 |
|
You are here: Foswiki>Extensions/Testing Web>SsoLoginContrib (19 Aug 2015, GeorgeClark)Edit Attach
This is an experimental version of SsoLoginContrib.
To configure your Foswiki to install from this repository, modify the {ExtensionsRepositories} setting in your lib/LocalSite.cfg like this:
$Foswiki::cfg{ExtensionsRepositories} = 'Foswiki.org=(http://foswiki.org/Extensions/,http://foswiki.org/pub/Extensions/);Local=(http://foswiki.org/Extensions/Testing/,http://foswiki.org/pub/Extensions/Testing/)';
Read more about configuring Extension repositories
SSO Login Contrib Package
Currently not functional This extension
currently loops in the
Generic SSO (Single Sign-on) module for Foswiki
Foswiki::LoginManager::SsoLogin::new() routine.
With Foswiki, the user identity is not established during module
initialization. It probably should be done in the getUser() routine. This
needs more work.
Introduction
Single sign-on (SSO) is a property of access control of multiple related, but independent software systems. With this property a user logs in once and gains access to all systems without being prompted to log in again at each of them. Conversely, Single sign-off is the property whereby a single action of signing out terminates access to multiple software systems. The SsoLoginContrib is a login manager for Foswiki that handles cookie based SSO authentication. This requires a SSO authentication service on the same domain.Detailed Documentation
- A user logs in to the example.com domain; a domain-level cookie named
x-example-authtokenis set; the value of the cookie is an auth token, such asauth:1234-5678-9abcd. - The user visits twiki.example.com; because the
x-example-authtokencookie is a domain level cookie, the browser will send that cookie to all requests on that site. - The SsoLoginContrib looks for the presence of
x-example-authtokenand, if present, will pass its value to an SSO API on example.com for verification. - The actual SSO API is something like
https://example.com/api/auth/<authtoken>, where<authtoken>is replaced by the cookie value. - Some SSO APIs require to pass an API key in the HTTP header as part of that API call; such as:
x-example-key: abcd-ef01-2345-6789 - The SSO API call returns either:
- A 403 error code, which means it's either a bad/expired auth token or the API key is not valid/present/has-been-denied-access
- A 200 code with JSON in the response body
- The JSON response depends on the SSO API, and may look something like the following:
{"type":"named", "displayName":"Jimmy Neutron", "loginName":"jimmy@example.com"} - The SsoLoginContrib uses the login name found in the JSON response to set the authenticated user in Foswiki. Foswiki has three representations for authenticated users:
- USERNAME (login name), example
jimmy@example.com, you are guest - Canonical User ID, example
jimmy_40example_2ecom, this is built from the login name - WIKINAMENAME, example
JimmyexamplecomorJimmyNeutron, you are WikiGuest
- USERNAME (login name), example
- If the user is not logged in, Foswiki will show a "login" link that points to the SSO service to login, else a "logout" link is shown that points to the SSO service to log out.
- Users do not need to register in Foswiki, but they can if they want to have their own Foswiki profile page, or if their WikiName needs to be added to FoswikiGroups.
- Unregistered users will have a "WikiName" built by stripping out non-ASCII characters from the login name. For example,
jimmy@example.combecomesJimmyexamplecom, and user signatures point toMain.Jimmyexamplecom. - Registered users will have profile page with their WikiName as the page name, such as
JimmyNeutron. The mapping from login name to WikiName is done in the FoswikiUsers page - fix entries there in case login names change.
- Unregistered users will have a "WikiName" built by stripping out non-ASCII characters from the login name. For example,
Configuration
Run the configure script and set the following settings. Alternatively, edit thelib/LocalSite.cfg configure file directly. Settings:
# ---+ Security setup section
# ---++ Authentication
# enable SSO login:
$Foswiki::cfg{LoginManager} = 'Foswiki::LoginManager::SsoLogin';
# remove the "@" character from the login name filter in case users login with an e-mail address:
$Foswiki::cfg{LoginNameFilterIn} = '^[^\\s\\*?~^\\$%`"\'&;|<>\\x00-\\x1f]+$';
# ---++ Registration
# allow login name, and don't ask for password in registration page:
$Foswiki::cfg{Register}{AllowLoginName} = 1;
# ---++ Passwords
# no password manager:
$Foswiki::cfg{PasswordManager} = 'none';
# ---+ Extensions section
# name of auth token cookie:
$Foswiki::cfg{SsoLoginContrib}{AuthTokenName} = 'x-authtoken-cookie-name';
# URL of SSO API to verify an auth token; %AUTHTOKEN% is set to the cookie value of the auth token
$Foswiki::cfg{SsoLoginContrib}{VerifyAuthTokenUrl} = 'https://example.com/api/auth/%AUTHTOKEN%';
# Some SSO APIs require to pass a key in the header of the http request; use comma-space delimited list:
$Foswiki::cfg{SsoLoginContrib}{VerifyAuthTokenHeader} = 'x-sso-api-key, API key value';
# regular expression to extract the login name from the JSON response:
$Foswiki::cfg{SsoLoginContrib}{VerifyResponseLoginRE} = '"loginName":"([^"]*)';
# login URL; %ORIGURL% is set to the original URL where the user is sent after login:
$Foswiki::cfg{SsoLoginContrib}{LoginUrl} = 'https://example.com/login?redirect=%ORIGURL%';
# logout URL; %ORIGURL% is set to the original URL where the user is sent after logout:
$Foswiki::cfg{SsoLoginContrib}{LogoutUrl} = 'https://example.com/logout?redirect=%ORIGURL%';
Installation Instructions
Note: You do not need to install anything on the browser to use this contrib package. The following instructions are for the administrator who installs the package on the server where Foswiki is running.- For an automated installation, run the configure script and follow "Find More Extensions" in the in the Extensions section.
- Or, follow these manual installation steps:
- Download the ZIP file from the Plugins home (see below).
- Unzip
SsoLoginContrib.zipin your twiki installation directory. Content:File: Description: data/Foswiki/SsoLoginContrib.txtDocumentation topic lib/Foswiki/Contrib/SsoLoginContrib.pmContrib Perl module lib/Foswiki/Contrib/SsoLoginContrib/Config.specConfigure spec file lib/Foswiki/LoginManager/SsoLogin.pmSSO Perl module - Set the ownership of the extracted directories and files to the webserver user.
- Contrib module configuration:
- Run the configure script and set the
{SsoLoginContrib}{...)settings in the Extensions section as described above.
- Run the configure script and set the
Contrib Info
This contrib is sponsored by: Short description:- Set SHORTDESCRIPTION = Generic SSO (Single Sign-on) module for Foswiki
| Dependencies: | CPAN:LWP in case SSL is used to verify the auth token |
| Change History: | |
| 2013-09-26: | TWikibug:Item7353: Prepare for TWiki-6.0 release |
| 2012-06-28: | TWikibug:Item6895: Initial version |
| Feedback: | http://TWiki.org/cgi-bin/view/Plugins/SsoLoginContribDev |
| Appraisal: | http://TWiki.org/cgi-bin/view/Plugins/SsoLoginContribAppraisal |
PackageForm edit
| Author | TWiki:Main.PeterThoeny |
| Version | 2013-09-26 |
| Release | 2015-08-18 |
| Copyright | © 2012 Wave Systems Corp. © 2012-2013 TWiki:TWiki.TWikiContributor |
| License | GPL (GNU General Public License) |
| Home | http://TWiki.org/cgi-bin/view/Plugins/SsoLoginContrib |
| Support | http://foswiki.org/Support/SsoLoginContrib |
| Repository | https://github.com/foswiki/SsoLoginContrib |
| ExtensionType | ContribPackage |
| DemoUrl | http:// |
| SupportUrl | SsoLoginContrib |
| I | Attachment | Action | Size | Date | Who | Comment |
|---|---|---|---|---|---|---|
 md5 |
SsoLoginContrib.md5 | manage | 168 bytes | 19 Aug 2015 - 02:16 | GeorgeClark | |
| sha1 |
SsoLoginContrib.sha1 | manage | 192 bytes | 19 Aug 2015 - 02:16 | GeorgeClark | |
 tgz |
SsoLoginContrib.tgz | manage | 77 K | 19 Aug 2015 - 02:15 | GeorgeClark | |
| zip |
SsoLoginContrib.zip | manage | 81 K | 19 Aug 2015 - 02:15 | GeorgeClark | |
| EXT |
SsoLoginContrib_installer | manage | 4 K | 19 Aug 2015 - 02:15 | GeorgeClark |
Edit | Attach | Print version | History: r2 < r1 | Backlinks | View wiki text | Edit wiki text | More topic actions
Topic revision: r2 - 19 Aug 2015, GeorgeClark
The copyright of the content on this website is held by the contributing authors, except where stated elsewhere. See Copyright Statement. 
Legal Imprint Privacy Policy
Legal Imprint Privacy Policy