  2. The forum you are viewing relates to Kayako Classic. If you signed up or upgraded to the new Kayako (after the 4th July 2016), the information in this thread may not apply to you. You can visit the forums for the new Kayako here.

Active Directory SSO with Pass-Thru enabled

Discussion in 'LoginShare' started by chris88, Jan 11, 2012.

  1. cginest

    cginest Established Member

    Does commenting this result in any security risks?
  2. Farhaz Hofman

    Farhaz Hofman New Member

    I am running Kayako on our intranet. So not that scared of CSRF.
    But it's another story if it publicly available.
    Then again... Doing AD SSO over public internet ??

    Just upgraded to 4.60.
    "Problem" with CSRF check still exists.
    Workaround still works.
  3. cesarin

    cesarin Member

    My suggestion in this whole affair:

    Kayako staff, please add a whitelist where you can type the urls or domains you can access directly to the support center without triggering the cross site forgery protection.

    Because I'm pretty sure I'm not the only one who has a single support center for a variety of sites-domains.
  4. tkwleboss

    tkwleboss New Member

    Can I have an example of index.php code with a redirection if the user is not authenticated, and the name of the user if the authentication is successful?
    Thank you for your help.
  5. adr132

    adr132 Established Member

    We have an outsourced SSO portal service setup, one of the apps is Fusion and Gary's suggestion worked for us.
  6. stevenwells99

    stevenwells99 Member

    Just wondering if this thread is still active, or the product still being developed?
    Trying to get it working on Fusion 4.69.0 but running into the cross site scripting error and the invalid data issue.

    Really need to get SSO working within our environment.

    Date: 2015.04.30 10:38:41 | Failure. XML output was:
    Date: 2015.04.30 10:38:41 | <?xml version="1.0" encoding="UTF-8"?><loginshare><result>0</result><message>AD SSO: Error - Invalid username, or no response from Active Directory.</message></loginshare>

    No issues logged in PHP log. Seems to be issue transforming email address to logon name.

    Would love to see if this product can work under current release.
  7. Herb Meehan

    Herb Meehan Member

    Any chance you can bypass the CSRF check for OnDemand / Cloud?
  8. Gary McGrath

    Gary McGrath Staff Member

    Hi there,

    It would not be possible to bypass the CSRF check when using on demand, as you are not able to edit the code with on demand.

  9. Herb Meehan

    Herb Meehan Member

    That's a real shame. What a breaker.
  10. Gary McGrath

    Gary McGrath Staff Member

    Loginshare in general works fine, e.g. using a shared login from another system. You just cannot "seamlessly" have them logged in automatically from another system (e.g. they will get prompted for their username and password, which can come from another system).

  11. Herb Meehan

    Herb Meehan Member

    SOB.... my GET log-in form, read and store _csrfhash, and then do an immediate POST no longer works. Ughhh, I knew this ghetto approach would get majorly c-blocked.

    The whole LoginShare is just weird. Too bad there isn't any log-in functionality in the API.

    I was almost expecting a "what is your domain name": mydomain, and being able to log-in people easily if the referring domain is mydomain and the username+password matches (the one I'm sending to kayako's info). THAT would be awesome.
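Both cesarin's request for a configurable allowlist of domains that may post to the support center without tripping the cross-site forgery protection, and Herb Meehan's "is the referring domain mydomain?" idea above, amount to the same defensive mechanism: validate the request's origin against an exact-match list before deciding whether the anti-forgery token is required. The following PHP is an added example written for this page, not Kayako's own code; `originOf`, `isTrustedCrossSiteRequest`, `loginRequestAllowed` and the `$trustedOrigins` array are assumed names, and Kayako's real CSRF implementation and configuration keys are not shown anywhere in this thread.

```php
<?php
// Added example (not Kayako code): an origin allowlist placed in front of a
// CSRF-token check, so only configured sites may skip the token, and the
// username/password check still runs for everyone.

/**
 * Reduce a URL to its origin (scheme://host[:port]), lower-cased, or null if
 * it cannot be parsed. Comparing origins rather than full URLs means a trusted
 * site may post from any path.
 */
function originOf(?string $url): ?string
{
    if ($url === null || $url === '') {
        return null;
    }
    $p = parse_url($url);
    if ($p === false || empty($p['scheme']) || empty($p['host'])) {
        return null;
    }
    $origin = strtolower($p['scheme'] . '://' . $p['host']);
    if (!empty($p['port'])) {
        $origin .= ':' . $p['port'];
    }
    return $origin;
}

/**
 * True only when the request carries an Origin (or, as a fallback, Referer)
 * header whose origin exactly matches one entry in the configured allowlist.
 * A request that sends neither header is never exempted, so a plain form post
 * from an unknown page still has to pass the normal token check.
 */
function isTrustedCrossSiteRequest(array $headers, array $trusted): bool
{
    $h = array_change_key_case($headers, CASE_LOWER);
    $candidate = originOf($h['origin'] ?? null) ?? originOf($h['referer'] ?? null);
    if ($candidate === null) {
        return false;
    }
    // Exact match only: no prefix or substring matching, so a host such as
    // intranet.example.com.attacker.test does not match intranet.example.com.
    foreach ($trusted as $t) {
        if (originOf($t) === $candidate) {
            return true;
        }
    }
    return false;
}

/**
 * Gate used by a login handler. $sessionHash is the anti-forgery token stored
 * server-side, $postedHash the one submitted with the form. Credentials are
 * verified separately after this gate; the allowlist only decides whether the
 * token is mandatory.
 */
function loginRequestAllowed(array $headers, array $trusted, ?string $sessionHash, ?string $postedHash): bool
{
    if (isTrustedCrossSiteRequest($headers, $trusted)) {
        return true;  // exempt: origin is on the configured allowlist
    }
    // Everyone else must present a matching token; hash_equals avoids a
    // timing side channel in the comparison.
    return $sessionHash !== null && $postedHash !== null && hash_equals($sessionHash, $postedHash);
}

// Constructed sample requests (assumed values) exercising the gate.
$trustedOrigins = ['https://intranet.example.com'];

var_dump(loginRequestAllowed(['Origin' => 'https://intranet.example.com'], $trustedOrigins, 'tok', null));
var_dump(loginRequestAllowed(['Origin' => 'https://intranet.example.com.attacker.test'], $trustedOrigins, 'tok', null));
var_dump(loginRequestAllowed([], $trustedOrigins, 'tok', 'tok'));
var_dump(loginRequestAllowed(['Referer' => 'https://other.test/form'], $trustedOrigins, 'tok', 'wrong'));
```

The design point is that the exemption is keyed on an exact origin match from a header the browser sets itself, not on a substring of the URL or on anything the submitting page controls, and that the exemption only removes the token requirement: the credential check that follows is unchanged, which is what keeps the allowlist from becoming a general bypass of the protection the thread is discussing.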
