Single Sign-On

From MapbenderWiki



English

There have been several attempts to start a discussion about how to integrate Mapbender into a single sign-on architecture.

Now we want to discuss what this solution could look like. Everyone interested is invited to join the discussion. Let's discuss via the mailing list and IRC and document everything on this wiki page.

  1. The goal is that the user logs in once on the computer; when the user then starts Mapbender, no second login in Mapbender is needed and the user goes directly to the user interfaces.
  2. The second phase will be to include authorisation information, coming either from Mapbender or from the single sign-on service. Either way, the information has to be intelligible to the other side.

Initial ideas of how this could look

1. New Configuration Setting

A new parameter in the configuration file mapbender.conf defines whether to use SINGLE_SIGN_ON or not.

It could look like this:
# --------------------------------------------
# Single Sign-On - default is false, possible options are LDAP, KERBEROS, APACHE_HTTP or something???
# --------------------------------------------
define("SINGLE_SIGN_ON", "true");
define("SINGLE_SIGN_ON_TYPE","LDAP");
  • Depending on what you choose, other parameters may have to be set.
  • It should be possible to define any authorization service regardless of where it is located (see also HIT database authorization for FIONA).

2. changes in login.php

  • When SINGLE_SIGN_ON is set to true, different functions have to be included depending on SINGLE_SIGN_ON_TYPE.

3. user-management

  • Some questions have to be discussed:
    • Roles in Mapbender?
    • How to handle users in Mapbender with a SINGLE_SIGN_ON architecture?
  • One solution could be to carry on in Mapbender as normal, but to force the authentication tool to insert the users into the Mapbender database.
    • Open issue: What happens if that user already exists?
    • Open issue: When users are removed from the remote authorization database, how does Mapbender get to know?
Here are the tables that have to be filled:
  • Create a user: mb_user (not all columns have to be filled; the three columns left empty in the original example are set to NULL here so the statement is valid SQL):
INSERT INTO mb_user (mb_user_id, mb_user_name, mb_user_password, mb_user_owner, mb_user_description, mb_user_login_count, mb_user_email, mb_user_phone, mb_user_department, mb_user_resolution, mb_user_organisation_name, mb_user_position_name, mb_user_phone1, mb_user_facsimile, mb_user_delivery_point, mb_user_city, mb_user_postal_code, mb_user_country, mb_user_online_resource) VALUES (1, 'root', '63a9f0ea7bb98050796b649e85481845', 1, 'root', 0, NULL, NULL, NULL, 72, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL);
  • Assign a user to a GUI: gui_mb_user:
INSERT INTO gui_mb_user (fkey_gui_id, fkey_mb_user_id, mb_user_type) VALUES ('admin1', 1, 'owner');
  • Assign a user to a group: mb_user_mb_group:
...

Existing solutions

Apache HTTP authorization

  • The Apache authorization table is separate from the Mapbender user table.
  • After Apache authorization, the Mapbender login checks the variable $_SERVER['REDIRECT_REMOTE_USER']; if it is set, login.php starts with $name=$_SERVER['REDIRECT_REMOTE_USER'];
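The following is an added sketch, not Mapbender's own code, of how login.php could take the Apache-authenticated name and map it onto the mb_user and gui_mb_user tables listed above while covering the open issue of a user that already exists. It assumes a PDO connection $db to the Mapbender database, the SINGLE_SIGN_ON constants from mapbender.conf, and hypothetical names for the GUI id, the session key and the helper functions.

```php
<?php
// Added example (not Mapbender code). Assumes: $db is a PDO connection to the
// Mapbender database; SINGLE_SIGN_ON / SINGLE_SIGN_ON_TYPE come from mapbender.conf;
// the GUI id 'admin1', the session key and the function names are hypothetical.

function ssoRemoteUser(): ?string {
    // REMOTE_USER / REDIRECT_REMOTE_USER are filled in by the Apache auth module after
    // a successful challenge, not from a client-supplied request header, so they only
    // mean something when Apache authentication is actually enforced for login.php.
    foreach (['REMOTE_USER', 'REDIRECT_REMOTE_USER'] as $key) {
        if (!empty($_SERVER[$key])) {
            return $_SERVER[$key];
        }
    }
    return null;
}

function ensureMapbenderUser(PDO $db, string $name, string $guiId): int {
    // Open issue "what if the user already exists": reuse the existing row.
    $sel = $db->prepare('SELECT mb_user_id FROM mb_user WHERE mb_user_name = ?');
    $sel->execute([$name]);
    $id = $sel->fetchColumn();
    if ($id !== false) {
        return (int) $id;
    }
    // New user. The SSO service owns authentication, so store a random value in the
    // password column: the local password login cannot be used for this account.
    $db->beginTransaction();
    $ins = $db->prepare('INSERT INTO mb_user (mb_user_name, mb_user_password, mb_user_owner, '
        . 'mb_user_description, mb_user_login_count, mb_user_resolution) VALUES (?, ?, 1, ?, 0, 72)');
    $ins->execute([$name, bin2hex(random_bytes(16)), 'created by SSO']);
    $sel->execute([$name]);                       // re-read the id (assumes mb_user_id is generated)
    $id = (int) $sel->fetchColumn();
    $gui = $db->prepare('INSERT INTO gui_mb_user (fkey_gui_id, fkey_mb_user_id, mb_user_type) VALUES (?, ?, ?)');
    $gui->execute([$guiId, $id, 'user']);         // plain member, not 'owner'
    $db->commit();
    return $id;
}

if (defined('SINGLE_SIGN_ON') && SINGLE_SIGN_ON === 'true' && SINGLE_SIGN_ON_TYPE === 'APACHE_HTTP') {
    $name = ssoRemoteUser();
    if ($name === null) {
        http_response_code(401);   // Apache auth did not run: refuse instead of falling through
        exit;
    }
    $_SESSION['mb_user_id'] = ensureMapbenderUser($db, $name, 'admin1');   // hypothetical session key
}
```

The second open issue (users removed from the remote directory) is not solved by this flow; the Mapbender row stays until something reconciles the two user lists.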

German

A short introduction to the topic on Wikipedia:

http://de.wikipedia.org/wiki/Single-Sign-On

There have been several attempts to start the discussion about integrating Mapbender into a single sign-on architecture.

Now we want to discuss what the solution could look like. Everyone interested is invited to take part in the discussion. Let's discuss via the mailing list and IRC and document everything on this wiki page.
