Goal

Fully integrate GLPI with SSO software.

SSO software can provide:
  • authentication services
  • user attributes as HTTP headers, read from an LDAP directory

Proposed Implementation

  • Add a map linking user fields to _SERVER fields
  • All alternate auth systems can use this map: getFromAlternate in the User class processes the rules (prepareInputDataForProcess needs adapting)
  • Just add a map action in getAlternateAuthSystemsUserLogin of the identification class
  • Create templates for standard systems, as is done for LDAP systems
  • reuse the CAS config for the login system? or use an alternate login page if needed
  • add an alternate logout page like the CAS one
  • group sync: how to know whether a group was imported by an LDAP process? add a dynamic field in user_group?

Schema with LemonLDAP::NG

Image(LemonLDAPNG-EN.png)
  • the user wants to use GLPI and connects to GLPI's URL
  • LemonLDAP protects GLPI's web directory: the user is first prompted for a user name and password (unless LemonLDAP already knows him as an authenticated user)
  • LemonLDAP authenticates the user, if needed, against the LDAP directory
  • LemonLDAP gets the user's information and stores it in HTTP headers
  • LemonLDAP redirects the user to GLPI
  • GLPI looks for HTTP_AUTH_USER (or another variable, defined in GLPI's configuration), then considers the user already authenticated and logs him into the application

Integration

GLPI 0.71 can use external authentication in a native way: it has been successfully tested with LemonLDAP::NG and Active Directory.

In some cases, GLPI cannot (for security reasons) connect to the LDAP directory to get user attributes, but needs to use the information provided by the SSO server. This information is sent through HTTP headers (and can be read from the $_SERVER variable).

MoYo: which information is present in the HTTP headers? Is it standard? Always the same?

Walid: you tell LemonLDAP which information to send. You choose the names too. LemonLDAP will prefix them with HTTP_.
For example, if you want to send the mail attribute from LDAP:
  • in LemonLDAP, add the attribute to retrieve: give it a name (for example mail) and the LDAP attribute (mail)
  • tell LemonLDAP to send the attribute to the applications: give the name of the HTTP attribute to be sent, and give the name of the attribute LemonLDAP retrieved from LDAP (in our case "mail")
  • LemonLDAP sends the attribute in the headers, adding HTTP_; the mail attribute will then be accessible in PHP through the $_SERVER['HTTP_MAIL'] variable
    The information is always sent to GLPI. It's always the same information (except, of course, if you modify LemonLDAP's configuration).
    Each LemonLDAP installation could send HTTP parameters with different names.

TODO

There are several ways to do it:
  • process everything in the core
  • use a plugin to get the information and process the assignment rules
  • use a plugin to get the information and let the core process the assignment rules

It's also necessary to be able to enter a custom logout page (for LemonLDAP::NG, the logout URL is http://<glpi>/logout)
--> in fact, to be discussed. Should we, in case of automatic login, display a disconnect link?
--> LemonLDAP, in this case, can intercept the logout request from the application and destroy both the application and SSO sessions

What I propose

  • rename syncLdapGroups to syncGroups because this new mechanism may use this function.
  • Introduce a new hook: external_auth, called when processing an external authentication method without an LDAP directory (in login.php)
  • Create a plugin to map HTTP headers to GLPI user fields (may be added later to the core if the need is real)
  • Modify the User class to separate getting attributes from LDAP from processing the assignment rules.
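As an added illustration of the header-to-field map proposed above (this is not GLPI's or LemonLDAP::NG's own code): a plugin-side body for the external_auth hook that copies configured HTTP_ headers into GLPI user fields, following the HTTP_ prefix convention Walid describes. The plugin name, the GLPI field names and the map layout are assumptions.

```php
<?php
// Added example (not GLPI or LemonLDAP::NG code): a plugin-side body for the
// proposed external_auth hook that copies configured HTTP_ headers into GLPI
// user fields. Plugin name, field names and the map layout are assumptions.

// Map: GLPI user field => $_SERVER key. PHP exposes a request header named
// "Mail" as $_SERVER['HTTP_MAIL'], which is the HTTP_ prefix described above.
const PLUGIN_SSOMAP_FIELDS = [
    'email'     => 'HTTP_MAIL',
    'realname'  => 'HTTP_SN',
    'firstname' => 'HTTP_GIVENNAME',
];

// Fields a header must never set: login.php resets 'name' itself, and the
// credential / authentication columns must not come from the SSO front-end.
const PLUGIN_SSOMAP_PROTECTED = ['id', 'name', 'password', 'authtype', 'auths_id'];

// $params['user'] is $identificat->user->fields and $params['http_headers'] is
// the $_SERVER array passed by login.php. Returns the updated user fields array,
// i.e. the value login.php assigns back to $identificat->user->fields.
function plugin_ssomap_external_auth(array $params)
{
    $fields  = isset($params['user']) ? $params['user'] : [];
    $headers = isset($params['http_headers']) ? $params['http_headers'] : [];

    foreach (PLUGIN_SSOMAP_FIELDS as $field => $header) {
        if (in_array($field, PLUGIN_SSOMAP_PROTECTED, true)) {
            continue;                       // refuse to map protected columns
        }
        if (!isset($headers[$header]) || $headers[$header] === '') {
            continue;                       // attribute not sent for this user
        }
        // Header values are untrusted input: trim and drop control characters.
        $fields[$field] = preg_replace('/[\x00-\x1F\x7F]/', '', trim($headers[$header]));
    }
    return $fields;
}

// Constructed sample of what LemonLDAP::NG could deliver for one request.
$sampleServer = [
    'HTTP_AUTH_USER'  => 'jdoe',
    'HTTP_MAIL'       => 'jdoe@example.org',
    'HTTP_GIVENNAME'  => 'John',
    'HTTP_SN'         => "Doe\r\n",         // stray CRLF removed by the filter
    'HTTP_DEPARTMENT' => 'IT',              // not in the map, so ignored
];
$params = ['user' => ['name' => 'jdoe'], 'http_headers' => $sampleServer];
print_r(plugin_ssomap_external_auth($params));
```

The function returns the fields array itself, which is the shape the login.php hook call stores back into the user object.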

What I did to test it

  • Added a hook in the login page (external_auth):
   --- login.php   (révision 6676)
  +++ login.php   (copie de travail)
  @@ -94,6 +94,13 @@

  +               //Call external authentication via plugins
  +               $params[[user]]=$identificat->user->fields;
  +               $params[[http_headers]]=$_SERVER; 
  +
  +               $tmp = doHookFunction("external_auth",$params);
  +               $identificat->user->fields = $tmp;
  +
                // Reset to secure it
                $identificat->user->fields['name']=$user;
                $identificat->user->fields[[last_login"] = $_SESSION["glpi_currenttime]];
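Review bot: the assignment `$identificat->user->fields = $tmp;` after the hook call stores whatever the plugin returns as the whole user fields array, while the plugin receives `$params` with separate `user` and `http_headers` entries; a plugin that returns `$params` unchanged, or no plugin registered for `external_auth` at all if doHookFunction then hands back its argument, would replace the user fields with the params structure. Either assign `$identificat->user->fields = $tmp['user'];` or verify that `$tmp` is a fields array before assigning. The reset that follows only restores `name` and `last_login`, so it would help to document which keys a plugin may return, since every other column is taken from the plugin as-is. As shown, `$params[[user]]` and `fields[[last_login"]` are not valid PHP (presumably `$params['user']` and `fields['last_login']`).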

LemonLDAPNG-EN.png - LemonLDAP Integration with GLPI (57.9 KB) walid, 04/03/2008 11:12 AM