More and more people travel nowadays, connecting to company systems from around the planet to exchange information and files with colleagues and customers. While large companies can afford a full infrastructure made up of VPNs, strong authentication, failover and so on, small and medium organizations have the same need (a secure corporate intranet for exchanging private information and files) but much smaller budgets.
Collaborative tools such as wikis are a good way to meet this need quickly without spending a fortune. I found TikiWiki to suit these environments best: it is extremely easy for end users to work with through its WYSIWYG editor, while its advanced permission system lets you control access to each page, or even show or hide part of a page to a given group of users, which few comparable solutions offer.
Choosing a web hosting platform you trust is important, as you don't want your data to be stolen. There is another key part to take into consideration, however: user access. You don't want someone else to steal your identity and use it to reach your confidential data. One-time passwords (OTP) are the natural answer, but traditional OTP deployments are expensive for small and medium businesses: besides the tokens themselves, setting up and maintaining the whole authentication environment adds further cost. SecurePass is an online identity management service, delivered as SaaS (Software as a Service), that is both easy to set up and cheaper than a traditional OTP architecture, which makes it well suited to this kind of application and business.
The implementation was extremely fast and easy, so I decided to write this short how-to explaining how it works.
We will use SecurePass' CAS interface. LDAP and PAM can also be used to integrate with SecurePass, but CAS gives us a single sign-on experience across all our web applications.
1) If you don't already have a SecurePass account, you can sign up for one here: http://www.secure-pass.net/open
Note: use "misec2011" as the promo code; it entitles you to use SecurePass for up to 10 users for 2 years free of charge.
2) Install and configure a web server with PHP and the extensions required by TikiWiki. More information on its requirements is available here.
3) Download the TikiWiki package from http://info.tiki.org/Download and install it following the "Installation" document linked above.
4) Once installed and logged in, we have to activate CAS authentication. From Admin home, select “Log In”. Then, under “General Preferences” tab, set Authentication method to “CAS (Central Authentication Service)”.
In the “CAS” tab, check the following options:
- Create user if not in Tiki
- Use Tiki authentication for admin login
- Show Alternate Login Method in Header
- Force CAS log-out when the user logs out from Tiki
Then specify the following CAS parameters:
- CAS server version: 1.0
- CAS Server Name: login.secure-pass.net
- CAS server port: 443
- CAS Server Path: /cas
To apply changes, click on “Change Preferences”
Basically, this is all you need to set up the whole environment. Easy, isn't it? Be aware, however, that SecurePass' CAS interface authenticates every valid SecurePass user, including users who do not belong to our organization. As such, we have two options:
- limit access to each wiki page through the groups that have rights on it. This is perfect if you also want to use the same site as an extranet, allowing external entities (such as partners) to share information with you
- limit access in the code, so that only users from our own realm can log in at all and you don't have to remember, for every page, who is allowed to see it. This option is only suitable when the wiki is used purely internally; it is the safer choice when you cannot count on your users to set page permissions carefully.
In order to implement option 2), we have to slightly modify the code so that only our SecurePass domain/realm is accepted by TikiWiki. Modify the library file "lib/userslib.php" at around line 470, adding the middle branch to the existing elseif chain:
    // if the user wasn't authenticated through CAS, just fail
    elseif (!$userCAS) {
        return array(false, $user, $result);
    }
    // if the user was authenticated by CAS but does not belong to our realm, fail.
    // The pattern is anchored at both ends and the dot is escaped, so that
    // "x@mycompanyXcom" or "x@other.example@mycompany.com" cannot slip through.
    elseif ($userCAS && !preg_match('/^[^@]+@mycompany\.com$/i', $user)) {
        return array(false, $user, $result);
    }
    // if the user was authenticated by CAS but not found in Tiki
    elseif ($userCAS && !$userTikiPresent) {
In the example above, we allow access only to users that belong to the realm/domain "mycompany.com". Replace it with your own SecurePass domain. Note that a loosely written pattern such as "/(.*)@mycompany.com$/" would not do: the unescaped dot matches any character and the missing start anchor lets any name that merely ends in "@mycompany.com" pass, so keep the "^", the "\." and the "$".
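To make the two pieces above concrete, here is an added, stand-alone example (not TikiWiki or SecurePass code) that shows how the CAS parameters from step 4 form the CAS 1.0 validation URL, how a CAS 1.0 validate response is parsed, and how a realm check should be written so that the gaps of a naive "/(.*)@mycompany.com$/" pattern are closed. The function names, the service URL "https://wiki.example.org/tiki-login.php", the ticket value and the sample responses are all constructed for the example; "mycompany.com" stands in for your SecurePass realm.

```php
<?php
// Added example, not TikiWiki or SecurePass code. Sample data is constructed.

// CAS 1.0 validates tickets at <path>/validate (CAS 2.0 uses /serviceValidate).
// Server, port and path are the values entered in TikiWiki's CAS tab.
function cas10_validate_url(string $server, int $port, string $path,
                            string $service, string $ticket): string
{
    $hostPort = ($port === 443) ? $server : "$server:$port";
    return 'https://' . $hostPort . rtrim($path, '/') . '/validate?'
         . http_build_query(['service' => $service, 'ticket' => $ticket]);
}

// A CAS 1.0 response body is exactly two lines: "yes\n<username>\n" on
// success, "no\n\n" on failure. Anything else is treated as a failure.
function parse_cas10_response(string $body): ?string
{
    $lines = explode("\n", str_replace("\r\n", "\n", $body));
    if (count($lines) < 2 || $lines[0] !== 'yes') {
        return null;
    }
    $user = trim($lines[1]);
    return ($user === '') ? null : $user;
}

// Accept only "<local>@<realm>" where <realm> is one of ours.
// '^' and '$' anchor both ends, preg_quote() escapes the dot, and [^@\s]+
// forbids a second '@' (or whitespace) in the local part.
function user_in_allowed_realm(string $user, array $realms): bool
{
    foreach ($realms as $realm) {
        $pattern = '/^[^@\s]+@' . preg_quote($realm, '/') . '$/i';
        if (preg_match($pattern, $user) === 1) {
            return true;
        }
    }
    return false;
}

// --- Constructed demonstration -------------------------------------------
echo cas10_validate_url('login.secure-pass.net', 443, '/cas',
                        'https://wiki.example.org/tiki-login.php',   // assumed service URL
                        'ST-constructed-ticket'), "\n";

$allowed = ['mycompany.com'];   // replace with your SecurePass realm
$samples = [
    "yes\nalice@mycompany.com\n"               => true,
    "yes\nbob@MyCompany.COM\n"                 => true,   // realm compared case-insensitively
    "yes\nmallory@mycompanyXcom\n"             => false,  // an unescaped '.' would allow this
    "yes\neve@partner.example@mycompany.com\n" => false,  // a missing '^' would allow this
    "yes\ncarol@mycompany.com.evil.example\n"  => false,  // '$' rejects a trailing suffix
    "no\n\n"                                   => false,  // CAS said no
];
foreach ($samples as $body => $expected) {
    $user    = parse_cas10_response($body);
    $granted = ($user !== null) && user_in_allowed_realm($user, $allowed);
    printf("%-48s -> %s\n", json_encode($body), $granted ? 'allow' : 'deny');
    assert($granted === $expected);
}
```

Run it with "php example.php"; the first line printed is the validation URL TikiWiki's CAS client would call for the configured server, and each sample line shows whether the realm check grants or denies that CAS username. The two "would allow this" cases are exactly the inputs the loose pattern accepts and the anchored, escaped one rejects.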
You are now ready to log in to your intranet with your username and a one-time password: simply browse to your web site and click on "Login through CAS".
OTP app for Android and iPhone.
The OTP can be generated by a physical token or, as in our case, by the mobile apps available for iOS and Android devices at no additional cost.