First of all, install the ProxyConnect plugin and enable it from the dashboard.
Then configure it as follows:
| Setting | Value |
|---|---|
| Main Site URL | http://your-vanilla2-web-site/ |
| Authenticate URL | http://your-vanilla2-web-site/sso/authenticate.php |
| Registration URL | http://your-vanilla2-web-site/sso/register.php |
| Sign-In URL | http://your-vanilla2-web-site/sso/signin.php |
| Sign-Out URL | http://your-vanilla2-web-site/sso/signout.php |
Now you have to set up these "SSO scripts". The two most important ones are sso/authenticate.php and sso/signin.php. They share a few parameters, which are stored in sso/config.php.
$secret is a private key used to authenticate the cookie passed from signin.php to authenticate.php. Anyone who knows it can forge a login, so replace the example value with a long random string of your own and keep it out of version control. getMailFromLogin($login) returns the mail address corresponding to the login (write your own). getUserIDFromLogin($login) returns a unique numerical id that identifies the login in the Vanilla 2 database. The flat-file fallback below writes userid.data.php next to config.php; the web server needs write access to that file and the directory should not be browsable.

```php
<?php
// sso/config.php: parameters shared by the SSO scripts.

// Private key used to sign the SSO_ID cookie. Example value only: replace it.
$secret = "zef43kjdf657kjdf243";

function getMailFromLogin($login) {
    // TODO: write your own code to look up the mail address
    // corresponding to $login, for example in your database or LDAP.
}

function getUserIDFromLogin($login) {
    // TODO: write your own code to associate a unique numerical id
    // with $login, for example in your database or LDAP.
    // Or use this very simple flat-file implementation.
    $dbfile = dirname(__FILE__).'/userid.data.php';
    $users = array();
    if (!file_exists($dbfile)) {
        file_put_contents($dbfile, '<?php $users = '.var_export($users, true).';', LOCK_EX);
    }
    include $dbfile;   // defines $users as array(login => id)
    if (!isset($users[$login])) {
        // next free id: one more than the highest id already allocated
        // (0 when the file is still empty), so ids are never handed out twice
        $users[$login] = (count($users) ? max($users) : 0) + 1;
        file_put_contents($dbfile, '<?php $users = '.var_export($users, true).';', LOCK_EX);
    }
    return $users[$login];
}
```
sso/signin.php redirects the user to your SSO (CAS) server to obtain the authenticated login, then sets a cookie that carries this login to the sso/authenticate.php script. It assumes the phpCAS library (CAS client) is installed and reachable through your PHP include_path. setNoCasServerValidation() disables checking of the CAS server's TLS certificate and is only acceptable while testing; in production point phpCAS at your CA bundle instead. phpCAS 1.6 and later also require the service base URL as a fifth argument to phpCAS::client(), so check the signature of the version you install.

```php
<?php
// sso/signin.php
include dirname(__FILE__).'/config.php';
include_once('CAS.php');

//phpCAS::setDebug();
phpCAS::client(CAS_VERSION_2_0, 'your.sso.domain', 443, '');
// Testing only: accept any certificate from the CAS server.
// In production use phpCAS::setCasServerCACert('/path/to/ca-bundle.pem') instead.
phpCAS::setNoCasServerValidation();
phpCAS::forceAuthentication();
$login = phpCAS::getUser();

$https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';

// set up a signed session cookie carrying the login to sso/authenticate.php
// (marked Secure when served over HTTPS, and HttpOnly so scripts cannot read it)
$hash = base64_encode(sha1($login.$secret).'/'.$login);
setcookie("SSO_ID", $hash, 0, '/', '', $https, true);

// redirect to the Vanilla 2 forum, at the relative path given in ?r= if any
$r = isset($_GET['r']) ? ltrim($_GET['r'], '/') : '';
$url = ($https ? 'https' : 'http').'://'.$_SERVER['HTTP_HOST'].'/'.$r;
$url = rtrim($url, '/');
header('Location: '.$url);
exit;
```
sso/authenticate.php reads the cookie set by sso/signin.php and extracts the login from it. It then looks up the unique id and the user's mail address and returns the result in the format Vanilla 2 expects: one Key=value pair per line.
Notice: this script is called directly by Vanilla after sso/signin.php has run. It is never loaded by the user's browser.

```php
<?php
// sso/authenticate.php
include dirname(__FILE__).'/config.php';

if (!isset($_COOKIE['SSO_ID'])) {
    die();
}
// cookie value is base64(sha1(login.secret) . '/' . login); limit the split
// to two parts so a '/' inside the login cannot shift the fields
$hash = explode('/', base64_decode($_COOKIE['SSO_ID']), 2);
if (count($hash) !== 2) {
    die();
}
// strict, constant-time comparison (PHP 5.6+): a loose == would compare
// two numeric-looking strings as numbers
if (!hash_equals(sha1($hash[1].$secret), $hash[0])) {
    die();
}
$login = strtolower($hash[1]);
$id = getUserIDFromLogin($login);
$mail = getMailFromLogin($login);
if (!$login || !$mail || !$id) {
    die();
}
// each field on its own line, as ProxyConnect expects
echo "UniqueID=".$id."\n";
echo "Name=".$login."\n";
echo "Email=".$mail."\n";
```
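The cookie scheme used above (sha1 of login plus secret, split on '/', originally checked with ==) works, but it is weaker than it needs to be. What follows is an added example, my own code rather than the page's or the ProxyConnect plugin's, of how the token shared by sso/config.php, sso/signin.php and sso/authenticate.php can be issued and verified with an HMAC, a freshness window and a constant-time comparison; it also builds the line-based body that authenticate.php returns. It assumes $secret is the value from sso/config.php, picks a 10-minute lifetime as an example, and needs PHP 5.6 or later for hash_equals(). The login, secret and timestamps in the self-check are constructed values.

```php
<?php
// Added example, not code from the original page or the ProxyConnect plugin.
// Replacement for the sha1($login.$secret) cookie that sso/signin.php hands
// to sso/authenticate.php. Assumes $secret comes from sso/config.php as on
// the page; the 10-minute lifetime is this example's choice. PHP 5.6+.

function b64url_encode($s) { return rtrim(strtr(base64_encode($s), '+/', '-_'), '='); }
function b64url_decode($s)
{
    $s = strtr($s, '-_', '+/');
    $s = str_pad($s, strlen($s) + (4 - strlen($s) % 4) % 4, '=');
    return base64_decode($s, true);
}

// Cookie value: base64url(login) ':' issue-time ':' HMAC-SHA256 over both.
// Encoding the login means a '/' or ':' inside it can never shift the
// separators, which an explode('/') on the page's token would do.
function sso_token_issue($login, $secret, $now = null)
{
    $now = ($now === null) ? time() : $now;
    $payload = b64url_encode($login) . ':' . $now;
    return $payload . ':' . hash_hmac('sha256', $payload, $secret);
}

// Returns the login if the token is authentic and fresh, null otherwise.
function sso_token_verify($token, $secret, $max_age = 600, $now = null)
{
    $now = ($now === null) ? time() : $now;
    $parts = explode(':', (string) $token);
    if (count($parts) !== 3 || !ctype_digit($parts[1])) {
        return null;
    }
    list($login64, $issued, $mac) = $parts;
    $expected = hash_hmac('sha256', $login64 . ':' . $issued, $secret);
    // hash_equals is strict and constant-time: unlike ==, it never treats
    // two numeric-looking strings as equal numbers
    if (!hash_equals($expected, $mac)) {
        return null;
    }
    if ((int) $issued > $now || $now - (int) $issued > $max_age) {
        return null;
    }
    $login = b64url_decode($login64);
    return ($login === false || $login === '') ? null : $login;
}

// Body returned to ProxyConnect from the Authenticate URL: one Key=value per
// line. CR and LF are stripped from every value so no value can inject a
// line of its own.
function proxyconnect_response($id, $login, $mail)
{
    $out = '';
    $fields = array('UniqueID' => $id, 'Name' => $login, 'Email' => $mail);
    foreach ($fields as $key => $value) {
        $out .= $key . '=' . str_replace(array("\r", "\n"), '', (string) $value) . "\n";
    }
    return $out;
}

// Self-check with constructed values (example login, secret and timestamps).
$secret = 'example-only-generate-a-real-one-with-bin2hex(random_bytes(32))';
$token  = sso_token_issue('jdoe/test', $secret, 1700000000);

if (sso_token_verify($token, $secret, 600, 1700000100) !== 'jdoe/test') {
    throw new RuntimeException('valid token was rejected');
}
if (sso_token_verify($token, $secret, 600, 1700001000) !== null) {
    throw new RuntimeException('expired token was accepted');
}
if (sso_token_verify($token . 'x', $secret, 600, 1700000100) !== null) {
    throw new RuntimeException('tampered token was accepted');
}
// The == the page's check used: two numeric-looking strings compare as numbers.
if (('0' == '0e123456789') !== true) {
    throw new RuntimeException('loose comparison behaves differently on this PHP');
}
// A login carrying a newline cannot add a fourth line to the response.
$body = proxyconnect_response(42, "jdoe\nEmail=other@example.org", 'jdoe@example.org');
if (substr_count($body, "\n") !== 3) {
    throw new RuntimeException('response line injection was not stripped');
}
echo $body;
```

To use it, store sso_token_issue($login, $secret) in the SSO_ID cookie from signin.php instead of the sha1 value, and in authenticate.php replace the explode/sha1 check with sso_token_verify($_COOKIE['SSO_ID'], $secret), calling die() when it returns null. Generate $secret once, for example with bin2hex(random_bytes(32)) on PHP 7 or later.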
sso/signout.php just deletes the Vanilla cookie and the SSO cookie, then redirects to the forum home. Note that this only ends the forum session: the CAS session on your SSO server is untouched, so the next visit to sso/signin.php logs the user back in without a password prompt.

```php
<?php
// sso/signout.php
// expire the Vanilla session cookie and the SSO cookie
setcookie('Vanilla', ' ', time() - 3600, '/');
setcookie('SSO_ID', ' ', time() - 3600, '/');

// redirect to the Vanilla home
$https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
header('Location: '.($https ? 'https' : 'http').'://'.$_SERVER['HTTP_HOST'].'/');
exit;
```
favicon.ico
in your vanilla root directory if you want to be able to logout.
sso/register.php should just redirect to your centralized user registration URL:

```php
<?php
// sso/register.php
header('Location: http://your-registration-url');
exit;
```