Single sign on questions

(28 posts) (3 voices)
  1. brad@foreverybody, Blocked

    I just got permission to purchase myDBR on the condition that I can get it to work with our Active Directory. I have already made the PHP classes to authenticate to the AD and I have no doubt that myDBR SSO will work fine for authenticating the users; however, I have a couple of questions.

    1. Is there any way of assigning groups to the SSO users? This is imperative, and management probably won't go for it if we can't control groups based on AD groups.

    2. Your documentation for SSO states that I need to pass back a hash:

    hash ... a verification hash calculated as sha1( user + name + token + secret )

    So I understand what the user, name, and token are. What in the world is the "secret"?

  2. brad@foreverybody, Blocked

    I answered question 2 by actually reading your example code :-). Apparently the secret is set in the environment settings. I feel blind.

  3. myDBR Team, Key Master

    Brad,
    You can now define the SSO users to myDBR-defined groups. We will be adding SSO group handling in the next release, so that SSO-defined groups will be automatically assigned to users and reports can be assigned to these groups.

    The 'secret' token is there to protect the SSO authentication.

    Just let us know if you need help with the AD integration.

    --
    myDBR Team

  4. brad@foreverybody, Blocked

    So you say that I can now apply the SSO users to myDBR groups? That would be fine. How do I go about having my SSO program tell myDBR to assign a user to a group? The documentation for SSO says nothing about groups. It isn't reasonable to have to go in and manually assign users to groups.

    Other than the group thing everything is fine and dandy. Loving myDBR.

    EDIT:
    So when might the community expect the next release? My company is very eager to start using myDBR on a company-wide scale, but we are held back until I can manage user groups through the SSO.

  5. myDBR Team, Key Master

    Glad you like myDBR.

    For now you have to do it manually or make the assignment directly in the myDBR tables. As said, if you wish to do the user's group assignment automatically through SSO, that will be included in the next release.

    The current estimate for the next version is late next week or early the following week. This may still change but that's the current plan.

    --
    myDBR Team

  6. brad@foreverybody, Blocked

    OK,

    myDBR 1.7 is out and now supports assigning groups via SSO. Your documentation does not reflect this yet, so my question is:

    Do I just pass a group variable back in the URL like so: $url = $url . '?user=' . $user . '&name=' . $name . '&group=' . $group . '&hash=' . $hash;

    That would work fine for assigning to a single group, but what about assigning multiple groups?

  7. myDBR Team, Key Master

    Hi,
    The online doc was not yet updated. It is now. If you still see the old one, try to reload the page.

    The parameter defining the groups is '&groups' and you can pass multiple groups by separating the groups with '|'. The group parameter is optional. If you do not pass it, no changes to the user's groups are made.

    --
    myDBR Team

  8. brad@foreverybody, Blocked

    Awesome. I don't suppose there is a way to set the admin flag via SSO, is there? Obviously that is just a luxury :-)

  9. myDBR Team, Key Master

    No admin flag in SSO. You can set it manually though if you like. In most setups admin will not change so often. We could add the luxury to the UI though.

    --
    myDBR Team

  10. brad@foreverybody, Blocked

    Edit: I figured it out. I was calculating the hash AFTER URL-encoding the data >_<

  11. myDBR Team, Key Master

    Please compare the code to the sample code found at user/sso/sso_example.php.

    Looks like you encode the strings before the sha1. You might want to take a look at that in particular.

    --
    myDBR Team
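
The mistake discussed in the two posts above (hashing already URL-encoded values) in working form. This is an added example, not code from myDBR or from its user/sso/sso_example.php; it assumes the return-URL format the thread describes (user, name, optional groups, hash = sha1(user + name + token + secret)) and that the receiving side hashes the decoded values, which is what the sample code's behaviour implies.

```php
<?php
// Added example, not code from myDBR or its user/sso/sso_example.php.
// Assumes: myDBR sent the browser to the plugin with a one-time $token,
// the plugin has already authenticated the user against AD, and $secret
// is the value configured under myDBR's Environment settings.
// Plugin side: build the return URL. The hash covers the RAW values;
// URL encoding only happens afterwards, when the query string is built.
function build_sso_return_url(string $mydbr_url, string $user, string $name,
                              array $groups, string $token, string $secret): string
{
    $hash = sha1($user . $name . $token . $secret);     // unencoded values
    $params = [
        'user'   => $user,
        'name'   => $name,
        'groups' => implode('|', $groups),   // optional; '|' separates groups
        'hash'   => $hash,
    ];
    return $mydbr_url . '?' . http_build_query($params);   // encode here
}

// Receiving side, a hypothetical re-implementation of the check myDBR
// performs: decode the query, recompute the hash from the decoded values,
// and compare in constant time so the check does not leak timing.
function verify_sso_return_url(string $url, string $token, string $secret): bool
{
    $query = parse_url($url, PHP_URL_QUERY);
    if (!is_string($query)) return false;
    parse_str($query, $params);              // parse_str URL-decodes values
    foreach (['user', 'name', 'hash'] as $k) {
        if (!isset($params[$k]) || !is_string($params[$k])) return false;
    }
    $expected = sha1($params['user'] . $params['name'] . $token . $secret);
    return hash_equals($expected, $params['hash']);
}

// Constructed sample values; the name contains characters that get encoded.
$token  = 'one-time-token-issued-by-mydbr';
$secret = 'secret-from-environment-settings';
$name   = 'Brad Example & Co';
$good = build_sso_return_url('https://reports.example.com/mydbr/', 'brad', $name,
                             ['Sales', 'Report Admins'], $token, $secret);
var_dump(verify_sso_return_url($good, $token, $secret));    // valid return URL

// The mistake from the thread: hashing values that were already URL-encoded.
// The receiver hashes the decoded values, so this hash never matches.
$wrong_hash = sha1(urlencode('brad') . urlencode($name) . $token . $secret);
$bad = 'https://reports.example.com/mydbr/?user=brad&name=' . urlencode($name)
     . '&hash=' . $wrong_hash;
var_dump(verify_sso_return_url($bad, $token, $secret));     // sha1 ran over encoded values
```

The second case only fails because the name contains characters that urlencode() rewrites; a plain ASCII name would mask the bug until the first user with a space or '&' in their name shows up.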

  12. brad@foreverybody, Blocked

    A new issue with SSO has arisen. Everything is working great except when Active Directory passwords expire/change.

    My plugin is authenticating them correctly, but after my plugin redirects them myDBR kicks them back to the login page. It's an endless cycle that is only broken by logging in as admin and deleting that SSO user and having them log in again.

    Any ideas for a fix or workaround?

  13. myDBR Team, Key Master

    Do you mean that the problem comes when a user, while logged in to myDBR, has his/her password expiring in AD, or does this happen even when the user logs in for the first time after the AD password has expired?

    myDBR authenticates through the SSO whenever the session expires in the browser (Authentication / security section in Environment settings). myDBR has no knowledge of the AD password. It simply checks the SSO return URL's validity when determining the access right. If the return URL is invalid, the user is redirected to the SSO login. Looks like this is happening here. Could you elaborate a bit more on the login sequence when the loop happens?

    --
    myDBR Team

  14. brad@foreverybody, Blocked

    This issue only exists after a user has already logged in and myDBR creates the SSO user, then that user's password gets changed in Active Directory, so the next time they go to log in to myDBR my plugin successfully authenticates them and tries to redirect back to myDBR, but myDBR just bounces them back to the login. If I go delete the SSO user from myDBR they are able to log in again.

    I'll set up a test to capture everything myDBR sends to my plugin as well as what my plugin is sending back to try and figure out where this is getting tripped up.

    I don't see how this can be myDBR's fault, I just thought I'd ask.

  15. brad@foreverybody, Blocked

    Here is another issue that could be addressed by using POST instead of GET requests:

    When typing the URL to myDBR in Internet Explorer it seems to attempt to autocomplete the URL to some previous login, thus leading users to inundate me with calls about them not being able to log in. myDBR just reports an invalid single sign-on request. Could you guys either have it redirect to the login or have the SSO send POST data to the plugin?

  16. myDBR Team, Key Master

    when typing the url to myDBR in Internet explorer it seems to attempt to autocomplete the url to some previous login thus leading user to inundate me with calls about them not being able to login.

    Users are using the direct link to your own authentication module instead of letting myDBR generate a new token for the login? This will lead to an invalid login attempt.

    could you guys either have it redirect to the login or have the SSO send POST data to the plugin?

    We'll see that instead of an error message we do a redirect again in cases where the user is using invalid/old URLs. This should solve the situation.

    --
    myDBR Team

  17. brad@foreverybody, Blocked


    Users are using the direct link to your own authentication module instead letting myDBR generate a new token for the login? This will lead into invalid login attempt.

    Sort of. After my plugin redirects them back to myDBR, IE seems to store that redirect URL so that if that user then tries to go back to myDBR by typing the URL it autocompletes for them to the old redirect URL. I keep trying to train people to use bookmarks, but I can't make them :-)

    Yes, having myDBR redirect back to the login instead of saying invalid request will surely fix that issue. Thanks, you guys rock.

  18. brad@foreverybody, Blocked

    Time for me to be a thorn again :)

    Three minor things related to the single sign-on interface.

    1. Is there any way you guys could add email to the list of acceptable parameters to pass back?
    2. The only way for me to make an SSO user admin is to go into the database and use SQL; the checkboxes are unclickable.

    Any chance of these things being in the next release? :-)

    EDIT:

    3. This is not really an issue, but I think it would be beneficial to include a force SSL option in myDBR. I know that if I force people to myDBR using https then the URL it sends to the SSO plugin will be an https URL. I think it would be nice to have an option for myDBR to force everything over SSL. Currently even if myDBR is accessed over SSL it is possible for the user to take the s out of https and access reports unencrypted. My company has set up myDBR to be accessible over the internet and encryption is a must. I am working around this issue in .htaccess, but would prefer if myDBR could be set to force encryption.

    Thanks guys :-)

  19. myDBR Team, Key Master

    1. is there anyway you guys could add email to the list of acceptable parameters to pass back?

    We'll see what can be done about this one.

    2. the only way for me to make an SSO user admin is to go into the database and use SQL the checkboxes are unclickable.

    Yes, there probably should be a UI for this one. Not sure this will make it to 1.8 though. Fortunately, admin users do not change that often.

    3. this is not really an issue, but I think it would be beneficial to include a force SSL option in myDBR.

    You will be better off doing this on the server side (server redirect / .htaccess). myDBR will work whichever you choose.

    --
    myDBR Team

  20. myDBR Team, Key Master

    A quick update on this for myDBR 1.8. Both email and admin info can optionally be set in SSO.

    --
    myDBR Team

  21. brad@foreverybody, Blocked

    Cool. That all works for me. I look forward to more happy reporting in 1.8.

    thanks guys.

  22. ishmach, Member

    @Brad,
    Can you share your php classes with us for the purpose of authenticating against AD?

    Thanks.

  23. brad@foreverybody, Blocked

    Sorry, I can only provide you with some of the plugin code and some helpful tips. The framework my plugin is built on is proprietary to my company and protected by a non-disclosure agreement.

    The framework has an ad_user class that makes use of the open-source adLDAP class.

    Configure adLDAP to use your AD domain, controller, and some non-privileged user that can browse the directory. If you will be using this to communicate across the internet I strongly advise you to set up your domain controller to support LDAPS (LDAP over SSL). If you are using LDAPS you will need to set that up in the adLDAP file as well.

    So the user class I wrote essentially just authenticates them using adLDAP then maps their ID, email, groups, etc. to class properties. Use the authenticate(user, password) method to verify the username/password, then use the user_info(username) method to look up all the user details such as email address, username, etc. The user_info method returns an associative array with many useful elements, most importantly the 'memberof' element, which itself is an array of the groups the user belongs to.

    Each group entry is the DN of the AD group, so all I did was explode the comma-separated values into an array and everything that had CN=Builtin I added the group name to the user's groups and everything that was OU=Email Groups I threw into the user's email groups (obviously optional). I ignore everything else.

    I combined that user class with an ACL class and a webpage class that verifies the user has permission based on the ACL, but you can get by just fine without those.

    Simply set up a myDBR SSO plugin like in the documentation and create your ad_user object using a supplied username and password (presumably from an HTML form), then if the user is authenticated loop through the groups to build your myDBR groups. I use a switch statement to filter out only the AD groups I wish to use as well as to apply the myDBR admin flag to the admin groups.

    Everything should be pretty straightforward. I'll help you as much as I can without breaking my agreement. I am assuming you are a PHP programmer, of course.
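
The memberOf-to-groups step described in the post above, written out as an added example. This is not Brad's plugin or myDBR code; the DN strings, the group-name mapping and the rule "only groups under CN=Builtin count" are constructed to follow the post, and the result feeds the '&groups=' parameter (and, in myDBR 1.8+, the admin flag) of the SSO return URL.

```php
<?php
// Added example, not Brad's plugin or myDBR code. Turns the 'memberof' array
// that adLDAP's user_info() returns into the value for the SSO 'groups'
// parameter plus the admin flag. The DNs and the group mapping are constructed.
// Split a DN into [attribute, value] pairs per RDN. A backslash escapes the
// following character (RFC 4514), so "Finance\, EMEA" stays one value.
function parse_dn(string $dn): array
{
    $rdns = [];
    foreach (preg_split('/(?<!\\\\),/', $dn) as $part) {
        [$attr, $value] = explode('=', $part, 2) + [1 => ''];
        $rdns[] = [strtoupper(trim($attr)), preg_replace('/\\\\(.)/', '$1', trim($value))];
    }
    return $rdns;
}

// Keep only groups that sit under CN=Builtin (as the post does) and that
// appear in $map, which names the myDBR group and whether it grants admin.
function mydbr_groups_from_memberof(array $memberof, array $map): array
{
    $groups = [];
    $admin  = false;
    foreach ($memberof as $dn) {
        $rdns = parse_dn($dn);
        if (!$rdns || $rdns[0][0] !== 'CN') continue;
        $under_builtin = false;
        foreach (array_slice($rdns, 1) as [$attr, $value]) {
            if ($attr === 'CN' && strcasecmp($value, 'Builtin') === 0) $under_builtin = true;
        }
        $name = $rdns[0][1];
        if (!$under_builtin || !isset($map[$name])) continue;  // the "switch" filter
        $groups[] = $map[$name]['mydbr'];
        $admin = $admin || $map[$name]['admin'];
    }
    return ['groups' => array_values(array_unique($groups)), 'admin' => $admin];
}

// Constructed sample data: which AD groups are exposed, and one user's memberOf.
$map = [
    'Report Admins'  => ['mydbr' => 'Admins',  'admin' => true],
    'Sales'          => ['mydbr' => 'Sales',   'admin' => false],
    'Finance, EMEA'  => ['mydbr' => 'Finance', 'admin' => false],
];
$memberof = [
    'CN=Sales,CN=Builtin,DC=corp,DC=example,DC=com',
    'CN=Finance\, EMEA,CN=Builtin,DC=corp,DC=example,DC=com',
    'CN=All Staff,OU=Email Groups,DC=corp,DC=example,DC=com',   // not Builtin: ignored
];
$result = mydbr_groups_from_memberof($memberof, $map);
$groups_param = implode('|', $result['groups']);   // value for '&groups='
```

Mapping through an explicit allow-list rather than passing every memberOf entry straight through keeps an AD group that happens to share a name with a myDBR group from granting access it was never meant to.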

  24. myDBR Team, Key Master

    @Brad,
    Can you share your php classes with us for the purpose of authenticating against AD?

    FYI,
    AD authentication will be enabled as a direct authentication option in the next version of myDBR.

    --
    myDBR Team

  25. brad@foreverybody, Blocked

    Is there any benefit to using myDBR's soon-to-be built-in AD authentication vs. the SSO plugin method? I assume it means using the myDBR login screen instead of the plugin login screen, but currently my plugin will also authenticate the users for our entire intranet, or if they are already logged in they are able to access myDBR without logging in again.

    Is the login screen the only difference functionally?

  26. myDBR Team, Key Master

    AD and SSO authentication have the same functionality towards myDBR.

    The AD authentication simply authenticates the user using AD. It does not interact with other applications / services. It will be easy to take into use: simply save the AD info and define the AD groups and you are ready to go. All user info used in myDBR (logins, groups, user data etc.) is defined in AD.

    SSO allows you to share a login with another application / service. This is useful in cases when you embed myDBR into another application/service, allowing the user to re-use the authentication already done elsewhere. SSO takes a bit more effort to take into use, since a simple plugin needs to be written for the external service.

    You can continue to use SSO with AD authentication and enjoy the single login to myDBR and intranet. We might add some new fields for the user (telephone number for SMS sending directly from myDBR), but these fields would be optional.

    --
    myDBR Team

  27. brad@foreverybody, Blocked

    Sounds like I'll continue to use my SSO plugin then. If you did add a telephone field I assume you will make that available to the SSO interface as well?

    When you say AD authentication is this specifically active directory or is it simply LDAP v3?

  28. myDBR Team, Key Master

    AD and SSO authentication have the same functionality towards myDBR. They will be kept in sync. Any parameters added will be optional to keep compatibility for the existing installations.

    myDBR's next version will be adding support specifically for Active Directory.

    --
    myDBR Team

