LoginHTTPAuth - SSO & remote_user


#1

The documentation provided for this particular plugin, explains how to configure utilizing .htpasswd and not an alternate database (ldap, etc.). Can this plugin be configured, to query the contents of the Apache “remote_user” variable, for authentication? I have an SSO product installed onto Apache. I do believe, it’s just a matter of configuring this application/plugin, to pass the “remote_user” variable to Apache. Any ideas or am I missing some available documentation? All that I found, was:

http://plugins.piwik.org/LoginHttpAuth


(Matthieu Aubry) #2

Here is the code that reads the various values when authenticating in Piwik: plugin-LoginHttpAuth/Auth.php at master · matomo-org/plugin-LoginHttpAuth · GitHub

In your use case, maybe there is a new value we could add in this function, to auhenticate against HTTP AUTH?


#3

Thanks for the response, Matt. I do see that “remote_user,” is a variable that is included. However, when the plugin is enabled & SSO is enabled, the user is not authenticated (it fails). The logon page displays for manual authentication. When attempting to login, Piwik responds:

Error: Form security failed. Please reload the form and check that your cookies are enabled. If you use a proxy server, you must configure Piwik to accept the proxy header https://website.com/?module=Proxy&action=redirect&url=http%3A%2F%2Fpiwik.org%2Ffaq%2Fhow-to-install%2F%23faq_98 that forwards the Host header. Also, check that your Referrer header is sent correctly.

It’s my understanding that the http header should pass the “remote_user” attribute, authenticating the user against the database and logging the user into the application, Piwik. How does .htaccess, come into play here? Why would a users password, be stored locally and why would the web server have anything to do with storing the user info, in this situation?

I appreciate the assistance.


(Matthieu Aubry) #4

What do you mean by SSO is enabled? because this plugin does not handle SSO but only HTTP Auth htpasswd type authentication


#5

I’m utilizing a Single Sign-On product (e.g. Shibboleth, Cosign, OpenSSO). In my case, I’m utilizing CA’s Siteminder.

Are users utilizing ldap authentication? If so, are the user accounts still stored in htpasswd?

Is there a plugin, that supports SSO?

Edit: Problem resolved and is successful.


(Matthieu Aubry) #6

How did you solve your problem? It would be interesting for other people who will read this post :slight_smile: