3liz / lizmap-web-client

Transfer a QGIS project on a server, Lizmap is providing the web interface to browse it
https://www.lizmap.com
Mozilla Public License 2.0

LizMap SSO REMOTE_USER integration #3540

Open men-chris opened 1 year ago

men-chris commented 1 year ago

Good morning,

Is it planned to implement SSO authentication in a future version of Lizmap? We use a very simple-to-implement SSO based on the REMOTE_USER HTTP header.

Thank you for your feedback

laurentj commented 1 year ago

We did not plan to implement SSO authentication based on the REMOTE_USER value, as we didn't know about it.

However, we could study this kind of SSO. As I see in my search, REMOTE_USER is not an HTTP header but an environment variable.

Even if it seems "easy" to implement (REMOTE_USER should contain the login), there is not much documentation about this SSO authentication. It will take time to create an environment having such an authentication mode, to test the feature.

TeoGoddet commented 1 year ago

This works with 3.5 but not 3.6, and I did not test with LDAP. You should add some code to autocreate groups if you want to have them from the env.

Go here: lizmap/plugins/coord/auth/

```php
<?php
/**
 * @package    jelix
 * @subpackage coord_plugin
 */
class AuthCoordPlugin implements jICoordPlugin {
    public $config;

    function __construct($conf){
        $this->config = $conf;

        // Default session key when none is configured.
        if (!isset($this->config['session_name'])
            || $this->config['session_name'] == ''){
            $this->config['session_name'] = 'JELIX_USER';
        }
    }

    /**
     * @param    array $params plugin parameters for the current action
     * @return null or jSelectorAct  if action should change
     * @throws jException
     */
    public function beforeAction ($params){
        // Rebuild a dummy user on every request from the HTTP_REMOTE_* values,
        // which PHP fills from the request headers Remote-User, Remote-Firstname
        // and Remote-Lastname; fall back to an anonymous identity when absent.
        $_SESSION[$this->config['session_name']] = new jAuthDummyUser();
        $_SESSION[$this->config['session_name']]->login = $_SERVER["HTTP_REMOTE_USER"] ?? 'anonymous';
        $_SESSION[$this->config['session_name']]->password = $_SERVER["HTTP_REMOTE_USER"] ?? '!!!!!fake_password!!!!!';
        $_SESSION[$this->config['session_name']]->firstname = $_SERVER["HTTP_REMOTE_FIRSTNAME"] ?? 'Ano';
        $_SESSION[$this->config['session_name']]->lastname = $_SERVER["HTTP_REMOTE_LASTNAME"] ?? 'Nymous';

        // Register the login in the jAcl2 user/group tables
        // (second argument: also add it to the default groups).
        jAcl2DbUserGroup::createUser($_SERVER["HTTP_REMOTE_USER"] ?? 'anonymous', true);
    }

    public function beforeOutput(){}

    public function afterProcess (){}

}
```
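
Added example, not part of the posted plugin or of Lizmap: the thread distinguishes the `REMOTE_USER` environment variable from the `HTTP_REMOTE_USER` value the plugin reads, and only the former is guaranteed to come from the web server rather than from a request header. The function below shows one way to resolve the login with that distinction in mind; `resolveSsoLogin`, `TRUSTED_PROXIES`, the addresses and the login format are assumptions made for the illustration.

```php
<?php
// Added example, not Lizmap or Jelix code. resolveSsoLogin() and
// TRUSTED_PROXIES are hypothetical names; the addresses are constructed.
const TRUSTED_PROXIES = ['127.0.0.1', '192.0.2.10'];

/**
 * Return the login asserted by the SSO layer, or null when no trustworthy
 * identity is present in the given $_SERVER-style array.
 */
function resolveSsoLogin(array $server, array $trustedProxies = TRUSTED_PROXIES): ?string
{
    // REMOTE_USER is set by the web server's own authentication module;
    // a client cannot supply it through a request header.
    $login = $server['REMOTE_USER'] ?? '';

    // HTTP_REMOTE_USER is built from the "Remote-User" request header, so
    // any client can send it. Accept it only when the TCP peer is the SSO
    // proxy, which is expected to overwrite the header on every request.
    if ($login === '') {
        $peer = $server['REMOTE_ADDR'] ?? '';
        if (in_array($peer, $trustedProxies, true)) {
            $login = $server['HTTP_REMOTE_USER'] ?? '';
        }
    }

    // Assumed login format: reject empty, oversized or unexpected values
    // before they reach session or ACL code.
    if (!is_string($login) || preg_match('/\A[A-Za-z0-9._@-]{1,64}\z/', $login) !== 1) {
        return null;
    }
    return $login;
}

// Constructed $_SERVER samples covering the three cases.
$samples = [
    'server auth module'   => ['REMOTE_ADDR' => '198.51.100.7', 'REMOTE_USER' => 'alice'],
    'header via SSO proxy' => ['REMOTE_ADDR' => '192.0.2.10', 'HTTP_REMOTE_USER' => 'bob'],
    'header from client'   => ['REMOTE_ADDR' => '198.51.100.7', 'HTTP_REMOTE_USER' => 'admin'],
];
foreach ($samples as $label => $server) {
    printf("%-22s => %s\n", $label, resolveSsoLogin($server) ?? '(rejected)');
}
```

A `null` result is the point at which a plugin would fall back to the anonymous user instead of creating a session or ACL entry for the supplied name.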