Fixed password shared by every certificate-authenticated account
    $auth_pw = "abc123";
}
// End Certificate patch
The if statement makes it possible for us to still log out and log in as administrator if needed.
Oh, all users registered in Achievo need to have their password set to abc123, which is not a very nice feature of this patch. I'd rather have a random password and have Achievo not check it at all when using certificate logon.
Cheers,
Tomas
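As an added example (not Achievo/ATK code and not the patch from the post above), here is how the user name lookup from the post can be done more defensively: it first checks that mod_ssl actually verified the certificate chain (SSL_CLIENT_VERIFY), prefers the per-component variable SSL_CLIENT_S_DN_UID that +StdEnvVars exports, and only then falls back to parsing the full DN. The fallback accepts both the "/C=SE/O=.../UID=tomas" form printed by Apache 2.2 and the RFC 2253 "CN=...,UID=tomas,..." form that Apache 2.4 prints unless SSLOptions +LegacyDNStringFormat is set, which the "/UID=" regex in the post would not match. The character whitelist for user names and the sample environments are assumptions made for this example.

```php
<?php
// Added example, not Achievo/ATK code. Assumes Apache with "SSLVerifyClient require"
// and "SSLOptions +StdEnvVars", which make mod_ssl populate the SSL_* variables used here.

// Returns the login name taken from a verified client certificate, or null when the
// request carries no usable, verified certificate identity.
function certificateUser(array $server)
{
    // mod_ssl sets SSL_CLIENT_VERIFY to "SUCCESS" only when the chain validated against
    // the configured CA; anything else ("NONE", "FAILED:...") must not log anyone in.
    if (!isset($server['SSL_CLIENT_VERIFY']) || $server['SSL_CLIENT_VERIFY'] !== 'SUCCESS') {
        return null;
    }

    // Preferred source: +StdEnvVars exports each subject component separately.
    $uid = isset($server['SSL_CLIENT_S_DN_UID']) ? $server['SSL_CLIENT_S_DN_UID'] : null;

    // Fallback: parse the full subject DN. Apache 2.2 prints "/C=SE/O=Ex/UID=tomas/CN=...",
    // Apache 2.4 prints RFC 2253 "CN=...,UID=tomas,O=Ex,C=SE", so accept both separators.
    if ($uid === null && isset($server['SSL_CLIENT_S_DN'])) {
        if (preg_match('/(?:^|[\/,])\s*UID=([^\/,]*)/', $server['SSL_CLIENT_S_DN'], $m)) {
            $uid = $m[1];
        }
    }
    if ($uid === null) {
        return null;
    }
    $uid = trim($uid);

    // Never hand an unchecked DN fragment to the user lookup: restrict it to a safe
    // character set (assumed local naming rule) and keep the built-in administrator
    // on the password path, as the original patch does.
    if (!preg_match('/^[a-z0-9._-]{1,64}$/', $uid) || $uid === 'administrator') {
        return null;
    }
    return $uid;
}

// Constructed sample environments, shaped like the $_SERVER entries mod_ssl would set.
$samples = array(
    'apache22'   => array('SSL_CLIENT_VERIFY' => 'SUCCESS',
                          'SSL_CLIENT_S_DN'   => '/C=SE/O=Example/UID=tomas/CN=Tomas Prime'),
    'apache24'   => array('SSL_CLIENT_VERIFY' => 'SUCCESS',
                          'SSL_CLIENT_S_DN'   => 'CN=Tomas Prime,UID=tomas,O=Example,C=SE'),
    'component'  => array('SSL_CLIENT_VERIFY' => 'SUCCESS',
                          'SSL_CLIENT_S_DN_UID' => 'tomas',
                          'SSL_CLIENT_S_DN'   => '/C=SE/O=Example/UID=tomas/CN=Tomas Prime'),
    'unverified' => array('SSL_CLIENT_VERIFY' => 'NONE',
                          'SSL_CLIENT_S_DN'   => '/C=SE/UID=tomas'),
    'admin'      => array('SSL_CLIENT_VERIFY' => 'SUCCESS',
                          'SSL_CLIENT_S_DN'   => '/C=SE/UID=administrator'),
);

foreach ($samples as $name => $env) {
    $user = certificateUser($env);
    printf("%-10s => %s\n", $name, $user === null ? '(no certificate login)' : $user);
}
```

When this returns a name, the calling code should treat the session as authenticated without comparing a password at all, which is the approach the post says it would prefer over giving every certificate user the shared password abc123. The fallback parser does not unescape RFC 2253 sequences such as "\," inside attribute values, which is one more reason to rely on SSL_CLIENT_S_DN_UID when it is present.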
Re: Certificate single sign-on