
History: Remote Tiki Autologin

Source of version: 20 (current)

! Remote Tiki Autologin

This feature, introduced in ((Tiki15)), allows users from another Tiki to log in to this Tiki using their credentials there. This provides a quick way to create a sub-site or sister site. It is similar to ((InterTiki)).

~tc~ Preference documentation generated from https://sourceforge.net/p/tikiwiki/code/HEAD/tree/trunk/lib/prefs/ ~/tc~
~tc~ To update documentation see https://dev.tiki.org/How-to-get-commit-access ~/tc~
{PREFDOC(tab="login-remotetikiautologin")/}

!! Limitations
* There is no password synchronization. Users are expected to always log in to the main Tiki site first and then autologin to the sub-site or sister site from there. You can, however, set it to redirect users who try to log in to the sub-site directly to the main Tiki site so that they log in from there; the redirection back and forth is automatic. If you need the sister site to be independent and therefore need password synchronization, you will need to use ((Intertiki)) or other ((External Authentication)) instead.

!! Terms
To avoid confusion, we will be using the terms:
* __Main Tiki__ to refer to the site on which you first need to login, and
* __Sub-Tiki__ to refer to the sub-site to which you are auto-logged in. 

!! Configuration steps
!!! On the Sub-Tiki
# Create a Tiki user that will be used to run the auto-login. (It is recommended that this user be used solely for this purpose, e.g. tikiconnector.)
# Create a Tiki group (e.g. Autologin). There is no need to assign any users or permissions to this group.
# In Security>Token, turn on the dependency ((Token Access)) feature.
# In Security>General Security, turn on HTTP Basic Authentication. This is needed to allow the Main Tiki to connect to this Sub-Tiki.
# In Login>Remote Tiki Autologin, turn on the Autologin feature and specify the user and group created above.
 
!!!! ''Optional''
# Specify the ((groups)) from the remote Tiki that are allowed to autologin here (comma-separated list). If nothing is specified, all registered users in the other Tiki can autologin here.
# Specify the ((groups)) memberships that will be synced with the Tiki from which users are autologging in (comma-separated list).
# Specify that you want to redirect users that attempt to log in to the Sub-Tiki directly back to the Main Tiki so that they may log in there. The page that you redirect the users back to should be the ((wiki page)) which contains the PluginRedirect in the Main Tiki (this is covered in "On the Main Tiki").
# Set up user tracker field synchronization (more info below).

!!! On the Main Tiki
# Set up ((Content Authentication)) at tiki-admin_dsn.php (more info below).
# Set up a ((wiki page)) with a ((PluginRedirect)) on it and use the ''autologin_remotetiki'' parameter to specify the Tiki base URL, e.g. "https://othertiki.com/". You can also set the ''page'' parameter if you wish to redirect users to a particular page in the Sub-Tiki. After doing this, you can create a link or button (linking to this page) for users to click on to initiate the autologin process.

!! SSL is strongly recommended
It is very strongly recommended to use SSL encryption (i.e. HTTPS) for both servers, and also for the server-side backend connection between the two servers, as secure tokens are being transmitted.

!! System username and password
This is the user account used to connect server-side from the Tiki where users are autologging in from to the Tiki where they are autologging in to. The server-side exchange retrieves a short-lived single-use token URL, to which the user is then redirected to log in automatically.

!! System group 
This is a group that is used to identify the validity of the token that users present upon autologging in. There should be no actual users placed in this group and this group should *not* inherit any permissions from any groups, i.e. it should simply have the basic Registered level of permissions.

!! Groups syncing
The list of groups set here will be synced when users auto-login from the remote Tiki. For example, if you specify "Group A, Group B", and the user in the other Tiki is in only Group A but not Group B, when the user auto-logs in here, they will be placed in Group A and removed from Group B.

!! User creation
Unless this preference is disabled, users that are attempting to autologin will have a new account created automatically if their user account does not exist. The password is set to a random password.

!! Setting up Content Authentication

((Content Authentication)) needs to be set up on the Tiki where you are connecting from. For example, enable HTTP Basic Auth on the Tiki that users are autologging into, and on the Tiki that users are autologging in from set it up as follows:

{img type="fileId" fileId="1251" thumb="box"}

or alternatively 

{img type="fileId" fileId="1250" thumb="box"}

!! Setting up User Tracker Field Synchronization
When auto-logging in a user, you may want to also pass some fields from the Main Tiki's User Tracker to the Sub-Tiki. 

To do this, in Login > Remote Tiki Autologin:
# Check User Tracker Sync
# Identify the permName of the "User" field in the User tracker. 
# Identify the fields that you want to pass from the Main Tiki to the Sub-Tiki in a comma-separated list. If the fields do not have the same permName, you can translate them with =>.
*Ex: 'firstname,lastname,title,city=>location' would pass the firstname, lastname, and title from the Main Tiki to the Sub-Tiki. Then it would pass the "city" field of the Main Tiki into the "location" field of the Sub-Tiki.
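
The following added example (not Tiki's own code) shows how a field list like the one above resolves into a Main Tiki to Sub-Tiki mapping, and that fields left out of the list are not carried over. The function names and the permName character set are assumptions made for this illustration.

```php
<?php
declare(strict_types=1);
/** Parse 'firstname,city=>location' into [Main Tiki permName => Sub-Tiki permName]. */
function parse_field_map(string $spec): array
{
    $map = [];
    foreach (explode(',', $spec) as $entry) {
        $entry = trim($entry);
        if ($entry === '') {
            continue; // tolerate a trailing comma or blank entry
        }
        // 'city=>location' translates the name; a bare name maps to itself.
        $parts = array_map('trim', explode('=>', $entry));
        if (count($parts) > 2) {
            throw new InvalidArgumentException("More than one '=>' in '$entry'");
        }
        $source = $parts[0];
        $target = $parts[1] ?? $source;
        foreach ([$source, $target] as $name) {
            // Assumption: permNames consist of letters, digits and underscores.
            if (!preg_match('/^[A-Za-z0-9_]+$/', $name)) {
                throw new InvalidArgumentException("Bad permName in '$entry'");
            }
        }
        if (in_array($target, $map, true)) {
            throw new InvalidArgumentException("Two fields map to '$target'");
        }
        $map[$source] = $target;
    }
    return $map;
}

/** Build the Sub-Tiki field values; only fields named in the map are copied. */
function map_user_fields(array $mainFields, array $map): array
{
    $out = [];
    foreach ($map as $source => $target) {
        if (array_key_exists($source, $mainFields)) {
            $out[$target] = $mainFields[$source];
        }
    }
    return $out;
}

// Constructed sample record; 'phone' is not listed, so it is not carried over.
$main = ['firstname' => 'Ada', 'lastname' => 'Lovelace', 'title' => 'Dr',
         'city' => 'London', 'phone' => '555-0100'];
$map = parse_field_map('firstname,lastname,title,city=>location');
var_export(map_user_fields($main, $map));
```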

!! Example Remote Tiki Autologin Page
{img src="display1253" link="display1253" width="400" rel="box[g]" imalign="center" desc="Click to expand" align="center" styleimage="border"}

!! User information
!!! What is synced
Right now, the real name and email are synced from the Tiki from which users are autologging in. The feature could be expanded in future to sync other user information as well.

!!! User Tracker Synchronization
User Tracker Synchronization is not part of this feature. However, you can use ((Tracker Synchronization)).

!!! Links to user profiles etc
In the future, there should be an option(s) to automatically convert links to things such as User Profile pages to point back to the Tiki from which users are autologging in.

Note to developers:  This should be achievable by checking if the feature is active and changing links to use  ~np~$_SESSION['autologin_baseurl']~/np~ if activated. This session variable is set as part of the token exchange autologging process. You cannot simply use a hardcoded domain as the domain might not be exactly the same depending on where the user logged in from, e.g. othertiki.com and www.othertiki.com would be different and the user is typically not logged on to both simultaneously.
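
One way the check described in the note to developers could look, as an added sketch that is not Tiki code. Only the ~np~$_SESSION['autologin_baseurl']~/np~ key comes from this page; the function names, the $featureActive flag, the local base URL and the profile path are hypothetical.

```php
<?php
declare(strict_types=1);

/**
 * Choose the base URL for user-profile links.
 * $featureActive and $localBase are hypothetical inputs standing in for
 * the feature preference and this site's own base URL.
 */
function profile_base_url(bool $featureActive, array $session, string $localBase): string
{
    $remote = $session['autologin_baseurl'] ?? null;
    if (!$featureActive || !is_string($remote)) {
        return $localBase; // feature off, or the user did not autologin
    }
    $parts = parse_url($remote);
    // Accept only an absolute http(s) URL with a host; otherwise fall back.
    if ($parts === false || empty($parts['host'])
        || !in_array(strtolower($parts['scheme'] ?? ''), ['http', 'https'], true)) {
        return $localBase;
    }
    return rtrim($remote, '/') . '/';
}

function profile_link(string $base, string $user): string
{
    // 'profile.php?user=' is a placeholder path, not a real Tiki script.
    $url = $base . 'profile.php?user=' . rawurlencode($user);
    return htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
}

// Constructed sessions: the same user arriving from each of the two domains.
foreach (['https://othertiki.com/', 'https://www.othertiki.com'] as $from) {
    $base = profile_base_url(true, ['autologin_baseurl' => $from], 'https://sub.example/');
    echo profile_link($base, 'jane doe'), "\n";
}
// No session value set: the link stays on the local site.
echo profile_link(profile_base_url(true, [], 'https://sub.example/'), 'jane doe'), "\n";
```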