[Sharing Exp] - Protect cacti with Shibboleth Single Sign On

[kuma3]

We hit a little obstacle when trying to protect cacti using Shibboleth. We had to modify auth_login.php a bit to make login work with Shibboleth.

First, change authentication to "Web Basic Authentication", then assign an user template from existing users in DB.

Then in auth_login.php, we did this change

Code: Select all

195,196c195,197
<                                       if (isset($_SERVER["HTTP_REFERER"])) {
<                                               $referer = $_SERVER["HTTP_REFERER"];
---
>                                       # Under shib protected site, the referer would be idp, so we'll use REQUEST_URI first
>                                       if (isset($_SERVER["REQUEST_URI"])) {
>                                               $referer = $_SERVER["REQUEST_URI"];
200,201c201,202
<                                       } else if (isset($_SERVER["REQUEST_URI"])) {
<                                               $referer = $_SERVER["REQUEST_URI"];
---
>                                       } else if (isset($_SERVER["HTTP_REFERER"])) {
>                                               $referer = $_SERVER["HTTP_REFERER"];

Since we’re protecting cacti under with apache’s http auth using shibboleth, $_SERVER["HTTP_REFERER"] would be the IDP when user login for the first time because the way SP and IDP forward user to login page and forward him back to Cacti. So we just have to switch the order of HTTP_REFERRER and REQUEST_URI and user will be redirected correctly.

I don't know if there is any bad implication with this change tho, please comment on the thread if you see any.