SAML Single Sign-On - Kayako Forge

Wiki

Version 2 (Ashish Kataria, 10/17/2012 07:26 am)

 Using single sign-on (SSO) will permit a single action of user authentication and authorization to access all computers and systems where he has access permission, without the need to enter multiple passwords.
 INSTALLATION
 ---------------------
 . Download and extract Single.
 You can obtain the latest Single Sign-On release from [[http://forge.kayako.com/attachments/download/260/samlsso.zip]] -- the files are available in .zip formats and can be extracted using most compression tools.
 To download and extract the files, on a typical Unix/Linux command line, use the following commands:
-Ashish Kataria
+<pre>
 wget http://forge.kayako.com/attachments/download/260/samlsso.zip
 tar -zxvf samlsso.zip
-Ashish Kataria
+</pre>
 This will create a new directory samlsso/ containing all samlsso files and directories. Then, to move the contents of that directory within your helpdesk app folder, continue with this command:
 Ashish Kataria
-Ashish Kataria
+<pre>
 mv samlsso /path/to/your/installation/__apps/
-Ashish Kataria
+</pre>
 . Go to Admin interface of your helpdesk and click on Apps on left hand side menu
 !http://forge.kayako.com/attachments/download/309/Screen_Shot_2012-10-12_at_11.27.33_AM.png!
 . Now click on Single Sign On and then click on Install button, this will install this app
 !http://forge.kayako.com/attachments/download/310/Screen_Shot_2012-10-12_at_11.34.35_AM.png!
 . Now click on Settings option from left side menu and click on Single Sign On
 !http://forge.kayako.com/attachments/download/311/Screen_Shot_2012-10-12_at_11.45.25_AM.png!
 . You will see Single Sign On settings page
-Ashish Kataria
+!http://forge.kayako.com/attachments/download/315/Screen_Shot_2012-10-17_at_5.05.30_PM.png!
 . First you have to enable the Single Sign On by selecting yes for first option i.e. "Enable Single Sign"
-Ashish Kataria
+. Next you can enable sign on through twitter or facebook by enabling option “Enable Twitter Authentication” or “Enable Facebook Authentication” correspondingly but if you want to use Twitter or Facebook login then first you have to configure your Apache
-Ashish Kataria
+. Find the Apache configuration file for the virtual hosts where you run your helpdesk. The configuration may look like this:
-Ashish Kataria
+<pre>
-Ashish Kataria
+<VirtualHost *>
-Ashish Kataria
+        ServerName service.example.com
-Ashish Kataria
+        DocumentRoot /var/www/service.example.com(i.e. path to your helpdesk trunk folder)
-Ashish Kataria
+        Alias /samlidp path to your helpdesk trunk folder/__apps/samlsso/thirdparty/samlidp/www
-Ashish Kataria
+</VirtualHost>
-Ashish Kataria
+</pre>
-Ashish Kataria
+. For Twitter integration you need to get an API Consumer key and a Consumer secret (update it in Admin settings), by register the application at: http://twitter.com/oauth_clients
-Ashish Kataria
+. Set the callback URL to be: http://ky.example.org/samlidp/module.php/authtwitter/linkback.php . Replace ky.example.org with your hostname.
-Ashish Kataria
+. For Facebook integration you need to get App ID (or API Key) and App Secret (update it in Admin settings), by register the application at: http://www.facebook.com/developers/
-Ashish Kataria
+       Please Note :- Facebook needs the CURL and JSON PHP extensions.
-Ashish Kataria
+. If you want to login from your own Identity Provider then provides your IdP details in next few settings options (for setting up your IdP and adding our Service Provider to your IdP refer to http://simplesamlphp.org/docs/stable/simplesamlphp-idp )
-Ashish Kataria
+. Entity ID – Specify the index of your IdP metadata array, use these while setting IdP for your help desk
-Ashish Kataria
+. SingleSignOnService URL – Specify the URL that Kayako will invoke to redirect users to your Identity Provider
-Ashish Kataria
+. Your IdP should return Email address and Name
-Ashish Kataria
+. Our Assertion Consumer Service (ACS) URL is http://yourservername.kayako.com/index.php?/Samlsso/Sso/Idp/Login
-Ashish Kataria
+. Next provide the path for your certificate which you can obtain this from your SAML identity provider
-Ashish Kataria
+. Once you are done with all the settings then change the template.
 Ashish Kataria
-Ashish Kataria
+. Now click on Templates -> Templates option from left side menu and click on General
 Ashish Kataria
-Ashish Kataria
+. List of templates will be shown up, click on header template
 Ashish Kataria
-Ashish Kataria
+. Add the below code: -
 Ashish Kataria
-Ashish Kataria
+*After*
-Ashish Kataria
+<pre>
-Ashish Kataria
+<div id="loginsubscribebuttons"><input class="rebutton" value="<{$_language[login]}>" type="submit" /></div>
-Ashish Kataria
+</pre>
-Ashish Kataria
+*Add code*
-Ashish Kataria
+<pre>
-Ashish Kataria
+<{if isset($_twitterEnable) || isset($_facebookEnable) || isset($_ssoIdpEnable)}>
-Ashish Kataria
+<hr class="vdivider">
-Ashish Kataria
+ <{/if}>
-Ashish Kataria
+<{if isset($_twitterEnable)}>
-Ashish Kataria
+<div id="twitterlogin" class="widgetrow" style="padding-left:5px; " >
      <span onclick="javascript: window.location.href='http://ver2.kayako.com/index.php?/Samlsso/Sso/Twitter/Login';">
             <a class="widgetrowitem defaultwidget" style="background-repeat: no-repeat; background-position: 5px 5px; width: 139px; font-size: 13px; padding: 14px 10px 15px 50px;background-image: URL('http://ver2.kayako.com/__swift/themes/client/images/twitter_icon.jpg');" href="<{$_baseName}><{$_templateGroupPrefix}>/Samlsso/Sso/Twitter/Login">
                    <span class="widgetitemtitle">Login Using Twitter</span>
               </a>
       </span>
-Ashish Kataria
+</div>
-Ashish Kataria
+<{/if}>
-Ashish Kataria
+<{if isset($_facebookEnable)}>
-Ashish Kataria
+<div id="facebooklogin" class="widgetrow" style="padding-left:5px;" >
      <span onclick="javascript: window.location.href='http://ver2.kayako.com/index.php?/Samlsso/Sso/Facebook/Login';">
             <a class="widgetrowitem defaultwidget" style="background-repeat: no-repeat; background-position: 5px 5px; width: 139px; font-size: 13px; padding: 14px 10px 15px 50px;background-image: URL('http://ver2.kayako.com/__swift/themes/client/images/facebook_icon.jpg');" href="<{$_baseName}><{$_templateGroupPrefix}>/Samlsso/Sso/Facebook/Login">
                    <span class="widgetitemtitle">Login Using Facebook</span>
               </a>
       </span>
-Ashish Kataria
+</div>
-Ashish Kataria
+<{/if}>
-Ashish Kataria
+<{if isset($_ssoIdpEnable)}>
-Ashish Kataria
+<div id="ssoidplogin" class="widgetrow" style="padding-left:5px;" >
      <span onclick="javascript: window.location.href='http://ver2.kayako.com/index.php?/Samlsso/Sso/Idp/Login';">
             <a class="widgetrowitem defaultwidget" style="background-repeat: no-repeat; background-position: 5px 5px; width: 139px; font-size: 13px; padding: 14px 10px 15px 50px;background-image: URL('http://ver2.kayako.com/__swift/themes/client/images/saml_icon.jpg');" href="<{$_baseName}><{$_templateGroupPrefix}>/Samlsso/Sso/Idp">
                    <span class="widgetitemtitle">Login Using Your IdP</span>
               </a>
       </span>
-Ashish Kataria
+</div>
-Ashish Kataria
+<{/if}>
-Ashish Kataria
+</pre>
-Ashish Kataria
+. After changing the template file you can see the login buttons in Support Center corresponding to remote authentications you have enabled
 !http://forge.kayako.com/attachments/download/313/Screen_Shot_2012-10-12_at_2.41.57_PM.png!
-Ashish Kataria
+. Now you can login with any account