All times are UTC + 1 hour

[ 2 posts ]
Certificate single sign-on
PostPosted: Sat Jun 07, 2008 2:37 pm
Joined: Sat Jun 07, 2008 2:29 pm
Posts: 1
Hi,
First of all, thanks for a great product.
We are currently using version 1.3.2, after recently upgrading from 0.8.

We are using client certificate authentication on our intraweb. We have patched Achievo rather simply to get single sign-on using certificate logon.
If apache2 is configured with:
SSLVerifyClient require
SSLOptions +StdEnvVars

The patch below uses the UID field from our certificates to log us in automatically. With some more cleaning up and perhaps a configuration option to turn it on I think it would be useful for Achievo/Atk.

In atk/security/class.atksecuritymanager.inc we have patched the method authenticate():

    else // HTTP login
    {
        // Guard the lookups: neither variable is set when no Basic auth header was sent.
        $auth_user = isset($_SERVER["PHP_AUTH_USER"]) ? $_SERVER["PHP_AUTH_USER"] : "";
        $auth_pw   = isset($_SERVER["PHP_AUTH_PW"])   ? $_SERVER["PHP_AUTH_PW"]   : "";
    }

    // Begin Certificate patch
    // Leave "administrator" on ordinary password login so an admin can still
    // log out and log back in without a certificate.
    if (!empty($auth_user) && $auth_user != "administrator")
    {
        // Take the username from the UID attribute of the client certificate's
        // subject DN, which mod_ssl exports (SSLOptions +StdEnvVars) in the form
        // "/C=SE/O=Example/UID=tomas/CN=Tomas".
        // ereg_replace() was removed in PHP 7; preg_replace() does the same job.
        $dn        = isset($_SERVER["SSL_CLIENT_S_DN"]) ? $_SERVER["SSL_CLIENT_S_DN"] : "";
        $auth_user = preg_replace('#.*/UID=#', '', $dn);        // drop everything up to "UID="
        $auth_user = preg_replace('#/.*#', '', $auth_user);     // drop the attributes that follow
        $auth_user = trim($auth_user);                           // strip surrounding blanks
        // The patch does not bypass the password check, so every certificate
        // user has to carry this fixed password (see the note below).
        $auth_pw = "abc123";
    }
    // End Certificate patch
// End Certificate patch

The if statement makes it possible for us to still log out and log in as administrator if needed.

Oh, all users registered in Achievo need to have their password set to abc123, which is not a very nice feature of this patch. I'd rather have a random password, and Achievo not check it at all when using certificate logon.

Cheers,
Tomas
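Added example, not Achievo/ATK code and not the patch above: a stand-alone PHP function that takes the login name from the client certificate only after mod_ssl reports the chain as verified, and that copes with both DN string formats Apache has used over the years. It relies only on the documented mod_ssl variables SSL_CLIENT_VERIFY, SSL_CLIENT_S_DN and SSL_CLIENT_S_DN_UID; the function name, the username whitelist pattern and the sample $_SERVER-style arrays are my assumptions, constructed for the demo.

```php
<?php
// Added example, not Achievo/ATK code. Assumes Apache mod_ssl with
// SSLOptions +StdEnvVars so the SSL_CLIENT_* variables reach PHP.

/**
 * Login name from the verified client certificate, or null when there is no
 * usable certificate so the caller can fall back to the normal password login.
 */
function usernameFromClientCert(array $server)
{
    // mod_ssl sets SSL_CLIENT_VERIFY to SUCCESS only when the certificate
    // chain validated against the configured CA. Under SSLVerifyClient
    // optional this is the check that keeps unverified certificates out;
    // under SSLVerifyClient require Apache already enforces it, so this is
    // defence in depth against a misconfigured vhost.
    if (!isset($server['SSL_CLIENT_VERIFY']) || $server['SSL_CLIENT_VERIFY'] !== 'SUCCESS') {
        return null;
    }

    // Preferred: mod_ssl exports each subject component separately, so the
    // UID needs no DN parsing at all.
    if (isset($server['SSL_CLIENT_S_DN_UID']) && $server['SSL_CLIENT_S_DN_UID'] !== '') {
        $uid = $server['SSL_CLIENT_S_DN_UID'];
    } elseif (!empty($server['SSL_CLIENT_S_DN'])) {
        // Fallback: pull UID out of the full DN. Apache 2.2 renders it as
        // "/C=SE/O=Example/UID=tomas/CN=Tomas"; Apache 2.4 defaults to the
        // RFC 2253 form "CN=Tomas,UID=tomas,O=Example,C=SE". Accept UID= at
        // the start or after either separator and stop at the next one.
        if (!preg_match('#(?:^|[/,])\s*UID=([^/,]+)#', $server['SSL_CLIENT_S_DN'], $m)) {
            return null;
        }
        $uid = trim($m[1]);
    } else {
        return null;
    }

    // Only forward values that look like Achievo usernames. Quoted or escaped
    // RFC 2253 values, blanks and anything else unusual are rejected here
    // rather than handed to the user lookup. (The pattern is an assumption.)
    if (!preg_match('/^[A-Za-z0-9._-]{1,64}$/', $uid)) {
        return null;
    }
    return $uid;
}

// Constructed $_SERVER-like arrays for a stand-alone run: php thisfile.php
$samples = [
    'apache 2.2 DN'      => ['SSL_CLIENT_VERIFY' => 'SUCCESS',
                             'SSL_CLIENT_S_DN'   => '/C=SE/O=Example/UID=tomas/CN=Tomas'],
    'apache 2.4 DN'      => ['SSL_CLIENT_VERIFY' => 'SUCCESS',
                             'SSL_CLIENT_S_DN'   => 'CN=Tomas,UID=tomas,O=Example,C=SE'],
    'component variable' => ['SSL_CLIENT_VERIFY'   => 'SUCCESS',
                             'SSL_CLIENT_S_DN_UID' => 'tomas'],
    'unverified chain'   => ['SSL_CLIENT_VERIFY' => 'FAILED:self signed certificate',
                             'SSL_CLIENT_S_DN'   => '/UID=administrator'],
    'no certificate'     => ['SSL_CLIENT_VERIFY' => 'NONE'],
];
foreach ($samples as $label => $env) {
    printf("%-20s => %s\n", $label, var_export(usernameFromClientCert($env), true));
}
```

The caller decides what a non-null return means. To get what the post above asks for, accept the returned name and skip the password comparison altogether, so no shared abc123 is needed, and run the ordinary password path only when null comes back. Because the function never looks at the submitted username or password, the same call can instead act as a device gate in front of the normal staff login: require a non-null certificate identity, then still check the user's own credentials.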



Re: Certificate single sign-on
PostPosted: Mon Jun 23, 2014 8:17 am
Joined: Wed Aug 01, 2007 9:09 am
Posts: 121
Is it possible to have the certificate authentication AND then the normal username and password authentication?
I am working on a remittance system for a client. He wants to use the certificate to authenticate the physical devices, and then username and password for the individual staff who would use the device.


Powered by phpBB © 2000, 2002, 2005, 2007 phpBB Group