
Active Directory single sign-on is currently possible, but could be enhanced.

A good way to solve this, the approach taken by Moodle (which seemed to have the most advanced solution when the HOWTO above was written), is to configure which IP range(s) are prompted for SSO. When someone connects to the site and needs to authenticate, their address is compared against the SSO IP list. Those who match are redirected to a page that is configured (either in Apache .htaccess or in IIS) to allow authentication. Those who do not match are directed to a manual log-in page as usual.
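The routing decision described above, as an added sketch (not Deki or Moodle code). The network list, the two paths and all function names are assumptions made for illustration.

```python
import ipaddress

# Constructed sample values (assumptions, not from the original page).
SSO_NETWORKS = ["10.20.0.0/16", "192.168.5.0/24", "fd00:1234::/32"]
SSO_LOGIN_PATH = "/sso/login"    # the one path the web server's auth module protects
MANUAL_LOGIN_PATH = "/login"     # ordinary form log-in


def parse_networks(cidrs):
    """Parse CIDR strings once at start-up; a typo fails loudly here."""
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def normalise(addr_text):
    """Return an address object, unwrapping IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    addr = ipaddress.ip_address(addr_text.strip())
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def login_target(remote_addr, networks):
    """Pick the log-in page for a client that still needs to authenticate.

    remote_addr must be the TCP peer address seen by the web server, not a
    client-supplied header such as X-Forwarded-For, which any client can set.
    """
    try:
        addr = normalise(remote_addr)
    except (ValueError, AttributeError):
        # Unparseable or missing address: never trigger the SSO challenge.
        return MANUAL_LOGIN_PATH
    for net in networks:
        if addr.version == net.version and addr in net:
            return SSO_LOGIN_PATH
    return MANUAL_LOGIN_PATH


NETWORKS = parse_networks(SSO_NETWORKS)
```

Only the path returned for matching clients needs to be protected by the Apache or IIS authentication module; every other page stays unchallenged.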

 

MaxM 12 Sep 2008: If you're talking about NTLM or other Apache/IIS modules then it's not up to Deki how or who gets auth'd. Deki front end simply looks for the presence of a REMOTE_USER CGI variable set by the auth module. Refer to the config options for your auth module for more details but it may support only authenticating certain IP ranges or hosts while allowing others to pass through unauthenticated. Let me know if I'm completely misunderstanding your suggestion :)

crb 13 September 2008: A little :) What I would like to be able to do is only ask the Apache/IIS auth modules to auth one page. No other pages (for someone who is logged in already) are configured to challenge the user's browser for authentication. This would fix problems people are having with randomly being prompted for credentials when doing things like opening the link dialog. Deki needs only a small extension: the login page would redirect people in the IP ranges to the one page that is configured to prompt for SSO.

maphew 24 September 2008: Our wiki users can be signed in to the Active Directory from any computer in our organisation, but not every user will be a wiki user. Thus there are people who are in the valid IP range but are not of the "in" group. I want to politely turn these aside. There's no point in even presenting a login form to those not of the appropriate groups.

Also, there are those who are of the right group but have not yet made the browser-side configuration to allow the NTLM challenge/response to happen silently in the background. I want to show these users a custom login screen (not the default browser popup dialog, which is terse and in your face) that also has instructions for how to configure the browser to enable silent login.

    I fully support this feature request.
    Posted 15:38, 12 Sep 2008