Single Sign-On (SSO) / Pass through authentication with EE

Development and Programming

Ianjoyner
7 posts
8 years ago

Our organization is using Microsoft Active Directory, SSO and Kerberos (apache mod_auth_kerb) to try and automatically log in to ExpressionEngine in a Windows environment. Does anyone have any experience or code doing this? We have the SSO part working and now I'm trying to get EE to use that information to log the user in. The PHP variable $_SERVER['REMOTE_USER'] is set and passed when the user is logged into their computer.

What I would like is for EE to log the person in when that variable is detected, or to check for that variable when logging into EE. The best I have been able to figure out is to hook into the sessions_end hook. I have it mostly working but I thought it might be cleaner to use the sessions_start hook. Or some other hook that only triggers during the authentication process… but I have found no such hook.

Any other thoughts?

       
Ianjoyner
7 posts
8 years ago

Here is my code. It is a method (same name as the hook) in my extension, triggered by the sessions_end hook. If the user isn't found they will be prompted to log in via the normal login form.

function sessions_end($user_session) {
  // Only act when no session exists yet and the session validation type is 'c'.
  if (! $user_session->session_exists && $user_session->validation == 'c') {
    // Use REMOTE_USER only when the web server authenticated it via Negotiate (Kerberos).
    if (! empty($_SERVER['REMOTE_USER']) && ! empty($_SERVER['AUTH_TYPE']) && $_SERVER['AUTH_TYPE'] == 'Negotiate') {
      // Split "user@REALM" and keep the part before the "@".
      // explode() never returns an empty array, so test the name itself.
      $username = explode('@', $_SERVER['REMOTE_USER'], 2);

      if ($username[0] !== '') {
        $member = ee()->db->get_where('members', array('username' => $username[0]));

        // Log in only on an unambiguous match.
        if ($member->num_rows() == 1) {
          $member_row = $member->row();

          $user_session->create_new_session($member_row->member_id);
          $user_session->fetch_session_data();
          $user_session->fetch_member_data();
          $user_session->userdata = array_merge($user_session->userdata, $user_session->sdata);
        }

        $member->free_result();
      }
    }
  }
}

Are there any flaws or better ways to approach this?

       
Ianjoyner
7 posts
8 years ago

The main flaw I found is logout no longer works because the sessions_end will immediately log the user back in.
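
Added example (not part of the thread and not ExpressionEngine's own code): the decision of whether a Kerberos-authenticated request may be logged in automatically, pulled into a plain PHP function that checks the realm instead of discarding it and honours an explicit logout. The realm value, the cookie name `sso_logged_out` and the account-name pattern are assumptions for illustration.

```php
<?php
const SSO_EXPECTED_REALM = 'CORP.EXAMPLE.COM'; // assumption: placeholder realm
const SSO_OPT_OUT_COOKIE = 'sso_logged_out';   // hypothetical cookie set on logout

/** Return the local username to log in automatically, or null if SSO must not apply. */
function sso_username(array $server, array $cookies): ?string
{
    // Trust REMOTE_USER only when the web server reports Negotiate authentication.
    if (($server['AUTH_TYPE'] ?? '') !== 'Negotiate') {
        return null;
    }
    // The user logged out explicitly: do not sign them straight back in.
    // A forged cookie can only suppress auto-login, never grant a session.
    if (!empty($cookies[SSO_OPT_OUT_COOKIE])) {
        return null;
    }
    $principal = $server['REMOTE_USER'] ?? '';
    if (!is_string($principal)) {
        return null;
    }
    // Require exactly user@REALM; a missing or repeated "@" is rejected.
    $parts = explode('@', $principal);
    if (count($parts) !== 2) {
        return null;
    }
    [$user, $realm] = $parts;
    // A principal from another trusted realm must not map onto a local name.
    if ($realm !== SSO_EXPECTED_REALM) {
        return null;
    }
    // Assumed account-name policy; also rejects user/instance principals.
    if (!preg_match('/\A[A-Za-z0-9._-]{1,64}\z/', $user)) {
        return null;
    }
    return $user;
}

// Constructed sample requests (not real data): [$_SERVER subset, $_COOKIE subset].
$samples = [
    [['AUTH_TYPE' => 'Negotiate', 'REMOTE_USER' => 'alice@CORP.EXAMPLE.COM'], []],
    [['AUTH_TYPE' => 'Negotiate', 'REMOTE_USER' => 'alice@OTHER.EXAMPLE.NET'], []],
    [['AUTH_TYPE' => 'Negotiate', 'REMOTE_USER' => 'alice/admin@CORP.EXAMPLE.COM'], []],
    [['AUTH_TYPE' => 'Basic', 'REMOTE_USER' => 'alice@CORP.EXAMPLE.COM'], []],
    [['AUTH_TYPE' => 'Negotiate', 'REMOTE_USER' => 'alice@CORP.EXAMPLE.COM'],
     [SSO_OPT_OUT_COOKIE => '1']],
];
foreach ($samples as [$server, $cookies]) {
    printf("%-10s %-30s => %s\n", $server['AUTH_TYPE'], $server['REMOTE_USER'],
        var_export(sso_username($server, $cookies), true));
}
```

In an extension like the one posted above, the `members` lookup would run only when this function returns a name, and the site's logout path would set the marker cookie so the hook does not recreate the session on the next request.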

       
