Ticket #598 (new, New feature)

Opened 3 years ago

Last modified 2 months ago

Plugin to provide Login via Central Authentication Service (CAS)

Reported by: rbalfanz
Owned by:
Priority: normal
Milestone: Third Party Piwik Plugins
Component: Core
Keywords:
Cc:
Sensitive: no

Description

Single sign-on authentication would be useful when incorporating Piwik into existing environments already using CAS.

Attachments

CASLogin-0.1.tar.gz (40.7 KB) - added by avel 22 months ago.
CASLogin-0.2.tar.gz (40.6 KB) - added by avel 22 months ago.
CASLogin-0.3.tar.gz (42.8 KB) - added by avel 20 months ago.
CASLogin-0.4.tar.gz (43.0 KB) - added by avel 18 months ago.
CASLogin-0.5.tar.gz (43.0 KB) - added by avel 18 months ago.
CASLogin-0.6.tgz (41.7 KB) - added by ow 12 months ago.
CASLogin-0.6.2.tgz (41.7 KB) - added by ow 12 months ago.
CASLogin-0.6.3.tgz (42.0 KB) - added by tkuipers 2 months ago.

Change History

  Changed 3 years ago by vipsoft

  • milestone changed from Surviving The Wild to Features requests - after Piwik 1.0

Probably depends on #551 to be fixed to implement CAS logout.

  Changed 3 years ago by matt

  • summary changed from Provide Central Authentication Service (CAS) to Plugin to provide Central Authentication Service (CAS)

  Changed 3 years ago by vipsoft

Note: phpCAS depends on the PEAR DB package and there's no indication if the developers will migrate to PEAR MDB2.

  Changed 22 months ago by avel

Hi, I just finished writing a CAS plugin using phpCAS.

Is there interest in this work? I will be able to release this shortly.

  Changed 22 months ago by matt

  • sensitive unset

avel, I'm sure there is interest. Maybe post your plugin here, with a README, and explain the differences from this plugin. Thanks!

PS: does it work with the current trunk too? We made some changes in the Login plugin, and I'm not sure if this breaks other Login plugins or not.

  Changed 22 months ago by avel

I'm not sure if it works with latest trunk, will need to test; it was developed on piwik 0.5.5.

I will post the plugin here in a couple of days. First I need to do some cleanups, make some things configurable and document the behavior I've chosen.

Regards, Alexandros Vellis

  Changed 22 months ago by avel

Attaching a "0.1" working package.

From the README:

User Provisioning Rationale

CASLogin currently authenticates users against the CAS service, but then authorizes them to piwik according to the user configuration tables inside piwik itself.

To make this work, first you need to make sure that the user that logs in also exists in piwik user tables and has some rights to view or edit sites.

The superuser login value in piwik itself should also correspond to a proper user in CAS.

So a way to make this work in *new* piwik installations is:

  • In main piwik configuration, set the "login" in [superuser] section to correspond to an actual CAS user.
  • Enable the CASLogin plugin (see "Installation" below).
  • Log in as the superuser. Go to Settings -> Users. Add a username (just the actual username is needed, other data can be left empty). And for that username, add some rights.

A further authorization and auto-provisioning mechanism can be written based on specific SAML attributes or any other data. See "Further Customization, Hacking" below.

Installation

  • Disable the "Login" plugin in administration panel.
  • Enable the "CASLogin" plugin.
  • In your main config/config.ini.php piwik configuration file, add a section that reads like this:
[caslogin]
protocol = SAML_VERSION_1_1
host = login.example.org
port = 443

Option "protocol" is one of CAS_VERSION_1_0, CAS_VERSION_2_0 or SAML_VERSION_1_1.

Further Customization, Hacking

If you want to grab some additional attributes, e.g. SAML, from your login server, then you can edit the file Auth.php. Search for "Additional Attributes", that's where they can be added to the session and made available to piwik.

If you want a user to be added automatically to the piwik users database, edit Auth.php and search for "User Autocreate". This is the place where you can enable adding to the database and probably add some default ACLs later, depending on specific SAML attributes or anything else you use in your CAS solution. The superuser can add rights by hand, or you can choose to add them at this step using the piwik API.

TODO

  • Coding style
  • Credit the authors of the plugins CASLogin was based on
  • Remove some duplicate functions
  • Allow more configurable provisioning
  • Make default login page somewhat more elegant

  Changed 22 months ago by avel

Perhaps a piwik developer could put this ticket in milestone "Third party piwik plugins" and rename it to "Login via CAS" so that it can get more exposure and feedback.

  Changed 22 months ago by vipsoft

  • keywords authentication, cas removed
  • summary changed from Plugin to provide Central Authentication Service (CAS) to Plugin to provide Login via Central Authentication Service (CAS)
  • milestone changed from Features requests - after Piwik 1.0 to Third Party Piwik Plugins

  Changed 22 months ago by avel

I am attaching a new version 0.2.

Known Issue

When one tries to add a user in piwik tables in order to authorize them, one has to enter dummy data in "password" field (which is not used) and has to fill in an e-mail address too.

It's a minor inconvenience for the superuser who authorizes other users manually in piwik administration interface.

Changelog

0.2: Fixes and slight improvements

  • Added the config option "additional root logins"
  • Small bugfix in login template
  • Cleanups
  • Coding style fixes

Additional Options

By default, only the user defined in piwik configuration (config/config.ini.php) in the [superuser] section is regarded as a superuser / root administrator.

However, with the CAS Login scheme, you might need to add additional accounts as superusers, each one of them logging in as normal with their own password.

If you'd like to do that, add these accounts in section [caslogin] as follows:

additionalsuperusers[] = uid1
additionalsuperusers[] = uid2

Note for this ticket: why am I not allowing a simple username/password login against the piwik database, like the Login plugin does? Because that would require including an extra username/password form in the login page. Just for that one superuser. That's why I include only the link to CAS login and just authorize a superuser later in piwik.

Feedback is welcome.
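The authorization model described in the README above ("User Provisioning Rationale") and extended by the additionalsuperusers[] option of 0.2 can be stated compactly: CAS only answers who the user is; whether that identity may use Piwik is decided locally from the [superuser] login, the [caslogin] additionalsuperusers[] entries, and the rows the superuser created under Settings -> Users, and anyone else is denied. The following is an added example that models that decision; it is not code from CASLogin or Piwik. The ini text and the user table are constructed for the example, the ini loader is a minimal stand-in for Piwik's config reader that only handles the "key = value" and "key[] = value" forms, and matching the CAS login against Piwik logins by exact string comparison is an assumption.

```python
"""Authenticate via CAS, authorize locally: added example, not the plugin's code."""
from dataclasses import dataclass


def load_ini(text: str) -> dict:
    """Tiny reader for the subset of PHP ini syntax used in Piwik's config.ini.php.

    Handles [section] headers, 'key = value' and the PHP array form 'key[] = value';
    ';' starts a comment. Anything more exotic raises instead of being guessed.
    """
    sections: dict = {}
    current = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
            continue
        if current is None or "=" not in line:
            raise ValueError("unsupported ini line: %r" % raw)
        key, value = (part.strip() for part in line.split("=", 1))
        value = value.strip('"')
        if key.endswith("[]"):                      # additionalsuperusers[] = uid1
            current.setdefault(key[:-2], []).append(value)
        else:
            current[key] = value
    return sections


@dataclass
class Decision:
    login: str
    superuser: bool = False
    allowed: bool = False
    reason: str = ""


def authorize(cas_login: str, config: dict, piwik_users: dict) -> Decision:
    """Map a login that CAS has already authenticated to local Piwik rights.

    Nothing is provisioned here: a CAS user with no row in the Piwik user table
    is denied, exactly as the README's manual-provisioning model requires.
    (Exact string comparison of logins is an assumption of this example.)
    """
    superusers = {config["superuser"]["login"]}
    superusers.update(config.get("caslogin", {}).get("additionalsuperusers", []))
    if cas_login in superusers:
        return Decision(cas_login, superuser=True, allowed=True, reason="superuser")
    access = piwik_users.get(cas_login)
    if access is None:
        return Decision(cas_login, reason="not in Piwik user table")
    if not access:
        return Decision(cas_login, reason="user exists but has no site access")
    return Decision(cas_login, allowed=True, reason="access to %d site(s)" % len(access))


# Constructed sample configuration, mirroring the README's [caslogin] section.
CONFIG_INI = """
; <?php exit; ?> DO NOT REMOVE THIS LINE
[superuser]
login = "admin"

[caslogin]
protocol = SAML_VERSION_1_1
host = login.example.org
port = 443
additionalsuperusers[] = uid1
additionalsuperusers[] = uid2
"""

# Constructed stand-in for Piwik's user/access tables: login -> {idsite: access}.
PIWIK_USERS = {"alice": {1: "view", 2: "admin"}, "bob": {}}


if __name__ == "__main__":
    cfg = load_ini(CONFIG_INI)
    for login in ("admin", "uid2", "alice", "bob", "mallory"):
        print(authorize(login, cfg, PIWIK_USERS))
```

Note that "bob" exists in the table but is still denied: the README's step of adding rights for the username is what actually grants access, not the row itself.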

  Changed 20 months ago by avel

I am attaching CASLogin 0.3, for anyone who might be interested. It has been in use in our environment for some weeks now, without any apparent issues.

Your feedback is still welcome.

Changelog

0.3:

  • Enabled single signout feature
  • Upgraded to phpCAS library 1.1.0RC8
  • Slightly modified phpCAS so as not to emit any PHP 5.3 warnings / deprecated messages.
  • Compatible with Piwik 0.6.x.
  • Allows use of CoreUpdater without signing in via CAS. (Fixed bug with endless loop redirects).

  Changed 18 months ago by avel

I am attaching CASLogin 0.4. There is a security update of the bundled phpCAS library, which is now version 1.1.2, and the plugin was briefly tested and confirmed to work with piwik 0.8.

  Changed 18 months ago by avel

Note about the security fixes of phpCAS 1.1.2: according to the Changelog:

  • Fix a session hijacking hole CVE-2010-2795 [PHPCAS-61] (Joachim Fritschi)
  • callbackurl in proxy mode should be urlencoded, possible XSS CVE-2010-2796 [PHPCAS-67] (Joachim Fritschi)

If you are using CASLogin in a production environment, you are urged to either upgrade the plugin or upgrade the bundled phpCAS library.

  Changed 18 months ago by avel

Version 0.5, attached below, fixes a compatibility issue with Piwik 0.8.

  Changed 12 months ago by vipsoft

I'll attempt to update this plugin later today. (I won't be able to test it though.)

The following security issues are addressed in phpCAS 1.1.3:

  • CVE-2010-3690 phpCAS: XSS during a proxy callback [PHPCAS-80] (Joachim Fritschi)
  • CVE-2010-3691 phpCAS: prevent symlink attacks during a proxy callback [PHPCAS-80] (Joachim Fritschi)
  • CVE-2010-3692 phpCAS: directory traversal during a proxy callback [PHPCAS-80] (Joachim Fritschi)

Piwik 1.1 may have also introduced some compatibility issues as there are references to new view properties in the Login module's templates (eg enableFramedlogins).

  Changed 12 months ago by ow

* Security: Upgraded bundled phpCAS to version 1.1.3. See CVE-2010-3690, CVE-2010-3691, CVE-2010-3692.

* Works with Piwik 1.1.1 (fixed bug with enableFramedlogins).

  Changed 12 months ago by ow

Version 0.6.2 now displays the correct version in the Piwik plugin interface.

  Changed 11 months ago by eashman

Maybe I'm missing something, but it appears that with the CAS plugin active, the "archive.sh" and other API based command line tools fail. Is there a way to flag the system so API calls and other administrative tasks do not have to authenticate with CAS?

Or maybe even a special array of usernames that can bypass CAS? Kind of like the way Unix allows you to step through various authentication methods until one works before rejecting a login?

  Changed 10 months ago by yato (follow-up in comment 21 below)

Hello,

I started using this plugin. It is really cool and works. But there seems to be a problem with languages that include special characters. For example: if a user with an umlaut like ä, ö, ü tries to log in via the CAS plugin, we get the following error:

There is an error. Please report the message and full backtrace in the Piwik forums.

Warning: DOMDocument::loadXML(): Input is not proper UTF-8, indicate encoding !Bytes: 0xF6 0x67 0x65 0x72 in Entity, line: 14 in
/path/to/piwik/plugins/CASLogin/CAS/CAS/domxml-php4-to-php5.php on line 72

Backtrace -->
#0 Piwik_ErrorHandler(2, DOMDocument::loadXML(): Input is not proper UTF-8, indicate encoding !Bytes: 0xF6 0x67 0x65 0x72 in Entity, line: 14,
/path/to/piwik/plugins/CASLogin/CAS/CAS/domxml-php4-to-php5.php, 72, Array ([str] => <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
<cas:authenticationSuccess> <cas:user>user</cas:user> <!-- Begin Ldap Attributes --> <cas:attributes> <cas:GivenName>Mr</cas:GivenName>
<cas:Surname>Möller</cas:Surname> <cas:Mail>mail@example.com</cas:Mail> </cas:attributes> <!-- End Ldap Attributes -->
</cas:authenticationSuccess></cas:serviceResponse>,[mode] => 0,[error] => ,[dom] => php4DOMDocument Object ([myDOMNode] => DOMDocument Object
(),[myOwnerDocument] => php4DOMDocument Object ( *RECURSION*),[errorMode] => ))#1 DOMDocument->loadXML(<cas:serviceResponse
xmlns:cas='X'> <cas:authenticationSuccess> <cas:user>user</cas:user> <!-- Begin Ldap Attributes --> <cas:attributes>
<cas:GivenName>Mr</cas:GivenName> <cas:Surname>Möller</cas:Surname> <cas:Mail>mail@example.com</cas:Mail> </cas:attributes> <!-- End Ldap
Attributes --> </cas:authenticationSuccess></cas:serviceResponse>) called at [/path/to/piwik/plugins/CASLogin/CAS/CAS/domxml-php4-to-php5.php:72]#2
domxml_open_mem(<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'> <cas:authenticationSuccess> <cas:user>user</cas:user> <!-- Begin Ldap Attributes
--> <cas:attributes> <cas:GivenName>Mr</cas:GivenName> <cas:Surname>Möller</cas:Surname> <cas:Mail>mail@example.com</cas:Mail>
</cas:attributes> <!-- End Ldap Attributes --> </cas:authenticationSuccess></cas:serviceResponse>) called at
[/path/to/piwik/plugins/CASLogin/CAS/CAS/client.php:2544]#3
CASClient->validatePT(X/cas/proxyValidate?service=https%3A%2F%2Fexample.piwiktracking.de%2Fpiwik%2Findex.php%3Fmodule%3DCASLogin%26action%3DredirectToCAS&ticket=ST-219-Fbm9AGJWRDE7kgVp3iTQ-cas,
<cas:serviceResponse xmlns:cas='X'> <cas:authenticationSuccess> <cas:user>user</cas:user> <!-- Begin Ldap Attributes -->
<cas:attributes> <cas:GivenName>Mr</cas:GivenName> <cas:Surname>Möller</cas:Surname> <cas:Mail>mail@example.com</cas:Mail>
</cas:attributes> <!-- End Ldap Attributes --> </cas:authenticationSuccess></cas:serviceResponse>, ) called at
[/path/to/piwik/plugins/CASLogin/CAS/CAS/client.php:1006]#4 CASClient->isAuthenticated() called at
[/path/to/piwik/plugins/CASLogin/CAS/CAS/client.php:915]#5 CASClient->checkAuthentication() called at
[/path/to/piwik/plugins/CASLogin/CAS/CAS.php:865]#6 phpCAS->checkAuthentication() called at [/path/to/piwik/plugins/CASLogin/Auth.php:68]#7
Piwik_CASLogin_Auth->authenticate() called at [/path/to/piwik/core/Access.php:131]#8 Piwik_Access->reloadAccess(Piwik_CASLogin_Auth Object ([] => ,[] =>
)) called at [/path/to/piwik/core/FrontController.php:243]#9 Piwik_FrontController->init() called at [/path/to/piwik/index.php:56]


CAS Authentication failed!

You were not authenticated.

Thanks a lot in advance,

yato

  Changed 10 months ago by avel

To reply to eashman, since I haven't had time to update the plugin:

Yes, archive.sh cannot run. CASLogin needs to be fixed. However, what I have done in my installations as a temporary workaround is: copy the whole directory tree of piwik to another location; change that directory's configuration to _not_ use CASLogin plugin; point cron's archive.sh to that directory. It's beyond ugly but it works.

There are also further bugs and logic errors that need to be fixed. I haven't checked ow's changes yet to confirm that they fix them. I might be able to pick it up again in the near future (2 or 3 months' time).

  Changed 10 months ago by yato (in reply to comment 19 above)

Hello

CAS Authentication failed! You were not authenticated.

The bug I had was a configuration of the CAS server. We changed the encoding to utf8 on the server side (was i8... before). Works now.

yato

  Changed 9 months ago by Nirzol

Hello. I just tried to test this plugin but have some errors:

Warning: DOMDocument::loadXML(): Space required after the Public Identifier in Entity, line: 1 in /var/www/piwik2/plugins/CASLogin/CAS/CAS/domxml-php4-to-php5.php on line 72

Backtrace --> #0 Piwik_ErrorHandler(2, DOMDocument::loadXML(): Space required after the Public Identifier in Entity, line: 1, /var/www/piwik2/plugins/CASLogin/CAS/CAS/domxml-php4-to-php5.php, 72, Array ([str] => <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>302 Found</title></head><body><h1>Found</h1><p>The document has moved <a href=" https://cas3.xxx.fr/cas/?TARGET=http%3A%2F%2Fxxx.fr%2Fpiwik-dev%2Findex.php%3Fmodule%3DCASLogin%26action%3Dlogin">here</a>.</p><hr><address>Apache Server at cas3.xxx.fr Port 443</address></body></html>,[mode] => 0,[error] => ,[dom] => php4DOMDocument Object ([myDOMNode] => DOMDocument Object (),[myOwnerDocument] => php4DOMDocument Object ( *RECURSION*),[errorMode] => ))#1 DOMDocument->loadXML(<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>302 Found</title></head><body><h1>Found</h1><p>The document has moved <a href=" https://cas3.xxx.fr/cas/?TARGET=http%3A%2F%2Fxxx.fr%2Fpiwik-dev%2Findex.php%3Fmodule%3DCASLogin%26action%3Dlogin">here</a>.</p><hr><address>Apache Server at cas3.xxx.fr Port 443</address></body></html>) called at /var/www/piwik2/plugins/CASLogin/CAS/CAS/domxml-php4-to-php5.php:72#2 domxml_open_mem(<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>302 Found</title></head><body><h1>Found</h1><p>The document has moved <a href=" https://cas3.xxx.fr/cas/?TARGET=http%3A%2F%2Fwww-stats.xxx.fr%2Fpiwik-dev%2Findex.php%3Fmodule%3DCASLogin%26action%3Dlogin">here</a>.</p><hr><address>Apache Server at cas3.xxx.fr Port 443</address></body></html>) called at /var/www/piwik2/plugins/CASLogin/CAS/CAS/client.php:1534#3 CASClient->validateSA(, <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>302 Found</title></head><body><h1>Found</h1><p>The document has moved <a href=" https://cas3.xxx.fr/cas/?TARGET=http%3A%2F%2Fwww-stats.xxx.fr%2Fpiwik-dev%2Findex.php%3Fmodule%3DCASLogin%26action%3Dlogin">here</a>.</p><hr><address>Apache Server at cas3.xxx.fr Port 
443</address></body></html>, ) called at /var/www/piwik2/plugins/CASLogin/CAS/CAS/client.php:1019#4 CASClient->isAuthenticated() called at /var/www/piwik2/plugins/CASLogin/CAS/CAS/client.php:915#5 CASClient->checkAuthentication() called at /var/www/piwik2/plugins/CASLogin/CAS/CAS.php:865#6 phpCAS->checkAuthentication() called at /var/www/piwik2/plugins/CASLogin/Auth.php:68#7 Piwik_CASLogin_Auth->authenticate() called at /var/www/piwik2/core/Access.php:131#8 Piwik_Access->reloadAccess(Piwik_CASLogin_Auth Object ([] => ,[] => )) called at /var/www/piwik2/core/FrontController.php:256#9 Piwik_FrontController->init() called at /var/www/piwik2/index.php:57
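The two backtraces in this thread (yato's "Input is not proper UTF-8 ... Bytes: 0xF6" and Nirzol's "Space required after the Public Identifier") are both the XML parser choking on a CAS validation response that is not well-formed UTF-8 XML: in the first case the server emitted Latin-1 bytes for "ö" without declaring an encoding, in the second the server answered with an HTML "302 Found" page instead of a cas:serviceResponse. The following is an added example, not code from CASLogin or phpCAS, showing how a client can recognise both conditions and report them instead of failing inside the XML library. The sample bodies are constructed from the responses quoted above and shortened; the authenticationFailure sample with code INVALID_TICKET is an assumed reply added for completeness, and the namespace URI is the one visible in the traces.

```python
"""Robust handling of a CAS serviceValidate / proxyValidate body (added example)."""
import xml.etree.ElementTree as ET

CAS_NS = "http://www.yale.edu/tp/cas"


def _cas(tag: str) -> str:
    """Clark-notation name for an element in the CAS namespace."""
    return "{%s}%s" % (CAS_NS, tag)


class CasValidationError(Exception):
    """The body cannot be treated as a successful validation."""


def decode_body(raw: bytes) -> str:
    # An XML body with no encoding declaration must be UTF-8. A server that
    # sends Latin-1 bytes (0xF6 for "ö") produces the loadXML() warning from the
    # thread; the fix is server-side, so fail loudly and say where.
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError as exc:
        window = raw[exc.start:exc.start + 4].hex(" ")
        raise CasValidationError(
            "response is not valid UTF-8 at byte %d (bytes %s); "
            "set the CAS server's output encoding to UTF-8" % (exc.start, window)
        ) from exc


def parse_service_response(raw: bytes) -> dict:
    text = decode_body(raw).lstrip()
    # A wrong host/port/path, or a redirect to the login page, yields HTML.
    # Refuse it up front rather than letting the XML parser trip on <!DOCTYPE HTML PUBLIC ...>.
    if text[:15].lower().startswith(("<!doctype", "<html")):
        raise CasValidationError("CAS returned HTML, not XML: check the server host, port and path")
    try:
        root = ET.fromstring(text)
    except ET.ParseError as exc:
        raise CasValidationError("malformed XML: %s" % exc) from exc
    if root.tag != _cas("serviceResponse"):
        raise CasValidationError("unexpected root element %r" % root.tag)

    success = root.find(_cas("authenticationSuccess"))
    if success is None:
        failure = root.find(_cas("authenticationFailure"))
        code = failure.get("code", "UNKNOWN") if failure is not None else "UNKNOWN"
        raise CasValidationError("authentication failed: %s" % code)

    user = (success.findtext(_cas("user")) or "").strip()
    if not user:
        raise CasValidationError("authenticationSuccess without a <cas:user>")

    # The optional attribute block (the "Additional Attributes" the README
    # mentions); names may repeat, so keep lists.
    attributes: dict = {}
    attrs_el = success.find(_cas("attributes"))
    if attrs_el is not None:
        for child in attrs_el:
            name = child.tag.split("}", 1)[-1]
            attributes.setdefault(name, []).append((child.text or "").strip())
    return {"user": user, "attributes": attributes}


def validate_response(raw: bytes) -> dict:
    """Never raises; anything other than status 'ok' means 'not authenticated'."""
    try:
        return {"status": "ok", **parse_service_response(raw)}
    except CasValidationError as exc:
        return {"status": "error", "reason": str(exc)}


# Constructed samples, shortened from the responses quoted in the ticket.
UTF8_OK = (
    b"<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>"
    b"<cas:authenticationSuccess><cas:user>user</cas:user>"
    b"<cas:attributes><cas:GivenName>Mr</cas:GivenName>"
    b"<cas:Surname>M\xc3\xb6ller</cas:Surname></cas:attributes>"
    b"</cas:authenticationSuccess></cas:serviceResponse>"
)
LATIN1_BROKEN = UTF8_OK.replace(b"M\xc3\xb6ller", b"M\xf6ller")  # yato's server before the fix
HTML_REDIRECT = (                                                  # Nirzol's 302 page
    b'<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head>'
    b"<title>302 Found</title></head><body><h1>Found</h1></body></html>"
)
TICKET_REJECTED = (                                                # assumed failure reply
    b"<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>"
    b"<cas:authenticationFailure code='INVALID_TICKET'>Ticket not recognized"
    b"</cas:authenticationFailure></cas:serviceResponse>"
)

if __name__ == "__main__":
    for name, body in (("utf8", UTF8_OK), ("latin1", LATIN1_BROKEN),
                       ("html", HTML_REDIRECT), ("rejected", TICKET_REJECTED)):
        print(name, validate_response(body))
```

The example only distinguishes the failure modes; it does not paper over them. Decoding the Latin-1 bytes leniently would let the login succeed with a mangled attribute value, and the right fix is the one yato applied on the server. For a production client, parse the body with defusedxml rather than the standard library parser so that entity-expansion tricks in a hostile response are rejected as well.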

  Changed 2 months ago by tkuipers

After upgrading to Piwik 1.6 I received a lot of missing variable errors. See this thread: http://forum.piwik.org/read.php?2,83925. I've attached a new version, http://dev.piwik.org/trac/attachment/ticket/598/CASLogin-0.6.3.tgz, to resolve these issues.

  Changed 2 months ago by matt

tkuipers, thanks for fixing the bug!