eZ Community » Forums » Developer » Make eZ Publish SSO provider.

Make eZ Publish SSO provider.

Wednesday 06 November 2013 10:47:16 am - 13 replies

Hi all,

I am trying to implement an SSO solution in which eZ would be the provider.

My eZ site already contains all user accounts.

I work on an Elgg site that needs to use the eZ accounts.

Users must be able to navigate between the two sites seamlessly.

Both sites are on the same dedicated server.

How can I achieve this simply?

Modified on Wednesday 06 November 2013 11:21:32 am by Rémy PHP

Wednesday 06 November 2013 2:18:30 pm

I began to explore a track based on simpleSAMLphp.

It is not simple.

I am exploring a shared session (since the two sites are on the same server).

In site.ini:

[Session]
# ez site is : www.project.mysociete.fr
# elgg site is : elgg.project.mysociete.fr
CookieDomain=.project.mysociete.fr

And in the Elgg settings:

ini_set( "session.cookie_domain", ".project.mysociete.fr" );

But to no avail.

The two sites do not share the session.

Modified on Wednesday 06 November 2013 2:19:11 pm by Rémy PHP

Wednesday 06 November 2013 5:38:27 pm

I would start the other way round (single-login before single-signon):

- check which sso protocols are supported by elgg (saml in this case?)

- install the sso "central auth" system

- write the plugin that allows your sso system to use ezpublish as authentication backend

- check that you can log in to the "central auth" system using eZ credentials

- only then start looking at the sso part, in elgg and in eZ as well

Modified on Wednesday 06 November 2013 5:49:24 pm by Gaetano Giunta

Wednesday 06 November 2013 6:11:13 pm

I found an Elgg mod named "saml_login" based on an external installation of "simpleSAMLphp": http://community.elgg.org/plugins/838203/1.3/saml-authentication-based-on-simplesamlphp

So I think the SAML SSO protocol can be supported.

I found 2 eZ extensions:

  1. feide : http://projects.ez.no/feide
     based on an embedded simplesaml
  2. nxc_sso : https://github.com/nxc/nxc_sso
     which is really simple but, I think, designed for SSO between eZ sites only.

Now, how can I install the SSO "central auth" system?

Thursday 07 November 2013 10:43:06 am

I have made a little progress.

I did an independent installation of simpleSAMLphp.

I created a module:

 simpleSAMLphp/modules/ezpublish

in which I defined a supplier (SP):

simpleSAMLphp/modules/ezpublish/lib/Auth/Source/Client.php

 // Username/password authentication source; the "extends" keyword was missing in the original paste.
 class sspmod_ezpublish_Auth_Source_Client extends sspmod_core_Auth_UserPassBase {
    protected function login($username, $password) {
        // Hard-coded test credentials for now; replaced by a real check later in the thread.
        if ($username !== 'theusername' || $password !== 'thepassword') {
            throw new SimpleSAML_Error_Error('WRONGUSERPASS');
        }
        return array(
            'uid' => array('theusername'),
            'displayName' => array('Some Random User'),
            'eduPersonAffiliation' => array('member', 'employee'),
        );
    }
 }

I added my SP to the list of authentication sources.

authsources.php

 $config = array('ezpublish-Client-SP' => array('ezpublish:Client'));

And in metadata/saml20-idp-hosted.php

 $metadata['__DYNAMIC:1__'] = array( /**/ 'auth' => 'ezpublish-Client-SP', /**/ );

I tested authentication directly in my simpleSAMLphp installation:

 http://simplesamlphp.client.societe.fr/simplesaml

It's OK.

I still have several problems:

 [Step 1] How to check the login/password?

  • Move simpleSAMLphp into eZ Publish.
  • Call a web service
  • Call a script

[Step 2] How to make eZ Publish use simpleSAMLphp to connect?

Modified on Thursday 07 November 2013 10:47:36 am by Rémy PHP

Friday 08 November 2013 3:57:48 am

step1: it depends a little bit, I guess, on where you want to host the saml-server and ez.

- move simplesaml into ez: possible, but it might be a bit complex (you'd need the simplesaml views in ezpublish not to trigger sso, that might get tricky)

- connect directly to the ez db: easy to code, fast in execution. Downside: you will have to replicate ez logic for creating the encrypted password version. And if your ez inis do change, your saml code will have to be updated as well

- connect to a webservice in ez: quite easy to do, using rest api or ezjscore or ggwebservices. Maybe you will even find an existing one you can reuse. Just make sure you secure it so that only the saml server can access it

Friday 08 November 2013 12:01:43 pm

bouble post

Modified on Friday 08 November 2013 12:08:57 pm by Rémy PHP

Friday 08 November 2013 12:02:38 pm

In fact, I think the WS is the right solution.

But as my sites are on the same server, I use, for the moment, a CLI script.

Here is the login function of class sspmod_ezpublish_Auth_Source_Client in my ezpublish module for simpleSAMLphp

 protected function login($username, $password) {
    $cd = '/var/www/html/sites/client/ez'; // path of the eZ site
    // the original called exec($cd), which runs the path as a command; chdir() is what was intended
    chdir($cd);
    // quote both values so a crafted login or password cannot break out into the shell
    $command = 'php extension/client/bin/php/login.php --login=' . escapeshellarg($username)
             . ' --password=' . escapeshellarg($password);
    $last_line = exec($command, $output, $return_var);
    if ($last_line == 'USER_UNKNOWN') {
        throw new SimpleSAML_Error_Error('WRONGUSERPASS');
    }
    $r = unserialize($last_line);
    // the eZ script below only returns login, name and email; groups/roles stay empty unless it is extended
    return array(
        'uid' => array($r['login']),
        'name' => array($r['name']),
        'displayName' => array($r['name']),
        'email' => array($r['email']),
        'groups' => isset($r['groups']) ? $r['groups'] : array(),
        'roles' => isset($r['roles']) ? $r['roles'] : array(),
    );
 }

And here is the eZ script extension/client/bin/php/login.php

require 'autoload.php';
$cli = eZCLI::instance();
$script = eZScript::instance( array( 'description' => '', 'use-session' => false, 'use-modules' => true, 'use-extensions' => true ) );
$script->startup();
$options = $script->getOptions( '[login:][password:]', null, array( 'login' => '', 'password' => '' ) );
$script->initialize();
$login = $options['login'];
$password = $options['password'];
$r = getSAMLuserData( $login, $password );
if ( $r ) {
    // exec() on the caller side picks up the last output line, so the answer is one serialized line
    $cli->output( serialize( $r ) );
} else {
    $cli->output( 'USER_UNKNOWN' );
}
$script->shutdown();

// Returns the attributes simpleSAMLphp needs, or null when login/password do not match.
function getSAMLuserData( $login, $password ) {
    $eZUser = eZUser::loginUser( $login, $password );
    if ( ! $eZUser ) { return null; }
    return array(
        'name' => $eZUser->contentObject()->Name,
        'email' => $eZUser->Email,
        'login' => $eZUser->Login,
    );
}

[Step 1] OK

[Step 2] Make eZ use simpleSAMLphp for authentication.

[Step 3] Make eZ use the existing simpleSAMLphp session (SSO).

I think the sso_handler is for that: http://www.lolart.net/blog/ez-publish/utilisation-d-un-sso-dans-ez-publish

Maybe I can display the simpleSAMLphp login form instead of the eZ one, and combine steps 2 and 3 ...

Modified on Friday 08 November 2013 12:08:35 pm by Rémy PHP

Friday 08 November 2013 12:12:21 pm

Don't want to turn you down when you've come so far, but just remember that any user who can run ps on your server will be able to sniff out everybody's passwords if you use such a simple script.

A slightly better way is to have the ez script get the password by reading stdin (see e.g. http://superuser.com/questions/221955/monitor-interprocess-pipe-traffic or http://stackoverflow.com/questions/249703/how-can-a-process-intercept-stdout-and-stderr-of-another-process-on-linux for a basic introduction to sniffing data passed via a pipe between 2 programs - you need at least gdb or strace to do that)

Modified on Friday 08 November 2013 12:21:22 pm by Gaetano Giunta
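The stdin hand-off suggested in the reply above, written out as an added example (this is not code from the thread or from eZ/simpleSAMLphp). It assumes the eZ root and script paths used earlier in the thread, and it switches the script's answer from serialize() to one line of JSON so the SAML side never calls unserialize() on data it did not produce:

```php
<?php
// ---- simpleSAMLphp side: modules/ezpublish/lib/Auth/Source/Client.php -----
class sspmod_ezpublish_Auth_Source_Client extends sspmod_core_Auth_UserPassBase
{
    const EZ_ROOT   = '/var/www/html/sites/client/ez';      // assumed path
    const EZ_SCRIPT = 'extension/client/bin/php/login.php'; // assumed path

    protected function login( $username, $password )
    {
        // Only the login name goes on the command line (it is not a secret);
        // it is still quoted so a crafted name cannot break out into the shell.
        $cmd = 'php ' . escapeshellarg( self::EZ_SCRIPT )
             . ' --login=' . escapeshellarg( $username );
        $spec = array(
            0 => array( 'pipe', 'r' ), // child's stdin: the password is written here
            1 => array( 'pipe', 'w' ), // child's stdout: JSON answer or USER_UNKNOWN
            2 => array( 'pipe', 'w' ), // child's stderr: captured, never shown to the browser
        );
        $proc = proc_open( $cmd, $spec, $pipes, self::EZ_ROOT );
        if ( !is_resource( $proc ) )
        {
            throw new SimpleSAML_Error_Exception( 'cannot start eZ login script' );
        }
        fwrite( $pipes[0], $password . "\n" );
        fclose( $pipes[0] );
        $out = trim( stream_get_contents( $pipes[1] ) );
        fclose( $pipes[1] );
        fclose( $pipes[2] );
        proc_close( $proc );

        $r = json_decode( $out, true );
        if ( $out === 'USER_UNKNOWN' || !is_array( $r ) || empty( $r['login'] ) )
        {
            throw new SimpleSAML_Error_Error( 'WRONGUSERPASS' );
        }
        return array(
            'uid'         => array( $r['login'] ),
            'displayName' => array( $r['name'] ),
            'email'       => array( $r['email'] ),
        );
    }
}

// ---- eZ side: extension/client/bin/php/login.php ---------------------------
require 'autoload.php';
$cli = eZCLI::instance();
$script = eZScript::instance( array(
    'description' => 'Check an eZ login/password for simpleSAMLphp',
    'use-session' => false, 'use-modules' => true, 'use-extensions' => true ) );
$script->startup();
$options = $script->getOptions( '[login:]', '', array( 'login' => '' ) );
$script->initialize();

// The password is the first line of stdin, never an argument: argv is readable by every local user via ps.
$password = rtrim( (string) fgets( STDIN ), "\r\n" );
$user = ( $options['login'] !== '' && $password !== '' )
      ? eZUser::loginUser( $options['login'], $password ) : false;
if ( !$user )
{
    $cli->output( 'USER_UNKNOWN' );
}
else
{
    $cli->output( json_encode( array(
        'login' => $user->attribute( 'login' ),
        'email' => $user->attribute( 'email' ),
        'name'  => $user->contentObject()->attribute( 'name' ) ) ) );
}
$script->shutdown();
```

As the reply notes, a pipe is still observable with strace or gdb, but that requires ptrace rights on the process, whereas a password on the command line is visible to any local account that can run ps. The SAML side also only reads stdout, so an eZ warning printed to stderr cannot be mistaken for the JSON answer.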

Tuesday 12 November 2013 11:35:30 am

OK for the security problem.

I will deal with it later.

Thank you

Wednesday 13 November 2013 6:25:41 pm

I am making progress.

I'm stuck on passing the identification back to Elgg.

I created a discussion on the simpleSAMLphp mailing list; it seems to me to be a better place to solve my current problem.

https://groups.google.com/forum/#!topic/simplesamlphp/8_2X8dD4paY

But I will probably come back here to finish my eZ Publish configuration

Thursday 14 November 2013 4:37:37 pm

I'm stuck on the simpleSAMLphp -> Elgg part.

I take this opportunity to improve the identification of eZ Publish users in simpleSAMLphp.

And at the same time, I made my first steps with the REST API.

Note: I'm using version 'ezpublish-2012.6'. Is this API v1?

 

eZ Publish

I followed these instructions:

 http://doc.ez.no/eZ-Publish/Technical-manual/4.5/Features/Rest-API/Installation

======== rest_provider.php

 class MyClientRestProvider implements ezpRestProviderInterface {
    public function getRoutes() {
        return array(
            'login' => new ezpRestVersionedRoute( new ezcMvcRailsRoute( '/login', 'MyClientRestController', 'login' ), 1 ),
        );
    }
 }

======== rest_controller.php

 class MyClientRestController extends ezcMvcController {
    public function doLogin() {
        $res = new ezcMvcResult();
        $login = $_REQUEST['login'];
        $password = $_REQUEST['password'];
        $r = $this->getSAMLuserData($login, $password);
        $res->variables['result'] = $r;
        return $res;
    }

    // Same check as in the CLI script above (it was left out of the original paste); null when login fails.
    protected function getSAMLuserData($login, $password) {
        $eZUser = eZUser::loginUser($login, $password);
        if ( ! $eZUser ) { return null; }
        return array(
            'name' => $eZUser->contentObject()->Name,
            'email' => $eZUser->Email,
            'login' => $eZUser->Login,
        );
    }
 }

Testing:

http://www.MyClient.srv-devez01.MyCompagny.fr/api/MyClient/v1/login?login=jhon&password=bar

 {"result":{"name":"Jhon doo","email":"j.d@test","login":"jhon","groups":["G1","G2"]}}

 

Another problem. For it to 'work', I had to turn off the security ...

======== rest.ini.append.php

 [Authentication]
RequireAuthentication=disabled

I do not know if it's any more secure ...

 

 

simpleSAMLphp

Therefore, in my simpleSAMLphp module my 'login' function becomes:

     protected function login($username, $password) {
        $domaine = 'http://www.MyClient.srv-devez01.MyCompagny.fr';
        $uri = '/api/MyClient/v1/login';
        $postfields = 'login=' . urlencode($username) . '&password=' . urlencode($password);
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_POST, true);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        curl_setopt($ch, CURLOPT_URL, $domaine . $uri);
        curl_setopt($ch, CURLOPT_POSTFIELDS, $postfields);
        $result = curl_exec($ch);
        curl_close($ch);
        var_dump($result); // The result is not consistent with what I expected.
        throw new SimpleSAML_Error_Error('WRONGUSERPASS');
    }

I get the following message

Authorization Required

This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required.

How is it possible that, when I call my WS directly from my browser, I get a correct answer,

but the CURL call does not work?

Modified on Thursday 14 November 2013 5:03:31 pm by Rémy PHP

Sunday 17 November 2013 1:09:55 pm

1. try to disable the rest-layer cache in rest.ini.append.php (yes, you are using the rest v1 infrastructure, btw) - CacheSettings/ApplicationCache

2. clear all caches

3. in simpleSAMLphp, use curl_setopt() to have curl dump the whole http communication (payload of request and response)

4. about security:

- yes, you need to disable REST call security for all rest calls for your code to work, which is bad as it makes it easy to call other sensitive RESTv1 functions, UNLESS

- you create a "fixed" user account on eZ, you set up ezrestv1 to use basic auth, and alter simpleSAMLphp to always use basic auth with that user's credentials, keeping in the body the credentials of the user you want to log in with

- for extra security, enable SSL-only for restv1, alter your simpleSAMLphp to use https. (might want to skip ssl certificate checking if you do not have a proper one). It will make login calls just a bit slower though

- for extra security, in doLogin() do not use $_REQUEST but $_POST, to avoid clients passing passwords in the url (you can do this after you finished debugging and testing)

Modified on Sunday 17 November 2013 1:11:34 pm by Gaetano Giunta
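The four hardening points above combined into one added example (not code from the thread, eZ or simpleSAMLphp): the REST endpoint only accepts POST over HTTPS and answers the same way for an unknown user and a wrong password, and the simpleSAMLphp side sends the fixed account's basic-auth credentials, verifies the server certificate, refuses a downgrade to plain http, and decodes JSON instead of unserializing. Class and route names are the ones from the thread; the account name ws_login_sso, the HTTPS URL and the rest.ini setting names in the comment are assumptions to check against your own rest.ini:

```php
<?php
// rest.ini.append.php (assumed setting names, check your rest.ini):
//   [Authentication]
//   RequireAuthentication=enabled
//   AuthenticationStyle=ezpRestBasicAuthStyle
//   [CacheSettings]
//   ApplicationCache=disabled

// ---- eZ side: rest_controller.php -------------------------------------------
class MyClientRestController extends ezcMvcController
{
    public function doLogin()
    {
        $res = new ezcMvcResult();
        $res->variables['result'] = null;

        // Credentials only in a POST body over TLS: never in the URL, the access log or the referer.
        $isHttps = !empty( $_SERVER['HTTPS'] ) && $_SERVER['HTTPS'] !== 'off';
        if ( $_SERVER['REQUEST_METHOD'] !== 'POST' || !$isHttps )
        {
            $res->variables['error'] = 'POST over https required';
            return $res;
        }
        $login    = isset( $_POST['login'] ) ? (string) $_POST['login'] : '';
        $password = isset( $_POST['password'] ) ? (string) $_POST['password'] : '';

        // Same check as the CLI script in the thread; identical null answer for
        // "no such user" and "wrong password", so the endpoint cannot be used to enumerate logins.
        $user = ( $login !== '' && $password !== '' ) ? eZUser::loginUser( $login, $password ) : false;
        if ( $user )
        {
            $res->variables['result'] = array(
                'login' => $user->attribute( 'login' ),
                'email' => $user->attribute( 'email' ),
                'name'  => $user->contentObject()->attribute( 'name' ),
            );
        }
        return $res;
    }
}

// ---- simpleSAMLphp side: modules/ezpublish/lib/Auth/Source/Client.php -------
class sspmod_ezpublish_Auth_Source_Client extends sspmod_core_Auth_UserPassBase
{
    // Fixed eZ account that is only used for this call (assumed name); in a real
    // deployment read the secret from authsources.php, not from source code.
    const EZ_WS_LOGIN    = 'ws_login_sso';
    const EZ_WS_PASSWORD = 'xxxxxxxxxxxxxxxxxx';
    const EZ_LOGIN_URL   = 'https://www.MyClient.srv-devez01.MyCompagny.fr/api/MyClient/v1/login';

    protected function login( $username, $password )
    {
        $ch = curl_init( self::EZ_LOGIN_URL );
        curl_setopt_array( $ch, array(
            CURLOPT_POST           => true,
            CURLOPT_POSTFIELDS     => http_build_query( array( 'login' => $username, 'password' => $password ) ),
            CURLOPT_RETURNTRANSFER => true,
            CURLOPT_HTTPAUTH       => CURLAUTH_BASIC,
            CURLOPT_USERPWD        => self::EZ_WS_LOGIN . ':' . self::EZ_WS_PASSWORD,
            CURLOPT_SSL_VERIFYPEER => true,            // only a throwaway dev box may turn this off
            CURLOPT_SSL_VERIFYHOST => 2,
            CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS, // basic auth is cleartext: never let it go over http
            CURLOPT_CONNECTTIMEOUT => 5,
            CURLOPT_TIMEOUT        => 10,
        ) );
        $body   = curl_exec( $ch );
        $status = curl_getinfo( $ch, CURLINFO_HTTP_CODE );
        $err    = curl_error( $ch );
        curl_close( $ch );

        if ( $body === false || $status !== 200 )
        {
            // Log the transport problem for the admin; the user only sees a failed login.
            SimpleSAML_Logger::warning( 'eZ login backend: HTTP ' . $status . ' ' . $err );
            throw new SimpleSAML_Error_Error( 'WRONGUSERPASS' );
        }
        $data = json_decode( $body, true ); // JSON, not unserialize(): no object injection from the response
        if ( !is_array( $data ) || empty( $data['result']['login'] ) )
        {
            throw new SimpleSAML_Error_Error( 'WRONGUSERPASS' );
        }
        $r = $data['result'];
        return array(
            'uid'         => array( $r['login'] ),
            'displayName' => array( $r['name'] ),
            'email'       => array( $r['email'] ),
        );
    }
}
```

The basic-auth account protects the REST layer (nobody else can reach the other RESTv1 routes), while the user's own credentials travel only in the POST body of a TLS connection whose certificate is checked; skipping that check, as the reply allows for a dev box, lets anyone on the path read both sets of credentials.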

Monday 02 December 2013 11:48:45 am

Sorry for my slow reaction

So I created a new user in eZ that will be used to secure WS calls: ws_login_sso.

In simpleSAMLphp I added the authentication parameters CURLOPT_HTTPAUTH and CURLOPT_USERPWD:

protected function login($username, $password) {
    $domaine = 'http://www.florian.MyClient.srv-devez01.MyCompany.fr';
    $uri = '/api/MyClient/v1/login';
    $postfields = 'login=' . urlencode($username) . '&password=' . urlencode($password);
    $ez_ws_login = 'ws_login_sso';
    $ez_ws_password = 'xxxxxxxxxxxxxxxxxx';
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_URL, $domaine . $uri);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $postfields);
    // basic auth with the fixed eZ account; the user's own credentials stay in the POST body
    curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
    curl_setopt($ch, CURLOPT_USERPWD, "$ez_ws_login:$ez_ws_password");
    $result = curl_exec($ch);
    var_dump($result);
    curl_close($ch);
    //  ...
}

FYI, I ran into some problems in my work environment.

My development site was already protected by basic authentication. I had to disable it.

But stranger: the file index_rest.php was a symbolic link.

[Mon Dec 02 10:47:39 2013] [error] [client 172.17.2.20] Symbolic link not allowed or link target not accessible: /var/www/html/sites/MyClient

I still have an extra layer of security to implement (https etc.). But for now my site is in dev ..

 

Thank you very much for your help