Task #1095
Updated by Alena Peterová over 6 years ago
We need to support SSO to IdM, especially Windows authentication. There should be an option to enable SSO only for common users and require a password from admins.

Design:

* Apache (mod_kerb) will take care of Kerberos authentication. Apache sets the header "REMOTE_USER" with the value "uid@domain" in case of successful authentication.
* IdM will read the user's login from the header REMOTE_USER (uid). If such a user exists, he/she will be automatically authenticated to IdM.
** = new IdmAuthenticationFilter, which processes the header REMOTE_USER (https://wiki.czechidm.com/tutorial/dev/add_authentication_method#create_a_new_authentication_filter_for_sso). It will be added to the core module.
* A new permission which **disables** SSO authentication will be added. Admins who have some role with this permission won't be authenticated in the SSO authentication filter.
** This new permission, e.g. "App configuration - SSO disabled", will be added to all admin roles during installation.
** Ownership of superAdminRole will automatically disable SSO for the user, because "App configuration - Administration" automatically adds all permissions. So "admin" can never be authenticated by SSO.
* Configurable settings:
** enable sso - true/false (the SSO filter can be switched off if needed)
** name of the header (typically "REMOTE_USER")
** uid suffixes (this usually contains the list of AD domains, e.g. "@DOMAIN.TLD;@INTERNAL.DOMAIN.TLD")
** forbidden uids (list of uids that can't be authenticated through SSO)
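The decision the SSO filter has to make, as an added stand-alone model (Python, not CzechIdM's Java filter and not code from this task): read the configured header, strip one of the configured uid suffixes, refuse forbidden uids, look the user up, and fall through to password authentication when the user holds the SSO-disabled permission. The permission codes, the rule that "App configuration - Administration" implies every permission, case-insensitive login matching, and the rejection of principals from a realm that is not in the suffix list are assumptions made for illustration; the sample users and header values are constructed.

```python
# Added example: a stand-alone model of the SSO filter decision described in
# task #1095. NOT CzechIdM code; permission codes, has_permission() and the
# config field names are assumptions made for illustration.
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Assumed permission codes (CzechIdM's real codes may differ).
SSO_DISABLED = "APPCONFIGURATION_SSODISABLED"   # "App configuration - SSO disabled"
APP_ADMIN = "APPCONFIGURATION_ADMIN"            # "App configuration - Administration"


@dataclass
class SsoConfig:
    """The four configurable settings listed in the task."""
    enabled: bool = True
    header_name: str = "REMOTE_USER"
    uid_suffixes: str = "@DOMAIN.TLD;@INTERNAL.DOMAIN.TLD"   # ';'-separated
    forbidden_uids: str = "root;svc-backup"                 # ';'-separated

    def suffix_list(self):
        return [s.strip() for s in self.uid_suffixes.split(";") if s.strip()]

    def forbidden_set(self):
        return {s.strip().lower() for s in self.forbidden_uids.split(";") if s.strip()}


@dataclass
class IdmUser:
    username: str
    permissions: set = field(default_factory=set)


def has_permission(user: IdmUser, perm: str) -> bool:
    """Assumed model: 'App configuration - Administration' implies every
    permission, so an admin always counts as holding the SSO-disabled one."""
    return perm in user.permissions or APP_ADMIN in user.permissions


def extract_uid(principal: str, suffixes) -> Optional[str]:
    """Strip exactly one configured suffix, comparing the realm case-insensitively
    (Kerberos realms are conventionally upper-case). A principal whose realm is
    not in the configured list is rejected instead of being mapped to a local
    login (assumption: the task says which suffixes are stripped, not what
    happens to other realms)."""
    for suffix in suffixes:
        if len(principal) > len(suffix) and principal.lower().endswith(suffix.lower()):
            return principal[: -len(suffix)]
    if "@" in principal:
        return None          # foreign/unlisted realm
    return principal         # bare uid, e.g. when no suffix is configured


def sso_authenticate(headers: Dict[str, str], cfg: SsoConfig,
                     users: Dict[str, IdmUser]) -> Tuple[Optional[str], str]:
    """Return (username, reason); username is None whenever the filter must
    fall through to the normal (password) authentication."""
    if not cfg.enabled:
        return None, "sso disabled"
    lowered = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    principal = (lowered.get(cfg.header_name.lower()) or "").strip()
    if not principal:
        return None, "no header"
    uid = extract_uid(principal, cfg.suffix_list())
    if uid is None:
        return None, "unknown realm"
    if uid.lower() in cfg.forbidden_set():
        return None, "forbidden uid"
    user = users.get(uid.lower())           # assumed: logins are matched case-insensitively
    if user is None:
        return None, "no such user"
    if has_permission(user, SSO_DISABLED):
        return None, "sso disabled for user"
    return user.username, "ok"


# Constructed sample data, not from any real deployment.
USERS = {u.username: u for u in [
    IdmUser("alice", {"IDENTITY_READ"}),
    IdmUser("bob", {"IDENTITY_READ", SSO_DISABLED}),
    IdmUser("admin", {APP_ADMIN}),
    IdmUser("svc-backup", {"IDENTITY_READ"}),
]}
CFG = SsoConfig()


def demo():
    cases = ["alice@DOMAIN.TLD", "alice@domain.tld", "bob@INTERNAL.DOMAIN.TLD",
             "admin@DOMAIN.TLD", "svc-backup@DOMAIN.TLD", "mallory@EVIL.TLD",
             "carol@DOMAIN.TLD"]
    return {p: sso_authenticate({"REMOTE_USER": p}, CFG, USERS) for p in cases}


if __name__ == "__main__":
    for principal, result in demo().items():
        print(f"{principal:28} -> {result}")
```

One caveat that the filter itself cannot enforce: the whole scheme is only as trustworthy as the origin of the header. It is safe only when the IdM backend is reachable solely through the Apache instance that sets REMOTE_USER after a successful Kerberos exchange; if the application port can be reached directly, any client can send `REMOTE_USER: alice@DOMAIN.TLD` and be logged in as alice. Restrict the backend to the proxy and make sure the proxy overwrites (not merely forwards) that header.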