1. Kayako Download customers: we will continue to develop and support Kayako Download beyond July 2017, alongside the new Kayako for existing customers.

    Find out more.

  2. The forum you are viewing relates to Kayako Classic. If you signed up or upgraded to the new Kayako (after the 4th July 2016), the information in this thread may not apply to you. You can visit the forums for the new Kayako here.

Looking for ideas on SSO Passthrough for Staff login

Discussion in 'LoginShare' started by ZiggyStardog, Mar 27, 2013.

  1. ZiggyStardog

    ZiggyStardog New Member

    I read Chris Henry's SSO thread with interest, but I'm looking for a similar solution for opening staff pages rather than user pages with the existing Windows credentials. This is in intranet setting where outside users don't have access to Kayako (mostly phone support).

    Any ideas where to start in the code? I'm trying to pinpoint where from a .../staff/index.php?/... url that Kayako decides that the user isn't authenticated or doesn't have a session going and spits out a login page. Thanks.
     
  2. Drew Keller

    Drew Keller Just one person in a world of millions.

    When you are referring to "Windows Crendentials" are you talkign about a Microsoft Active Directory Domain?

    If Yes then you should ahve a look at the http://forge.kayako.com/projects/ad-ldap-authenticator or http://forge.kayako.com/projects/ad-ldap-sso as these are logon shares that can be used Staff Logon AD Authentication, the second one is specifically SSO. I think the main limitation is with having ot have Kayako running on Windows via IIS so that the credentials can be passed correctly.

    You can also find more on Logon shares on the wiki http://wiki.kayako.com/display/DEV/LoginShare API (Remote Authentication)
     
  3. ZiggyStardog

    ZiggyStardog New Member

    Thanks Drew. Yes I do mean Active Directory Credentials, the difference is by using Windows authentication in IIS the user wouldn't have to enter the password at a login screen. I have LoginShare for Staff implemented, and I'm familiar with the ad-ldap-sso package, I looked into this but this is for user logins not staff logins. The author "exploited" a template page to suppress logins, and I'm looking to do the something similar for Staff logins.

    Since my post I've found that the login logic for is in "class.Controller_StaffBase.php" and I'm looking through the code. It's rough going because the code is formatted all on a single line, either for speed or obfuscation or both. I'm reformatting it, and hoping I can find a spot to modify. There's some code that works with credentials saved in a cookie that might have some promise, but I think it will take a while to decode what's going on.
     
  4. ZiggyStardog

    ZiggyStardog New Member

    Followup-- I made some proof-of-concept modifications, and while it worked with IE, I found that this wasn't feasible using Kayako Desktop as the web client-- Windows would still prompt for a password when you launched a new tab.

    Since the user still has to enter a password, I ended up scripting this in Autoit instead. I wouldn't have to use Autoit if KD had the ability to launch a URL in an existing instance from the command line like most web browsers (my application is a PBX screenpop application).
     
  5. Jason Tang

    Jason Tang New Member

    Hi,

    I am interested in knowing how you achieved the SSO in IE.
     
  6. Torbjörn S.

    Torbjörn S. Reputed Member


    Does anyone know if this works when 4.67 comes? as it supports php 5.4?
     

Share This Page