HTTP Auth SSO Configuration

This page describes an example Single Sign On configuration using the HTTP Auth Apache feature.

1 Setup HTTP_AUTH

The HTTP Auth Feature allows the login of users that don’t have a specific user account within Gentics CMS. Special variables will be read from the HTTP Headers that allow the login of new users that are not yet registered.

1.1 Debugging using the Apache env module

You can use the Apache env module to test and debug your configuration. Once the module is configured as described below, the additional HTTP headers will be passed through to PHP.

/Node/etc/httpd.custom.conf

<IfModule mod_env.c>
  SetEnv LOGIN "user"
  SetEnv PW "pass"
  SetEnv FIRST "Max"
  SetEnv LAST "Mustermann"
  SetEnv MAIL "max@mustermann.org"
  SetEnv GROUP 4
</IfModule>

Setting the variable GROUP to the value 1 is considered a potential security risk because it would give all users unlimited access to the system.

These variables can be set within the httpd.custom.conf file, which is normally located at /Node/etc/httpd.custom.conf. It should be possible to log in with the given credentials after the Apache configuration has been reloaded. Login with no username and no password should also be possible.

1.2 Gentics CMS Configuration

Add the HTTP Auth configuration to your node.conf file:

node.conf

// Allow http_auth login
$FEATURE["http_auth_login"] = true;

// Apache single sign on settings
$HTTP_AUTH_LOGIN["login"] = 'LOGIN';
$HTTP_AUTH_LOGIN["pw"] = 'PW';
$HTTP_AUTH_LOGIN["firstname"] = 'FIRST';
$HTTP_AUTH_LOGIN["lastname"] = 'LAST';
$HTTP_AUTH_LOGIN["email"] = 'MAIL';

// The header 'GROUP' may contain one or more Gentics CMS group ids.
// The user will be assigned to the given ids.
$HTTP_AUTH_LOGIN["group"] = 'GROUP';

1.3 Group Mapping

The group header information can also contain a list of group keywords that will be resolved by using a predefined group mapping.

node.conf

$HTTP_AUTH_LOGIN["splitter"] = ",";
$HTTP_AUTH_LOGIN["group"] = 'GROUP';
$HTTP_AUTH_LOGIN["group-mapping"] = array (
  "dev" => array(7,8), // Group A, B
  "editor" => 9,       // Group C
  "chief-editor" => 10 // Group D
);

Example Request:

 GET /index.html HTTP/1.1
 Host: www.example.com
 GROUP: dev,editor
 ...

The given group header value would add the user to groups 7, 8 and 9, but not 10. Mappings to Gentics CMS user groups that do not exist will be ignored.
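The following is an added illustration, not Gentics CMS code, of how a GROUP header value resolves to group ids under the rules stated on this page: tokens are split on the configured splitter, keywords are looked up in the group mapping, plain numeric tokens are taken as group ids (section 1.2), and anything that maps to a non-existing group is ignored. The list of existing groups is constructed for the example, and the guard that refuses group id 1 is an assumption added here to reflect the warning in section 1.1.

```php
<?php
// Added example: resolve a GROUP header value into Gentics CMS group ids.
// This mirrors the rules described on the page; it is not the product's own code.

// node.conf settings as shown on the page
$HTTP_AUTH_LOGIN = array(
    "splitter"      => ",",
    "group"         => "GROUP",
    "group-mapping" => array(
        "dev"          => array(7, 8), // Group A, B
        "editor"       => 9,           // Group C
        "chief-editor" => 10,          // Group D
    ),
);

// Constructed for this example: group ids that exist in this CMS instance.
$EXISTING_GROUPS = array(1, 2, 3, 4, 7, 8, 9, 10);

// Assumption: id 1 is the unrestricted group the page warns about, so an
// SSO header must never be able to hand it out.
const FORBIDDEN_GROUP_ID = 1;

/**
 * Resolve the raw header value into a list of group ids.
 * A token is either a keyword from the group mapping or a plain numeric id.
 * Unknown keywords, ids that do not exist and the forbidden id are dropped
 * and reported in "rejected" so the decision can be logged.
 *
 * @return array("groups" => int[], "rejected" => string[])
 */
function resolveGroupHeader($headerValue, array $config, array $existingGroups)
{
    $mapping  = $config["group-mapping"];
    $groups   = array();
    $rejected = array();

    foreach (explode($config["splitter"], $headerValue) as $token) {
        $token = trim($token);
        if ($token === "") {
            continue;
        }
        if (array_key_exists($token, $mapping)) {
            $ids = (array) $mapping[$token];     // 9 and array(7, 8) both become arrays
        } elseif (ctype_digit($token)) {
            $ids = array((int) $token);          // bare group id, as allowed in section 1.2
        } else {
            $rejected[] = $token;                // unknown keyword
            continue;
        }
        foreach ($ids as $id) {
            $id = (int) $id;
            if ($id === FORBIDDEN_GROUP_ID || !in_array($id, $existingGroups, true)) {
                $rejected[] = $token . "->" . $id;
                continue;
            }
            $groups[] = $id;
        }
    }

    return array(
        "groups"   => array_values(array_unique($groups)),
        "rejected" => $rejected,
    );
}

// The request from the page: GROUP: dev,editor
print_r(resolveGroupHeader("dev,editor", $HTTP_AUTH_LOGIN, $EXISTING_GROUPS));

// Constructed odd values: the forbidden id, an id that does not exist, an unknown keyword
print_r(resolveGroupHeader("1, 42, chief-editor, guest", $HTTP_AUTH_LOGIN, $EXISTING_GROUPS));
```

The first call reproduces the example request above; the second shows that a header can only ever grant groups that both exist and are permitted, and that every dropped token is kept in the result so it can be written to a log rather than silently discarded.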

2 LDAP with HTTP_AUTH

An LDAP server can provide additional user information. The HTTP_AUTH information will be combined with the LDAP information in such a way that LDAP provides the user credentials and the Apache HTTP_AUTH configuration provides additional user information.

2.1 Custom HTTP CAS Auth Handler

A custom handler can be implemented within the /Node/etc/custom_cas_post_login_handler.php file. This file will be included and executed after phpCAS::isAuthenticated() has been called within the mysession_caslogin function. This allows the modification of user attributes and groups during the CAS login process.