Plugin to provide Login via Central Authentication Service (CAS) #598
Comments
Probably depends on #551 to be fixed to implement CAS logout. |
Note: phpCAS depends on the PEAR DB package and there’s no indication if the developers will migrate to PEAR MDB2. |
Hi, I just finished writing a CAS plugin using phpCAS. Is there interest in this work? I will be able to release this shortly. |
avel, I'm sure there is interest. Maybe post your plugin here, with a README and explaining the differences with this plugin. Thanks! PS: Does it work with the current trunk too? We made some changes in the Login plugin, and I'm not sure if this breaks other Login plugins or not. |
I'm not sure if it works with latest trunk, will need to test; it was developed on piwik 0.5.5. I will post the plugin here in a couple of days. First I need to do some cleanups, make some things configurable and document the behavior I've chosen. Regards, |
Attaching a "0.1" working package. From the README:
User Provisioning Rationale
CASLogin currently authenticates users against the CAS service, but then
To make this work, first you need to make sure that the user that logs in
The superuser login value in piwik itself should also correspond to a proper
So a way to make this work in new piwik installations is:
A further authorization and auto-provisioning mechanism can be written based
Installation
Option "protocol" is one of CAS_VERSION_1_0, CAS_VERSION_2_0 or SAML_VERSION_1_1.
Further Customization, Hacking
If you want to grab some additional attributes, e.g. SAML, from your login
If you want a user to be added automatically to the piwik users database, edit
TODO
|
Attachment: |
Perhaps a piwik developer could put this ticket in milestone "Third party piwik plugins" and rename it to "Login via CAS" so that it can get more exposure and feedback. |
I am attaching a new version 0.2.
Known Issue
When one tries to add a user in piwik tables in order to authorize them, one has to enter dummy data in "password" field (which is not used) and has to fill in an e-mail address too. It's a minor inconvenience for the superuser who authorizes other users manually in piwik administration interface.
Changelog
0.2: Fixes and slight improvements
Additional Options
By default, only the user defined in piwik configuration (config/config.ini.php) in the [superuser] section is regarded as a superuser / root administrator. However, with the CAS Login scheme, you might need to add additional accounts as superusers, each one of them logging in as normal with their own password. If you'd like to do that, add these accounts in section [caslogin] as follows:
Note for this ticket: why am I not allowing a simple username/password login against the piwik database, like the Login plugin does? Because that would require including an extra username/password form in the login page. Just for that one superuser. That's why I include only the link to CAS login and just authorize a superuser later in piwik. Feedback is welcome. |
Attachment: |
I am attaching CASLogin 0.3, for anyone who might be interested. It has been in use in our environment for some weeks now, without any apparent issues. Your feedback is still welcome.
Changelog
0.3:
|
Attachment: |
I am attaching CASLogin 0.4. There is a security update of the bundled phpCAS library, which is now version 1.1.2, and the plugin was briefly tested and confirmed to work with piwik 0.8. |
Attachment: |
Note about the security fixes of phpCAS 1.1.2: According to the Changelog:
If you are using CASLogin in a production environment, you are urged to either upgrade the plugin or upgrade the bundled phpCAS library. |
Version 0.5, attached below, fixes a compatibility issue with Piwik 0.8. |
Attachment: |
I'll attempt to update this plugin later today. (I won't be able to test it though.) The following security issues are addressed in phpcas 1.1.3:
Piwik 1.1 may have also introduced some compatibility issues as there are references to new view properties in the Login module's templates (eg enableFramedlogins). |
|
Attachment: |
Attachment: |
Version 0.6.2 now displays the correct version in the piwik plugin interface. |
Maybe I'm missing something, but it appears that with the CAS plugin active, the "archive.sh" and other API based command line tools fail. Is there a way to flag the system so API calls and other administrative tasks do not have to authenticate with CAS? Or maybe even a special array of usernames that can bypass CAS? Kind of like the way Unix allows you to step through various authentication methods until one works before rejecting a login? |
Hello, I started using this plugin. It is really cool and works.
Thanks a lot in advance, yato |
To reply to eashman, since I haven't had time to update the plugin: Yes, archive.sh cannot run. CASLogin needs to be fixed. However, what I have done in my installations as a temporary workaround is: copy the whole directory tree of piwik to another location; change that directory's configuration to not use CASLogin plugin; point cron's archive.sh to that directory. It's beyond ugly but it works. There are also further bugs and logic errors that need to be fixed. I haven't checked ow's changes yet to confirm that they fix them. I might be able to pick it up again in the near future (2 or 3 months' time). |
Hello
The bug I had was a configuration of the CAS server. We changed the encoding to utf8 on the server side (was i8... before). yato |
hello Backtrace --> |
Attachment: |
After upgrading to Piwik 1.6 I received a lot of missing variable errors. See this thread http://forum.piwik.org/read.php?2,83925. |
tkuipers, thanks for fixing the bug! |
Hi, I just wanted to know if the 0.6.3 version of this plugin still works with piwik 1.9.x releases ? (could try on a test server, but if anyone already knows the answer...) Thanks for the good work anyway, it is a really useful plugin in a CAS environment ;-) |
Hi ycezard, Replying to ycezard:
I've just upgraded my development Piwik instance to 1.9.1 and the CAS plugin version 0.6.3 appears to be working.
I don't actively maintain this plugin, I'm not the original author, but luckily I was able to get it working with recent versions of Piwik. I'm not a PHP developer and I'm unable to address the issues you have with command line authentication. BTW, using the Piwik API is also problematic when using the CAS plugin. There was a feature request to make CAS / LDAP Authentication a native feature of Piwik: http://forum.piwik.org/read.php?3,78340 Anyone interested in implementing this? |
Thanks for the fast answer, I can confirm that the CASLogin plugin 0.6.3 works fine in piwik 1.9.1. |
Replying to rbalfanz:
Hello, I've just installed Piwik 1.10 and the CASLogin on a new CentOS server. I've disabled the Login plugins and configured the CASLogin like on my other piwik servers. But when I go to my piwik page, I get a blank empty page. There is no "connection" link which sends me to the CAS like on my other servers. I don't understand why... Nothing in the error log of Apache. Another thing: if I manually go to my CAS server login page and log in, then return to my piwik page, I'm logged in... Does anyone have an idea? I hope you understand my English, because I'm French and I don't speak English very well... Thanks! |
Replying to sgrunt:
I have the exact same symptoms with Piwik 1.10.1. No errors in logs, just a blank page. Turning on error logging in .htaccess for php provides no additional information. I have had random success with logging into CAS separately then going to piwik, but it's not consistent behavior. |
Replying to racooper:
Hi, I haven't got (get?) any answer to this trouble over the Internet. So I've looked over the plugin's code and made a little change. In the file Auth.php, line 66, I've commented out "$action = Piwik::getAction();" and put "$action = "redirectToCAS";" in its place. This is to automatically redirect to the CAS login page. I hope you'll understand my English :S and that this tip will help someone. Tell me if you find a better solution. Best Regards, Sgrunt |
Hi, I also experienced issues logging in after upgrading to 1.10.1. I'm also using the CAS plugin. I managed to login with CAS to 1.10.1 after disabling the "MobileMessaging" plugin. What worked for me is described here: http://forum.piwik.org/read.php?2,99650,page=2#msg-100619 This is my list of plugins:
|
Hello, at the moment we're using Piwik 1.9.2 with the CASLogin Plugin, because we have a Single-Sign-On in our company. After I put the Do-Not-Track iFrame on the webpage, I noticed an issue. The checkbox won't show until I am logged in to the SSO. If I'm not logged in and I copy the iFrame URL into my browser, it redirects me to the Piwik login screen. If anyone has the same issue or maybe a solution for this issue, I would appreciate it very much. Thanks in advance. Greetings |
Note: a feature request was created in: #3923: Add a feature to auto-archiving that makes it compatible with CAS plugin |
With Piwik 1.11.1 it seems to work perfectly. Our CAS server has no subdomain of its own; it is reachable under the path www.ourdomain.com/cas/
I've inserted the fourth parameter "/cas". After the lines above I have inserted
because the validate URL differs (!) from the CAS-Login-URL, because of a reverse proxy environment. Can someone transfer these two parameters to the config/config.ini.php?
|
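The setup described in the comment above (CAS served under a path, with a ticket validation URL that differs from the login URL behind a reverse proxy), as an added example that is not code from this thread or from the CASLogin plugin. The configuration key names and all sample values are hypothetical; `phpCAS::client()`, `phpCAS::setServerServiceValidateURL()` and `phpCAS::setCasServerCACert()` are phpCAS calls, and their use here is an assumption about how such a setup can be expressed.

```php
<?php
// Added example, not CASLogin's code. The [caslogin]-style keys below
// (protocol, host, port, uri, validate_url, ca_cert) are hypothetical names.
require_once 'CAS.php'; // phpCAS entry point; adjust to your install path

function configureCasClient(array $cfg)
{
    // The three protocol values named in the plugin README.
    $protocols = array(
        'CAS_VERSION_1_0'  => CAS_VERSION_1_0,
        'CAS_VERSION_2_0'  => CAS_VERSION_2_0,
        'SAML_VERSION_1_1' => SAML_VERSION_1_1,
    );
    if (!isset($protocols[$cfg['protocol']])) {
        throw new InvalidArgumentException('Unknown CAS protocol');
    }
    // The service ticket is sent to the validate URL server-to-server,
    // so refuse anything that is not https.
    $validate = isset($cfg['validate_url']) ? $cfg['validate_url'] : '';
    if ($validate !== '' && parse_url($validate, PHP_URL_SCHEME) !== 'https') {
        throw new InvalidArgumentException('validate_url must use https');
    }

    // Fourth argument: path under which CAS is served, e.g. "/cas".
    // Signature as in phpCAS 1.x of this thread's era; check client()
    // in the release you bundle.
    phpCAS::client($protocols[$cfg['protocol']], $cfg['host'],
                   (int) $cfg['port'], $cfg['uri']);

    // Override only the service ticket validation endpoint; browser login
    // still goes through the public host and path given to client().
    if ($validate !== '') {
        phpCAS::setServerServiceValidateURL($validate);
    }
    // Verify the CAS server certificate when validating tickets.
    phpCAS::setCasServerCACert($cfg['ca_cert']);
}

// Constructed sample values, not taken from the thread.
configureCasClient(array(
    'protocol'     => 'CAS_VERSION_2_0',
    'host'         => 'www.example.org',
    'port'         => 443,
    'uri'          => '/cas',
    'validate_url' => 'https://cas-backend.example.org/cas/serviceValidate',
    'ca_cert'      => '/etc/ssl/certs/cas-ca.pem',
));
```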
Has anyone gotten CASLogin to work with database sessions (i.e. session_save_handler=dbtable)? In my case, login by CAS works when sessions are stored in files and database sessions work without CASLogin enabled but I'm not seeing sessions get created once CASLogin and database sessions are enabled together. I also notice the phpCAS version bundled with this plugin is very old and contains multiple security vulnerabilities. The newest phpCAS appears compatible so it might be worthwhile to bundle a newer version for visitors using the CASLogin plugin without updating phpCAS. I haven't tested extensively so I won't presume to attach it myself. |
Along with the Piwik 2.0 release and new design for Piwik, we have also launched the official Plugins Marketplace to let any developer share their work to the thousands of Piwik users worldwide. Maybe you'd like to publish your plugin there? In any case, keep up the good work and we hope you enjoy Piwik 2! --> See also example of the Ldap plugin #734 published on the Marketplace at: http://plugins.piwik.org/LoginLdap |
Attachment: Version compatible with Piwik 2.1 |
Hi, I'm attaching a Piwik 2.1 compatible version.
Changelog
0.7
|
Attachment: Bugfix. |
0.7.1
|
Single sign-on authentication would be useful when incorporating Piwik into existing environments already using CAS.
Keywords: third-party-plugin