The background: We (currently) have 2000 domain names pointed at a single IP. Drupal inherently has the ability to use multisite, but for our particular Drupal 7 install we use a module named Domain Access to delegate sites. The gist is though that Domain Access will not allow cross site logins, but yeah, we would like our editors to log in once, and have access to all sites.
The question: Has anyone made any headway with coming up with a single sign on solution with Domain Access to date for Drupal 7? I've been looking closely at two old modules, one no longer maintained (SSO for D6) and one still maintained (CAS). I'm worried about using CAS; I am not sure if it will work the way I intend it, since Domain Access seems to change quite a bit of Drupal(ly) stuff.
We could potentially use a Facebook, OpenID, or Twitter option, but I think not being able to offer visitors or customers a unique ID across a network of sites is, to me, a big loss of identity and privacy.
Are there any solutions that are known to date, or information on what to start looking into? Has anyone in the Drupal community managed to make a solution that I have not been able to find? The only possibility that I've found was this thread on Domain Access SSO [http://bleen.net/blog/domain-access-sso] but I am uncertain as to what version it pertains to (Drupal, DA, SSO or otherwise). I tried contacting the author multiple times but never received a response. It looks like the "Solution" was to create a master table set with users and permissions, then share those across the domains. Unfortunately (again) SSO on Drupal 7 is not an option.
Any opinions out there on the who, what or why would be greatly appreciated. I honestly just need a start point to get the ball rolling. Thanks everyone.

Comments
BrowserID?
Could you use BrowserID? That might make it seamless.
Stay signed in from site to site?
If these are sub domains then no problem. With the proper configuration, users can stay signed on from the main site and across sub domains. The problem here lies in browser security. All browsers will not allow cookies to be shared between top level domains to guard against cross site scripting. You can still use domain access to allow users to use one sign on between top level domain sites. They will just have to sign on to each site separately. There is some additional configuration needed if you intend to use both top level and sub domains in your session handling. I posted some instructions to the documentation here: http://drupal.org/node/1348784.
I have a site that does just that and then some. I managed to use multi-site with domain access on a couple sites as well as organic groups. Site maintenance is real easy now. I did have to move them from Windows to Linux hosting to enable wildcard sub domains. The only way to do this in Windows is to point a dedicated IP at a single installation and change the bindings. Definitely not ideal.
MrPhilbert
Sorry So Late
If this is still an issue, I'm one of the cas module maintainers and live on Olympia. I'd be willing to help you understand whether CAS will work for your use case. Send me a message via contact form and I'll get back to you.
Single Sign On functionality using CAS module in Drupal 7
Hi,
I am looking for how to do Single Sign On functionality using the CAS module in Drupal 7. I went through the steps that I found on the forums and online, and this is what I did so far:
Drupal 7 - Install CAS Module
Install CAS PHP Dependency
Configure the Drupal 7 CAS Module
Not sure what to do after that. Wondering what needs to be done. Could you please advise?
Thanks in advance,
chandra.
Any updates?
Any updates?
Exploit cross-site images
We're at the moment trying to solve a similar problem:
The users of our family of different top-level-domains, want a transparent transfer when they follow a link from e.g. http://source.com/nice-link-collection to http://target.com/some-article. They dislike to present their username/password again. We don't want to serve the same content under all domains, but each content under a corresponding domain.
Premise: the server is the same, actually it is even the same site under the same Drupal7 installation. Well, that's the idea of Domain Access anyway.
Problem: the browser won't transfer the session cookie over to the next top-level-domain, for obvious security reasons. And we assume that browsers may not accept a site's cookie under another domain name than the requested URL.
Solution: have the browser make a request on all target domains in advance, with a one-time-login token. Make the browser receive a session cookie for each target domain before the user will actually click on a link to go there.
For simplicity, let's assume only two sites were involved, one source domain that will contain a page with a link to some page on the target domain.
We include some small image on any page of the source site that points to a special location on the target (<img src="http://target.com/sneak_login/$user->uid/$token" />). The request to the image file is specialized with a one-time authentication token and intercepted by a PHP script.
This script validates the token, logs the user in at the target site and serves a success-graphic together with a session cookie for the target domain.
Of course, if the validation fails, only a denial-graphic is sent and no valid session.
On a click to logout, all corresponding sessions have to be killed, thus the user will be logged out of every domain in this family.
This is merely a sketch, but our experiments are quite promising.
Disadvantage 1: browsers might only load images coming from the same domain. We assume that users of such browser configurations just want the added security and don't mind to log in to all sites separately. Still, they can get the logout-everywhere functionality.
Disadvantage 2: scalability is an issue, if there are many (hundreds) of domains involved, because every page access triggers a request to every domain in the family. Doing this only on one special source site might be a solution. Pruning if there is already a decent corresponding session per target site might be another.
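One way the token check behind the /sneak_login/$user->uid/$token request sketched above could look, as an added example that is not part of the original comment or of any Drupal module. The names issue_token, validate_token, SECRET, TTL and the in-memory $used array are hypothetical; plain PHP 7.1+ is assumed, and a real site would keep the nonces in a table shared by all domains.

```php
<?php
// Added example: HMAC-signed, single-use, short-lived login token.
// SECRET, TTL and $used are assumptions made for this sketch.
const SECRET = 'constructed-demo-key';  // real key: server-side config only
const TTL = 30;                          // seconds a token stays valid
function issue_token(int $uid, string $target_host, int $now): string {
    $expires = $now + TTL;
    $nonce = bin2hex(random_bytes(16));
    // Bind the MAC to the user AND the one domain the token is meant for.
    $mac = hash_hmac('sha256', "$uid|$target_host|$expires|$nonce", SECRET);
    return "$expires.$nonce.$mac";
}

function validate_token(int $uid, string $request_host, string $token,
                        int $now, array &$used): bool {
    $parts = explode('.', $token);
    if (count($parts) !== 3) {
        return false;
    }
    [$expires, $nonce, $mac] = $parts;
    if (!ctype_digit($expires) || !ctype_xdigit($nonce)) {
        return false;
    }
    $expected = hash_hmac('sha256', "$uid|$request_host|$expires|$nonce", SECRET);
    if (!hash_equals($expected, $mac)) {
        return false;                    // forged, or issued for another uid/host
    }
    if ((int) $expires < $now || isset($used[$nonce])) {
        return false;                    // expired or already redeemed
    }
    $used[$nonce] = (int) $expires;      // burn the nonce: one login per token
    return true;
}

// Constructed walk-through; $used stands in for a shared nonce table.
$used = [];
$now = 1700000000;
$token = issue_token(42, 'target.com', $now);
$checks = [
    'wrong domain' => validate_token(42, 'other.com', $token, $now + 1, $used),
    'wrong uid'    => validate_token(7, 'target.com', $token, $now + 1, $used),
    'first use'    => validate_token(42, 'target.com', $token, $now + 2, $used),
    'replay'       => validate_token(42, 'target.com', $token, $now + 3, $used),
    'expired'      => validate_token(42, 'target.com',
                          issue_token(42, 'target.com', $now), $now + TTL + 1, $used),
];
foreach ($checks as $label => $ok) {
    echo str_pad($label, 14), $ok ? "accepted\n" : "rejected\n";
}
```

Because the token travels in an image URL, it ends up in access logs and possibly Referer headers, which is why the short lifetime and the single-use nonce carry the weight here. Serving the image over HTTPS keeps the token and the resulting session cookie off the wire in clear text.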
I disabled domain source
Well, I solved my similar problem by disabling the Domain Source module.
I just installed the Domain module on my localhost. And as admin I was able to create nodes for all my associated domains.
But when I was trying to edit nodes of a different domain (other than the domain I logged in to), all I got was access denied, because "Domain Source" was redirecting me to that domain and there I needed to log in again.
I did a little trial and error, and "Domain Source" was the culprit.
Solved for me
Thanks ash.smarty.
I had a similar problem where I was unable to edit content from other domains until I logged in at the other domains.
After searching for a way to create a rule where I would automatically log in to all the domains, I used your solution of disabling the "Domain Source" submodule.
Now I can edit the other content even when only logged in to my main domain.