Hello, we're trying to create a single sign-on architecture using either SAML or Jasig CAS. The ExpressionEngine platform would serve as the primary interface for our members but would log in to an external system. Our sponsor does not want any changes to redirects for their users when logging in. They prefer an HTTP POST, but this would be a security risk. I know that there is a PHP CAS client which can be incorporated (and someone else has done it). They also want ExpressionEngine to be the portal to internal content, but also to outside services like Google Apps, hosted Blackboard, etc. I am not an ExpressionEngine user or developer, so the question I had was this:
Using ExpressionEngine version 2.x, can I integrate it with an external authentication service but also keep all of the application elements within MySQL? Has anyone else tried this (at least integrating CAS or other outside SSO services)? Which modules would need to be modified or replaced in order to provide either external authentication or at least a pass-through login for additional services?
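The redirect-based ticket exchange the question is weighing against an HTTP POST is what a phpCAS-style client does on the application's behalf. The following is an added, stand-alone model of that CAS 2.0 flow; it is not code from the thread, from phpCAS or from ExpressionEngine. The CAS server URL, the service URL and the two XML responses are constructed for illustration, and the service-URL comparison in `extract_ticket` is the check a practitioner would add so that a ticket issued for another service is not accepted.

```python
"""Added example: the CAS 2.0 redirect/ticket exchange a CAS client performs.
Constructed URLs and XML; nothing here talks to a real CAS server."""
from typing import Optional
from urllib.parse import urlencode, urlparse, parse_qs
import xml.etree.ElementTree as ET

# Namespace used by CAS protocol responses.
CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}


def login_redirect_url(cas_base: str, service_url: str) -> str:
    """Step 1: the application sends the browser to the CAS login page,
    naming the service URL the user must be returned to."""
    return f"{cas_base.rstrip('/')}/login?" + urlencode({"service": service_url})


def extract_ticket(returned_url: str, expected_service: str) -> Optional[str]:
    """Step 2: CAS redirects back with ?ticket=ST-... appended.
    Accept the ticket only if we are on the registered service URL and the
    ticket has the service-ticket prefix the protocol mandates."""
    parsed = urlparse(returned_url)
    base = parsed._replace(query="", fragment="").geturl()
    if base != expected_service:
        return None
    tickets = parse_qs(parsed.query).get("ticket", [])
    if len(tickets) != 1 or not tickets[0].startswith("ST-"):
        return None
    return tickets[0]


def validate_url(cas_base: str, service_url: str, ticket: str) -> str:
    """Step 3: server-to-server validation call; the browser never sees its
    result, which is why the ticket alone cannot be replayed by a user."""
    return f"{cas_base.rstrip('/')}/serviceValidate?" + urlencode(
        {"service": service_url, "ticket": ticket}
    )


def parse_validation_response(xml_text: str) -> dict:
    """Step 4: interpret the /serviceValidate XML. Returns the authenticated
    user and any released attributes, or the failure code."""
    root = ET.fromstring(xml_text)
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is not None:
        user = success.findtext("cas:user", namespaces=CAS_NS)
        attrs = {}
        attr_el = success.find("cas:attributes", CAS_NS)
        if attr_el is not None:
            for child in attr_el:
                attrs[child.tag.split("}")[-1]] = (child.text or "").strip()
        return {"ok": True, "user": user, "attributes": attrs}
    failure = root.find("cas:authenticationFailure", CAS_NS)
    code = failure.get("code") if failure is not None else "MALFORMED"
    return {"ok": False, "code": code}


# Constructed sample responses (shapes follow the CAS protocol document).
SAMPLE_SUCCESS = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>jdoe</cas:user>
    <cas:attributes>
      <cas:mail>jdoe@example.edu</cas:mail>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

SAMPLE_FAILURE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code="INVALID_TICKET">
    Ticket ST-12345 not recognized
  </cas:authenticationFailure>
</cas:serviceResponse>"""


if __name__ == "__main__":
    cas = "https://cas.example.edu/cas"          # assumed CAS server
    svc = "https://ee.example.org/sso/return"    # assumed EE return URL
    print(login_redirect_url(cas, svc))
    ticket = extract_ticket(svc + "?ticket=ST-12345", svc)
    print(validate_url(cas, svc, ticket))
    print(parse_validation_response(SAMPLE_SUCCESS))
    print(parse_validation_response(SAMPLE_FAILURE))
```

The point for the sponsor's objection: the two redirects carry only a short-lived ticket, never the password, and the credential exchange happens in step 3 between the application and the CAS server. A plain HTTP POST of the password to the application would put the credential in the application's hands, which is the risk the question alludes to.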
I’m pretty new to EE 2 myself.
Here are two commercial Add-Ons I was looking at for my own purposes: http://devot-ee.com/add-ons/social-sign-on http://devot-ee.com/add-ons/social-login-pro
The former uses HybridAuth; the latter didn't support an email/identity provider we require, otherwise I might have gone with it (I don't recall what the advantages were anymore, though).
Essentially what the former does is register (create) new EE members when someone authorizes your app (settings which you store in EE) and is redirected to HybridAuth under EE (via a link that you generate). If the user's ID for that IdP is already in your database, then it will match up with that EE user and log them in. The former has custom hooks (points in its own process that call other add-ons utilizing that hook) with which you could add your own business logic to either prevent registration/login and/or add to it.
I'm assuming other external authentication add-ons could work similarly: some way to create an EE member and/or link the IdP info to an EE member, then simply create/load the session with this member's data (thus authentication is independent from EE, but you still retain all of EE's content/users, i.e. the MySQL stuff).
I don't know about SAML or CAS. I've worked with Google + SAML for an LMS in the past, but most of the integration work was already done; I just had to keep playing around and tweaking until both sides were up to date. I haven't looked for SAML stuff with EE, so no comment. Check out devot-ee, lots of excellent add-ons there!
The only way to log into EE is either via login forms that you create or via the administrative Control Panel. So if your site doesn't have any login forms, there shouldn't be any way to log in (don't quote me on that! not sure how the /member/ directory works), ergo nothing to replace really. There is not necessarily any base site: your site is bare until you create template groups and templates (presentation folder and presentation files, tied to URLs unless you do something programmatically or use the Structure add-on). Even Channels and Channel Entries (content containers and content) have no exposure until you provide a template that tells EE to do so and a visitor goes to the particular URL that prompts all this to happen. EE offers tags you can use in your templates so you can create secure login forms, but if you want other means of authentication then you just wouldn't use them; you would use whatever your add-on provides or whatever you build.
Whatever you want can be done for sure, but seeing as I'm relatively fresh to EE, I can't really comment on what's been done already to save you time/work/$. Just trying to provide some insight.
TL;DR
You can get EE to do whatever you want. It may have to be built/adapted, though.
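The answer above describes the add-on's flow in words: match the IdP's user ID to an existing member, otherwise register one, let hook callbacks veto or extend either step, then build a session for that member. Below is an added, stand-alone model of that flow. It is not the add-on's code and uses no ExpressionEngine API; the in-memory `IdentityStore` stands in for the MySQL member and link tables, and the hook names `before_register` and `before_login` are invented for the example. The design choice worth noting is that the link key is the provider's stable user ID, never the email address, so two IdPs that both assert the same email do not get merged into one member.

```python
"""Added example: identity linking with vetoable hooks, modelled stand-alone.
Store, hook names and session shape are constructed for illustration."""
from dataclasses import dataclass, field
import secrets


@dataclass
class Member:
    member_id: int
    email: str
    screen_name: str


@dataclass
class IdentityStore:
    """Stands in for the MySQL tables: a members table plus a link table keyed
    by (provider, provider_user_id). Keying on the provider's stable ID rather
    than on email prevents an attacker who controls the same email at another
    IdP from being matched to an existing member."""
    members: dict = field(default_factory=dict)
    links: dict = field(default_factory=dict)
    next_id: int = 1

    def find_linked(self, provider: str, provider_uid: str):
        member_id = self.links.get((provider, provider_uid))
        return self.members.get(member_id) if member_id is not None else None

    def create_member(self, email: str, screen_name: str) -> Member:
        member = Member(self.next_id, email, screen_name)
        self.members[member.member_id] = member
        self.next_id += 1
        return member

    def link(self, provider: str, provider_uid: str, member_id: int) -> None:
        self.links[(provider, provider_uid)] = member_id


class Hooks:
    """Minimal hook registry: a callback returning False vetoes the step."""
    def __init__(self):
        self._handlers = {}

    def register(self, name: str, fn) -> None:
        self._handlers.setdefault(name, []).append(fn)

    def call(self, name: str, **kwargs) -> bool:
        for fn in self._handlers.get(name, []):
            if fn(**kwargs) is False:
                return False
        return True


def sso_login(store: IdentityStore, hooks: Hooks, provider: str, profile: dict):
    """profile is what the IdP returned; it must carry a stable 'id'.
    Returns a session dict for the matched or newly created member, or
    None if a hook vetoed registration or login."""
    provider_uid = profile["id"]
    member = store.find_linked(provider, provider_uid)
    if member is None:
        if not hooks.call("before_register", provider=provider, profile=profile):
            return None
        member = store.create_member(profile["email"], profile.get("name", profile["email"]))
        store.link(provider, provider_uid, member.member_id)
    if not hooks.call("before_login", member=member, provider=provider):
        return None
    # A real integration would create the application's own session here;
    # the random session_id only illustrates that the member is now logged in.
    return {"member_id": member.member_id, "provider": provider,
            "session_id": secrets.token_hex(16)}


def allow_domain(domain: str):
    """Example business logic for before_register: only auto-provision members
    whose IdP-asserted email is in the organisation's domain."""
    return lambda provider, profile: profile["email"].lower().endswith("@" + domain)


if __name__ == "__main__":
    store, hooks = IdentityStore(), Hooks()
    hooks.register("before_register", allow_domain("example.edu"))
    print(sso_login(store, hooks, "google", {"id": "g-1", "email": "jdoe@example.edu", "name": "J. Doe"}))
    print(sso_login(store, hooks, "google", {"id": "g-2", "email": "someone@gmail.com"}))
```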
Yes, we have recently published a module (plugin) to do single sign-on with any IdP.
You can check it out at devot-ee.com under the name 'miniOrange SAML SSO'.
Here is the link: https://devot-ee.com/add-ons/miniorange-saml-2.0-sso-sp
For any queries, feel free to mail us at info@miniorange.com
miniOrange Security Solutions
Packet Tide owns and develops ExpressionEngine. © Packet Tide, All Rights Reserved.