Achievo Community
https://www.atk-framework.com/forum/

Certificate single sign-on
https://www.atk-framework.com/forum/viewtopic.php?f=12&t=9601

Author:  primetomas [ Sat Jun 07, 2008 2:37 pm ]
Post subject:  Certificate single sign-on

Hi,
First of all, thanks for a great product.
We are currently using version 1.3.2, after recently upgrading from 0.8.

We are using client certificate authentication on our intraweb. We have patched Achievo rather simply to get single sign-on using certificate logon.
If apache2 is configured with:

    SSLVerifyClient require
    SSLOptions +StdEnvVars

the patch below uses the UID field from our certificates to log us in automatically. With some more cleaning up and perhaps a configuration option to turn it on, I think it would be useful for Achievo/Atk.

In atk/security/class.atksecuritymanager.inc we have patched the method authenticate():

    else // HTTP login
    {
      $auth_user = $_SERVER["PHP_AUTH_USER"];
      $auth_pw = $_SERVER["PHP_AUTH_PW"];
    }

    // Begin Certificate patch
    if (!empty($auth_user) && $auth_user!="administrator")
    {
      // Try to get the user from SSL_CLIENT_S_DN
      $auth_user = $_SERVER["SSL_CLIENT_S_DN"];
      // Drop everything up to and including "/UID="
      $auth_user = ereg_replace(".*/UID=","",$auth_user);
      // Drop any DN components that follow the UID value
      $auth_user = ereg_replace("\/.*","",$auth_user);
      // Trim one leading and one trailing space
      $auth_user = ereg_replace("^\ ","",$auth_user);
      $auth_user = ereg_replace("\ $","",$auth_user);
      // Shared password that every Achievo user must have set
      $auth_pw = "abc123";
    }
    // End Certificate patch

The if statement makes it possible for us to still log out and log in as administrator if needed.

Oh, all users registered in Achievo need to have their password set to abc123, a not very nice feature of this patch. I'd rather have a random password and Achievo not check it at all when using certificate logon.

Cheers,
Tomas
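
An added example, not part of the original post or of Achievo/ATK: one way to do the UID extraction that the patch above performs on SSL_CLIENT_S_DN, checking SSL_CLIENT_VERIFY first and accepting both DN string formats mod_ssl can emit. The function name certificate_login_name() and the sample DNs are assumptions made for illustration, and the code needs PHP 7.1 or later.

```php
<?php
// Added example, not Achievo/ATK code. The function name and the sample
// DNs below are constructed for illustration.

/**
 * Return the UID of a verified client certificate, or null when the
 * request carries no verified certificate or no usable UID.
 */
function certificate_login_name(array $server): ?string
{
    // mod_ssl reports SUCCESS only when the client chain validated.
    if (($server['SSL_CLIENT_VERIFY'] ?? '') !== 'SUCCESS') {
        return null;
    }
    // With +StdEnvVars mod_ssl also exports single DN attributes.
    $uid = $server['SSL_CLIENT_S_DN_UID'] ?? null;
    if ($uid === null) {
        // Legacy DN: /C=SE/O=Example/UID=tomas
        // RFC 2253:  UID=tomas,O=Example,C=SE (Apache 2.4 default)
        // The lookbehind skips separators escaped inside another value.
        $dn = $server['SSL_CLIENT_S_DN'] ?? '';
        if (preg_match('#(?:^|(?<!\\\\)[/,])\s*UID=([^/,]+)#', $dn, $m) !== 1) {
            return null;
        }
        $uid = $m[1];
    }
    $uid = trim($uid);
    // Accept only a conservative login-name alphabet.
    return preg_match('/^[A-Za-z0-9._-]{1,64}$/', $uid) === 1 ? $uid : null;
}

// Constructed sample environments, as PHP would see them in $_SERVER.
$ok = 'SUCCESS';
$samples = [
    'legacy DN'   => ['SSL_CLIENT_VERIFY' => $ok, 'SSL_CLIENT_S_DN' => '/C=SE/O=Example/CN=Tomas/UID=tomas'],
    'RFC 2253 DN' => ['SSL_CLIENT_VERIFY' => $ok, 'SSL_CLIENT_S_DN' => 'UID=tomas,CN=Tomas,O=Example,C=SE'],
    'no cert'     => ['SSL_CLIENT_VERIFY' => 'NONE'],
    'escaped sep' => ['SSL_CLIENT_VERIFY' => $ok, 'SSL_CLIENT_S_DN' => 'CN=a\,UID=root,O=Example'],
    'bad UID'     => ['SSL_CLIENT_VERIFY' => $ok, 'SSL_CLIENT_S_DN' => '/CN=x/UID=a b;c'],
];
foreach ($samples as $label => $server) {
    printf("%-12s %s\n", $label, var_export(certificate_login_name($server), true));
}
```

This covers only the username step; the shared "abc123" password from the patch is a separate issue that the example does not address.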

Author:  sphinix [ Mon Jun 23, 2014 8:17 am ]
Post subject:  Re: Certificate single sign-on

Is it possible to have the certificate authentication AND then the normal username and password authentication?
I am working on a remittance system for a client. He wants to use the certificate to authenticate the physical devices and then username and password for the individual staff who would use the device.

All times are UTC + 1 hour