[TYPO3-english] typo3 - saml 2.0 - cas-server - ldap - active directory

patrick at bierans.de patrick at bierans.de
Wed Jan 25 09:51:30 CET 2012


Hay Kay, thanks for the reply. (sorry for the phonetic joke ;) )

I want to avoid typo3 talking LDAP to the AD so eu_ldap does not really
fit. But at least it is server side. :)

If I would use it: If the user authed with eu_ldap successfully - is there a
way other typo3 sites of my trust can sso based on the session from the
first typo3 site? Have you done that? I tried to enable the sso feature
there but documentation and search engines were not really helpful. There
must be some kind of central server holding the tickets or a fingerprint. I
will continue in this direction for now.

But @all: feel free to answer to my first post. I am far from "solved" ;)

TIA,
Patrick


Kay Strobach <typo3 at kay-strobach.de> wrote on 24 January 2012 at 20:25:

> PS: I have sso adapters for:
>
>  - TYPO3 FE / BE
>  - tine20.org
>  - mediawiki
>  - mantisbt
>  - knowledgetree
>  - phplist
>  - ...
>
> regards
> Kay
>
> On 24.01.2012 20:07, Kay Strobach wrote:
> > Hi,
> >
> > please take a look at eu_ldap and single-signon.com; these extensions
> > should do the trick. - It's not exactly how you specified it, but it's
> > perfectly working for me in similar environments.
> >
> > Regards
> > Kay
> >
> >
> >
> > On 24.01.2012 20:02, patrick at bierans.de wrote:
> >>
> >> Hello list!
> >>
> >> If my English sounds weird: It's not my native tongue - bear with me
> >> please.
> >>
> >> This one is an advanced setup question. I hope some real hackers are
> >> reading this. :) If you do not understand the basics of my question
> >> please don't ask me to explain it. No offence, I'm just short on time.
> >> But feel free to read on and follow this topic and learn on your own. ;)
> >>
> >> I've spent a lot of time reading tons of stuff about software and
> >> protocols (boss already got picky a week ago ^^) but even my hottest
> >> candidates for now (simpleSAMLphp and ig_ldap_sso_auth) are not really
> >> convincing me yet.
> >>
> >> So I want to ask you!
> >>
> >> In short:
> >>
> >> Multiple typo3 should auth against active directory.
> >> To support SSO I want a CAS-server (with tickets) in between.
> >> The communication should be server side for better protection.
> >> Groups in active directory define access rights in typo3.
> >> Security and stability must be extremely high. No DOS.
> >> How?
> >>
> >> In long:
> >>
> >> I want multiple typo3 installations running latest 4.6 to talk in shib
> >> 1.3 or saml 2.0 with a php based cas-server which then talks ldap to an
> >> active directory on latest windows server 2008 which holds account
> >> details and group assignments reflecting the roles/rights the user will
> >> have inside typo3. So typo3 will assign AD-groups to typo3-usergroups.
> >> This has to work for frontend-users and backend-users.
> >>
> >> I have two more mirrors of the AD to be added to the CAS-server and I
> >> want to add another CAS-server so I have enough redundancy to eliminate
> >> some single points of failure. DDOS-resistant typo3 sites - haha - that's
> >> of lower importance for now.
> >>
> >> The communication typo3 <-> cas-server should run server side on a local
> >> ip range which would require CURL or something alike. All servers are in
> >> the same rack. So some header redirects sent to the browser are to be
> >> avoided.
> >>
> >> The communication cas-server <-> ldap should use local range ips too, so
> >> that the really important systems are not accessible from the "evil"
> >> outside.
> >>
> >> The servers run the latest php5 with Suhosin and the latest debian
> >> squeeze. All servers are VMs running on bold hardware under Xen.
> >> Webservers are latest apache2 behind an nginx; sometimes supported by
> >> lighttpd for static files. All servers are in the same room or have
> >> local ip tunnels in between.
> >>
> >> Ah! And I almost forgot: I have an OTRS to be connected to the
> >> CAS-server too. For now I ignore that and hope to get that solved later.
> >>
> >> Has anybody done that already for real?
> >> Which typo3 plugin can do that with multiple CAS-servers - and server
> >> side?
> >> Which CAS-server software would you use - and can it access multiple
> >> ADs?
> >>
> >> Give me hard questions or good answers!
> >> I have to kick it hard. So kick me. ;)
> >>
> >> Let's have some fun!
> >> Patrick
> >>
> >> PS: You know somebody who can take this?
> >> Please forward it to him as a challenge! ;)
> >
> >
>
>
> --
> http://www.kay-strobach.de - Open Source Rocks
>
> TYPO3 .... inspiring people to share!
> Get involved: http://typo3.org
>
> Answer was useful: https://flattr.com/profile/kaystrobach
> _______________________________________________
> TYPO3-english mailing list
> TYPO3-english at lists.typo3.org
> http://lists.typo3.org/cgi-bin/mailman/listinfo/typo3-english
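The original post quoted above asks for the TYPO3 <-> CAS-server leg to run server side, with tickets, and for AD group membership to decide TYPO3 usergroups. The following Python block is an added example, not code from this thread, from TYPO3 or from any CAS server project (the TYPO3 side would of course be PHP; Python is used so the example runs stand-alone). It shows the validation step of that design: building the CAS 2.0 `/serviceValidate` request that TYPO3 would send from the local range, parsing the XML answer, rejecting failures and malformed responses, and mapping AD group DNs to TYPO3 usergroup uids. The CAS base URL, the service URL, the group DNs, the usergroup uids and the `fetch` callable are all assumed or constructed; that the CAS server releases the AD `memberOf` attribute in its response is an assumption about its configuration.

```python
# Added example (not from the thread): server-side CAS 2.0 service-ticket
# validation and AD-group -> TYPO3-usergroup mapping.
# Assumptions: the CAS server releases the AD "memberOf" attribute in the
# serviceValidate response (server-specific configuration), and the TYPO3
# usergroup uids and group DNs below are constructed for illustration.
import xml.etree.ElementTree as ET
from typing import Callable, Dict, List, Optional
from urllib.parse import urlencode

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}

# Constructed mapping: AD group DN -> TYPO3 fe_groups/be_groups uid.
GROUP_MAP: Dict[str, int] = {
    "CN=typo3-admins,OU=Groups,DC=example,DC=local": 1,
    "CN=typo3-editors,OU=Groups,DC=example,DC=local": 2,
}


def build_validate_url(cas_base: str, service: str, ticket: str) -> str:
    """URL for the server-to-server validation call (CAS 2.0 /serviceValidate).
    The browser never sees this request; TYPO3 makes it from the local range."""
    query = urlencode({"service": service, "ticket": ticket})
    return cas_base.rstrip("/") + "/serviceValidate?" + query


def parse_validate_response(xml_text: str) -> Dict[str, object]:
    """Parse a serviceValidate response into {ok, code, user, groups}."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return {"ok": False, "code": "MALFORMED", "user": None, "groups": []}

    failure = root.find("cas:authenticationFailure", CAS_NS)
    if failure is not None:
        return {"ok": False, "code": failure.get("code", "UNKNOWN"), "user": None, "groups": []}

    success = root.find("cas:authenticationSuccess", CAS_NS)
    user_el = None if success is None else success.find("cas:user", CAS_NS)
    username = (user_el.text or "").strip() if user_el is not None else ""
    if not username:
        # Neither an explicit failure nor a well-formed success: treat as failure.
        return {"ok": False, "code": "MALFORMED", "user": None, "groups": []}

    groups = [
        el.text.strip()
        for el in success.findall("cas:attributes/cas:memberOf", CAS_NS)
        if el.text and el.text.strip()
    ]
    return {"ok": True, "code": "OK", "user": username, "groups": groups}


def map_groups(ad_groups: List[str]) -> List[int]:
    """Translate AD group DNs into TYPO3 usergroup uids; unknown groups are ignored."""
    return sorted({GROUP_MAP[g] for g in ad_groups if g in GROUP_MAP})


def authenticate(cas_base: str, service: str, ticket: str,
                 fetch: Callable[[str], str]) -> Optional[Dict[str, object]]:
    """Validate a ticket and return the TYPO3 user record to create/update, or None to deny.
    `fetch` performs the HTTPS GET; it is injected so this example runs offline."""
    if not ticket.startswith("ST-"):
        return None  # CAS service tickets are "ST-..."; skip the round-trip for junk
    result = parse_validate_response(fetch(build_validate_url(cas_base, service, ticket)))
    if not result["ok"]:
        return None
    uids = map_groups(result["groups"])
    if not uids:
        return None  # valid AD account but no TYPO3 entitlement: deny, don't create a groupless user
    return {"username": result["user"], "usergroup": uids}


# Constructed sample responses in the CAS serviceValidate XML format.
SAMPLE_SUCCESS = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>jdoe</cas:user>
    <cas:attributes>
      <cas:memberOf>CN=typo3-editors,OU=Groups,DC=example,DC=local</cas:memberOf>
      <cas:memberOf>CN=everyone,OU=Groups,DC=example,DC=local</cas:memberOf>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

SAMPLE_FAILURE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>Ticket ST-999 not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""


def fake_fetch(url: str) -> str:
    """Stand-in for the HTTPS call: answers by the ticket found in the URL."""
    return SAMPLE_SUCCESS if "ticket=ST-1234" in url else SAMPLE_FAILURE


if __name__ == "__main__":
    cas, svc = "https://cas.example.local/cas", "https://www.example.org/"
    print(authenticate(cas, svc, "ST-1234", fake_fetch))  # user jdoe, usergroup [2]
    print(authenticate(cas, svc, "ST-999", fake_fetch))   # None (INVALID_TICKET)
```

Two design points carry over to a real deployment: the validation call must go over HTTPS to the CAS host even on the local range, since the response is what grants the session, and a ticket that validates but maps to no TYPO3 group is denied rather than admitted with an empty group list, so an AD account outside the intended groups never gets a TYPO3 user record.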

