SSO

uniqueculture - May 5, 2009 - 20:32
Project: netFORUM Authentication
Version: 5.x-0.9
Component: Code
Category: bug report
Priority: normal
Assigned: james.michael-hill
Status: closed
Description

I'm testing the module, and Drupal login with netForum users is great. However, when I jump to an eWeb site I'm not logged in. Based on my observations, the cookies that the module is setting (for SSO) are nothing like the cookies set by the eWeb site. The cookie names are different, as are the values.
The module sets: cstid and pw cookies (with website code prefix). eWeb login sets: login and pw cookies (with website code prefix). In addition, the eWeb password cookie value is encoded once more when the module takes the password from the Customer object (md5 I think).
Example:
Module cookies:

<?php
array(
'eWebcstid' => '00000000-0000-0000-0000',
'eWebpw' => '098f6bcd4621d373cade4e832627b4f6'
);
?>

eWeb login cookies:

<?php
array(
'eWeblogin' => 'example@example.com',
'eWebpw' => 'DGRFDGHTZaCMYUiAgltEuA=='
);
?>

#1

james.michael-hill - May 8, 2009 - 15:13
Assigned to: Anonymous » james.michael-hill

What version and build of netforum are you using? Looking at the wiki pages on SSO it looks like they changed the functionality recently (http://wiki.avectra.com/SSO). It looks like under the new system users are required to log into eWeb directly, is that something you'd be set up and ready for?

#2

nbucknor - June 9, 2009 - 20:59

I'm having the same issue on version 2008.1.0.32520. Are you working on a patch for this problem?

#3

james.michael-hill - June 11, 2009 - 14:56

The newer versions of netFORUM have started using a different method to encrypt the eWeb cookies and there are releases where the key is intentionally unknown and can't be set. Starting with 2008.01 service pack 3 (which it looks like you have - right?) there is a configuration option in eweb/web.config called CustomPasswordEncryptionKey. Do you have access to a netFORUM testing site for eWeb? I'm looking to verify that A) the web.config option can be easily set and take effect and that B) encrypted eWeb passwords set in the cookie using the custom key will match passwords encrypted in the Drupal module.

#4

nbucknor - June 15, 2009 - 15:31

Yes, I am using 2008.01 service pack 3. Sorry, I don't have access to the web.config file. However, the people at Avectra did direct me to http://wiki.avectra.com/index.php?title=Hashing_passwords which has a function that lets you convert md5 encrypted passwords to a netforum encrypted password:


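<?php
// Convert a plain-text password to the netFORUM-style hash described on the wiki page.
function client_hash_web_password($password = '') {
  // Start from the 32-character hex MD5 digest of the password.
  $hash = md5($password);
  $mod_hash = "";
  for ($i = 0; $i < strlen($hash); $i++) {
    $c = substr($hash, $i, 1);
    // Drop any "0" at an even offset (the leading hex digit of a byte);
    // keep every other character.
    if ($c != "0" || ($i % 2) != 0) {
      $mod_hash .= $c;
    }
  }
  return $mod_hash;
}
?>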

#5

james.michael-hill - June 15, 2009 - 15:41

Did you ask specifically about CustomPasswordEncryptionKey? Can you ask them to humor you and put in the web.config variable anyway? If it isn't in use then I don't think having it added to the web.config will cause any problems, but I should warn you that I think it will break all existing passwords.

I wrote the bulk of the usage section for that wiki page as part of the initial work for the SSO module, but from my understanding it is out of date for the latest netforum versions.

#6

james.michael-hill - November 15, 2009 - 22:14

This has been updated to match the AES encryption used by netFORUM version 2.2 and above. It does rely on a custom value set in the eweb/web.config file and will need to be calculated for each installation.

#7

james.michael-hill - November 15, 2009 - 22:14
Status: active » closed
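
Added example, not part of the original thread or the module's code: a PHP diagnostic that classifies the two `eWebpw` values quoted in the description and applies the stripping rule from comment #4 to the module's digest, showing why the two cookies cannot compare equal. The helper names `describe_cookie_value` and `strip_even_offset_zeros` are hypothetical; a 16-byte decoded length is consistent with one AES block (comment #6) but does not by itself identify the algorithm.

```php
<?php
// Cookie values exactly as quoted in the issue description.
$cookies = array(
  'module eWebpw' => '098f6bcd4621d373cade4e832627b4f6',
  'eWeb eWebpw'   => 'DGRFDGHTZaCMYUiAgltEuA==',
);

// Hypothetical helper: report how a cookie value appears to be encoded.
// Hex is tested first because 32 hex characters are also valid base64.
function describe_cookie_value($value) {
  if (preg_match('/^[0-9a-f]{32}$/i', $value)) {
    return 'hex, 16 bytes (MD5-digest sized)';
  }
  $raw = base64_decode($value, TRUE);
  if ($raw !== FALSE && base64_encode($raw) === $value) {
    $n = strlen($raw);
    $note = ($n > 0 && $n % 16 === 0) ? ', a multiple of the 16-byte AES block size' : '';
    return "base64, $n bytes$note";
  }
  return 'unrecognised encoding';
}

// Hypothetical helper: the same rule as the function in comment #4,
// applied to an existing MD5 hex digest instead of a plain-text password.
function strip_even_offset_zeros($hex) {
  $out = '';
  for ($i = 0; $i < strlen($hex); $i++) {
    if ($hex[$i] !== '0' || $i % 2 !== 0) {
      $out .= $hex[$i];
    }
  }
  return $out;
}

foreach ($cookies as $label => $value) {
  printf("%-15s %s\n", $label . ':', describe_cookie_value($value));
}

// Even the wiki-style form of the module's digest is still hex text,
// so a string comparison against the base64 eWeb value can never succeed.
$wiki_form = strip_even_offset_zeros($cookies['module eWebpw']);
printf("wiki-hash form: %s (%d chars), %s\n", $wiki_form, strlen($wiki_form),
  hash_equals($cookies['eWeb eWebpw'], $wiki_form) ? 'matches eWeb value' : 'does not match eWeb value');
```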
 
 
