[TYPO3-english] typo3 - saml 2.0 - cas-server - ldap - active directory

Kay Strobach typo3 at kay-strobach.de
Wed Jan 25 14:16:50 CET 2012


Hi Patrick,

yes, you have one central TYPO3 which authenticates the users via a
source you may choose (ldap, custom service, ...). This instance is able
to create SSO links to any other http(s)-based software.

You need an sso_adapter for every target of the sso adapter.
Perhaps you may take a look here:

http://www.kay-strobach.de/projekte/typo3-praesentationen/sso-mit-typo3/

Regards
Kay

On 25.01.2012 09:51, patrick at bierans.de wrote:
> Hay Kay, thanks for the reply. (sorry for the phonetic joke ;) )
> 
> I want to avoid typo3 talking LDAP to the AD so eu_ldap does not really
> fit. But at least it is server side. :)
> 
> If I would use it: If the user authed with eu_ldap successfully - is there a
> way other typo3 sites of my trust can sso based on the session from the
> first typo3 site? Have you done that? I tried to enable the sso feature
> there but documentation and search engines were not really helpful. There
> must be some kind of central server holding the tickets or a fingerprint. I
> will continue in this direction for now.
> 
> But @all: feel free to answer to my first post. I am far from "solved" ;)
> 
> TIA,
> Patrick
> 
> 
> Kay Strobach <typo3 at kay-strobach.de> wrote on 24 January 2012 at
> 20:25:
> 
>> PS: I have sso adapters for:
>>
>>  - TYPO3 FE / BE
>>  - tine20.org
>>  - mediawiki
>>  - mantisbt
>>  - knowledgetree
>>  - phplist
>>  - ...
>>
>> regards
>> Kay
>>
>> On 24.01.2012 20:07, Kay Strobach wrote:
>>> Hi,
>>>
>>> please take a look at eu_ldap and single-signon.com; these extensions
>>> should do the trick. - It's not exactly how you specified it, but it's
>>> perfectly working for me in similar environments.
>>>
>>> Regards
>>> Kay
>>>
>>>
>>>
>>> On 24.01.2012 20:02, patrick at bierans.de wrote:
>>>>
>>>> Hello list!
>>>>
>>>> If my English sounds weird: It's not my native tongue - bear with me
>>>> please.
>>>>
>>>> This one is an advanced setup question. I hope some real hackers are
>>>> reading this. :) If you do not understand the basics of my question
>>>> please don't ask me to explain it. No offence, I'm just short on time.
>>>> But feel free to read on and follow this topic and learn on your own. ;)
>>>>
>>>> I've spent a lot of time reading tons of stuff about software and
>>>> protocols (boss already got picky a week ago ^^) but even my hottest
>>>> candidates for now (simpleSAMLphp and ig_ldap_sso_auth) are not really
>>>> convincing me yet.
>>>>
>>>> So I want to ask you!
>>>>
>>>> In short:
>>>>
>>>> Multiple typo3 should auth against active directory.
>>>> To support SSO I want a CAS-server (with tickets) in between.
>>>> The communication should be server side for better protection.
>>>> Groups in active directory define access rights in typo3.
>>>> Security and stability must be extremely high. No DOS.
>>>> How?
>>>>
>>>> In long:
>>>>
>>>> I want multiple typo3 installations running latest 4.6 to talk in shib
>>>> 1.3 or saml 2.0 with a php based cas-server which then talks ldap to an
>>>> active directory on latest windows server 2008 which holds account
>>>> details and group assignments reflecting the roles/rights the user will
>>>> have inside typo3. So typo3 will assign AD-groups to typo3-usergroups.
>>>> This has to work for frontend-users and backend-users.
>>>>
>>>> I have two more mirrors of the AD to be added to the CAS-server and I
>>>> want to add another CAS-server so I have enough redundancy to eliminate
>>>> some single points of failure. DDOS-resistant typo3 sites - haha -
>>>> that's of lower importance for now.
>>>>
>>>> The communication typo3 <-> cas-server should run server side on local
>>>> ip range which would require CURL or something alike. All servers are
>>>> in the same rack. So some header redirects sent to the browser are to
>>>> be avoided.
>>>>
>>>> The communication cas-server <-> ldap should use local range ips too.
>>>> So that the really important systems are not accessible from the "evil"
>>>> outside.
>>>>
>>>> The servers run the latest php5 with Suhosin and the latest debian
>>>> squeeze. All servers are VMs running on bold hardware under Xen.
>>>> Webservers are latest apache2 behind an nginx; sometimes supported by
>>>> lighttpd for static files. All servers are in the same room or have
>>>> local ip tunnels in between.
>>>>
>>>> Ah! And I almost forgot: I have an OTRS to be connected to the
>>>> CAS-server too. For now I ignore that and hope to get that solved later.
>>>>
>>>> Has anybody done that already for real?
>>>> Which typo3 plugin can do that with multiple CAS-servers - and server
>>>> side?
>>>> Which CAS-server software would you use - and can it access multiple
>>>> ADs?
>>>>
>>>> Give me hard questions or good answers!
>>>> I have to kick it hard. So kick me. ;)
>>>>
>>>> Let's have some fun!
>>>> Patrick
>>>>
>>>> PS: You know somebody who can take this?
>>>> Please forward it to him as a challenge! ;)
>>>
>>>
>>
>>
>> --
>> http://www.kay-strobach.de - Open Source Rocks
>>
>> TYPO3 .... inspiring people to share!
>> Get involved: http://typo3.org
>>
>> Answer was useful: https://flattr.com/profile/kaystrobach
>> _______________________________________________
>> TYPO3-english mailing list
>> TYPO3-english at lists.typo3.org
>> http://lists.typo3.org/cgi-bin/mailman/listinfo/typo3-english


-- 
http://www.kay-strobach.de - Open Source Rocks

TYPO3 .... inspiring people to share!
Get involved: http://typo3.org

Answer was useful: https://flattr.com/profile/kaystrobach
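Patrick's quoted requirements (server-side ticket validation between TYPO3 and a CAS server on the local range, AD groups mapped to TYPO3 usergroups) boil down to one exchange that the thread never spells out: the relying site takes the service ticket it was handed, asks the CAS server's /serviceValidate endpoint whether it is genuine, and only then looks at the returned attributes. The following is an added example, not code from the thread, from TYPO3 or from any of the extensions named in it. The element names (cas:serviceResponse, cas:authenticationSuccess, cas:user, cas:attributes, cas:authenticationFailure) are the ones defined by the CAS 2.0 protocol; the CAS host name, the `memberOf` attribute (whether a CAS server releases AD group membership under that name is a matter of its attribute-release configuration), the group-to-uid mapping and the XML responses are assumptions constructed for the example.

```python
"""Server-side CAS 2.0 service-ticket validation with AD-group mapping.

Added example (not from the mailing-list thread). It models the step in
which a TYPO3 instance, having received a service ticket, asks the CAS
server over the local network whether the ticket is valid, and then maps
the AD groups returned as CAS attributes onto TYPO3 usergroup uids.
The CAS base URL, the attribute name 'memberOf' and GROUP_MAP are
assumptions; the XML responses below are constructed for the example.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlencode
from urllib.request import urlopen

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}

# Constructed AD-group -> TYPO3 usergroup uid mapping (assumption).
GROUP_MAP = {
    "CN=Editors,OU=Groups,DC=example,DC=local": 1,
    "CN=Staff,OU=Groups,DC=example,DC=local": 2,
}

# Constructed CAS 2.0 /serviceValidate success response.
SAMPLE_SUCCESS = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess>
    <cas:user>pbierans</cas:user>
    <cas:attributes>
      <cas:memberOf>CN=Editors,OU=Groups,DC=example,DC=local</cas:memberOf>
      <cas:memberOf>CN=Guests,OU=Groups,DC=example,DC=local</cas:memberOf>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

# Constructed CAS 2.0 failure response (ticket already used or unknown).
SAMPLE_FAILURE = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationFailure code="INVALID_TICKET">
    Ticket ST-1-abc not recognized
  </cas:authenticationFailure>
</cas:serviceResponse>"""


def build_validate_url(cas_base, service, ticket):
    """Build the /serviceValidate URL. `service` must be byte-identical to
    the value sent when the ticket was requested, or CAS rejects it."""
    # CAS service tickets always start with "ST-"; reject anything else
    # before it reaches the network (TGTs, PGTs, random junk).
    if not re.fullmatch(r"ST-[A-Za-z0-9._-]{1,256}", ticket):
        raise ValueError("not a CAS service ticket")
    return cas_base.rstrip("/") + "/serviceValidate?" + urlencode(
        {"service": service, "ticket": ticket})


def parse_cas_response(xml_text):
    """Return (user, [groups]) on success; raise on failure or bad XML."""
    root = ET.fromstring(xml_text)
    ok = root.find("cas:authenticationSuccess", CAS_NS)
    if ok is None:
        fail = root.find("cas:authenticationFailure", CAS_NS)
        code = fail.get("code", "UNKNOWN") if fail is not None else "NO_RESULT"
        raise PermissionError("CAS validation failed: " + code)
    user = ok.findtext("cas:user", default="", namespaces=CAS_NS).strip()
    if not user:
        raise PermissionError("CAS success without cas:user")
    groups = [g.text.strip()
              for g in ok.findall("cas:attributes/cas:memberOf", CAS_NS)
              if g.text]
    return user, groups


def map_groups(ad_groups, mapping=GROUP_MAP):
    """AD groups with no mapping are dropped: an unknown group never grants
    rights. Sorted so the stored usergroup list is deterministic."""
    return sorted({mapping[g] for g in ad_groups if g in mapping})


def validate_ticket(cas_base, service, ticket, fetch=None):
    """Full server-side check. `fetch` is injectable so the example runs
    offline; in production it is an HTTPS GET on the local range."""
    url = build_validate_url(cas_base, service, ticket)
    if fetch is None:
        def fetch(u):
            # Short timeout: a hung CAS server must not pin web workers.
            with urlopen(u, timeout=5) as r:
                return r.read().decode("utf-8")
    user, groups = parse_cas_response(fetch(url))
    return {"user": user, "usergroups": map_groups(groups)}


if __name__ == "__main__":
    print(validate_ticket("https://cas.internal", "https://www.example.org/",
                          "ST-1-abc", fetch=lambda u: SAMPLE_SUCCESS))
```

Two properties of the protocol carry the security argument Patrick is after: the validation call is server-to-server, so the browser only ever sees an opaque ticket and never the AD credentials or group list, and a service ticket is single-use, so replaying one yields an `INVALID_TICKET` failure like the constructed one above. The group mapping deliberately ignores groups it does not know, so adding a group in AD cannot grant TYPO3 rights until an administrator maps it.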

