Libre Software People's Front

don't confuse it with People's Front of Open Source

Posts Tagged ‘single sign on

Single Sign On with Pubcookie

leave a comment »

A couple of months ago I had to find a solution to offer a single sign on service in a environment with PHP applications and Plone. I decided to use Pubcookie which is a good solution and has a good documentation although due to its small niche market its community is not very big.

According to SLOCCount most of the code is C and it has almost 50 thousand lines of code

Totals grouped by language (dominant language first):
ansic: 40864 (85.89%)
cpp: 4215 (8.86%)
sh: 2500 (5.25%)

Total Physical Source Lines of Code (SLOC) = 47,579

The documentation is available here, it is clear but from my point of view it lacks of a set of examples. The first time I installed pubcookie I was a bit confused, my first error was trying to install it without understand completely how it worked so my first advice is that you must understand how it works before. The key concept is to realize that the authentication and creation/validation of cookies is going to be performed by the pubcookie service. Your web applications won’t have to deal with this issues anymore.

Have a look at the diagram in the section How Pubcookie Works. In our example with Plone, PHP applications and Apache our agents would be:

  • User-Agent, your browser
  • Application Server, an apache module installed in the server which offers the web application. In our example we would have one for each web application
  • Login Server, the service in charge of creating and delivering the important cookies and dealing with the user login form
  • AuthN Server, in our example it could be offered by an LDAP server. The Login Server would deal with this authentication server. We only need one

Every time the user visits a protected url (by the apache module / application server) in one of the server applications, the application server finds out whether the users’ cookie is valid or not. Depending on the type of cookie the user provide, it (the application server) can forward the user to the login server or give him access as logged in. Once the application server ensures the user is a valid user with a valid cookie it passes the user to the web application using an apache header, this last step is very important from the security point of view. The web applications will blindly accept the user passed in that HTTP header so it must come only from localhost and only when the apache module checks the request comes from a valid user.

Hands on. Download it and install all the components (keyserver, keyclient, apache module ..), you will need to generate some keys used to sign and encrypt the cookies which are exchanged between the login server and the application server.

Once the daemons are running and the apache module is built, we can start setting up our Plone. The most important part is the configuration of the apache module, there is a Plone plugin (product) called WebServerAuth that will do the rest of the job.

This is the important part of the apache configuration for our traffic over SSL:

<VirtualHost *:443>
SSLEngine On
SSLCertificateFile /etc/apache2/ssl/example.crt
SSLCertificateKeyFile /etc/apache2/ssl/example.key
# Prompt for authentication:
<Location />
AuthType EXAMPLEAuth
PubcookieAppID zope
Require valid-user

# once we know the user is a valid user, we set the HTTP header with the username
RewriteEngine On
RewriteRule .* - [E=RU:%{REMOTE_USER}]
RequestHeader set X_REMOTE_USER %{RU}e

As I remarked before, the application (Plone in this case) will accept any user in the HTTP_X_REMOTE_USER header so we must avoid that header when our apache module for pubcookie is not checking it is sent by a valid user. That is, we remove this header unless it goes to the URL protected by the apache module (our application server).

<VirtualHost *:80>
RequestHeader unset X_REMOTE_USER

At this point, you would be able of using the single sign on service with Plone. The next step would be to add more web applications. If you don’t find a pubcookie plugin for your PHP application, you would have to edit the code to bypass the user and session verification in order to accept the user included in the HTTP_X_REMOTE_USER header.

Last but not least, thanks to cewing and erikrose in #plone IRC channel at, they were very helpful 🙂


Written by sanacl

February 24, 2010 at 7:24 pm

Posted in web services

Tagged with ,