Sympa

Presentation

Sympa is a mailing list manager.

There are two ways to configure SSO with Sympa:

Auto login: a special LL::NG Handler will generate Sympa cookie (for Sympa 5 only !)
Magic authentication: a special SSO URL is protected by LL::NG, Sympa will display a button for users who wants to use this feature.

How to choose? Here are some advices:

Auto login is very secure for Sympa 5, as Sympa cookie is only exchanged between LL::NG Handler and Sympa (user cannot see it)
Magic authentication allows to mix standard Sympa authentication and SSO

Configuration

Choose one of the following method:

Auto login

Sympa virtual host in Apache

Configure Sympa virtual host like other protected virtual host but use Sympa Handler instead of default Handler.

<VirtualHost *:80>
       ServerName sympa.example.com
 
       # Load Sympa Handler
       PerlRequire Lemonldap/NG/Handler/Specific/SympaAutoLogin.pm
       PerlHeaderParserHandler Lemonldap::NG::Handler::Specific::SympaAutoLogin
 
       ...
 
</VirtualHost>

Sympa virtual host in Manager

Go to the Manager and create a new virtual host for Sympa.

Just configure the access rules.

Sympa Handler parameters

Go in Manager, Default parameters » Advanced parameters » Special handlers » Sympa, and edit the different keys:

Shared key: correspond to the cookie parameter of sympa.conf
Mail session key: session field where to find user mail (by default: mail)

Magic authentication

Sympa configuration

Edit the file “auth.conf”, for example:

vi /etc/sympa/auth.conf

And fill it:

generic_sso
        service_name                   Centralized auth service
        service_id                          lemonldapng
        email_http_header            HTTP_MAIL
        netid_http_header             HTTP_AUTH_USER
        internal_email_by_netid    1
        logout_url                          http://sympa.example.com/wws/logout

You can also disable internal Sympa authentication to keep only LemonLDAP::NG by removing user_table paragraph

Note that if you use FastCGI, you must restart Apache to enable changes.

You can also use <portal>?logout=1 as logout_url to remove LemonLDAP::NG session when “disconnect” is chosen.

Sympa virtual host in Apache

Configure Sympa virtual host like other protected virtual host but protect only magic authentication URL.

<VirtualHost *:80>
       ServerName sympa.example.com
 
       <Location /wws/sso_login/lemonldapng>
       PerlHeaderParserHandler Lemonldap::NG::Handler
       </Location>
 
       ...
 
</VirtualHost>

The location URL end is based on the service_id defined in Sympa apache configuration.

Sympa virtual host in Manager

Go to the Manager and create a new virtual host for Sympa.

Configure the access rules and define the following headers:

Auth-User
Mail