/redmine_http_auth

HTTP Authentication plugin for redmine

Primary LanguageRubyMIT LicenseMIT

UPDATE (2013-01-15)
=======

This is an updated, updated version of the original Adam Lantos redmine_http_auth 
plugin. 

This update is known to work with Redmine 2.0.x versions.

To the best of my knowledge the original functionality is complete. 


HTTP Authentication plugin for Redmine
=======

This plugin enables an optional HTTP authentication method in the Redmine
project management tool.

If the REMOTE_USER server environment variable is set, an attempt is
made to look up the matching local user account and log in. An attempt is made
to synchronize redmine session with the container managed authentication session,
but this can be switched off.

This module does not disable the form-based login unless HTTP authentication
credentials are available, in which case the username from the environment
will override the form-based login.


Installation
=======

Use the following command from within your Redmine plugin directory:

# git checkout https://github.com/uberamd/redmine_http_auth.git 


Settings
=======

The behavior of this plugin can be customized through the 'settings' page in the
plugins menu. Currently there are six options:

- enable / disable HTTP Authentication (default: enable)
- set the header / environment value to look for (default: REMOTE_USER)
- change local user lookup mode from login name to email address
  (default: login name)
- enable / disable automatic registration (default: disable), see below
- enable / disable the "keep session" behavior (default: disable), see below
- disable newly auto registered accounts, allowing admins to verify accounts before allowing access (work in progress)

Known issues
=======

If you encounter "uninitialized constant Rails::Plugin::ApplicationController"
exception with any Redmine version prior to Redmine-0.9, just rename your
app/controllers/application.rb to app/controllers/application_controller.rb.


Automatic registration of user accounts
=======

If a user doesn't exist in the redmine local database, the http_authentication
plugin can automatically create an account for them. This automatic registration
currently presents a form to the user where additional attributes (like email
address, first name or last name) should be entered.

The plugin currently doesn't handle automatic attribute transformation from the
authentication environment (eg. Shibboleth session), but it does enforce the
lookup attribute matching with the environment.

Automatically registered accounts don't have associated passwords, but the
user can change their password via the common password change form.

Newly registered accounts can be disabled by default which requires an administrator
to grant access to the user. This is ideal for more closed environments with many
potential users. It doesn't require manual registration of users by admins, but
doesn't allow everyone and their mother into the system. Strikes a balance.

Session synchronization
=======

When using container managed authentication (like SSO systems), one needs to
ensure, that the currently logged-on user is the same which initiated the session.
Additionally, there is a need to offer logout functionality to the end user.

By default, the http_authentication plugin synchronizes the container managed
authentication session to the redmine session. This means that if the underlying
session changes or ends, the redmine session changes and ends as well.


Using lazy authentication
=======

The http_authentication plugin provides a top menu link for lazy, user-requested
authentication purposes. This link points to the `/httpauth-login` URL. If you
want to enable both http_authentication and normal form-based logins, you need
to use this link to enforce container authentication.

However, many authentication mechanisms (namely apache httpd mod_auth_basic)
don't offer a way to do lazy authentication. If an URL is not "enforced", the
authorization information (eg. REMOTE_USER) is not populated. Thus, the session
synchronization code will invalidate user sessions outside the protected realm.

You can alter this behavior by switching on the "keep sessions" setting. But
please consider that this might be dangerous. Do not use this feature if you
are implementing SSO systems, you've been warned.


Planned features
=======

- option to disable form-based login for users when the plugin is activated
- integration with the custom features of various SSO systems (eg. Shibboleth)


Copyright (c) 2010 NIIF Institute and Adam Lantos, released under the MIT license