elentra_auth.user_data database table for the username and password provided by the user, then ensures a valid elentra_auth.user_access database table record exists.
settings.inc.php. Also, you must ensure that ldap is present in the
index.php submits the authentication request to the Elentra API, which attempts the bind to the LDAP server (defined by the
LDAP_BIND_REQUIRES_DN controls whether this user_dn is fully qualified.
number field (defined by the LDAP_LOCAL_USER_QUERY_FIELD constant) for the UniCaPKey identifier (defined by the LDAP_USER_QUERY_FIELD constant) returned by the directory for that account.
ldap methods above. The implementation lets you either offer SSO as an option or eliminate the local/LDAP login and force SSO to be used. The AUTH_METHOD setting determines how this works.
AUTH_METHOD chains "sso" with "ldap" or "local", Elentra will present a local login screen, with a link to select SSO or a form to provide local or LDAP credentials.
AUTH_METHOD contains only "sso", the only valid way to authenticate is SSO, so the local login screen will be bypassed completely. When Elentra starts, you will be redirected immediately to the SSO authority if you are not already logged in.
Identity Provider (IDP) and Service Provider (SP) components, where the IDP performs the authentication and the SP acts as the interface to the application. In a typical configuration, the IDP would provide SSO services for a range of different websites at the same organization. The Shibboleth Website provides a good overview of the concepts and architecture.
Passive mode. In Active mode, the Apache web server configuration determines which pages within Elentra are protected, and the system will automatically prompt for SSO authentication before displaying the pages. This method is possible for Elentra, but you will have to configure the Apache web server very carefully to allow non-secure access to things like RSS feeds.
core/config/settings.inc.php settings are related to the Service Provider configuration:
.htaccess file to ensure the login and logout URIs are not rewritten.
user_data table, based on the column name contained in AUTH_SSO_LOCAL_USER_QUERY_FIELD. This defaults to the "number" column. Other good candidate columns might be username or email, depending on what your organization is prepared to return from the Identity Provider.
number column of the Elentra Authorization database's
core/config/settings.inc.php to be "local, ldap" or "ldap, local" (depending on the chain order you prefer) instead of "local" or "ldap".