Joomla and simplesaml - joomla

I have been researching this issue for a while and haven't found an answer. We have successfully implemented simpleSAMLphp with Open Directory (for authentication credentials), Moodle and Google. Right now we are stuck on adding Joomla to this single sign-on process. I have used https://github.com/OpenConextApps/OpenConextApps-Joomla to add the login menu item that authenticates against the simpleSAMLphp page, and it works, but after entering the credentials on the simpleSAMLphp login page we are redirected back to the Joomla login page. We are using the Joomla access levels to protect the resources after login.
Thanks for the help.

Take a look at this SAML plugin for Joomla:
https://onelogin.zendesk.com/entries/20066026-Configuring-SAML-for-Joomla
This plugin does not use simpleSAMLphp; instead it uses the OneLogin PHP SAML toolkit.
Related to your problem: it could be a session conflict issue. Try configuring the simpleSAMLphp SP to use memcache as session storage (so it never conflicts with Joomla's session storage).
https://simplesamlphp.org/docs/stable/simplesamlphp-maintenance#section_2
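As an added illustration of the session-storage suggestion in the answer above (this is not the poster's configuration and not a file from the simpleSAMLphp project): the session-store part of simpleSAMLphp's config/config.php, with the shipped setting in a comment next to the corrected one. simpleSAMLphp's default 'phpsession' store rides on PHP's own session, which is also what Joomla uses, so the two applications can overwrite each other's session data and the user is dropped back on Joomla's login form. The memcache host, port and lifetimes below are constructed values.

```php
<?php
// Added example: session-store settings for simpleSAMLphp's config/config.php.
// Not the poster's file; the server address and lifetimes are constructed.
$config = array(

    // --- as shipped (conflict-prone) ---
    // 'store.type' => 'phpsession',   // shares PHP's session with Joomla

    // --- corrected: keep the SP's state out of PHP's session entirely ---
    'store.type'             => 'memcache',
    'memcache_store.servers' => array(
        // one server group; add more groups for replication
        array(
            array('hostname' => '127.0.0.1', 'port' => 11211),
        ),
    ),
    'memcache_store.prefix'  => 'simpleSAMLphp',   // namespace the keys if memcache is shared
    'memcache_store.expires' => 36 * 60 * 60,      // seconds; keep >= session.duration

    // Even with a separate store, give the SP its own cookie name so it can
    // never be confused with Joomla's session cookie, and send it over HTTPS only.
    'session.cookie.name'     => 'SimpleSAMLAuthToken',
    'session.cookie.secure'   => true,
    'session.cookie.lifetime' => 0,                // browser-session cookie
    'session.duration'        => 8 * 60 * 60,      // how long a login on the SP stays valid
);
```

The memcache store needs PHP's memcache extension on the SP host; after the change, a login that previously bounced to Joomla's form should land on the page the plugin redirects to, which is how to confirm the conflict was the cause.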

Your extension is probably not implementing/preserving the Joomla return parameter during the SSO login flow.
If you can go for a paid extension, take a look at:
https://creativeprogramming.it/it/apps/joomla-extensions/samlogin
It solves your issues, as it takes care of a seamless integration of simpleSAMLphp with every aspect of Joomla (including ACL rules and clean handling of the login return URL).
PS. I'm the developer.
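The answer above points at the Joomla return parameter. As an added example (not code from the OpenConextApps-Joomla extension, the SAMLogin extension, or simpleSAMLphp), here is how a plugin can carry that parameter through the IdP round trip and validate it on the way back. Joomla passes the post-login destination as a base64-encoded "return" value; if the SP does not put it into its own ReturnTo URL the user lands on the login form, and if the landing page trusts it blindly it becomes an open redirect. The host name, landing URL and sample inputs are constructed; the SimpleSAML_Auth_Simple usage is shown in comments only.

```php
<?php
// Added example: carrying and validating Joomla's base64 "return" parameter
// across a simpleSAMLphp login. Host, landing URL and inputs are constructed.

/**
 * Decode a Joomla-style base64 "return" value. Accept it only if it is a
 * site-relative path or an https URL on $siteHost; otherwise return null so
 * the caller falls back to a fixed default.
 */
function safe_joomla_return($encoded, $siteHost)
{
    if (!is_string($encoded) || $encoded === '') {
        return null;
    }

    $url = base64_decode($encoded, true);                // strict: reject non-base64 input
    if ($url === false || $url === '' || preg_match('/[\r\n]/', $url)) {
        return null;                                     // garbage, or CRLF aimed at a Location header
    }

    $parts = parse_url($url);
    if ($parts === false) {
        return null;
    }

    if (isset($parts['scheme']) || isset($parts['host'])) {
        // Absolute or protocol-relative ("//host/...") URL: only https on our own host.
        $scheme = isset($parts['scheme']) ? strtolower($parts['scheme']) : '';
        if ($scheme !== 'https' || !isset($parts['host']) || strcasecmp($parts['host'], $siteHost) !== 0) {
            return null;
        }
        return $url;
    }

    // Relative URL: must start with exactly one forward slash. Browsers read
    // "/\evil" as "//evil", so a second slash or a backslash is refused too.
    if ($url[0] !== '/' || (isset($url[1]) && ($url[1] === '/' || $url[1] === '\\'))) {
        return null;
    }

    return $url;
}

/** Build the SP ReturnTo URL that carries the validated Joomla return value through the IdP. */
function build_return_to($landing, $joomlaReturn)
{
    $target = $joomlaReturn === null ? '/index.php' : $joomlaReturn;
    return $landing . '?return=' . rawurlencode(base64_encode($target));
}

// Inside the Joomla-side plugin this would be used roughly as (not executed here):
//   $ret = safe_joomla_return(JFactory::getApplication()->input->get('return', '', 'BASE64'), 'intranet.example');
//   $as  = new SimpleSAML_Auth_Simple('default-sp');
//   $as->requireAuth(array('ReturnTo' => build_return_to('https://intranet.example/index.php?option=com_ssolanding', $ret)));
// The landing page must run safe_joomla_return() again on the value it receives
// before redirecting, because that value round-tripped through the browser.

// Constructed inputs:
$host  = 'intranet.example';
$cases = array(
    base64_encode('/index.php?option=com_content&view=article&id=7'),   // legitimate relative
    base64_encode('https://intranet.example/staff/'),                   // legitimate absolute
    base64_encode('https://evil.example/login'),                        // foreign host
    base64_encode('//evil.example/login'),                              // protocol-relative
    base64_encode('/\\evil.example/login'),                             // backslash trick
    base64_encode("/index.php\r\nSet-Cookie: x=y"),                     // header injection
    'not*base64!',                                                      // not base64 at all
);
foreach ($cases as $encoded) {
    $decoded = base64_decode($encoded, true);
    $result  = safe_joomla_return($encoded, $host);
    printf("%-55s -> %s\n",
        $decoded === false ? $encoded : addcslashes($decoded, "\r\n"),
        $result === null ? 'REJECTED' : $result);
}
```

Run from the command line, the first two cases print their URL back and the remaining five print REJECTED; the same function applied on both legs of the redirect is what keeps the ACL-protected destination reachable without turning the SSO entry point into a redirector for arbitrary hosts.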

Okta sign-in widget with PHP does not work

I was trying to set up the OAuth workflow using the sample application as given here.
However, for some reason, after I enter my Okta user ID and password, I never get control back on my callback URL and the application just hangs indefinitely.
However, the normal JavaScript sign-in widget (check this link) with minimal authentication does work and I get control back at the redirect URL. But this is not an OAuth2 workflow, which makes it completely useless for me, because all it does is provide an authentication service using the Okta tenant app and redirect you to your app URL. It does not provide any authorization grant workflow or other complex OAuth2 workflow. It may be useful for some applications, but not for an enterprise app where you want to retrieve user profiles and create a login session based on the user profile data retrieved from Okta.
So my question is: why is the OAuth workflow not working using the PHP application that uses the JS sign-in widget? And why are there no instructions or warnings on this page for this costly service (this is not free and many organisations are probably paying for it)?
I spent almost a day trying to set up my Authorization Server as per the instructions given at this link, but nothing works. Any idea what must be going wrong?
Does this entire example work only after contacting Okta support to enable the Authorization Server feature? Because I also saw documentation here that says this is an Early Access (EA) feature (and it was probably recently added in Okta? Extremely frustrating experience).
BTW, I sent an email to their customer support to enable this Authorization Server feature just in case I am missing something. If this does not work then I will have to create my own OAuth2 server using the Laravel 5.4 PHP framework, which is probably the quickest solution and 100% free.
I also tried to test the Authorization server setup as per the instructions provided here.
I was successful in getting the following endpoint working:
/oauth2/:authorizationServerId/.well-known/openid-configuration
But I am unable to get any scopes and claims using the API endpoint:
/api/v1/authorizationServers/:authorizationServerId/scopes
So in short, I am so far unable to test my Authorization server to get my authorization grant workflow working.
Where can I look for some troubleshooting advice?
Is there another way to check whether I have configured my OKTA Authorization server properly?
I found out that the JS script provided for the PHP sample is not right for the workflow I am working on. After changing that JS script, things started to work.
Edit: Also please note that setting up an Authorization Server is a new feature (an Early Access feature) in Okta. It is not enabled by default, so you need to contact the Okta support team to enable the Authorization Server endpoint and the functionality it provides.
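As an added example (not Okta's PHP sample application or its sign-in widget script), here is the server side of the authorization-code flow the question is trying to reach: the back end mints a one-time state value and a PKCE verifier, sends the browser to the authorization server, and the callback handler refuses anything that does not match. The endpoint paths follow the custom authorization server layout quoted in the question (/oauth2/:authorizationServerId/...); the tenant, server id, client id and redirect URI are constructed, and the token request is prepared but not sent so the block runs offline.

```php
<?php
// Added example: state + PKCE handling for an OAuth 2.0 authorization-code
// flow against an Okta custom authorization server. Issuer, client id and
// redirect URI are constructed; no network calls are made.

function b64url(string $bin): string
{
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

/** Step 1: build the /v1/authorize redirect and pin state + verifier to the session. */
function begin_authorization(array &$session, string $issuer, string $clientId,
                             string $redirectUri, string $scope = 'openid profile email'): string
{
    $state    = b64url(random_bytes(32));   // CSRF token for the callback
    $verifier = b64url(random_bytes(32));   // 43 chars, inside RFC 7636's 43..128 range
    $session['oauth_state']   = $state;
    $session['pkce_verifier'] = $verifier;

    $params = array(
        'client_id'             => $clientId,
        'response_type'         => 'code',
        'scope'                 => $scope,
        'redirect_uri'          => $redirectUri,
        'state'                 => $state,
        'code_challenge'        => b64url(hash('sha256', $verifier, true)),
        'code_challenge_method' => 'S256',
    );

    return $issuer . '/v1/authorize?' . http_build_query($params, '', '&', PHP_QUERY_RFC3986);
}

/**
 * Step 2: the redirect URI handler. Returns the body to POST to /v1/token, or
 * null when the callback must be rejected (error response, missing parameters,
 * state mismatch, or a replay after the state was already consumed).
 */
function handle_callback(array &$session, array $query, string $clientId, string $redirectUri): ?array
{
    if (isset($query['error'])) {
        return null;                         // e.g. access_denied, invalid_scope
    }
    if (!isset($query['code'], $query['state'], $session['oauth_state'], $session['pkce_verifier'])) {
        return null;
    }

    // Consume the state before comparing so a second delivery of the same callback fails.
    $expected = $session['oauth_state'];
    $verifier = $session['pkce_verifier'];
    unset($session['oauth_state'], $session['pkce_verifier']);

    if (!hash_equals($expected, (string) $query['state'])) {
        return null;                         // forged or cross-session callback
    }

    return array(
        'grant_type'    => 'authorization_code',
        'code'          => $query['code'],
        'redirect_uri'  => $redirectUri,     // must equal the value sent in step 1
        'client_id'     => $clientId,
        'code_verifier' => $verifier,        // proves this server started the flow
    );
}
// POST the returned array (form-encoded) to $issuer . '/v1/token'; the server
// recomputes S256(code_verifier) and compares it with the challenge it stored.

// Constructed walk-through:
$session  = array();
$issuer   = 'https://dev-000000.okta.com/oauth2/aus0constructedid';
$clientId = 'constructed-client-id';
$redirect = 'https://app.example/oauth/callback';

$url = begin_authorization($session, $issuer, $clientId, $redirect);
echo "redirect browser to: $url\n";
parse_str((string) parse_url($url, PHP_URL_QUERY), $sent);

$body = handle_callback($session, array('code' => 'constructed-code', 'state' => $sent['state']), $clientId, $redirect);
echo $body !== null ? "callback accepted, token request prepared\n" : "callback rejected\n";

$replay = handle_callback($session, array('code' => 'constructed-code', 'state' => $sent['state']), $clientId, $redirect);
echo $replay === null ? "replayed callback rejected\n" : "replay NOT rejected\n";
```

A callback that "hangs" is usually one of these two functions not being reached at all (the widget never redirects with a code) or the handler silently discarding a response whose state it does not recognise; logging the reason for each null return is the quickest way to tell the two apart.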

use Joomla 3.0 project on intranet

I am using Joomla 3.0 and I want, when a user opens the Joomla 3.0 site, only the login page to open first; then after logging in he can access the website.
Thanks in advance.
You can put the site in offline mode.
So the site will display the login page.
Remember to grant permissions to the users to access the offline site!
If you want to "protect" the whole site with a login, the best option is to turn the site off; then the user will need to log in after opening the intranet page. It's probably the cleanest way to do it without modules/plugins.
The way we are doing it in my company (we are also running our intranet on Joomla!) is that all the articles are set to Registered and the landing page of the intranet just contains a warm welcome and a login form.
One thing to mention: forcing this login for viewing some article/other content is not secure at all; mostly the local installation will run on a database with root access without a password (default setting) and with an unencrypted database that is easily accessible. This is something to consider. If you are running this intranet in a small company with loyal employees or without sensitive information you should be fine; if not, you should put more stress on the security issues.
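As an added example following the two answers above (not the poster's file and not a Joomla project file), here is a configuration.php for a Joomla 3.x intranet with the as-installed value the last answer warns about shown in a comment beside each corrected setting. All values are constructed; the offline switch is the "turn the site off" approach, and the database settings replace the passwordless root account.

```php
<?php
// Added example: configuration.php for a Joomla 3.x intranet. Joomla expects
// exactly one class named JConfig in this file; every value here is constructed.
class JConfig
{
    // "Protect the whole site with login": guests see only the login form.
    public $offline                 = '1';      // was '0'
    public $display_offline_message = 0;        // do not explain to strangers why they are locked out
    public $offline_message         = 'Staff login required.';

    // Database: a dedicated account instead of the passwordless root the answer mentions.
    public $dbtype   = 'mysqli';
    public $host     = 'localhost';
    public $user     = 'joomla_intranet';           // was 'root'
    public $password = 'rGQ1dXp7Vn9mC2tLkW4s';      // was ''   (constructed; generate your own)
    public $db       = 'intranet';
    public $dbprefix = 'ix7k_';                     // was 'jos_' (default, guessable)

    // Transport and session: the login form and the session cookie only travel over HTTPS.
    public $force_ssl       = 2;                    // was 0; 2 = entire site, 1 = administrator only
    public $session_handler = 'database';
    public $lifetime        = '15';                 // minutes idle before the user must log in again

    // Error handling: stack traces and queries belong in logs, not on visitors' screens.
    public $debug           = '0';                  // was '1' on the development box
    public $error_reporting = 'none';               // was 'maximum'
    public $secret          = 'Yk3hQ7pLz9Xe2MvR8sBt';  // constructed; Joomla generates this at install
}

// Matching MySQL grant for the dedicated account (run as the DB admin, not from Joomla):
//   CREATE USER 'joomla_intranet'@'localhost' IDENTIFIED BY '<same password as above>';
//   GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, ALTER, INDEX
//       ON intranet.* TO 'joomla_intranet'@'localhost';
// Nothing on other schemas, and root keeps a password of its own.
```

Setting $offline alone only changes what anonymous visitors see; the database account and the HTTPS setting are what address the "not secure at all" part of the answer, since without them anyone on the LAN can read the tables or the session cookie directly.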

Custom Joomla authorization

The situation is quite complicated, and why I need it, do not ask: the boss wants it!
So, immediately after the default authorization I need to run a custom module which will perform an additional authorization test against another database, and depending on its result I need to decide whether to authorize the user or not.
Are there any suggestions other than modifying the source?
If you are using Joomla's built-in 'Login Menu', you can set the 'Login Redirect' parameter to another page, and if you are using Joomla's native login module, you can set the redirect parameter to any page of your site that you want.
In your case I would recommend creating a simple component (not a module) that authorizes your user a second time and redirects them to any other page you want (if the second login was successful) or kicks the user out (if the second login was unsuccessful). If you do that, you'll be able to create a menu item for your component and redirect your login panel (whether it's a menu item or a simple login module) to your component's menu item.
Creating components for Joomla is not a big deal if you have a little knowledge of PHP programming, and there are some tools that may speed up creating your component, like this one: http://www.notwebdesign.com/joomla-component-creator/
Why not make an authentication plugin and use that rather than the core joomla one?
This is for 1.5 but the principles are the same now.
http://docs.joomla.org/Creating_an_Authentication_Plugin_for_Joomla_1.5
Are the Joomla login credentials for a user the same as for the other system you are using? If so, then you can create a plugin that passes those credentials to your other system on a successful Joomla login event.
If not, then it gets a little tricky. Either your users will have to provide both sets of credentials, once for Joomla that then redirects to your other system for the second login, or you will have to extend your user accounts so you can associate the second set of credentials to a user. You can then use a plugin to pass the related credentials to your secondary system after a successful Joomla login event.
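An added example of the plugin approach from the answers above (not the asker's code and not the code from the linked Joomla 1.5 tutorial): a plugin in the "user" group that lets Joomla's own password check run and then vetoes the login from onUserAuthorisation when a second database says no. It is written against the Joomla 2.5/3.x plugin API (assumed to be the asker's branch; in 1.5 the comparable hook is the user plugin's onLoginUser). The second database's table hr_access(username, active) is constructed, and the connection details are read from hypothetical plugin params host/user/password/database that its XML manifest would declare.

```php
<?php
// Added example: plugins/user/secondcheck/secondcheck.php (plugin group "user").
// Joomla authenticates the password first, then fires onUserAuthorisation for
// every user plugin before any session is created; a response with status
// STATUS_DENIED aborts the login. Table, columns and params are constructed.
defined('_JEXEC') or die;

class PlgUserSecondcheck extends JPlugin
{
    /**
     * @param   JAuthenticationResponse  $response  Result of the password check (username, status, ...)
     * @param   array                    $options   Login options (client id, remember, ...)
     * @return  JAuthenticationResponse
     */
    public function onUserAuthorisation($response, $options = array())
    {
        $result = new JAuthenticationResponse;
        $result->status = JAuthentication::STATUS_SUCCESS;

        // Only act on logins that the primary check already accepted.
        if ($response->status !== JAuthentication::STATUS_SUCCESS) {
            return $result;
        }

        try {
            $allowed = $this->isAllowedInSecondDb($response->username);
        } catch (RuntimeException $e) {
            // Fail closed: an unreachable authorisation source must not mean "allowed".
            JLog::add('secondcheck: ' . $e->getMessage(), JLog::ERROR, 'plg_user_secondcheck');
            $allowed = false;
        }

        if (!$allowed) {
            $result->status        = JAuthentication::STATUS_DENIED;
            $result->error_message = JText::_('JLIB_LOGIN_DENIED');
        }

        return $result;
    }

    /**
     * Look the user up in the second database. Connection details come from the
     * plugin's own params (host/user/password/database in its XML manifest).
     */
    protected function isAllowedInSecondDb($username)
    {
        $db = JDatabaseDriver::getInstance(array(
            'driver'   => 'mysqli',
            'host'     => $this->params->get('host', 'localhost'),
            'user'     => $this->params->get('user'),
            'password' => $this->params->get('password'),
            'database' => $this->params->get('database'),
            'prefix'   => '',
        ));

        // Constructed schema: hr_access(username VARCHAR, active TINYINT).
        // The username comes straight from the login form, so it is quoted.
        $query = $db->getQuery(true)
            ->select('COUNT(*)')
            ->from($db->quoteName('hr_access'))
            ->where($db->quoteName('username') . ' = ' . $db->quote($username))
            ->where($db->quoteName('active') . ' = 1');

        $db->setQuery($query);

        return (int) $db->loadResult() === 1;
    }
}
```

Because the veto happens before the session user is set, a denied user never gets a logged-in session that a later redirect would have to tear down, which is the weakness of doing the second check in a component the login redirects to.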

Single sign on for Joomla admin and frontend

Is it possible to implement single sign-on for the Joomla 1.5 backend and frontend? I find it kind of redundant that when the admin, for instance, is logged in at the backend and needs to do some user function on the frontend, he has to log in again. Is there a way of implementing single sign-on?
Joomla! is implemented as two separate applications: the front-end, initiated from /index.php, and the back-end administration, from /administrator/index.php. As such they have separate user sessions and states.
The separation is a standard security approach; while you could write your own mod_login to do this, I wouldn't advise it unless you're very clear on what you're doing.
Having said that, there are 255 Joomla! extensions in the Access & Security -> Site Access section dealing with logins. Have you tried looking there?
This joomla extension can do that.
http://www.everlive.net/joomla-extensions/15-joomla-admin-from-frontend.html
Just log in to the frontend as an admin user. You will be logged in automatically to the backend. Further, it gives you useful direct links for various backend operations like article add, edit, publish, unpublish etc. The same kind of links are available for modules and menu items.

Share user login/session between cakephp and moodle

I have a website already running, made with CakePHP, which has its own login system using the Auth component.
Now I'm going to create another website using Moodle, hosted on the same server. Is there any way to share the user session between those two websites?
For example, if a user logs into the Moodle website and clicks a link to a page of the other website, he is not asked to log in again, since the system recognises that he is already logged in.
I guess that one thing to do would be to tell Moodle (somehow) to use the same users table in the database that the CakePHP website is already using, and then tell the CakePHP website to accept the sessions created by that other website. Something like this, right?
But I don't know how to do those things or if they are even possible; any advice on how to approach this would be very helpful.
Single sign-on (SSO) is not currently a trivial thing to do in Moodle.
Some other approaches you may consider are:
Use external authentication in Moodle and configure it to use Cake's database. This does not provide SSO but tells Moodle to use Cake's user accounts.
Configure both Moodle and Cake to use a common authentication system like LDAP, POP3 or CAS. Depending on your choice, it is possible that you may achieve SSO.
More information about Moodle authentication plug-ins in this page:
http://docs.moodle.org/dev/Authentication_plugins
