Joomla SSO (Single Sign On) with mod_auth_tkt and tktcookie
I have been wanting to get SSO working on the site for a while, to work with the Invoicing, Bugzilla and BackupPC systems. Joomla already has a database for accounts, and the default security access of Joomla menus and pages is helpful - but how do I get Joomla to tell Apache once a user has authenticated?
The Apache module mod_auth_tkt and a little-known Joomla plugin called tktcookie hold the answer.
mod_auth_tkt is an authentication module for Apache. It reads a ticket cookie sent by the client's browser, and if the ticket's digest verifies against the secret key Apache is configured with, access is allowed. The tktcookie plugin lets Joomla create this cookie after a user has successfully logged into Joomla; Joomla logs the user in and passes the details to Apache - SSO!
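How the cookie check described above works, as an added example (not code from mod_auth_tkt or tktcookie): it builds and verifies a ticket using mod_auth_tkt's default MD5 ticket layout. The function names, secret, user names and the 7200-second timeout are assumptions made for illustration.

```python
import hashlib
import hmac
import socket
import struct

IGNORED_IP = "0.0.0.0"  # address hashed into the ticket when TKTAuthIgnoreIP is on


def _digest(secret: bytes, uid: str, ts: int, ip: str, tokens: str, data: str) -> str:
    """MD5(MD5(ip + timestamp + secret + uid \\0 tokens \\0 data) + secret), hex encoded."""
    ip_ts = socket.inet_aton(ip) + struct.pack("!I", ts)
    raw = ip_ts + secret + uid.encode() + b"\0" + tokens.encode() + b"\0" + data.encode()
    inner = hashlib.md5(raw).hexdigest().encode()
    return hashlib.md5(inner + secret).hexdigest()


def make_ticket(secret, uid, ts, ip=IGNORED_IP, tokens="", data=""):
    """Ticket = 32 hex digest chars + 8 hex timestamp chars + uid!tokens!data."""
    body = f"{uid}!{tokens}!{data}" if tokens else f"{uid}!{data}"
    return _digest(secret, uid, ts, ip, tokens, data) + f"{ts:08x}" + body


def verify_ticket(secret, ticket, now, ip=IGNORED_IP, timeout=7200):
    """Return the uid if the digest verifies and the ticket is fresh, else None."""
    if len(ticket) < 41 or "!" not in ticket[40:]:
        return None
    digest, ts_hex, rest = ticket[:32], ticket[32:40], ticket[40:]
    try:
        ts = int(ts_hex, 16)
    except ValueError:
        return None
    if ts < 0:
        return None
    uid, _, tail = rest.partition("!")
    tokens, sep, data = tail.partition("!")
    if not sep:  # no token list present: the tail is user data only
        tokens, data = "", tail
    expected = _digest(secret, uid, ts, ip, tokens, data)
    # Constant-time comparison; any change to uid, tokens, data or timestamp fails here
    if not hmac.compare_digest(expected.encode(), digest.encode()):
        return None
    if not 0 <= now - ts <= timeout:  # reject expired or future-dated tickets
        return None
    return uid


if __name__ == "__main__":
    demo_secret = b"constructed-demo-secret"  # constructed value, not a real key
    ticket = make_ticket(demo_secret, "alice", 1700000000)
    print(ticket, verify_ticket(demo_secret, ticket, now=1700000060))
```

The digest covers the user name, tokens, user data and timestamp, so the secret is the only thing standing between a client and a ticket for any user name.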
Steps I followed...
Get mod_auth_tkt
On my CentOS box, as root:
{codecitation style="brush: bash;"}yum install mod_auth_tkt{/codecitation}
In /httpd/conf.d, rename 02_auth_tkt.conf to 02_auth_tkt.conf.old, as we will load these details in httpd.conf.
Edit httpd.conf
Note: the lines below can be added to 02_auth_tkt.conf instead if you wish; this just worked well for me.
Add the following line to the top of the LoadModule section to load mod_auth_tkt:
{codecitation style="brush: bash;"}LoadModule auth_tkt_module modules/mod_auth_tkt.so{/codecitation}
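Add the following to your VirtualHost; this is your secret key. Anyone who knows this value can create valid tickets, so replace the placeholder with a long random string and keep it private.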
{codecitation style="brush: bash;"}TKTAuthSecret "change me!"{/codecitation}
Note! The TKTAuthSecret line must not be indented at all. I believe this is a bug with tktcookie where, if the line has any spaces in front of it, the key will not be read correctly.
Setting up .htaccess file
An example...
{codecitation style="brush: bash;"}# Replace each <placeholder> with your own value
AuthType none
Require valid-user
TKTAuthCookieName <name for your cookie>
TKTAuthDomain <your domain>
TKTAuthLoginURL http://<url for your Joomla login page>
# Do not tie the ticket to the client's IP address
TKTAuthIgnoreIP on{/codecitation}
Setting up Joomla
Grab tktcookie and install it as a standard plugin.
Enable the plugin and set the required settings. Important points to note...
- TKT Secret file - location of your TKTAuthSecret
- TKT Cookie name - same as TKTAuthCookieName