Author Topic: Single Sign On  (Read 10044 times)

Offline kc9ddi

Single Sign On
« on: January 25, 2011, 11:01:37 AM »
Hi - My company has an internally developed web application, and uses Roundcube for webmail.  The custom web app and the email servers share a common username/password database, and a feature that has been requested of me is to create a "single sign on" functionality where if a user logs in to the web app, they are automatically logged in to Roundcube.

In the past, I tried a very hacky solution where I included the Roundcube login page as a hidden iframe on the web app login page, and then did some JavaScript magic to copy the username/password into the right fields and POST the forms at the right time.  This kind of worked, but the web app and Roundcube live at different subdomains (myapp.example.com and webmail.example.com), so I had to add some JavaScript to every Roundcube page telling it to allow cookies for/from the other subdomain.  This worked fairly well, but it was very difficult to track down every single HTML page, and also made it very difficult to upgrade to new versions of Roundcube.

Does anyone have any suggestions for a better way to handle this?

Offline SKaero

Single Sign On
« Reply #1 on: January 25, 2011, 01:14:10 PM »
Take a look at the example auto login plugin; you could easily adapt it to work with your other system. http://trac.roundcube.net/browser/trunk/plugins/autologon/autologon.php

Offline kc9ddi

Single Sign On
« Reply #2 on: January 29, 2011, 05:03:16 PM »
Well, I've looked at the autologin plugin, and have modified it like so:


<?php

class sso extends rcube_plugin {
  public $task = 'login';

  function init() {
    $this->add_hook('startup', array($this, 'startup'));
    $this->add_hook('authenticate', array($this, 'authenticate'));
  }

  function startup($args) {
    $rcmail = rcmail::get_instance();

    // change action to login
    if (empty($_SESSION['user_id']) && !empty($_GET['_autologin']))
      $args['action'] = 'login';

    return $args;
  }

  function authenticate($args) {
    // take the credentials from the POST body when _autologin is set
    if (!empty($_GET['_autologin'])) {
      $args['user'] = $_POST['user'];
      $args['pass'] = $_POST['password'];
    }
    return $args;
  }
}


I've enabled the plugin in my Roundcube config.  I then call it from JavaScript from the login page of the other web app:





I don't get any errors, and Firebug shows that the POST request went OK, but I am definitely not logged in to Roundcube.

As you can see, I am using CORS to handle the cross-site ajax request.

Any ideas on where the problem might be, or some good debugging steps?
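
One debugging step for the symptom in the last post (the cross-origin POST succeeds but no webmail session exists afterwards), as an added example that is not part of the thread or of Roundcube: a simplified model of how a browser treats a CORS XHR response. The CORS header names are real; the function name, its fields, the `https` scheme and the sample headers are assumptions constructed for illustration, and other cookie policies are not modelled.

```javascript
// Simplified model of browser CORS handling for a cross-origin XHR login.
// evaluateCorsLogin and its field names are hypothetical (example only).
function evaluateCorsLogin({ pageOrigin, targetOrigin, withCredentials, responseHeaders }) {
  // HTTP header names are case-insensitive, so normalise before lookup.
  const headers = {};
  for (const [name, value] of Object.entries(responseHeaders)) {
    headers[name.toLowerCase()] = String(value).trim();
  }
  const reasons = [];

  // Same-origin requests are not subject to CORS at all.
  if (pageOrigin === targetOrigin) {
    return { cookieStored: true, responseReadable: true, reasons };
  }

  const allowOrigin = headers['access-control-allow-origin'];
  // The value must be the exact, case-sensitive string "true".
  const allowCreds = headers['access-control-allow-credentials'] === 'true';

  // Without xhr.withCredentials = true, cookies are neither sent nor stored,
  // so the webmail session cookie from the login response is discarded.
  const cookieStored = withCredentials;
  if (!cookieStored) {
    reasons.push('withCredentials is false: Set-Cookie in the response is ignored');
  }

  let responseReadable;
  if (withCredentials) {
    // Credentialed responses need an exact origin match, never the wildcard.
    responseReadable = allowOrigin === pageOrigin && allowCreds;
    if (allowOrigin === '*') {
      reasons.push('Access-Control-Allow-Origin "*" is rejected for credentialed requests');
    } else if (allowOrigin !== pageOrigin) {
      reasons.push('Access-Control-Allow-Origin does not match the calling origin');
    }
    if (!allowCreds) {
      reasons.push('Access-Control-Allow-Credentials: true is missing');
    }
  } else {
    responseReadable = allowOrigin === '*' || allowOrigin === pageOrigin;
    if (!responseReadable) {
      reasons.push('Access-Control-Allow-Origin does not allow the calling origin');
    }
  }
  return { cookieStored, responseReadable, reasons };
}
```

A request with `withCredentials` left at its default and a wildcard `Access-Control-Allow-Origin` comes back readable with no cookie stored, which matches a POST that "went OK" without producing a login.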