

Caution: This documentation is for eZ Publish legacy, from version 3.x to 6.x.
For 5.x documentation covering Platform, see eZ Documentation Center; for the differences between legacy and Platform, see 5.x Architecture overview.

Single Sign On (SSO) handlers

eZ Publish supports Single Sign On (SSO) handlers.

These handlers are written in PHP and are executed every time a new session is instantiated. They let you check whether the user is already logged in to a third-party system and, if so, log the user in to eZ Publish automatically, without any user interaction.

To add a new SSO handler, you need to create a custom PHP class for the handler. The class name must begin with 'eZ', and the class must implement a handleSSOLogin method. This method takes no arguments and returns either an eZUser (the user that gets logged in) or false if no user must be logged in.

The class name, without the eZ prefix and without the SSOHandler suffix, must then be added to site.ini, in the SingleSignOnHandlerArray variable of the UserSettings block.
Example: For the class name eZ<custom_name>SSOHandler, the value of your SingleSignOnHandlerArray setting should be the name used as <custom_name> in the class name.

Also, the name of your PHP class should start with ez and end with ssohandler.

Ideally, this would be done in an extension (that needs to be enabled):

extension/mysso/settings/site.ini.append.php:

[UserSettings]
SingleSignOnHandlerArray[]=My

extension/mysso/sso/ezmyssohandler.php:

<?php
/**
* An SSO handler that automatically logs in the admin user if the request's IP address matches a known one
*/
class eZMySSOHandler
{
    /**
    * My custom SSO handler
    * @return eZUser|false The user we want to log in, or false
    */
    function handleSSOLogin()
    {
        if ( $_SERVER['REMOTE_ADDR'] === '192.168.1.10' )
            return eZUser::fetch( 14 );
        else
            return false;
    }
}

Note that the handler will be executed for every request. Only enable it for the siteaccesses where it makes sense, and make sure it doesn't use too many resources.
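
The handler above relies on the client IP address alone, and behind a reverse proxy REMOTE_ADDR is the proxy's address. As an added example (not from the eZ Publish documentation or code base), the handler below instead accepts a cookie that the third-party system signs with HMAC-SHA256. The cookie name and format, mysso.ini with its [TokenSettings] SharedSecret setting, and the class name are assumptions; it would be registered with SingleSignOnHandlerArray[]=MyToken.

```php
<?php
/**
 * Added example (not eZ Publish code): SSO handler trusting a signed cookie.
 * Assumed cookie format: "<login>|<expiry unix time>|<hex HMAC-SHA256>".
 * Cookie name, mysso.ini and its [TokenSettings] block are hypothetical.
 */
class eZMyTokenSSOHandler
{
    const COOKIE_NAME = 'partner_sso'; // hypothetical cookie name

    /**
     * @return eZUser|false The user we want to log in, or false
     */
    function handleSSOLogin()
    {
        if ( !isset( $_COOKIE[self::COOKIE_NAME] ) || !is_string( $_COOKIE[self::COOKIE_NAME] ) )
            return false;

        $secret = eZINI::instance( 'mysso.ini' )->variable( 'TokenSettings', 'SharedSecret' );
        $login = self::verifyToken( $_COOKIE[self::COOKIE_NAME], $secret, time() );
        if ( $login === false )
            return false;

        $user = eZUser::fetchByName( $login );
        // Unknown or disabled accounts are never logged in
        if ( !( $user instanceof eZUser ) || !$user->isEnabled() )
            return false;

        return $user;
    }

    /**
     * Checks format, signature and expiry. Returns the login, or false.
     */
    static function verifyToken( $token, $secret, $now )
    {
        $parts = explode( '|', $token );
        if ( count( $parts ) !== 3 || !is_string( $secret ) || $secret === '' )
            return false;
        list( $login, $expiry, $mac ) = $parts;
        if ( $login === '' || !ctype_digit( $expiry ) )
            return false;
        $expected = hash_hmac( 'sha256', $login . '|' . $expiry, $secret );
        // hash_equals() (PHP 5.6+) compares in constant time
        if ( !hash_equals( $expected, $mac ) )
            return false;
        return ( (int) $expiry >= $now ) ? $login : false;
    }
}
```

The signature is checked before the expiry so that a forged token is rejected the same way whatever its timestamp, and a missing shared secret disables the handler rather than accepting tokens signed with an empty key.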

Bertrand Dunogier (03/07/2013 10:11 am)

Ricardo Correia (04/07/2013 4:17 pm)
