Trusted Authentication
Table of contents
This feature is available in MIndTouch Jay Cooke 8.05.1 RC1 and all subsequent releases.
This spec aims to describe a method to allow MindTouch to automatically create and login users that have successfully authenticated via a module (mod_pam, mod_auth, mod_ldap, ntlm, sspi, etc), the web server itself, or a 3rd party application that is entrusted to automatically create MindTouch accounts (SSO).
Thanks to brackett for the idea!
Use cases
- MindTouch is setup within a company intranet on a network with LDAP. Users already log into their workstations with the directory and want to use MindTouch without having to type their credentials again. (NTLM)
- MindTouch is protected by .htaccess/.htpasswd where the user accounts are stored.
- Single sign on: Have the login process of a 3rd party web site automatically create accounts and log users into MindTouch
Not yet covered
- User has a cookie from another web application on a parent domain. Having this cookie implies a trusted user. (Or may require validation of the cookie first).
- OpenID: Possible with this mechanism but has not yet been implemented.
'Trusted' login scenarios
Single Sign On from another web app
The api method POST: users/authenticate will accept a username and an apikey. If the apikey is valid, the user is created if it does not already exist. An authtoken is returned for the user. Providing a valid apikey allows the user to be logged in even without a password. You'll need to add this MindTouch call to your existing web application to log the user in. Refer to code samples for examples of the code you'd need in your existing application to create users in MindTouch and return authtokens.
Login via Apache/IIS module
The module must set the standard CGI variable "REMOTE_USER". MindTouch's PHP code will perform the call to POST: users/authenticate with the apikey and username thus creating the user if it doesn't exist and logging in. This should work for Apache's .htaccess/.passwd as well as other Apache/IIS authentication modules.
Logging in as users from an external auth provider
You can use an Apache/IIS module to do authentication for you and still synchronize groups with an external auth provider. This may be useful for NTLM/SSPI/LDAP modules. Specify the id of your auth service provider in security/trusted-auth-provider-id to verify that the user is known and only then create it. Groups will be sync'd as normal. Since the password of the user isn't passed on to the api, the auth provider will be queried without credentials and the auth provider has to support this. Speicifically, calls to lookup a users and groups in the auth provider have to be possible without any credentials.
Trusted authentication with the LDAP service
If security/trusted-auth-provider-id is the LDAP service, you need to ensure it's capable of performing queries to /groups and users/{username} without credentials. Refer to the LDAP page for setting this up.
Note: The standard LDAP service (as of 8.05.1) doesn't allow these anonymous lookups yet -- you'll need to use the beta LDAP service.
Settings
- security/allow-trusted-auth: (Default: true). Set to false to disable trusted auth.
- security/trusted-auth-provider-id: Set to the numeric id of the auth provider under which users will be created and verified. This is useful when using a web server module to authenticate users but still allow associations with an external auth provider such as LDAP. Set to 1 to create local accounts and not tie users to an external auth provider.
- security/trusted-auth-cgi-variable-name: (default: REMOTE_USER) incoming CGI variable name
- security/trusted-auth-cgi-variable-pattern: (default: .*) regular expression used to match the appropriate information from the CGI variable. Useful for pulling out the username from full domain/user names.
Configuring automatic LDAP login with Apache Mods
This will allow your Windows users that are logged in to sign into MindTouch without ever typing their credentials.
You will need to set up MindTouch using the beta ldap service as mentioned on the beta ldap page. Make sure you follow the instructions about the bindingpw and bindingdn values, as these are required.
Instructions typed out here: How do I...Enable single sign on with Active Directory?
Configuring manual LDAP login with Apache mod_authnz_ldap
Although the same functionality is provided by using MindTouch's built in LDAP auth provider, this offers an alternative if you're having problems with it. Note that if you want group support then you'll still need the LDAP auth provider to work.
Set security/allow-trusted-auth to true.
Set security/trusted-auth-provider-id to the id of your LDAP auth service or 1 to create local accounts that will not have group syncing.
Install authnz_ldap_module for Apache2. Debian's package for this is libapache2-mod-authz-ldap.
Use this configure as an example your MindTouch's Apache setup file (/etc/apache2/sites-enabled/001-dekiwiki).
<Location />
AuthName AuthzLDAP
AuthType Basic
AuthBasicProvider ldap
AuthzLDAPAuthoritative off
AuthLDAPUrl ldap://hostname:389/DC=sd,DC=mindtouch,DC=com?sAMAccountName
AuthLDAPBindDN "CN=maxm,CN=Users,DC=sd,DC=mindtouch,DC=com"
AuthLDAPBindPassword "password"
require valid-user
</Location>
Note that AuthLDAPBindDN and AuthLDAPBindPassword need to set to a known LDAP user's DN and passwod.
Restart Apache.
You should be prompted with a browser authentication dialog. Enter valid LDAP credentials. You should be logged in to MindTouch as your user.
FAQ
Q: Do Apache/IIS auth modules all set the REMOTE_USER cgi variable?
A: Maybe not but all the ones I've seen so far do. If you find one that doesn't, note it here.
Q: Is trusted authentication enabled by default? If no username comes out of one of the trusted cgi variables, the wiki functions as before.
A: This is enabled by default. Disable by setting 'security/allow-trusted-auth' to false
Q: Should these users be treated as local acccounts (no service_id in users table) or should they belong to a given service? Local accounts have the benefit of being able to set a password and thus will allow direct api authentication after a password is set.
A: Accounts created through trusted authentication belong to the auth provider described by security/trusted-auth-provider-id
Q: If a local user is created via this mechanism, can they login manually? Whats their password?
A: Yes if a password has been either manually set by the user in the user preferences.
ChangeLog
- March 06: Branched from 1.9.0a and applied the patch. Attached a compiled bin you can replace on your setup to try this out.
- May 12: Merged changes into trunk to be included in next release. LDAP changes merged into LDAP beta code. More info on the changes there. Removing attached mindtouch.deki.dll and mindtouch.deki.services.dll. Grab latest code from trunk to try it out.
- May 28: Code included in 8.05.1 (RC1). Tested external auth providers and refactored this document into a guide. Fixed front end bug that was not setting an authtoken and thus not allowing access to /@api/deki/* for users who got in via trusted auth. TODO: write up guide for configuring NTLM with Apache.
TODO:
- To use the same methodology for allowing cookie based SSO. Instead of relying on a CGI variable, trust is established by looking for the presence of a cookie.
Feedback
Does it work for you? Tell us about it
- Tag page
- What links here
| Images 0 | ||
|---|---|---|
| No images to display in the gallery. |
Copyright © 2011 MindTouch, Inc. Powered by
More info here:
http://forums.opengarden.org/showthread.php?t=726&page=2
I'm using this with Joomla, and it's working _great_!
@ricmik.myopenid.com, from a 60 second look at Plexcel, it seems like Deki already supports this functionality with the ldap external auth. If you're interested, please write up a spec (similar to this one) about what a plexcel extension/auth provider will allow you to do.
@ricmik.myopenid.com
I was so positively surprised that just by spending 60 seconds with the plexcel integration you could do something very quickly that I just delved right into it. I found this to take quite a bit longer than expected for me, but I might've been on the wrong track completely. So the end result is still there to achieve.
As far as I know now using the ldap external auth is not viable. It seems to me that because plexcel uses it's own apache mod and it doesen't require any htaccess file (directory protection) there is a need to write a specific service dll for it because there's a placxel API embedded in the mod with which to communicate with from the users session initiation. That dll would then extract all the required user information from plexcel's authentication result/output and fill in the auth data needed by dekiwiki. My only problem is that I cannot do this because I have no means to compile for deki. Documentation was never clear enough when reading all the LDAP SSO stuff so that it would clearly lead me to this conclusion but hey, it might be my bad. If I could do a php entry point instead of a dll I would certainly go ahead with trials. edited 08:14, 25 Aug 2008
$result = $wgDekiPlug->At('users', 'authenticate')->With('apikey','v6sMyQAHqpNiLuv0CpUpLpfXG83KeOHI')->With('authprovider', 1)->WithCredentials('admin', '')->Post();