
When using Joomla as a corporate Intranet, integration with Active Directory significantly improves the user experience, as the user's Windows credentials can be used to log onto Joomla. This is commonly referred to as Single Sign On (SSO), where one account is used across multiple systems. To make this experience even better, we can implement Single Sign In (SSI), where the browser authenticates to the web server with the user's existing Windows logon (Integrated Windows Authentication), so no password is ever typed into Joomla and the user is logged in automatically.
The Active Directory integration is achieved with a free set of extensions provided by JMapMyLDAP. You can download the plugins from their website.
http://shmanic.com/tools/jmapmyldap/download.htm
The documentation is located at:
http://shmanic.com/tools/jmapmyldap/guide.htm#configuser
For this example, I’m going to demonstrate how to set up SSO and SSI on a Joomla 3.1.1 site.

The first step is to download the LDAP package pkg_jmapmyldap.zip from Shmanic.
 

Install this package on your Joomla site.
 

Go to your plugin manager, and locate the “Authentication – JMapMyLDAP” plugin.
 

You will need to enable this plugin, then click the Basic Options tab to customize some settings.
 

 

 

The host is the name or IP address of your LDAP server, in this case a Windows Domain Controller. The connect user is the account the plugin binds to the directory with in order to look users up. In this case we are using an account called LDAP Service, located in the Service Accounts OU inside the AU OU, specified by its distinguished name:
CN=LDAP Service,OU=Service Accounts,OU=AU,DC=yourdomainasiapac,DC=com
Keep in mind that this account's password is stored in the plugin configuration, and that a plain LDAP connection on port 389 sends it, along with every user password the plugin verifies, across the network in clear text. If you can, configure the connection to use LDAPS (port 636) or StartTLS between the web server and the domain controller.
 

Here is an example of the LDAP Service account.
 

 

The LDAP Service account doesn't need domain admin rights; an ordinary member of the Domain Users group can read the user attributes and group memberships the plugin needs. Make it a dedicated account with a strong password rather than reusing an existing one, since its credentials live in the Joomla configuration.
 


The Base DN should match your active directory, in this case DC=yourdomainasiapac,DC=com
 

The User DN / Filter for Active Directory should be set to (sAMAccountName=[username]).

For Active Directory, the Map User ID should be set to sAMAccountName.
The Map Full Name is set to displayName, which, as you will see below, matches up with the Display name field of the user's Active Directory account.
The Map Email is set to mail, which refers to the E-mail field of the user's Active Directory account.

 



Next you will need to download and install the SSO package pkg_jssomysite_plugins.zip from Shmanic.
 

Install this via extension manager.
 

Go to your plugin manager, and locate “SSO – HTTP” plugin.
 

You will need to enable the SSO – HTTP plugin.
 

On the Basic Options tab, you will need to set the appropriate User Key, which is the server variable the web server populates with the authenticated user's name. In this case we are using REMOTE_USER, but some web servers use AUTH_USER. Note that this Intranet is hosted on IIS. IIS only populates REMOTE_USER after it has authenticated the request itself, so the site must have Windows Authentication enabled and Anonymous Authentication disabled; otherwise the variable is empty and users simply see the normal login form. Because REMOTE_USER is set by the server rather than sent by the client, it cannot be forged with a request header, which is what makes it safe to trust here.
 

If you look at your phpinfo, which you can do via the following code <?php phpinfo(); ?>, you will see REMOTE_USER in the PHP Variables section. As you can see, the username has a domain prefix (ASIAPAC\ followed by the account name), which is why the Username Replacement field is set to ASIAPAC\, so that the prefix is stripped before the name is looked up in the directory.
 

Note that if the username replacement is not configured correctly Single Sign In (SSI) will not work.
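To make the User Key and Username Replacement behaviour concrete, here is an added example (my own illustration, not code from the SSO – HTTP plugin) of how a bare login name should be derived from the server variable. It assumes a PHP-style server variable dictionary, the ASIAPAC\ replacement from this article, and a conservative allow-list for the resulting account name; the REMOTE_USER values in the test are constructed.

```python
import re

# Settings as configured in the article; the UPN-style replacement used in the
# test below (@yourdomainasiapac.com) is an assumption for illustration.
USER_KEY = "REMOTE_USER"
USERNAME_REPLACEMENT = "ASIAPAC\\"

# Allowed characters in the account name we hand to the LDAP lookup.
# Widen this if your sAMAccountName naming standard needs it.
ACCOUNT_NAME = re.compile(r"[A-Za-z0-9._-]+")


def sso_username(server_vars, user_key=USER_KEY, replacement=USERNAME_REPLACEMENT):
    """Return the bare username to look up in the directory, or None to fall
    back to the normal login form.

    server_vars are the CGI variables the web server sets ($_SERVER in PHP).
    Only the configured server variable is read; request headers arrive as
    HTTP_* keys and are never consulted, because a client can send any header
    it likes but cannot set REMOTE_USER on an IIS site that requires
    Windows Authentication.
    """
    raw = server_vars.get(user_key, "")
    if not raw:
        return None  # anonymous request: the web server did not authenticate it

    name = raw
    if replacement:
        name = name.replace(replacement, "")  # strip the DOMAIN\ or @domain part

    # A leftover realm separator means the name came from a different domain
    # than the replacement was written for (e.g. a trusted forest). Do not let
    # OTHERDOM\tplummer silently become the local tplummer.
    if "\\" in name or "@" in name or not ACCOUNT_NAME.fullmatch(name):
        return None
    return name


if __name__ == "__main__":
    print(sso_username({"REMOTE_USER": "ASIAPAC\\tplummer"}))  # tplummer
    print(sso_username({"REMOTE_USER": "OTHERDOM\\tplummer"}))  # None
```

The two checks that matter for security are reading the server variable rather than a header, and refusing any name that still carries a domain separator after the replacement has been applied.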
The next plugin to locate is System – JSSOMySite.
 

All we need to do is enable this plugin.
 

Now we need to configure “User – JMapMyLDAP” plugin.
 

Enable this plugin, then go to the Basic Options tab.
 

Since we are using the Authentication – JMapMyLDAP plugin, we set Authentication Plugin to jmapmyldap.
 

On the Group Mappings tab, you can configure which AD groups you want to map to which Joomla user groups.
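To show how the LDAP settings above (the User DN / Filter, the Map User ID / Full Name / Email attributes) and the Group Mappings tab fit together, here is an added example of the lookup a login triggers, written by me as an illustration rather than taken from JMapMyLDAP. It runs offline against a constructed directory entry; the group DNs, the Intranet Editors group and its Joomla group id 4, and the "<group DN>:<Joomla group id>" mapping format are assumptions (id 2 is Registered in a stock Joomla install). The one point the paragraph does not spell out is that whatever substitutes [username] into the filter must escape it, so the example includes that step.

```python
import re

# Settings exactly as configured in the article
USER_FILTER = "(sAMAccountName=[username])"
MAP_USER_ID = "sAMAccountName"
MAP_FULL_NAME = "displayName"
MAP_EMAIL = "mail"

# Group Mappings, assumed "<AD group DN>:<Joomla group id>" format.
# Group id 2 is Registered in a stock Joomla install; the Intranet Editors
# group and its id 4 are hypothetical.
GROUP_MAPPINGS = [
    "CN=Domain Users,CN=Users,DC=yourdomainasiapac,DC=com:2",
    "CN=Intranet Editors,OU=Groups,OU=AU,DC=yourdomainasiapac,DC=com:4",
]

# Constructed directory standing in for the domain controller's search results
DIRECTORY = {
    "tplummer": {
        "sAMAccountName": "tplummer",
        "displayName": "Tim Plummer",
        "mail": "tim@yourdomainasiapac.com",
        "memberOf": [
            "CN=Domain Users,CN=Users,DC=yourdomainasiapac,DC=com",
            # AD returns DNs in whatever case they were created with
            "cn=Intranet Editors,ou=Groups,ou=AU,dc=yourdomainasiapac,dc=com",
        ],
    },
}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value substituted into a search filter, so that
    '*', '(', ')', '\\' and NUL in a typed username are matched literally
    instead of changing the meaning of the filter."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value
    )


def build_user_filter(username: str) -> str:
    """Substitute the (escaped) login name into the configured User DN / Filter."""
    return USER_FILTER.replace("[username]", escape_filter_value(username))


def fake_ldap_search(flt: str):
    """Stand-in for ldap_search() over DIRECTORY. It understands only the single
    equality filter used above and decodes the escapes before comparing, which
    is why an escaped '*' is a literal character rather than a wildcard."""
    m = re.fullmatch(r"\(sAMAccountName=(.*)\)", flt)
    if m is None:
        return None
    literal = re.sub(r"\\([0-9a-fA-F]{2})",
                     lambda x: chr(int(x.group(1), 16)), m.group(1))
    return DIRECTORY.get(literal)


def normalise_dn(dn: str) -> str:
    """AD distinguished names are case-insensitive; normalise before comparing.
    Splitting on ',' is enough here; escaped commas inside an RDN are ignored."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def map_groups(entry: dict) -> list:
    """Joomla group ids the user should hold, from memberOf and GROUP_MAPPINGS."""
    member_of = {normalise_dn(dn) for dn in entry.get("memberOf", [])}
    ids = []
    for rule in GROUP_MAPPINGS:
        dn, _, gid = rule.rpartition(":")
        if normalise_dn(dn) in member_of:
            ids.append(int(gid))
    return ids


def lookup_user(username: str):
    """What the plugins do for one login: search, map attributes, map groups.
    Returns None when no directory entry matches."""
    entry = fake_ldap_search(build_user_filter(username))
    if entry is None:
        return None
    return {
        "username": entry[MAP_USER_ID],
        "name": entry.get(MAP_FULL_NAME, ""),
        "email": entry.get(MAP_EMAIL, ""),
        "groups": map_groups(entry),
    }


if __name__ == "__main__":
    print(lookup_user("tplummer"))
    print(build_user_filter("*)(objectClass=*"), lookup_user("*)(objectClass=*"))
```

The case-insensitive DN comparison is the part people most often get wrong when a mapping "looks right" but no groups are assigned: the DN you type on the Group Mappings tab must refer to the same object the directory returns in memberOf, even if the letter case differs.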
 

 

Now if all goes well, when you type in your website URL in your browser, it should automatically recognize who you are and log you into Joomla, giving you the appropriate access to content.
 

The SSI described above works out of the box with Internet Explorer, but for Firefox you need an add-on called Integrated Authentication for Firefox, which you can download for free from https://addons.mozilla.org/en-US/firefox/addon/integrated-auth-for-firefox/
Once you've installed this add-on, go to Tools->Integrated Authentication Sites and add your domain. The add-on is a convenient way of setting Firefox's own network.negotiate-auth.trusted-uris and network.automatic-ntlm-auth.trusted-uris preferences in about:config, which you can also set directly (for example from a deployment script). Either way, list only your Intranet host: any site on that list can ask the browser to authenticate with the user's Windows credentials.
 


If all goes well, you should now have single sign on and single sign in implemented in your Joomla Intranet. If this blog post helps you to configure it successfully, please leave me a comment below.

  • Hi Jeremy,
    The JSSOMySite is not essential, you can still have the LDAP authentication without single sign on, it just means the users will need to enter their username and password manually, rather than the browser passing the windows credentials through automatically.

  • Guest - Jan van Kuijk

    I want to connect with LDAP to a Windows Server 2008 R2.

    Is that possible?

    Jan

  • The version of windows should not matter, LDAP is a pretty standard protocol.

  • Guest - Alberto

    Hi,

    Thanks Tim, great tutorial! A question:

    I have a Joomla site with a customized LDAP authentication. Now I need to implement SSO so users can access it with their Windows credentials. Is it possible to use this module only for SSO, and continue using the other module for user authentication?

    Other issue.... I have configured the web server to get the REMOTE_USER value, but this value is something like:

    username@domain.com

    What must I set in the "Username Replacement" field in the configuration? @domain.com? domain\ ?

    Thanks!

    from Spain
  • Hi Alberto,
    If you take a look at /plugins/sso/http/http.php, you will see that this is just returning the username from REMOTE_USER, and before it returns it the username replacement filters out unnecessary characters. So while I have never used this with a custom LDAP authentication plugin, I don't see why it wouldn't work.
    For username replacement, have you tried @domain.com?

    regards

    Tim

  • Guest - Alberto

    Hi and thanks Tim,

    I have set @domain.com in the 'Username replacement' field but the SSO doesn't work. To configure only SSO, this is the process I have followed:

    - Download 'pkg_jssomysite_plugins' from Shmanic.
    - Install the plugin in Joomla
    - Enable the SSO - HTTP plugin, setting the 'Username replacement' to '@domain.com'
    - Enable the 'JSSOMySite' plugin

    With these steps, if I access the main page, I don't log in automatically, and no error message is shown.

    Do I need some additional step or configuration?

    Thanks Tim,

    Regards

  • Guest - Alberto

    Checking error.php, the following error is shown on every attempt:

    SSO: Failed to authenticate user 'user@domain.es'.

    The user replacement seems correct. What could be happening?

    Thanks

  • Hi Alberto,
    I suggest you log into the back end of your site, and do the following:
    components->Shmanic LDAP
    LDAP host configuration
    Select your config record
    Full debug = Yes
    Test username = your windows username
    Test password = your windows password
    Press the Test/Debug button at the top left.
    Take a look at the debugging output, it should give you some clues as to why it is not working. One obvious thing to check is that your LDAP service account is not locked out.

    regards

    Tim

  • Guest - Bill

    I've got LDAP integration working, but, using AD groups, how do I associate the appropriate rights in Joomla?

    from San Francisco, CA, USA
  • Hi Bill,
    With JMapMyLDAP, you can map active directory groups to Joomla groups. Based on AD group membership they get the appropriate group assignment on Joomla and permissions based on the access levels assigned to that group.

    http://timplummer.com.au/images/july2013/ldap/16.png

    The number after the colon (in this case 2) is the id of the Joomla group that the AD group maps to. You need to get the OU stuff right, which is going to vary depending on the group structure in AD.

    In the example above, I have the User group under AU (the abbreviation for Australia).

    http://timplummer.com.au/images/july2013/ldap/19.png

    regards

    Tim