Roundcube Community Forum

News and Announcements => General Discussion => Topic started by: kc9ddi on January 25, 2011, 11:01:37 AM

Title: Single Sign On
Post by: kc9ddi on January 25, 2011, 11:01:37 AM
Hi - My company has an internally developed web application, and uses Roundcube for webmail.  The custom web app and the email servers share a common username/password database, and a feature that has been requested of me is to create a "single sign on" functionality where if a user logs in to the web app, they are automatically logged in to Roundcube.

In the past, I tried a very hacky solution where I included the Roundcube login page as a hidden iframe on the web app login page, and then did some javascript magic to copy the username/password into the right fields and POST the forms at the right time.  This kind of worked, but the web app and roundcube live at different subdomains ( and, so I had to add some javascript to every roundcube page telling it to allow cookies for/from the other subdomain.  This worked fairly well, but it was very difficult to track down every single HTML page, and also made it very difficult to upgrade to new versions of Roundcube.

Does anyone have any suggestions for a better way to handle this?
Title: Single Sign On
Post by: SKaero on January 25, 2011, 01:14:10 PM
Take a look at the example auto login plugin, you could easy adapted it to with your other system.
Title: Single Sign On
Post by: kc9ddi on January 29, 2011, 05:03:16 PM
Well, I've looked at the autologin plugin, and have modified it like so:

class sso extends rcube_plugin {
  public $task = 'login';

  function init() {
    $this->add_hook('startup', array($this, 'startup'));
    $this->add_hook('authenticate', array($this, 'authenticate'));

  function startup($args) {
    $rcmail = rcmail::get_instance();

    // change action to login
    if (empty($_SESSION['user_id']) && !empty($_GET['_autologin']))
      $args['action'] = 'login';

    return $args;

  function authenticate($args) {
    if (!empty($_GET['_autologin'])) {
      $args['user'] = $_POST['user'];
      $args['pass'] = $_POST['password'];
    return $args;

I've enabled the plugin in my roundcube config.  I then call it from Javascript from the login page of the other web app:

I don't get any errors, and firebug shows that the post request went OK, but I am definitely not logged in to roundcube.

As you can see, I am using CORS to handle the cross-site ajax request.

Any ideas on where the problem might be, or some good debugging steps?