Comments on: Putting Token Login to work

By: pasamio

pasamio — Sat, 17 Dec 2011 04:21:37 +0000

You could use the library to build a component similar to the one that I released to batch provision tokens. There isn’t a way in the provided applications as it really isn’t designed to be created manually but via a scripted process (e.g. when you mail something or by providing a link in the site).

By: Michael

Michael — Fri, 16 Dec 2011 09:14:50 +0000

Hi,

sorry to bring this up after a while. But is there a way in batch creating tokens? With a few hundred logins you cannot create the token manually.

Thanks

By: pasamio

pasamio — Fri, 15 May 2009 14:06:56 +0000

The only items that matter are the modules, the System – Single Sign On and any component that hooks into the SSO system (tokenlogin in part, com_sso and any other component that hooks in such as the component written in this tutorial).

It seems a bit strange, I’m not quite sure what the answer is without digging around and having a look through things. I think I need to clone myself :S

By: yellen

yellen — Fri, 15 May 2009 13:58:42 +0000

I didn’t mention it in my previous message, but Firefox gives the same results.

From what you just said, it could occur because of some duplicate SSO system? Maybe this is the problem. What I am trying to do is have the HTTP authtentication enabled with group mapping. There are no non-AD users. I’ve enabled the following Authentication Plugins and Modules:
>>> Plugins
- Authentication – Joomla
- Authentication – LDAP
- Authentication – Advanced LDAP
- SSO – HTTP
- System – JAuthTools Synchronization Plugin
- System – Single Sign On
- User – Joomla!
- User Source – LDAP
- User Source – Session
>>> Modules
None

Are there some Plugins that need to be diabled?

By: pasamio

pasamio — Thu, 14 May 2009 12:23:13 +0000

To be honest, I can’t say I do understand it, it sounds rather weird. What happens if you use Firefox? There is also some funkiness that might occur if you have more than one SSO system operating, so if you have the plugin and the module running at the same time these can conflict with each other and cause awkward behaviour. The same goes for any component that uses SSO to log the user in itself, this can conflict with the rest of the system and cause weirdness.

By: yellen

yellen — Thu, 14 May 2009 09:28:03 +0000

Hi again,
I havent been able to use this, but I would like to point out something weird. First I would like to point out that the test are runned without this component, only your published component were used.

Okay here we go.

To test the HTTP single sign on, I use a vhost on apache. the intranet without kerberos auth is on tech.ieccdl.lan:80 and with kerberos auth is on tech.ieccdl.lan:84

I add tech.ieccdl.lan to intranet sites on IE.

I go to tech.ieccdl.lan and I am logged out. This is normal.

I go to tech.ieccdl.lan:84 and I am logged on. This is normal, Kerberos is working.

I click the menu and I am logged out. This is the known issue.

I reload the page and I am logged on again. This is normal, Kerberos is working.

If I now type in IE7 tech.ieccdl.lan, I remain logged on. Why? beats me… If I click on menu I am still logged on… I can browse the whole site and remain logged on… WHY?!!

I’ve tried the SSO on port 80 and I still get disconnected when browsing the site.

Do you understand this?

By: pasamio

pasamio — Mon, 27 Apr 2009 12:18:29 +0000

I got your email, apologies for not getting back earlier but the email was from a .lan address. I’ve sent you a copy using the email’s you’ve provided to this site for your comments so you should get it. I was also a bit behind as well since I couldn’t immediately find the file.

By: yellen

yellen — Thu, 23 Apr 2009 08:49:16 +0000

Hi again,
I would be really like to try it out

BTW I’ve sent you an email so you can have my email address

By: pasamio

pasamio — Mon, 20 Apr 2009 14:36:19 +0000

Yeah, that’s not an uncommon fix as IE won’t forward credentials over the internet for security reasons. The other alternative is if you have a proxy and your site doesn’t go through a proxy it should work fine because IE automatically defines it as “local intranet”. Vista also introduces other interesting issues as well that broke stuff particularly with Sharepoint but if you explicitly put it things should be fine.

It looks fine, certainly nothing wrong with that configuration. So transitioning between links on the site after the initial hit causes the user to lose their identity? Seems very strange. Can you email me with pasamio at gmail.com and I’ll find the source of the article and send it to you for testing.

By: yellen

yellen — Mon, 20 Apr 2009 11:44:59 +0000

I configured the Kerberos auth in the virtual host config file like so (I didnt you an .htaccess file):

Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
AuthType Kerberos
AuthName “Enter your Login”
Require valid-user
KrbMethodNegotiate On
KrbMethodK5Passwd On
KrbAuthRealms MYREALM.LAN
Krb5KeyTab /etc/apache2/keytab/kerbjoomla-http.keytab

BTW I had to add the site to IE Local Intranet to have it working without the password.

By: pasamio

pasamio — Sat, 18 Apr 2009 00:42:53 +0000

What Apache auth handler are you using to get Kerberos to work?

I haven’t thought of putting it into a release but if there is sufficient demand I could probably do a few extra things and release it out.

By: yellen

yellen — Fri, 17 Apr 2009 14:13:25 +0000

I am experiencing this same issue. I am using Apache on a ubuntu box, kerberos is working because the ssochecker get the username from the AD. My users get authenticated and as soon as they click around the joomla site, they get disconnected.

Are there any hopes that you will release this component?

By: pasamio

pasamio — Wed, 25 Mar 2009 12:55:44 +0000

The issue in this case was that there was a server that authenticated the user and in that instance acted as a proxy for the user passing along the authenticated username via a server variable. So the first request to Joomla! is through the authentication server proxy and then the next request comes from the actual client. This causes issues because Joomla! creates the session for the proxy server and ties it to that instead of the actual client so when the client connects again to Joomla!, a new session is created with their true IP address not that of the authentication server which means that the user isn’t logged in. In this case it was a bit of a hack to get this to work properly but its an interesting application of technology to solve a problem.

By: Ole

Ole — Wed, 25 Mar 2009 09:28:14 +0000

Hello Sam

Thanks for the explanation. I have installed JAuthTools 1.5.4 Core, I’m able to generate a token and login.

However, I don’t understand how you proxy a username to Joomla? Is it possible you can explain it with a little more details?

Best Regards
Ole