EXT: OWA Single Sign On

Author:Kasper Skårhøj
Created:2002-11-01T00:32:00
Changed:2005-08-19T01:13:34
Author:Norman Seibert
Email:seibert@entios.de

EXT: OWA Single Sign On

Extension Key: eu_sso_owa

Copyright 2000-2002, Norman Seibert, <seibert@entios.de>

http://www.entios.de

This document is published under the Open Content License

available from http://www.opencontent.org/opl.shtml

The content of this document is related to TYPO3

- a GNU/GPL CMS/Framework available from www.typo3.com

Outlook and Outlook Web Access are trademarks of Microsoft Corporation.

Table of Contents

EXT: OWA Single Sign On

Introduction

What does it do?

Users manual

Administration

Prerequisites

How Single Sign On works

Known problems

Security considerations

Introduction

What does it do?

This extension enables single sign-on (SSO) between TYPO3 and Microsoft Outlook Web Access (OWA) 2003. If you authenticate your users via LDAP (using the eu_ldap extension), this feature is particularly useful.

Users manual

In the following I assume that you are familiar with the installation, deployment and security measures of OWA!

1. Configure your OWA server for form-based authentication.

2. Copy the file 'grabber/eu_sso.php' to your OWA server in an accessible location. It must be possible to invoke this file by URL with anonymous authentication.

3. Edit the file 'grabber/owa_key.php', changing the variable definition to a random value, and copy it to both your OWA server and your TYPO3 server. This file contains the key used to encrypt the messages between the two servers. The anonymous account IUSR_xxx must have write access to this location, but it must not be possible to access this file via your web server.

4. Configure 'eu_sso.php':

   4.1 Change the file used for temporary data by editing the path at the beginning of the file according to your needs:

       define('SERVERVARS_FILE', 'd:/cache.php');

       The anonymous account IUSR_xxx must have write access to this location, but it must not be possible to access this file via your web server, because user credentials are cached in it (only for a fraction of a second, but nonetheless).

   4.2 Define the path to your key file:

       define('KEY_FILE', 'd:/owa_key.php');

5. Apply step 4.2 to the extension file 'pi1/class.tx_eussoowa_pi1.php'.

6. Create a new page in the backend which will forward the user to the OWA frontend.

7. Insert the OWA SSO plugin on the page.

8. Configure the template of the page:

   plugin.tx_eussoowa_pi1 {
     # Host name of the OWA server
     host = https://owa.mydomain.com
     # Exchange domain
     domain = intranet.local
     # Relative path to eu_sso.php on the OWA server
     wg_path = php
   }

Administration

Prerequisites

Your PHP installation must support cURL (with SSL) and Mcrypt! Just google a little bit for OS-specific installation instructions.

If you do not use eu_ldap for LDAP integration, you must synchronize your users' Windows and TYPO3 passwords and store the passwords in the TYPO3 user table in clear text!

How Single Sign On works

When the page containing the OWA plugin is loaded, TYPO3 calls 'eu_sso.php' on the OWA server and transfers the parameters needed to call OWA together with the user's credentials. The plugin then redirects the user's browser directly to 'eu_sso.php', passing along the key the password is encrypted with. 'eu_sso.php' then calls the login form, creates a session with the Exchange server and forwards the user to the result page.

All data transferred between the TYPO3 and the OWA server is encrypted!

Known problems

Security considerations

Storing passwords in cleartext in the TYPO3 database is a security risk – if you are using LDAP authentication (eu_ldap) you get rid of that!

Additionally, the passwords are cached on the OWA server for the time between the background call to 'eu_sso.php' and the frontend redirection.
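The following is an added example, not code from the eu_sso_owa extension, written to make the hand-off described in "How Single Sign On works" and the cache window named in the paragraph above concrete. It models both sides: the TYPO3 server encrypts the credentials under the shared key from 'owa_key.php' and parks them on the OWA side, the browser is redirected, and 'eu_sso.php' consumes the cached entry and decrypts it. Everything beyond that flow is an assumption of this example and not something the manual states: the temporary store is keyed by a random one-time token carried in the redirect (rather than the key itself), an entry is deleted the moment it is read, entries expire after CACHE_TTL_SECONDS, and a sweep removes entries whose browser never arrived. The encrypt/decrypt pair is an HMAC-SHA256 counter-mode stand-in for the extension's Mcrypt layer so that the example runs on the Python standard library alone; a real deployment would use a vetted AEAD such as AES-GCM. The FakeClock and all credentials are constructed sample values.

```python
# Added example, not code from the eu_sso_owa extension. Models the TYPO3 -> eu_sso.php
# hand-off and the bounded credential cache on the OWA server. The one-time token,
# the TTL, delete-on-read and the sweep are assumptions of this example; the cipher is
# a standard-library stand-in for the extension's Mcrypt layer (use AES-GCM for real).
import hashlib
import hmac
import json
import secrets
import time

CACHE_TTL_SECONDS = 5  # assumed upper bound on how long eu_sso.php may hold credentials


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive `length` pseudorandom bytes from key and nonce (HMAC-SHA256 in counter mode)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(shared_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with separate subkeys derived from the shared key: nonce || ct || tag."""
    enc_key = hashlib.sha256(b"enc" + shared_key).digest()
    mac_key = hashlib.sha256(b"mac" + shared_key).digest()
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(shared_key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before touching the ciphertext."""
    enc_key = hashlib.sha256(b"enc" + shared_key).digest()
    mac_key = hashlib.sha256(b"mac" + shared_key).digest()
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("message rejected: authentication tag mismatch")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class HandoffCache:
    """Stand-in for the SERVERVARS_FILE temporary store on the OWA server."""

    def __init__(self, ttl=CACHE_TTL_SECONDS, clock=time.monotonic):
        self.ttl = ttl
        self.clock = clock  # injectable so expiry can be exercised without sleeping
        self._entries = {}  # one-time token -> (stored_at, encrypted blob)

    def store(self, blob: bytes) -> str:
        token = secrets.token_urlsafe(32)
        self._entries[token] = (self.clock(), blob)
        return token

    def consume(self, token: str):
        """Return the blob exactly once and delete it; None if unknown, replayed or expired."""
        entry = self._entries.pop(token, None)
        if entry is None:
            return None
        stored_at, blob = entry
        return None if self.clock() - stored_at > self.ttl else blob

    def sweep(self) -> int:
        """Drop entries whose browser never arrived (failed redirect); returns how many."""
        now = self.clock()
        stale = [t for t, (at, _) in self._entries.items() if now - at > self.ttl]
        for t in stale:
            del self._entries[t]
        return len(stale)


def typo3_background_call(shared_key: bytes, user: str, password: str, cache: HandoffCache) -> str:
    """TYPO3 side: encrypt the credentials under the owa_key.php key and park them on the OWA side."""
    payload = json.dumps({"user": user, "password": password}).encode()
    return cache.store(encrypt(shared_key, payload))  # the token travels in the browser redirect


def owa_frontend_redirect(shared_key: bytes, token: str, cache: HandoffCache):
    """eu_sso.php receiving the redirected browser: consume, decrypt, then log in to OWA."""
    blob = cache.consume(token)
    if blob is None:
        return None  # expired, replayed or unknown token: no login attempt is made
    return json.loads(decrypt(shared_key, blob))


class FakeClock:
    """Constructed clock so the TTL can be demonstrated without real waiting."""

    def __init__(self, start=1000.0):
        self.now = start

    def __call__(self):
        return self.now
```

Typical use: `token = typo3_background_call(key, "jdoe", "pw", cache)` followed by `owa_frontend_redirect(key, token, cache)` returns the credentials once; a second call with the same token, or a call after the TTL has passed, returns None, and `cache.sweep()` clears entries for redirects that never arrived. Whatever the redirect carries ends up in browser history and web server logs, which is why this model makes it a single-use, short-lived token and why the window named in the manual should stay as short as possible.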