Open Source | Technology | Web

Single Sign-On in eZ Publish

This is an example of how to create and use the Single Sign-On feature in eZ Publish.

Scenario

We have multiple web sites based on eZ Publish that share a common database of users. This can be a single database or synced/imported users in several databases.

Our goal is to provide the ability for users to log in once and gain access to all domains/sites without being prompted to log in again at each of them.

To do this we want to process any authentications only on a primary server. Other projects or sites will use this primary site to authenticate users.

We will name the primary site as primary.com (which will handle user authentication) and the other sites as secondary1.com and secondary2.com. The secondary sites will request single sign on features from the primary site. Users will be able to move between all three sites after logging into any one of them.

The Challenge

For security reasons it is generally not advisable to share sessions between different domains. In much the same way you would not want Google to have your Yahoo login, we generally don’t want to the log-in credentials at siteA.com to be shared with the siteB.com and siteC.com.

Solution

The solution is for the primary site to provide a token to the secondary site that allows the user access without the secondary site requiring an independent log-in.

This article explains how to create SSO handlers in eZ Publish.

First, we need to create a properly named class and initialize ini settings for it.

Preparation

1. Create an extension where our code will be placed. For example extention/nxc_sso
2. SSO Handler class will be named as eZNXCSSOHandler, and stored into extension/nxc_sso/login_handler/eZNXCSSOHandler.php
3. Initialize settings
extension/nxc_sso/settings/site.ini.append.php:

Source code    
  1. [UserSettings]
  2. ExtensionDirectory[]=nxc_sso
  3. SingleSignOnHandlerArray[]=NXC

eZNXCSSOHandler::handleSSOLogin() will be called in case current user is requested in eZ Publish but is not logged in. So it should be the main access point to our SSO feature.

This extension can be stored in primary and secondary sites to share the same functionality.

We use One Time Password (OTP) tokens to log into secondary sites without prompting the user for a password if they are already logged in to primary site.

The flow will work like this:

1. User visits primary.com site and logs in.
2. Later the user visits secondary1.com.
3. Instead of logging into secondary site the user simply clicks a link to http://primary.com/sso/login
4. The primary site creates OTP and sends it back to secondary1.com
5. The secondary site handles this token and as a result the user is automatically logged in.

Authentication tokens

One time password tokens must point to a user that is already logged in. We need to share information about this token between all relevant sites or projects. This means primary.com, secondary1.com and secondary2.com must all know which user belongs to the OTP token.

This implementation example uses nxcCache handler and does not create any additional database tables. Basically the primary and secondary sites can be hosted on different servers while sharing access to a common or shared filesystem to get information about the OTP token.

It is more secure solution than using session id as a token.

Module/View

If the user visits a secondary site first a different workflow is required. As defined in OTP flow we named the eZ Publish module/view as ‘primary.com/sso/login’.

Its implementation is available at:
https://github.com/nxc/nxc_sso/blob/master/modules/sso/login.php

Simplified logic how this module should work:

1. A user visits secondary1.com or secondary2.com, and wants to log in.
2. Clicks link to primary.com/sso/login
3. sso/login checks if current user is logged in. If not, redirects to primary.com/user/login page
4. If already logged in, creates OTP auth token and sends it back like secondary1.com?auth_token=TOKEN

SSO Handler

This last step is to handle auth tokens on secondary sites.

This implementation is available at https://github.com/nxc/nxc_sso/blob/master/login_handler/eZNXCSSOHandler.php

The workflow here is:
1. eZNXCSSOHandler::handleSSOLogin() checks if there is auth_token get variable, if no, nothing to do.
2. If yes, fetch user by this token
3. Log this user in and remove the token.

This method simplifies user password management by minimizing the number the passwords that users need to manage, and minimizes the number of password recovery issues that have to be addressed by the support team.

Links

http://en.wikipedia.org/wiki/Single_sign-on
http://en.wikipedia.org/wiki/One-time_password
http://share.ez.no/learn/ez-publish/using-a-sso-in-ez-publish
https://github.com/nxc/nxc_sso – Actual eZ Publish extension to handle Single Sign-On

Print this post

0 Responses to "Single Sign-On in eZ Publish"

Post a Comment:

Get latest news