When using Joomla as a corporate Intranet, integration with Active Directory significantly improves the user experience, as the user’s Windows credentials can be used to log onto Joomla. This is commonly referred to as Single Sign On (SSO), where one account can be used on multiple systems. To make this experience even better, we can implement Single Sign In (SSI), where the Windows username and password are automatically passed to the browser and the user is logged in automatically.
The Active Directory integration is achieved with free extensions provided by JMapMyLDAP. You can download the plugins from their website.
http://shmanic.com/tools/jmapmyldap/download.htm
The documentation is located at:
http://shmanic.com/tools/jmapmyldap/guide.htm#configuser
For this example, I’m going to demonstrate how to set up SSO and SSI on a Joomla 3.1.1 site.
The first step is to download the LDAP package pkg_jmapmyldap.zip from Shmanic.
Install this package on your Joomla site.
Go to your plugin manager, and locate the “Authentication – JMapMyLDAP” plugin.
You will need to enable this plugin, then click the Basic Options tab to customize some settings.
The host is the name or IP address of your LDAP server, in this case a Windows Domain Controller. The connect user is the name of the user we are using for the LDAP connection. In this case we are using an account called LDAP Service which is located in the Service Account OU that is within the AU OU.
CN=LDAP service,OU=Service Accounts,OU=AU,DC=yourdomainasiapac,DC=com
Here is an example of the LDAP Service account.
The LDAP Service account doesn’t need domain admin rights, just add it to the Domain Users group.
The Base DN should match your active directory, in this case DC=yourdomainasiapac,DC=com
The User DN / Filter for Active Directory should be set to (sAMAccountName=[username]).
For Active Directory, the Map User ID should be set to sAMAccountName.
The Map Full Name is set to displayName which, as you will see below, matches the Display name field of the user’s Active Directory account.
The Map Email is set to mail, which refers to the E-mail field in the user’s Active Directory account.
Next you will need to download and install the SSO package pkg_jssomysite_plugins.zip from Shmanic.
Install this via extension manager.
Go to your plugin manager, and locate “SSO – HTTP” plugin.
You will need to enable the SSO – HTTP plugin.
On the Basic Options tab, you will need to set the appropriate User Key that is passed by the browser to your web server. In this case we are using REMOTE_USER, but some web servers use AUTH_USER. Note that this Intranet is hosted on IIS.
If you look at your phpinfo, which you can do via the following code <?php phpinfo(); ?>, you will see the REMOTE_USER in the PHP Variables section. As you can see, the username has a domain prefix, so that is why we needed the ASIAPAC\ in the username replacement.
Note that if the username replacement is not configured correctly Single Sign In (SSI) will not work.
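The username replacement and the User DN / Filter setting described above can be sketched in PHP as follows. This is an added example, not code from JMapMyLDAP or JSSOMySite: it strips the ASIAPAC\ prefix from REMOTE_USER and substitutes the result into (sAMAccountName=[username]) with RFC 4515 escaping. The function names and the sample values are assumptions made for illustration.

```php
<?php
// Added illustration; not code from JMapMyLDAP or JSSOMySite.
// Function names and sample inputs are hypothetical.

// Domain prefix the web server is expected to put in front of the user name
// (the page's example is ASIAPAC\).
const EXPECTED_DOMAIN = 'ASIAPAC';

// Turn the server-supplied REMOTE_USER (e.g. "ASIAPAC\jsmith") into the bare
// sAMAccountName. Returns null when the value is empty, carries a different
// domain, or has no user part, so the caller can skip automatic login.
function samAccountFromRemoteUser(?string $remoteUser): ?string
{
    if ($remoteUser === null || $remoteUser === '') {
        return null;
    }
    $parts = explode('\\', $remoteUser, 2);
    if (count($parts) !== 2) {
        return null; // no DOMAIN\ prefix present
    }
    [$domain, $user] = $parts;
    if (strcasecmp($domain, EXPECTED_DOMAIN) !== 0 || $user === '') {
        return null;
    }
    return $user;
}

// Escape a value for use inside an LDAP search filter (RFC 4515): the
// characters \ * ( ) and NUL become \5c \2a \28 \29 \00.
function escapeLdapFilterValue(string $value): string
{
    return strtr($value, [
        '\\' => '\\5c', '*' => '\\2a', '(' => '\\28', ')' => '\\29', "\0" => '\\00',
    ]);
}

// Substitute the user name into the page's filter template.
function buildUserFilter(string $user): string
{
    return str_replace('[username]', escapeLdapFilterValue($user), '(sAMAccountName=[username])');
}

// Constructed sample values standing in for $_SERVER['REMOTE_USER'];
// the last one contains filter metacharacters.
foreach (['ASIAPAC\\jsmith', 'OTHER\\jsmith', 'jsmith', 'ASIAPAC\\j(smith)*'] as $raw) {
    $user = samAccountFromRemoteUser($raw);
    echo $raw, ' => ', $user === null ? 'rejected' : buildUserFilter($user), PHP_EOL;
}
```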
The next plugin to locate is System – JSSOMySite.
All we need to do is enable this plugin.
Now we need to configure “User – JMapMyLDAP” plugin.
Enable this plugin, then go to the Basic Options tab.
Since we are using the Authentication – JMapMyLDAP plugin, we set Authentication Plugin to jmapmyldap.
On the Group Mappings tab, you can configure which AD groups you want to map to which Joomla user groups.
Now if all goes well, when you type in your website URL in your browser, it should automatically recognize who you are and log you into Joomla, giving you the appropriate access to content.
Now the above SSI works with Internet Explorer, but for Firefox, you need to use a plugin called Integrated Authentication for Firefox, which you can download for free from https://addons.mozilla.org/en-US/firefox/addon/integrated-auth-for-firefox/
Once you’ve installed this plugin, you will need to go to Tools->Integrated Authentication Sites and add in your domain.
If all goes well, you should now have single sign on and single sign in implemented in your Joomla Intranet. If this blog post helps you to configure it successfully, please leave me a comment below.