I'm trying to build a service provider (SP) site for a client using a SAML 2.0-based user ID system.
I've been able to install simpleSAMLphp on my server and have tested it with an open IdP authentication network - all is working fine if I just create PHP files which demand authentication against this IdP. Simply adding this to any page makes it work:
require_once('../simplesamlphp/lib/_autoload.php');
$auth = new SimpleSAML_Auth_Simple('default-sp');
$auth->requireAuth();
$attributes = $auth->getAttributes();
Within CMSMS however, if I add the above as a user-defined Smarty tag (the usual way of including PHP) I get a "state lost" error. I've tried adding it to the page metadata (via the content interface) as well as simply in the body of the page or at the head of the template.
I always get:
State information lost
State information lost, and no way to restart the request
Does anyone have any ideas what could be going wrong? I've tried the usual fixes for this error message (adjusting the domain the cookies are assigned to in php.ini etc.). No joy.
This seems like conflicting session management between simpleSAMLphp and CMSMS.
A simple way around this is to install memcached, and use the memcache session handler instead of the php session handler in simplesamlphp.
http://simplesamlphp.org/docs/stable/simplesamlphp-maintenance#section_2_1
A similar session conflict also exists with eZ Publish (4.x) and Symfony2 (2.3+). SQL session storage solves that problem.
So, my next project. We have a custom-made portal with its own user database. We wanted to use a wiki, so I installed MediaWiki on a separate sub-domain. Having multiple accounts is so 1990, therefore integration was wished for. That was not as easy as I hoped.
Therefore, my solution was: Single Sign On.
IDP
Step 1, installed SimpleSAMLphp as an IDP on the sub-domain sso.myportal.nu
Created my own Module which looks up users in my database. Logging in to the SimpleSAMLphp admin portal, to test/verify if it works, looks great (screenshot attached).
SP
Step 2, installed SimpleSAMLphp as an SP on the sub-domain wiki.myportal.nu
Hooked the SP up to my IDP. Logging in to the SimpleSAMLphp admin portal, to test/verify if it works, looks great. I get authenticated through the IDP in my user database (screenshot attached).
MediaWiki
Then I installed two plugins into MediaWiki:
https://www.mediawiki.org/wiki/Extension:PluggableAuth
https://www.mediawiki.org/wiki/Extension:SimpleSAMLphp
That should enable SSO.
When clicking on the Login link in MediaWiki, I get redirected to the logon page of SimpleSAMLphp on sso.myportal.nu – so far so good.
But, contrary to my expectations, logging in does not work. It seems that I get redirected back and forth between sso.myportal.nu and wiki.myportal.nu.
I've enabled DEBUG mode, the only Warnings I see seem to be this:
Could not load state specified by InResponseTo: NOSTATE Processing response as unsolicited.
I have the config files and log files from both the SimpleSAMLphp installations attached below (a bit too much text to copy/paste here).
After a day and a half looking through Google, I'm kind of stuck. Does anyone here have any ideas?
Well, after two very long nights, the solution has been found.
First of all, if the "Test configured authentication sources" option on the "Authentication"-tab of your SimpleSAMLphp works... That is no guarantee that it will actually work.
In my case, the IDP and SP were on the same server. Different sub-domains. I had every setting in the config.php adjusted, so there were no settings the same for the IDP and SP (cookie names, passwords, etc, etc).
The "Test configured authentication sources" option on the "Authentication"-tab of my SimpleSAMLphp worked! But MediaWiki still did not.
Apparently, this can also be caused by a mismatch of some settings in the config.php compared to php.ini
I found a link to this page in an old Google Forum, where they mentioned the solution. I could not believe it worked, but was desperate, so tried it.
The storage engine should be something other than the default.
In my case I connected SimpleSAMLphp to a MySQL database (can be sqlite, or anything else, as well).
'store.type' => 'sql',
'store.sql.dsn' => 'mysql:host=localhost;dbname=simplesamlStuff',
'store.sql.username' => 'simplesamlUser',
'store.sql.password' => '1234567980',
'store.sql.prefix' => 'sso_',
Both the IDP and the SP can use the same database, as long as the prefix is different. It will create the tables it needs automatically, it just needs to know where to connect to which database with which credentials.
The reason I'm not deleting my question but answering it myself is that I hope someone will find this post and find it helpful, without spending as much time on this as I did.
I would like to redirect to a page outside TYPO3. Is this possible? I don't find an input form to do that.
I have an external PHP application. This application may only be called after a successful login. Is it possible to bind the login data from felogin to a session that I can use in my PHP application? I need the login information in my PHP application. I would like to use the felogin logout mechanism in my external PHP application. Is that possible?
Regards
MS-Tech
Not by default.
The easiest way I can think of, if the external PHP application runs on the same domain, is to alter the PHP application to read the TYPO3 frontend user cookie (fe_typo_user) and get session (fe_sessions table) and frontend user (fe_users table) data from the database.
The cleanest way I can think of is to rewrite the external PHP application as a TYPO3 extension, but I'm assuming this would be too much work.
As for the log out, you can link to the TYPO3 login page and add ?logintype=logout to the URL.
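One way to do the cookie-and-table lookup described in that answer, as an added example that is not part of the original post. It assumes the classic TYPO3 6.x/7.x layout where the fe_typo_user cookie value equals fe_sessions.ses_id (newer versions store a hash), a read-only database account with placeholder credentials, and a lifetime constant that must match the site's configured session timeout:

```php
<?php
// Added example (not from the answer above): an external PHP app on the same
// domain validating the TYPO3 frontend session cookie against fe_sessions and
// fe_users. Assumes TYPO3 6.x/7.x, where the fe_typo_user cookie value is the
// fe_sessions.ses_id; newer versions store a hash, so adapt the lookup.
declare(strict_types=1);

const FE_SESSION_LIFETIME = 6000; // seconds; assumed, match [FE][sessionTimeout]

function typo3FrontendUser(PDO $db, array $cookies): ?array
{
    $sesId = $cookies['fe_typo_user'] ?? '';
    // The cookie is attacker-controlled input: accept only a 32-char hex id.
    if (!preg_match('/^[a-f0-9]{32}$/', $sesId)) {
        return null;
    }
    // Anonymous sessions have ses_userid = 0 and drop out of the JOIN.
    $stmt = $db->prepare(
        'SELECT u.uid, u.username, s.ses_tstamp
           FROM fe_sessions s
           JOIN fe_users u ON u.uid = s.ses_userid
          WHERE s.ses_id = :sid AND u.deleted = 0 AND u.disable = 0'
    );
    $stmt->execute([':sid' => $sesId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }
    // Reject sessions that TYPO3 itself would already treat as expired.
    if ((int) $row['ses_tstamp'] + FE_SESSION_LIFETIME < time()) {
        return null;
    }
    return ['uid' => (int) $row['uid'], 'username' => $row['username']];
}

// Usage in the external application (placeholder DSN and credentials):
$db = new PDO('mysql:host=localhost;dbname=typo3', 'typo3_readonly', 'PLACEHOLDER');
$user = typo3FrontendUser($db, $_COOKIE);
if ($user === null) {
    header('Location: /login/'); // the TYPO3 page carrying the felogin plugin
    exit;
}
echo 'Logged in as ', htmlspecialchars($user['username'], ENT_QUOTES, 'UTF-8');
```

Logging out still goes through the TYPO3 login page with ?logintype=logout, as the answer says; the external app only reads the session, it never writes it.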
I am working on a PHP website which is using the php_svn module to retrieve data from our SVN repositories.
For this I have set internally a hardcoded user/pwd so I can connect (dirty way...)
Now I would like to connect using my current LDAP user. This means that once I try to connect to SVN, PHP should be able to retrieve my current Windows session (the client side that executes IE, etc.) and pass it to SVN so it will still recognise me without prompting for user/pwd...
Not sure if this is possible but would be brilliant to achieve it :)
Has someone achieved something similar? In the php_svn site not much information is available for this specific point...
http://php.net/manual/en/book.svn.php
Thanks in advance!
It seems like you're trying to get a web request to be session based. Web requests are stateless (meaning each request starts over from a blank slate). If you want to maintain credentials between requests, you'll need to use some kind of session handler. PHP has a built in one. http://php.net/manual/en/book.session.php
You won't be able to directly access the 'windows session' however. The information has to make its way from the windows session, into the browser, which isn't really possible without some kind of browser plugin... the more realistic way to do this is: have the user log in to the website, submit their credentials, then store them in a PHP session, to be re-used by PHP on every subsequent page load.
I am tasked with writing a relatively small and simple PHP web app which will use a small database. Authentication for this will be through randomly generated hex keys in the query string which are generated by an administration page and emailed to desired users.
This is all fine so far, but here's the catch:
For various political reasons, we are forced to make this app a Moodle module. I can use the Moodle database in MySQL, but I will be working with my own tables which do not interact with Moodle, and Moodle will not interact with my tables. I must also use the Moodle database abstraction rather than direct PHP->MySQL access.
I do not want my users to know they are operating within Moodle. They shouldn't need to log in to Moodle to access my web app, and they probably won't have access to Moodle anyway. Those users who do have access to Moodle shouldn't see this web app in their list of Moodle functions.
I've thrown together a few small PHP pages, included some Moodle libs, and placed the code in the moodle/mods directory. Accessing the PHP pages on the server with the URLs directly result in a Moodle error, since I'm not accessing the module through proper channels. I get the "Incorrect access detected" error.
Is what I'm tasked to do even possible? If so, how is the best way to accomplish it? Do I need to write an authentication module and then an activity module? Is there any way to bypass all of Moodle's authentication and simply use the database abstraction without editing the core Moodle configuration files? (I know it's possible by modifying the Moodle code, but that is sadly not an option).
I have plenty of PHP experience, but I only have about 4 hours of Moodle experience and I'm getting nowhere fast.
It sounds to me that you might be trying to access the script while coming in from a host other than what Moodle has specified in its config file. You could try dumping your http_host and Moodle's wwwroot to see if they line up. I'm less familiar with 2 than 1.9, but you might be able to define abort_after_config, then include config, then change the cfg wwwroot, then define abort_after_config_cancel, then include setup. Otherwise you could spoof the host, or you can delete the check in the lib/setup.php file.
Not sure quite what you are trying to achieve here but any of the following may work.
(1) If you have a stand-alone platform you want delivered within an LMS framework then you might offer a counter proposal of developing it in your preferred environment but wrapping it in LTI. Moodle can then deliver it via the External Tool plugin and you can get two-way communications between the two for authentication and tracking.
(2) Doing it in Moodle
Create an authentication plugin with a login_hook and make sure it is moved to the top of the authentication plugins list so that it is checked first before the others. Use the hook to process the hex key (as GET or POST parameter) or take you to an alternate process and return true (or create a session). You could also use the 'alternative login page' in the authentication settings alongside this plugin hook. This should take care of authentication.
If enrolment is not an issue then create your plugin as a local plugin (not mod) and use the above hook to redirect to this page after login. This gives you a bit more flexibility in the libraries you use and you can still use front-page enrolments if necessary as a workaround. If you really need enrolments, course roles, and gradebook then use a mod to leverage these. There is a single activity course format in the latest Moodle that gives you a format to run just your bespoke activity on its own.
Finally develop your own layout type in the theme for the local plugin if using that or for the course and incourse layouts if using courses so that you can control what of the standard Moodle navigation and structure you want.
If the plugin is sharing a Moodle already being used for other activities then you'll need to be sensitive to this. If you're just running your own thing then it will be much easier.
(3) Use Web Services to get what you want from Moodle in your own App.
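As an added example of the login_hook approach in option (2), not from the original answer: a hypothetical Moodle auth plugin `auth_hexkey` (auth/hexkey/auth.php) whose loginpage_hook consumes the emailed hex key. The table {hexkey_keys}, its columns and the target page are assumptions; only a SHA-256 hash of each key is stored, and a key is marked used before the session is created so a replayed link cannot log in twice.

```php
<?php
// Added example, not from the answer above: loginpage_hook of a hypothetical
// Moodle auth plugin "auth_hexkey" that signs a user in from a one-time key
// sent by e-mail. Assumes a plugin table {hexkey_keys} with columns
// id, userid, keyhash (sha256 of the key), expires, used.
defined('MOODLE_INTERNAL') || die();

require_once($CFG->libdir . '/authlib.php');

class auth_plugin_hexkey extends auth_plugin_base {

    public function __construct() {
        $this->authtype = 'hexkey';
    }

    // Never accept a username/password pair: the key is the only credential.
    public function user_login($username, $password) {
        return false;
    }

    public function is_internal() {
        return false;
    }

    // Called by login/index.php before the normal login form is rendered.
    public function loginpage_hook() {
        global $DB;

        $key = optional_param('key', '', PARAM_ALPHANUMEXT);
        // Keys are 32 hex chars; anything else is ignored rather than looked up.
        if (!preg_match('/^[a-f0-9]{32}$/', $key)) {
            return;
        }
        // The key is high-entropy random, so a fast hash is adequate for lookup.
        $record = $DB->get_record('hexkey_keys', ['keyhash' => hash('sha256', $key), 'used' => 0]);
        if (!$record || $record->expires < time()) {
            return; // unknown, consumed or expired key: fall through to the normal form
        }
        $user = $DB->get_record('user', ['id' => $record->userid, 'deleted' => 0, 'suspended' => 0]);
        if (!$user) {
            return;
        }
        // Consume the key before creating the session, so a replayed link fails.
        $DB->set_field('hexkey_keys', 'used', 1, ['id' => $record->id]);
        complete_user_login($user);
        redirect(new moodle_url('/local/myapp/index.php')); // hypothetical local plugin page
    }
}
```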
I have written a utility that requires an installation key for uninstallation to ensure that only authorized users are uninstalling. After logging in to our website, the user will be presented with an uninstallation key, but then I would like to also launch the uninstallation wizard on the client's computer. I know this is possible, as I've done it before... just don't remember the code, nor did I save it.
Thanks in advance for any input.
PHP runs on the server-side and has no control over the client whatsoever. Neither can you use JavaScript to launch applications due to security reasons.
The only way you could do this is by using an ActiveX control or some kind of custom browser plugin. Or, if your uninstall wizard has registered some protocol handler on the client (say myuninstall://) then you could use JavaScript to redirect the user to a URL of this protocol, which will in turn then launch your program.
Assuming Windows, you could tell your installer to register a custom URL protocol with a custom scheme for uninstallation. Then your php app could present a link using the custom URL scheme (uninstall-my-product://12345678-ABCD).
Users without your uninstaller would see an "I don't know what to do with this protocol" message. Users who had installed your product would launch the uninstall program.
You could accomplish a similar function by delivering a file type which was registered to open the uninstall program.
If you're using a commercial installation program, then in both cases it would probably be easier to write a little launcher application to run the uninstaller, rather than modifying the uninstaller itself.