Categories
SSO/Authentication

Quick and dirty PlaySMS LDAP auth

PlaySMS is some awesome Open Source SMS software, but it lacks a couple of features for our use case, one of which was some form of centralised auth. Ultimately I’d like to write a proper plugin to allow SAML auth so we can front this with AzureAD, but for now, as it’s on premise anyway, we’ll have to make do with this bodgey LDAP integration.

Bear in mind that with this in place you’ll no longer be able to log in with any internal PlaySMS credentials, so make sure you create a user that matches your LDAP username and grant it admin permission before you apply this modification. It would of course be a trivial change to make this try to authenticate via the DB and then fall back to LDAP, or vice versa, if that’s what you’d prefer.

Anyway, open up plugins/core/auth/fn.php and replace

$db_query = "SELECT password,salt FROM " . _DB_PREF_ . "_tblUser WHERE flag_deleted='0' AND username='$username'";
$db_result = dba_query($db_query);
$db_row = dba_fetch_array($db_result);
$res_password = trim($db_row['password']);
$res_salt = trim($db_row['salt']);
$password = md5($password . $res_salt);
if ($password && $res_password && ($password == $res_password)) {

with

$ldapserver = "ldaps://ldapservername";
$ldap = ldap_connect($ldapserver);
// AD rejects LDAPv2 binds and libldap may default to v2, so set v3 before binding
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
// An empty password turns ldap_bind() into an anonymous bind that many directories accept, so require one
$bind = ($password !== '') && @ldap_bind($ldap, $username . "@domainname.tld", $password);
if ($bind) {

Told you it was quick and dirty, but it works. Obviously you’ll need to ensure that you create users within PlaySMS that match the users in LDAP; we’re currently shoving these directly into the MySQL database.

You’ll also need to install the PHP LDAP extension.
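Added example, not code from the post or from PlaySMS: the same LDAP bind wrapped in a function with the checks the bare call lacks (an empty-password guard, username validation, LDAPv3 and a connection timeout), plus the database-first, LDAP-fallback ordering mentioned above so the bootstrap admin keeps working. The server name, UPN suffix and username pattern are assumptions; _DB_PREF_, dba_query() and dba_fetch_array() are the PlaySMS helpers used in the snippet that was replaced.

```php
<?php
// Added example, not code from the post or from PlaySMS. Wraps ldap_bind() in a
// function with the checks the bare call skips, and shows "try the PlaySMS database
// first, then fall back to LDAP". Assumptions: the LDAPS host and UPN suffix below,
// and PlaySMS's own _DB_PREF_, dba_query() and dba_fetch_array() being in scope
// (they are inside plugins/core/auth/fn.php).

const LDAP_URI        = 'ldaps://ldapservername';  // assumption: your directory server
const LDAP_UPN_SUFFIX = '@domainname.tld';         // assumption: your users' UPN suffix

// Only accept what a sAMAccountName can contain, so nothing odd is appended to the
// UPN or interpolated into the SQL below (assumed pattern; adjust to your naming).
function valid_username(string $username): bool
{
    return (bool) preg_match('/^[A-Za-z0-9._-]{1,64}$/', $username);
}

function ldap_auth(string $username, string $password): bool
{
    // An empty password makes ldap_bind() an anonymous (unauthenticated) bind,
    // which many directories accept, so refuse it before touching the server.
    if ($password === '' || !valid_username($username)) {
        return false;
    }
    $ldap = ldap_connect(LDAP_URI);
    if ($ldap === false) {
        return false;
    }
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3); // AD rejects LDAPv2 binds
    ldap_set_option($ldap, LDAP_OPT_NETWORK_TIMEOUT, 5);  // don't hang the login page if the DC is down
    // Certificate checking for ldaps:// is governed by libldap's TLS_REQCERT
    // (default: demand); leave that default alone rather than relaxing it in ldap.conf.
    $ok = @ldap_bind($ldap, $username . LDAP_UPN_SUFFIX, $password);
    if (!$ok) {
        error_log('LDAP auth failed for ' . $username . ': ' . ldap_error($ldap));
    }
    ldap_unbind($ldap);
    return $ok;
}

// The post's original database check, with hash_equals() in place of == and a
// guard for a missing row.
function db_auth(string $username, string $password): bool
{
    if ($password === '' || !valid_username($username)) {
        return false;
    }
    $db_query = "SELECT password,salt FROM " . _DB_PREF_ . "_tblUser WHERE flag_deleted='0' AND username='$username'";
    $db_row = dba_fetch_array(dba_query($db_query));
    if (!$db_row || empty($db_row['password'])) {
        return false;
    }
    $hashed = md5($password . trim($db_row['salt']));
    return hash_equals(trim($db_row['password']), $hashed);
}

// Local PlaySMS accounts (e.g. the bootstrap admin) still work; everyone else goes to LDAP.
function auth_user(string $username, string $password): bool
{
    return db_auth($username, $password) || ldap_auth($username, $password);
}

// In fn.php the original "if (...) {" then becomes:
//     if (auth_user($username, $password)) {
```

Swap the order of the two calls in auth_user() if you want LDAP tried first; either way a failed bind is logged with the directory's error string, which is usually enough to tell a bad password from a certificate or connectivity problem.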


Mist AzureAD SAML configuration

Log in to your Azure portal and go to Azure Active Directory -> Enterprise Applications -> New Application. Click “Non-Gallery Application”, enter whatever name you wish to use for the application, e.g. “Mist”, then Add. Go to the new application, click “Single Sign-On” and select “SAML”. Copy the “AzureAD Identifier” from section 4.

Click on the pencil icon next to SAML Signing Certificate and set “Signing option” to “Sign SAML response and assertion”

Download “Certificate (Base64)”

Log in to https://manage.mist.com and go to Organisation -> Settings. Under Single Sign-On click “Add IDP”. Enter a name such as “AzureAD” and complete the fields as per the table below. For the certificate, open the “Certificate (Base64)” file that you downloaded from your Azure app in a text editor, copy the entire content of the file and paste it into the “Certificate” box.

The rest of the fields can be copied and pasted from your Azure app as follows:

Mist field            Azure field
SSO URL               Login URL
Custom Logout URL     Logout URL
Issuer                AzureAD Identifier
Certificate           Content of downloaded “Certificate (Base64)”

Next, we need to complete the configuration of Azure. You can do this manually, but it is easier to download your metadata file from Mist and upload it to Azure.

The URL for https://manage.mist.com contains your organisation ID, i.e. https://manage.mist.com/admin/?org_id={orgid}. Copy your orgid from this link and go to https://api.mist.com/api/v1/orgs/{orgid}/ssos. You’ll see a JSON object returned; one of the elements will be “id”: “{ssoid}”. Copy your ssoid from this and go to https://api.mist.com/api/v1/orgs/{orgid}/ssos/{ssoid}/metadata.xml, which will give you your metadata.xml file. Save this somewhere.

Go to your AzureAD application -> Single Sign-On -> SAML -> Upload metadata file and select the metadata.xml you downloaded.
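If you’d rather complete the Azure side by hand, the values it asks for are all in that metadata.xml. The following is an added example (not from the post, nor Mist’s or Microsoft’s code) that reads a SAML 2.0 SP metadata document and prints the Identifier, Reply URL and Logout URL Azure wants, and flags an ACS endpoint that isn’t https or an SP that doesn’t declare it wants signed assertions. The XML inside it is a constructed sample with placeholder URLs, not real Mist metadata; to check your own file, pass its contents to parse_sp_metadata() instead.

```php
<?php
// Added example (not from the post; not Mist's or Microsoft's code): parse a SAML 2.0
// SP metadata.xml, such as the one served at .../ssos/{ssoid}/metadata.xml, and pull out
// the values Azure's "Basic SAML Configuration" asks for. The XML below is a constructed
// sample with placeholder URLs, not real Mist metadata.

const SAML_MD_NS = 'urn:oasis:names:tc:SAML:2.0:metadata';

function parse_sp_metadata(string $xml): array
{
    $doc = new DOMDocument();
    // LIBXML_NONET stops the parser fetching anything over the network (DTDs, external entities)
    if (!$doc->loadXML($xml, LIBXML_NONET)) {
        throw new RuntimeException('metadata is not well-formed XML');
    }
    $xp = new DOMXPath($doc);
    $xp->registerNamespace('md', SAML_MD_NS);

    $entity = $xp->query('/md:EntityDescriptor')->item(0);
    $sp     = $xp->query('/md:EntityDescriptor/md:SPSSODescriptor')->item(0);
    if ($entity === null || $sp === null) {
        throw new RuntimeException('not SAML SP metadata (no EntityDescriptor/SPSSODescriptor)');
    }

    $acs = [];
    foreach ($xp->query('md:AssertionConsumerService', $sp) as $node) {
        $acs[] = [
            'index'    => (int) $node->getAttribute('index'),
            'binding'  => $node->getAttribute('Binding'),
            'location' => $node->getAttribute('Location'),
            'default'  => $node->getAttribute('isDefault') === 'true',
        ];
    }
    $slo = [];
    foreach ($xp->query('md:SingleLogoutService', $sp) as $node) {
        $slo[] = $node->getAttribute('Location');
    }

    return [
        'entity_id'              => $entity->getAttribute('entityID'), // Azure: Identifier (Entity ID)
        'acs'                    => $acs,                               // Azure: Reply URL
        'slo'                    => $slo,                               // Azure: Logout URL
        'want_assertions_signed' => $sp->getAttribute('WantAssertionsSigned') === 'true',
    ];
}

// Things worth refusing to configure: an assertion consumer that isn't TLS, or an SP
// that doesn't ask for signed assertions at all.
function check_sp_metadata(array $md): array
{
    $problems = [];
    foreach ($md['acs'] as $a) {
        if (parse_url($a['location'], PHP_URL_SCHEME) !== 'https') {
            $problems[] = 'ACS ' . $a['location'] . ' is not https';
        }
    }
    if (!$md['want_assertions_signed']) {
        $problems[] = 'SP metadata does not declare WantAssertionsSigned; keep "Sign SAML response and assertion" set on the Azure side';
    }
    return $problems;
}

// Constructed sample; the sp.example.invalid URLs and PLACEHOLDER-SSO-ID are not real values.
$sample = <<<'XML'
<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://sp.example.invalid/saml/PLACEHOLDER-SSO-ID">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sp.example.invalid/saml/PLACEHOLDER-SSO-ID/login" index="0" isDefault="true"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://sp.example.invalid/saml/PLACEHOLDER-SSO-ID/logout"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
XML;

$md = parse_sp_metadata($sample);
printf("Identifier (Entity ID): %s\n", $md['entity_id']);
foreach ($md['acs'] as $a) {
    printf("Reply URL [%d%s]: %s\n", $a['index'], $a['default'] ? ', default' : '', $a['location']);
}
foreach ($md['slo'] as $u) {
    printf("Logout URL: %s\n", $u);
}
foreach (check_sp_metadata($md) as $p) {
    echo "WARNING: $p\n";
}
```

The XPath queries are namespace-qualified on purpose: metadata from different products uses different prefixes (md:, or none at all with a default namespace), and matching on the namespace URI rather than the prefix keeps the parser working for all of them.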

You now have SAML set up between AzureAD and Mist, but you can’t login as you’re not currently passing a “Role” attribute.

Firstly, log into Mist -> Organization -> Settings. Under “Single Sign-on” click Create Role. For “Name” enter a sensible value for each role that you wish to set up.

It probably makes most sense to use AzureAD group memberships for this. There are several ways to do this, but we do it like this.

Go back to your Azure Mist app -> Single Sign-on. Click the pencil button next to “User Attributes & Claims”, then “Add a new claim”. Enter the name as “Role”, the source as Attribute, and then enter “None” in “Source attribute”. This ensures that people who aren’t in the correct groups get a role of “None”, which prevents them from logging in.

Expand “Claim conditions” then in the “User type” dropdown select “Members”. Click “Select groups” and select the relevant group. For “Source” select Attribute and for “Value” type in the Mist role name you wish to assign to users that are members of this group. Continue to add groups for your desired roles.

In your Azure Mist app you’ll need to grant access to users at “Users and Groups”. Add the relevant groups to allow access. Users will see Mist in the Office 365 launcher under


Workrite quick and dirty user creation from AD when you already have SSO

This is ugly, but it’ll get you started; there are definitely better ways. User creation script for https://www.workrite.co.uk:

# Force TLS 1.2 for the HTTPS calls below (older .NET defaults to SSL3/TLS 1.0)
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12

# Workrite credentials. CreateUserIncEmployeeId takes these in the query string of a GET,
# so they end up in proxy and web-server logs; treat this script and its output accordingly.
$Workriteuser = "{workrite username}"
$WorkritePW   = "{workrite password}"
$WorkriteID   = "{workrite ID}"

# OUs to enumerate for users
$BaseOUS = "OU=SomeOU,DC=domainname,DC=co,DC=uk", "OU=SomeOtherOU,DC=domainname,DC=co,DC=uk"

# URL-encode a query-string value so names with spaces, apostrophes or accents (and a
# password containing '&') arrive intact instead of being stripped or breaking the URL
function Encode([string]$s) { [System.Uri]::EscapeDataString($s) }

$BaseOUS | ForEach-Object {

    Get-ADUser -Properties mail,employeenumber -SearchBase $_ -Filter {enabled -eq "True" -and emailaddress -like "*@domainname.co.uk"} -ResultSetSize 10000 | ForEach-Object {

        $mailaddress = $_.mail
        $firstname   = $_.givenname
        $surname     = $_.surname
        $employeeid  = $_.employeenumber

        $url = "https://app.workrite.co.uk/services/wr_service.asmx/CreateUserIncEmployeeId" +
               "?coWsId=$(Encode $WorkriteID)&coLogin=$(Encode $Workriteuser)&coPassword=$(Encode $WorkritePW)" +
               "&emailAddress=$(Encode $mailaddress)&firstName=$(Encode $firstname)&surname=$(Encode $surname)" +
               "&role=Student&facilitator=false&places=WholeCollege,Member&employeeId=$(Encode $employeeid)&templateName="

        # Parse the response body as XML (the service answers with a single <int> element)
        [xml]$output = (Invoke-WebRequest -Uri $url -UseBasicParsing).Content

        # API response 13: duplicate username
        if ($output.int.'#text' -eq "13") {
            Write-Host "User $mailaddress already exists"
        }
        # API response 0: success
        elseif ($output.int.'#text' -eq "0") {
            Write-Host "User $mailaddress successfully created"
        }
        else {
            Write-Host "User ${mailaddress}: unexpected response $($output.OuterXml)"
        }
    }
}