SSO/Troubleshooting

From Authentication Tools for Joomla! (JAuthTools)

Revision as of 03:16, 20 August 2008 by Pasamio (Talk | contribs)

Note: This page is relevant to Joomla! 1.5, not the Joomla! 1.0 releases. In 1.0 the user source is configured with the plugin itself and can be independently managed. Some information may not be relevant for 1.0 (particularly JDiagnostic and User Sources), although some of it may still be useful. If you have a choice, 1.5 is really the best way to do things. In the future, documentation will primarily be aimed at Joomla! 1.5 or the latest relevant release.


Getting Started

SSO, or Single Sign On, is sometimes a hard system to debug because it relies on both external dependencies (typically the web server you are using or the service that is identifying the user) and internal Joomla! dependencies, such as the user source system. As such it can be a bit tricky to get up and running with things.

As I've worked I've developed a tool called "JDiagnostic" which is designed to help you diagnose issues with different parts of the system. Particularly useful are the SSO Checker and User Source Checker. Both of these provide tests for each of the important parts of the system: one to check you're actually detecting a user, and another to check whether they would be created properly once they have been detected.

HTTP SSO

HTTP SSO is usually reliant on another system to handle the actual user identification procedure, typically the web server. Web servers are usually very good at doing this and are much more efficient than doing this in PHP code (especially when the work has already been done!).

Active Directory Troubleshooting

If you're using Active Directory, be aware that the domain will typically be prefixed onto the provided username (e.g. DOMAIN\username). Because of this you will normally need to put your domain's down-level name, followed by a backslash (e.g. DOMAIN\), into the username replacement setting of the SSO - HTTP plugin.

This also affects the username that is handed to the user source. Depending on how your user source is configured, SSO may not work properly: if you are connecting to AD, you will need a service account to find the user's details, because you won't have their account to begin with.
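
The prefix handling described above, as an added example (not code from the SSO - HTTP plugin). The function name and the `EXAMPLE\` domain are hypothetical, and `$replacement` stands in for the plugin's username replacement setting. It strips only the configured prefix and rejects names that still carry another domain, so that OTHER\jsmith is not silently mapped onto the local "jsmith" account.

```php
<?php
// Added example: hypothetical helper, not the plugin's own implementation.
// $replacement stands in for the "username replacement" setting, i.e. the
// down-level domain name followed by a backslash, e.g. 'EXAMPLE\\'.

/**
 * Return the bare username to hand to the user source, or null when the
 * value supplied by the web server should not be used for automatic login.
 */
function sso_normalise_username($remoteUser, $replacement)
{
    $remoteUser = trim((string) $remoteUser);
    if ($remoteUser === '') {
        return null; // the web server did not identify anyone
    }

    // Strip only the configured prefix. The comparison is case-insensitive
    // because down-level (NetBIOS) domain names are not case-sensitive.
    $len = strlen($replacement);
    if ($len > 0 && strncasecmp($remoteUser, $replacement, $len) === 0) {
        // The cast keeps older PHP versions (where substr() can return
        // false) from leaking a boolean into the checks below.
        $remoteUser = (string) substr($remoteUser, $len);
    }

    // A backslash that is still present means the account belongs to a
    // different domain than the one configured, so refuse it.
    if ($remoteUser === '' || strpos($remoteUser, '\\') !== false) {
        return null;
    }

    return $remoteUser;
}

// Constructed sample values of what a web server might supply as the
// authenticated user (for example in REMOTE_USER).
$samples = array('EXAMPLE\\jsmith', 'example\\jsmith', 'OTHER\\jsmith', 'jsmith', 'EXAMPLE\\');
foreach ($samples as $value) {
    $user = sso_normalise_username($value, 'EXAMPLE\\');
    printf("%-16s => %s\n", $value, $user === null ? '(rejected)' : $user);
}
```

The first, second and fourth samples yield `jsmith`; `OTHER\jsmith` and the bare `EXAMPLE\` prefix are rejected.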

I've had great amounts of issues, perhaps due to my lack of understanding of Kerberos, in getting Linux and Active Directory's KDC to play nicely together. It is possible, but be prepared to brave the command line.

IIS Issues

Please note that "Integrated Windows Authentication" (IE setting) or "domain authentication" (IIS setting) will typically only work in the intranet zone for IE. If you access the site using the web zone, or with another browser that hasn't been configured to use Negotiate authentication, you will be prompted with a password dialog as a fallback.
