Noobie CAS Authentication Questions
bazooka
06-09-2009, 01:33 AM
Howdy. I just signed up.
I built the latest mindtouch-core and the trial version on separate Ubuntu Jaunty VMs. Honestly, the first time I ever looked at this was when a business partner asked me to this morning. I'm signed onto the webinar tomorrow morning. But at the moment, I'm wading through SSO threads. I was hoping to get the 411 first, before I waste any time. My impression from searching is that a lot of thought has already been put into SSO, but not for CAS.
I've got this platform where I've integrated multiple opensource apps with CAS for single-sign. I've got a rubycas-server backed with openldap. I've got a mix of php-based apps and rails-based apps. I wrote a CAS authentication class for SugarCRM following an example written for crowd. So you can say that I'm committed to using CAS and probably looking for a php way to do this. At the same time, I'm open to what's easiest.
It seems straightforward enough to install the phpcas-client library and then use either a php script or dekiscript to login the user. There's also a REST API and this Dream thing. I'm already using SnapLogic, which could give me an entry point. But that all seems completely unnecessary. If I understand it correctly, I can just write a php Authentication class that gets a ticket from my CAS server and then logs the user into mindtouch? I'm guessing that I have to set it to be used in the php config file? In SugarCRM I also had to set it to execute in index.php so that it would run on every page. Is there an equivalent here?
I looked at some sample code in the wiki that returned an AuthToken. Is that a good place to start, or is there an appropriate php example?
And I also have a confession to make. I'm all Ubuntu all the time. I'm fatally allergic to anything Microsoft. It makes my tongue swell and I break out in hives.
Thanks.
Paul
bazooka
06-09-2009, 03:29 AM
Ok, I've done a little more homework.
I see from the RESTFul HTTP example that, after authentication, there is a "user lookup".
"When a user successfully authenticates, DekiWiki retrieves additional information about the user to create an internal user record. The internal record is only used for tracking the user's activities and not for authentication."
At the same time, the HTTP auth call is expected to return user info as well.
The provider responds with status code 200 (ok) upon successful authentication while also returning the requestor's user info.
The HTTP example goes on to show email, group info, etc. in the response.
Now, my cas-server can optionally pass user info along with the ticket in response to the cas-client request. So I could do that if I wanted to. In my case, I've got openldap set up for the cas-server. With my other applications, I also installed openldap on those servers and then set up multi-master replication. The idea is that it keeps user logins in sync between servers and that, should I ever have a reason, I could pass user info along with the ticket. Also, that way I don't proliferate user databases with every new app and I get good redundancy.
In this case, it seems logical to either pass info along with the CAS ticket, or just pass the ticket and create the user record from the local openldap server. There is a good example from the wiki of loading user data from openldap. Ultimately, in my case, it's the same data anyway.
But why does the example pass user info beyond the login name and token TWICE?
--Paul
bazooka
06-09-2009, 04:37 PM
This example looks pretty relevant.
http://forums.developer.mindtouch.com/showthread.php?t=4737&highlight=authentication+php
// first open a plug to the server
$wgDekiPlug = new Plug('http://localhost:8081');
$wgDekiPlug = $wgDekiPlug->At('deki');
// authenticate with the $_SERVER['REMOTE_USER'];
$auth_result = $wgDekiPlug->At('users', 'authenticate')->With('apikey', 'API KEY HERE')->WithCredentials($_SERVER['REMOTE_USER'], '')->With('authprovider', AUTH_PROVIDER_ID_FROM_DB)->Post();
if ($auth_result['status'] == '200') {
// get the user's cookie (the response body is the authtoken)
$cookie = $auth_result['body'];
// set auth token on subsequent calls; only meaningful when authentication succeeded
$wgDekiPlug = $wgDekiPlug->setHeader('X-Authtoken', $cookie);
}
Here's an interesting solution for creating users in ldap. http://ldapweb.sourceforge.net/. From this thread: http://forums.developer.mindtouch.com/showthread.php?t=935&highlight=authentication+php
And finally, I see that this CAS question has been asked before without a response. Where's the love?
bazooka
06-10-2009, 01:43 AM
Ok. I hope you guys don't mind me scrapbooking here. It helps me organize, and may help others.
I think that I have a solution that is suboptimal and slightly kluged, but might work. The problem is that all the APIs assume that someone is going to enter a username and password into a login page that gets passed to the custom authentication service. Then the API assumes that the service will return that the user is valid. If you use User/authenticate/post, it will even create the new user after checking the database. CAS doesn't really work that way. The only login screen that a user should EVER see is the CAS server login. I think it makes sense to redirect back on a failed login and let the application put an "access denied" message. We're going to have to work around some things.
Here are my assumptions:
1. I can set a script to execute on every page in index.php (the one in the install dir ??).
2. I can execute that script before there is a valid login.
3. I can create and register as default an authentication service called fooAuthenticate that basically just returns "True".
4. I'm going to later deal with passing user information along with the CAS return call, or tell Mindtouch to get that info from the local LDAP server. That server would have a multi-master setup with the LDAP server on my CAS-server. That way, the user logins won't get out of sync.
Here's my script that is included at the top of index.php
<?php
// Included at the top of index.php so it runs on every request.
ini_set("display_errors", "2");
error_reporting(E_ALL);

include '../includes/dream.php';
include '../includes/CAS/CAS.php';

class CASAuthenticate {

    function __construct() {
        //I'm guessing on this one based on my experience with SugarCRM.
        @session_start();
        // Don't try to login if the user is logging out
        if (isset($_REQUEST['action']) && $_REQUEST['action'] == 'Logout') {
            $this->logout();
        }
        // If the user is already authenticated, there's nothing to do
        elseif (isset($_COOKIE['authtoken'])) {
            return;
        }
        // Try to log the user in via CAS for seamless SSO
        else {
            // host, port and server URI (path) of the CAS server
            phpCAS::client(CAS_VERSION_2_0, '12.24.56.78', 443, '/CAS');
            // Skips checking the CAS server's TLS certificate. Acceptable on a test VM;
            // in production use phpCAS::setCasServerCACert() instead, since the ticket
            // validation reply is what asserts the user's identity.
            phpCAS::setNoCasServerValidation();
            phpCAS::forceAuthentication();
            $authenticated = phpCAS::isAuthenticated();
            $user = phpCAS::getUser();
            // Dummy password: fooAuthenticate accepts anything for a user CAS has already vouched for.
            $password = 'foobar';
            // We already know that person is legit.
            if ($authenticated) {
                // first open a plug to the server
                $wgDekiPlug = new Plug('http://localhost:8081');
                $wgDekiPlug = $wgDekiPlug->At('deki');
                // authenticate with User/authenticate post. Will call fooAuthenticate that I setup already.
                $auth_result = $wgDekiPlug->At('users', 'authenticate')->With('apikey', 'myAPI KEY HERE')->WithCredentials($user, $password)->With('authprovider', AUTH_PROVIDER_ID_FROM_DB)->Post();
                if ($auth_result['status'] == '200') {
                    // The response body is the authtoken; it still has to reach the browser
                    // (the authtoken cookie) for the rest of the page to see the user as logged in.
                    $authToken = $auth_result['body'];
                }
            }
            else {
                die(); // I should probably set some kind of error message, May be by modifying the stock login page.
            }
        } // end top else.
    } //end constructor

    function logout() {
        phpCAS::setDebug();
        phpCAS::client(CAS_VERSION_2_0, '12.24.56.78', 443, '/CAS');
        phpCAS::setNoCasServerValidation();
        phpCAS::logout();
    }//end logout()
}//end class CASAuthenticate

// Run the check on every request that includes this file.
new CASAuthenticate();
?>
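The CAS half of the flow in the script above, and the "user info along with the ticket" question from two posts up, as an added example that is not code from this thread or from the phpCAS / rubycas-server projects: it builds the CAS /login and /serviceValidate URLs, parses the CAS 2.0 XML reply, and pulls out extra user attributes whether they come wrapped in cas:attributes or as bare elements under cas:authenticationSuccess (the latter is an assumption about how rubycas-server's extra_attributes were emitted). It refuses a non-https CAS base URL, because the identity assertion rides on that connection. The hostnames, ticket id and attribute names (email, memberOf, groups) are made up and the XML replies are constructed, not captured. It is in Python rather than PHP so it can be run stand-alone.

```python
"""CAS 2.0 client-side ticket validation (added example, not code from the thread).
XML replies below are constructed to follow CAS 2.0 serviceValidate; names are made up."""
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

CAS_NS = "http://www.yale.edu/tp/cas"


class CasValidationError(Exception):
    """The CAS server did not vouch for the ticket."""


def _tag(name):
    return "{%s}%s" % (CAS_NS, name)


def _require_tls(cas_base):
    # The ticket and the identity assertion travel over this connection, so a
    # plain-http CAS URL (or a client that skips certificate checks) lets anyone
    # on the path mint a login. Refuse it rather than silently accept it.
    if not cas_base.startswith("https://"):
        raise ValueError("CAS server must be reached over https")


def login_redirect_url(cas_base, service):
    """Step 1: send the browser to the CAS login page, the only login form the user sees."""
    _require_tls(cas_base)
    return cas_base.rstrip("/") + "/login?" + urlencode({"service": service})


def validate_url(cas_base, service, ticket):
    """Step 2: CAS redirected back with ?ticket=ST-...; the application (not the
    browser) fetches this URL. `service` must be byte-identical to step 1's value,
    otherwise CAS answers INVALID_SERVICE."""
    _require_tls(cas_base)
    return cas_base.rstrip("/") + "/serviceValidate?" + urlencode(
        {"service": service, "ticket": ticket})


def parse_service_response(xml_text):
    """Step 3: parse the reply. Returns (username, attributes). Attributes are read
    from a <cas:attributes> wrapper (CAS 3.0 style) and from extra elements placed
    directly under <cas:authenticationSuccess> (assumed rubycas-server style)."""
    root = ET.fromstring(xml_text)
    if root.tag != _tag("serviceResponse"):
        raise CasValidationError("not a cas:serviceResponse document")
    failure = root.find(_tag("authenticationFailure"))
    if failure is not None:
        raise CasValidationError("%s: %s" % (failure.get("code", "UNKNOWN"),
                                             (failure.text or "").strip()))
    success = root.find(_tag("authenticationSuccess"))
    if success is None:
        raise CasValidationError("reply has neither success nor failure element")
    user = (success.findtext(_tag("user")) or "").strip()
    if not user:
        raise CasValidationError("authenticationSuccess without cas:user")
    attributes = {}

    def add(element):
        name = element.tag.split("}", 1)[-1]
        attributes.setdefault(name, []).append((element.text or "").strip())

    for child in success:
        name = child.tag.split("}", 1)[-1]
        if name == "attributes":
            for attr in child:
                add(attr)
        elif name not in ("user", "proxyGrantingTicket", "proxies"):
            add(child)
    return user, attributes


def validate(xml_text):
    """Value-returning wrapper: ('ok', user, attrs) on success, ('error', message)
    when the application should bounce the user to an access-denied page."""
    try:
        user, attrs = parse_service_response(xml_text)
        return ("ok", user, attrs)
    except CasValidationError as exc:
        return ("error", str(exc))


# Constructed sample replies (not captured from a real CAS server).
SUCCESS_XML = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess>
    <cas:user>paul</cas:user>
    <cas:attributes>
      <cas:email>paul@example.org</cas:email>
      <cas:memberOf>wiki-users</cas:memberOf>
      <cas:memberOf>admins</cas:memberOf>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

RUBYCAS_STYLE_XML = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess>
    <cas:user>paul</cas:user>
    <cas:email>paul@example.org</cas:email>
    <cas:groups>wiki-users</cas:groups>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

FAILURE_XML = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationFailure code="INVALID_TICKET">Ticket 'ST-1-abc' not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""
```

Usage: `validate_url("https://cas.example.org/cas", service, ticket)` is what the application fetches server-side after the redirect, and `validate(reply_body)` gives either the username plus attributes (which is the data the "user lookup" step wants) or an error message. The attribute dictionary maps each name to a list, since multi-valued attributes such as group membership are common.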
bazooka
06-10-2009, 02:03 AM
A couple more things.
Here's where you go for a php client. They list many others.
http://www.jasig.org/cas/client-integration/other-clients
Here's where you go for a rubycas-server. It's easy to install.
http://code.google.com/p/rubycas-server/
I know the MindTouch guys are big on concurrency. If you install it with Apache2, Phusion Passenger, and Ruby Enterprise Edition, you can overcome the Ruby single-threadedness to a large extent. This setup is simple as a hammer and just as effective. If you're using REE on Debian / Ubuntu, don't forget to add /opt/ruby/bin to the path in /etc/init.d/apache2 as well as /etc/environment.
coreyg
06-10-2009, 02:24 AM
Thanks for sharing the process as you are going through it. I'd recommend hopping into IRC as you are working through this as that is a good resource. You can access the IRC channel through this link: http://developer.mindtouch.com/IRC_Relay
We also have professional services that can develop a solution for you. If you are interested in this as an option contact our sales team here: sales [at] mindtouch.com
bazooka
06-10-2009, 04:03 PM
Thanks Corey. I'll check out the IRC later if I need it. I think I'm pretty close; My major handicap is complete ignorance of MindTouch. Given that 3 days ago was the first time I heard of it, I'd say I've learned quite a bit. I'm mostly doing skunkworks, so the learning process is valuable. I also find that the documentation has been pretty good. What I found more challenging was understanding the overall architecture. I came across the technology overview yesterday, which was quite helpful.
As I work through my offering, I find that many OSS offerings overlap. I try to cherry-pick the best for each role. My philosophy is to avoid torturing software to try and make it do what it doesn't do. If there's too much heavy lifting, my perspective is that you need a different piece of software. That's why I place more emphasis on SSO and integration. Others may see it differently.
I'm starting to form a few overall impressions that may be closer to philosophy than tech support. A couple of things stuck out in my mind in the technology overview in particular. There's a lot of emphasis on Dream's multi-threaded concurrency model. It went on to say that requests are only limited by the slowest resource. Fans of computer science would recognize that as Amdahl's law. More generally, MindTouch as a mashup platform is limited by its ability to transform data, not performance of the SOA bus. I've seen some of the top minds in Silicon Valley go down in flames for failing to appreciate that fact. I think that the partnership with SnapLogic is a tacit admission of that fact. At the end of the day, there are numerous companies that focus on that problem exclusively.
Here's an even more philosophical point from computer science. The technology overview claims that MindTouch is a self-organizing system. I've seen that concept in carbon-based information systems and multi-agent systems. I'm curious, does the author of that overview consider users to be within the boundary of the system?
Thanks again for the help.
Cheers!
Paul
SteveB
06-12-2009, 03:42 AM
Hey Bazooka,
Sounds like you're doing some interesting skunkworks there. Let us know when you have something to share.
In the meantime, I think what you're looking for is trusted authentication (http://developer.mindtouch.com/Deki/Specs/Trusted_Authentication). It's a way for another application to tell MindTouch that user X has logged in. No password required. The API call is simply stating that as a fact, not asking, which seems to be what you're after.
Concerning the mashup capability, MindTouch can be pushed quite far. It has native support for XML/JSON data via web calls and the ability to emit dynamic HTML based on it. MindTouch is not trying to solve every conceivable problem when it comes to data integration, but doesn't shy away from overlapping with other tools as well. The end result is that you can go achieve some pretty awesome things without leaving the confines of your wiki page or, when the need arises, call out to other tools to get to that next level. It's all more about pragmatism and RAD than being a recommended alternative. I like to think of it as VBA for wiki pages. Depending on your background, this may either make you nod or give you an aneurysm. :)
Concerning the terminology on the technology page, I'd have to reread to establish context. As you probably saw, some of the emphasis is on web-services runtime and its ability to scale-out in-process and out-of-process. Self-organization can be open to interpretation, but I'm confident the author didn't have DNA in mind!
Let us know about your progress and don't hesitate to pop-in on IRC or post here if you run into stumbling blocks.
cpbtklogic
06-17-2010, 01:51 AM
I'm just wondering if you have had any luck moving forward with this? I could use CAS authentication too.
Just wondering if there is anything I can start from in implementing my own.
Thanks,
.cpb