Feature Wiki
Information about planned and released features
Certificate-based Single-Sign On
1 Description
The certificate-based SSO uses X.509v3 client certificates and allows users to log in to ILIAS using a software token (a client certificate installed in the browser) or a hardware token (e.g. a smartcard). As an additional feature, it is possible to enable auto-generation of new user accounts. A special requirement of this SSO is that users might call a direct link (e.g. a goto-link) to access content without being redirected to the login screen.
An external PKI is required for managing the certificates. Certificate validation takes place during the SSL connection initialisation. For that reason, certificate-based SSO requires a proper Apache web server configuration with mod_ssl and client authentication enabled.
The certificate-based SSO will be implemented as an "Apache based authentication feature". It should be possible to use other authentication mechanisms offered by the Apache web server, e.g. basic authentication or Kerberos.
To match the requirements of "Bundesagentur für Arbeit", two additional features must be implemented and require Jour Fixe confirmation:
- Overwriting the default login page
- Auto-redirect after the profile has been completed
Overwriting the default login page is needed because users must not use a username/password combination; the certificate-based SSO takes place in the background. Because an alternative page might only be needed for certificate-based authentication, I suggest a setting in the new Apache auth configuration tab in the administration. In the login.php script a few lines would be added to realise an on-demand redirect, which could be disabled by setting a GET parameter to allow a traditional login for administrators.
The auto-redirect is required for first-time users calling a goto-link. After an account has been auto-created and the user has accepted the user agreement, he is redirected to the profile screen. The auto-redirect will send the user to the originally requested page once the profile fields have been completed and the user saves the profile form. For implementation, a few lines of code have to be added to the profile form class which redirect if a special session field is set. The field will be set by the Apache auth classes when a new account has been created.
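The following is an added illustration, not ILIAS or Databay code, of the checks the login.php redirect logic described above should make once mod_ssl runs with client authentication enabled and exports the SSL_CLIENT_* variables to PHP. The issuer DN, the `cmd=force_login` bypass parameter, the `target` parameter and the session key names are assumptions made for this example.

```php
<?php
// Added example (not ILIAS code): login decision for the Apache-based
// certificate SSO. Assumes Apache runs "SSLVerifyClient require" and
// "SSLOptions +StdEnvVars" so SSL_CLIENT_VERIFY / _S_DN / _I_DN reach PHP.
// All names and values below are assumptions for this illustration.

const EXPECTED_ISSUER_DN = '/C=DE/O=Example PKI/CN=Example Issuing CA'; // constructed
const FALLBACK_TARGET    = '/ilias.php?baseClass=ilPersonalDesktopGUI';  // assumed

// Returns the subject DN only when Apache positively verified the client
// certificate. SSL_CLIENT_S_DN alone is no proof: with the weaker
// "SSLVerifyClient optional_no_ca" it is exported for unverified certs too.
function verifiedClientSubject(array $server): ?string
{
    if (($server['SSL_CLIENT_VERIFY'] ?? '') !== 'SUCCESS') {
        return null;
    }
    if (($server['SSL_CLIENT_I_DN'] ?? '') !== EXPECTED_ISSUER_DN) {
        return null; // verified by some CA, but not the one trusted for login
    }
    $subject = $server['SSL_CLIENT_S_DN'] ?? '';
    return $subject !== '' ? $subject : null;
}

// The goto-link target is kept in the session for the redirect after the
// profile form. Only a local path is accepted, so the stored value can
// neither send the user to another host nor inject extra headers.
function safeLocalTarget(?string $requested): string
{
    if ($requested === null || $requested === '' || $requested[0] !== '/') {
        return FALLBACK_TARGET;
    }
    if (str_starts_with($requested, '//') || preg_match('/[\r\n]/', $requested)) {
        return FALLBACK_TARGET;
    }
    return $requested;
}

// One request's decision for login.php: $server is $_SERVER, $get is $_GET,
// $session is $_SESSION. Returns the action as a string for readability.
function decideLogin(array $server, array $get, array &$session): string
{
    // Administrators can force the traditional form (assumed parameter name).
    if (($get['cmd'] ?? '') === 'force_login') {
        return 'show-password-login';
    }
    $subject = verifiedClientSubject($server);
    if ($subject === null) {
        return 'show-password-login'; // or an error page, per the admin setting
    }
    $session['auth_subject']   = $subject;                          // assumed key
    $session['redirect_after'] = safeLocalTarget($get['target'] ?? null); // assumed key
    return 'certificate-login';
}
```

The profile form class would read `redirect_after` from the session after a successful save and issue the redirect, then unset the key.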
2 Status
- Scheduled for Release: ILIAS 4.1
- Funding: Funded by Bundesagentur für Arbeit
- Development: Feature is to be developed by Databay AG / Jan Posselt
3 Additional Information
- If you want to know more about this feature, its implementation or funding, please contact: Jan Posselt / jposselt at databay . de
4 Discussion
JF 22 Feb 2010: We highly appreciate this feature.
5 Follow-up
Last changed: 17 Apr 2025, 15:11, Kunkel, Matthias [mkunkel]