RocketChat / Rocket.Chat

The communications platform that puts data protection first.
https://rocket.chat/

LDAP - user is not logged in automatically (no SSO) #5353

Open Abraka opened 7 years ago

Abraka commented 7 years ago

Your Rocket.Chat version: 0.48.2

I just set up authentication against our LDAP server (AD) and the connection test gave me a big green OK. Trying to join a test user to Rocket.Chat, I get stuck at the standard login page, no errors in the log. Then I put the login information into the login dialog and then I can log in. Well, this is a very strange, unusual LDAP integration, because the main point of using LDAP for authentication is to avoid the end user having to enter login information. What am I missing here?

fcoppolani commented 7 years ago

Hi,

I don't think this is a bug. LDAP is a protocol; it allows an application (Rocket.Chat) to delegate authentication to a directory (AD in your case). So Rocket.Chat won't store the password but will ask your AD through the LDAP protocol whether the credentials given as input are correct. You will have SSO because only one credential can be used for several applications. But users still need to fill these credentials into the application login form so this application can send them to your AD. What you are looking for is automatic SSO: for example, if you are using Windows, your browser could ask the OS for the token of the Windows session and send it to your application, which will ask your AD (or another third party) to validate this token. This could be achieved with Kerberos, for example, but your browser/application has to ask for this token. I'm not an expert, so I may be wrong; I just mention https://en.wikipedia.org/wiki/Single_sign-on for reading.
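The comment above describes bind-based delegation: the application receives the user's credentials, looks up the user's DN, and asks the directory to confirm them with a bind. The following is an added example, not Rocket.Chat code, written to show that flow and the one caveat a practitioner should know about it. `FakeDirectory` is a constructed in-memory stand-in for AD (no network), and it mimics two real LDAP bind behaviours: a simple bind returns resultCode 0 on a password match and 49 (invalidCredentials) otherwise, and a bind that carries a DN but an empty password is an "unauthenticated bind" (RFC 4513 section 5.1.2), which many servers answer with success while granting only an anonymous session. `naive_login` and `guarded_login` are hypothetical application functions; the second shows the check an application should make before treating a successful bind as proof of identity.

```python
import hashlib
import hmac
import os

LDAP_SUCCESS = 0
LDAP_INVALID_CREDENTIALS = 49


class FakeDirectory:
    """Constructed stand-in for an AD/LDAP server; stores salted PBKDF2 digests."""

    def __init__(self):
        self._entries = {}  # dn -> {"sAMAccountName": ..., "salt": ..., "digest": ...}

    def add_user(self, dn, sam_account_name, password):
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self._entries[dn] = {"sAMAccountName": sam_account_name, "salt": salt, "digest": digest}

    def search_dn(self, sam_account_name):
        """Service-account search: map a login name to the entry DN (case-insensitive, like AD)."""
        for dn, attrs in self._entries.items():
            if attrs["sAMAccountName"].lower() == sam_account_name.lower():
                return dn
        return None

    def bind(self, dn, password):
        """Mimic LDAP simple bind. Returns (resultCode, authorized identity or None)."""
        if dn and password == "":
            # RFC 4513 5.1.2 unauthenticated bind: the server does not check the
            # password at all; it answers success but the session is anonymous.
            return LDAP_SUCCESS, None
        entry = self._entries.get(dn)
        if entry is None:
            return LDAP_INVALID_CREDENTIALS, None
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), entry["salt"], 100_000)
        if hmac.compare_digest(digest, entry["digest"]):
            return LDAP_SUCCESS, dn
        return LDAP_INVALID_CREDENTIALS, None


def naive_login(directory, username, password):
    """Forwards the login form verbatim and trusts resultCode alone (the mistake)."""
    dn = directory.search_dn(username)
    if dn is None:
        return False
    code, _identity = directory.bind(dn, password)
    return code == LDAP_SUCCESS


def guarded_login(directory, username, password):
    """Same delegation, but never sends an empty password and insists the
    directory actually authorized the DN we asked about."""
    if not password:
        return False  # an empty password can never prove identity over LDAP bind
    dn = directory.search_dn(username)
    if dn is None:
        return False
    code, identity = directory.bind(dn, password)
    return code == LDAP_SUCCESS and identity == dn


def build_demo_directory():
    """Constructed sample data: one AD-style account."""
    d = FakeDirectory()
    d.add_user("CN=Alice Example,OU=Users,DC=example,DC=test", "alice", "correct horse battery")
    return d


if __name__ == "__main__":
    d = build_demo_directory()
    print("naive, right password  :", naive_login(d, "alice", "correct horse battery"))
    print("naive, empty password  :", naive_login(d, "alice", ""))
    print("guarded, right password:", guarded_login(d, "alice", "correct horse battery"))
    print("guarded, empty password:", guarded_login(d, "alice", ""))
```

The point for a deployment like the one in this thread: because the application itself is the party that presents the password to the directory, it must treat the bind result as an answer to "did this DN authenticate with this exact password", not merely as "did the server say success". Kerberos-style SSO avoids the form entirely, but it is a different protocol exchange and is not something the LDAP bind path can provide on its own.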

Abraka commented 7 years ago

Well, from a strictly technical view of this problem you are right. But in terms of real deployment scenarios of applications using LDAP for authorization, I can't remember a single one using the LDAP feature and then requiring the user to type the name/password again. From my point of view (and a few others here look for the same), LDAP without SSO is useless. For my deployment case, users open the browser and without any delay get into their channels. If there is a block where they have to type login info into dialogs... it's the end of a very short chatting story :)

engelgabriel commented 7 years ago

Refs https://github.com/RocketChat/Rocket.Chat/issues/5124

sternenseemann commented 3 years ago

Looks like what you are looking for is CAS (see https://docs.rocket.chat/guides/administrator-guides/authentication/cas). What you want shouldn't be possible with LDAP bind authentication.