Adding Cosign/iFriend Support to Elgg

Assuming you have a working Apache/Elgg setup these notes will take you through converting this setup to use Cosign authentication supporting iFriend.

Add SSL support

Using any form of authentication securely requires that the site run over SSL (a plain HTTP connection provides no integrity protection, so credentials and session cookies could be read or altered in transit). Configure SSL for your site in the normal manner, obtaining a server certificate from a suitable source.

Create Administrators

Using cosign authentication means that the standard Elgg 'Admin' account will no longer work, as there is no cosign account associated with that user. Create an account for the iFriend address you will be using to administer Elgg (typically your email address), then give that account admin permissions: log into Elgg as an existing admin user, go to Administration > User Administration, select the user in question, and click the 'Make admin' button on the left.

Add RemoteUser Authentication

Now we need to add an authentication plugin module to Elgg that supports REMOTE_USER authentication. This offloads authentication to Apache, where you can use whatever authentication mechanism you like, as long as it sets REMOTE_USER to the authenticated username. The Apache authentication then takes precedence over Elgg's built-in authentication, login and logout mechanisms.

  • Download elgg-mod-remoteuser.tar.gz.
  • Change to the top level Elgg tree (DocumentRoot) and untar the archive downloaded above. This will create the mod/remoteuser plugin module directory.
  • Enable the plugin in Elgg. As the Administrator, choose the Administration tab, then the Tool Administration tab. The remoteuser entry should be at the bottom of the list; click Enable to turn it on.

Add Cosign Authentication to use Informatics Service

Now we set up Apache to use Cosign as the authentication mechanism that sets REMOTE_USER. We assume you already have an SSL infrastructure.

  • Download mod_cosign.tar.gz and install on your system. This installs the Apache cosign module.
  • Create a certificate signing request for your server, and send it, along with your Elgg server URL, to Informatics. We will then send you a certificate for use with cosign (you should continue using your normal server certificate, as obtained in the first step, for web access).
  • Add (or update) the following lines in the Apache configuration, either as part of the main configuration or within the VirtualHost for Elgg. The module path, the CosignService name, the CosignCrypto key/certificate/CA paths and the DocumentRoot are likely to need modification based on the local installation paths and SSL setup.

    LoadModule cosign_module /usr/lib/httpd/modules/mod_cosign.so

    CosignHostname weblogin.inf.ed.ac.uk
    CosignRedirect https://weblogin.inf.ed.ac.uk/cosign-bin/cosign.cgi
    CosignPostErrorRedirect https://weblogin.inf.ed.ac.uk/cosign/post_error.html
    CosignService elgg.not-a-service.inf.ed.ac.uk
    CosignCrypto /etc/pki/tls/certs/elggcosign.key /etc/pki/tls/certs/elggcosign.crt /etc/pki/tls/certs/elggcosign.CA
    CosignProtected Off
    ScriptAlias /logout /var/www/cosign-logout/logout.cgi

    <Location /logout>
      CosignProtected On
      AuthType Cosign
    </Location>

    DocumentRoot /disk/dbdata/elgg/htdocs

    <Directory /disk/dbdata/elgg/htdocs>
      AllowOverride all
    </Directory>

    <Location /action/login>
      order allow,deny
      allow from all
      AuthType Cosign
      CosignProtected On
      Require valid-user
    </Location>

  • Create the logout script at /var/www/cosign-logout/logout.cgi. It should have the content below.

    #!/usr/bin/perl -wT

    use strict;

    # change 'central' to the url of your weblogin server.
    my $central = "https://weblogin.inf.ed.ac.uk/cosign-bin/logout";
    my $query_string = "";

    # expire and nullify service cookie
    print( "Set-Cookie: $ENV{ COSIGN_SERVICE }=null; path=/; expires=Wednesday, 27-Jan-77 00:00:00 GMT; secure\n" );

    if ( $ENV{ QUERY_STRING } =~ m|^(https?://.*)$| ) {
        $query_string = "?$1";
    }

    # perform any local cleanup here

    # redirect to central weblogin server
    print( "Location: $central$query_string\n\n" );

    exit( 0 );

  • Restart Apache.

iFriend authentication should now be working. If you go to the Elgg site you should see a single "Login" button. Clicking on this button will take you to the iFriend login site. Log in with your iFriend account (register first if you don't have one) and you should then be taken back to the dashboard of your Elgg account (an account will be created by Elgg if one does not already exist).

Add Informatics Support

Since most Informatics users don't have an iFriend account and use Cosign directly, it is also desirable (although optional) to add support for Informatics users' local single sign-on. Do this as follows.

  • Download mod_user_rewrite.tar.gz and install. This provides the User Rewrite Apache module.
  • Update the Apache configuration as below.

    LoadModule user_rewrite_module  /usr/lib/httpd/modules/mod_user_rewrite.so

    <Location /action/login>
      order allow,deny
      allow from all
      AuthType Cosign
      CosignProtected On
      UserRewrite On
      UserRewriteUsername On
      UserRewriteRule ^([^\@]+)$ $1@inf.ed.ac.uk
      Require valid-user
    </Location>

  • Restart Apache.
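As an added illustration (not code from the remoteuser plugin or from mod_user_rewrite), the following Python model shows the username handling that the two configurations above combine: Apache sets REMOTE_USER, the UserRewriteRule appends @inf.ed.ac.uk to a bare Informatics username while leaving an iFriend email address untouched, and the Elgg side then looks the result up (creating the account on first login) and treats only the exact address that was given 'Make admin' as an administrator. The ElggUserStore class and the admin list are constructed stand-ins for this example.

```python
import re

# The rule from the Apache configuration above: a value with no '@' is a
# bare Informatics username and gets the domain appended; anything that
# already contains '@' (an iFriend address) does not match and is unchanged.
USER_REWRITE_RULE = (re.compile(r"^([^@]+)$"), r"\1@inf.ed.ac.uk")


def rewrite_remote_user(remote_user):
    """Model of mod_user_rewrite applying UserRewriteRule to REMOTE_USER."""
    pattern, replacement = USER_REWRITE_RULE
    return pattern.sub(replacement, remote_user)


class ElggUserStore:
    """Constructed stand-in for Elgg's user table (not Elgg's own API)."""

    def __init__(self, admins):
        self.users = {}            # username -> account record
        self.admins = set(admins)  # addresses given 'Make admin' in Elgg

    def login_from_environment(self, environ):
        """What a REMOTE_USER plugin does when /action/login is requested.

        Apache has already authenticated the request, so the only value
        trusted here is REMOTE_USER. An unset or empty value means the
        location was not actually Cosign-protected, and the login is
        refused rather than falling back to a guessed identity.
        """
        remote_user = environ.get("REMOTE_USER", "").strip()
        if not remote_user:
            raise PermissionError("REMOTE_USER not set: login path not protected")
        username = rewrite_remote_user(remote_user)
        record = self.users.get(username)
        if record is None:
            # Elgg creates the account on first login; admin rights come
            # only from an exact match with an address made admin in Elgg.
            record = {"username": username, "admin": username in self.admins}
            self.users[username] = record
        return record
```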

-- TimColles - 30 Jan 2009

Topic revision: r3 - 02 Feb 2009 - 16:52:42 - TimColles