How to populate the REMOTE_USER in Apache Server from Active Directory (SSO related)

8
votes

I'm building an Intranet site for our company using Joomla 3.3.3.

I have configured a VM to run using Ubuntu 14.04 with a standard LAMP stack. I have also installed Joomla which I was able to get working with our company Active Directory (users are able to log into the site from any machine on our network and Joomla recognizes them).

I am now trying to implement SSO so that our employees won't need to sign into the site if they're logged into their workstations, and through my troubleshooting, I've narrowed it down to the 'REMOTE_USER' variable not being populated by the APACHE server (The variable doesn't even appear on my phpinfo() page)

I think I'm pretty knowledgeable working within Joomla and PHP, but my Apache server and Ubuntu skills are pretty weak.

Do my users need to authenticate within the Apache server? I really just need the Windows machine to pass the Remote_User token to Joomla, but I'm at a loss as to how to do this within Ubuntu.

1
phpapachejoomlasingle-sign-on
httpd.apache.org/docs/2.2/howto/auth.htmlcmorrissey
Internet Explorer integrates well with AD for obvious reasons. It thus might be worth finding out how that does it - I suspect it detects the Windows user on the machine it is running on, and passes something to a white-listed set of sites via an injected HTTP header.halfer
Is this article any good? I presume you have to use IE, not sure what other browsers would do here, since it is not a standards-based behaviour.halfer
halfer - My users should be able to use any browser, not just IE. @cmorrissey - That seems like a good start, but does Apache actually have to re-authenticate the user? The key thing for me is that my users have already authenticated on their device (mostly windows machines, but some iPads as well), and they shouldn't have to authenticate again. Is there a way for Apache to simply grab the remote_user and pass that information to my application without running an additional authentication?James Griggs
I think you have a problem on your apache mods and so that parameter is not being pass to php by apache. Can you link your apache configurations? Thanksjoao

1 Answers

0
votes

The first step to this involves a change through group policy to add your Joomla site to the Intranet security group in internet explorer. Google Chrome and Firefox respect the IE security group settings.

Once you have done this whenever your user browses your site from a domain authenticated computer the browser will automatically send a user header with the already authenticated username, this can be accessed in PHP using the $_SERVER['PHP_AUTH_USER'] superglobal.