I am working on a dashboard type website. We have a login page implemented in php that authenticates against an LDAP server. We also have a Check_MK page that has its own login dialog that authenticates against the same LDAP server. I would like for the user to not have to re-enter their credentials into the Check_MK login dialog. I would prefer that the credentials entered into our php login page be passed on to Check_MK so that authentication can be done without user interaction. Is this possible? If so, how do I do it?
Edit: for those who marked this as too broad, please explain.
I was able to get automatic login with check_MK by passing the username and password in via the url as described on this website: http://stichl.at/2014/04/check_mk-multisite-auto-login/
I don't think that this will be a viable option for me though, as it seems to be insecure, as is detailed in this question: "Is it secure to pass login credentials as plain text in an HTTPS URL?"
Although open source, I am unable to modify the checkMK login.py file due to its GNU license. Besides passing the credentials via the URL in plain text, how can I use credentials provided to my php login page to automatically log into the check_MK page?
Below is the php/html code where I open up the Check_MK login screen.
<script type="text/javascript">
var version = global.dashboard_version;
console.log("version = " + version);
var url = global.ips[version+"_nagios_iframe"];
var suffix = <?php echo "'".
'&_username='.
$_SESSION['username'].
'&_password='.
$_SESSION['password'].
"&_login=1'";?>;
console.log("suffix = "+suffix);
url = url + suffix;
console.log("url = "+url);
document.getElementById("nagiosiframe").src = url;
</script>
The Check_MK login code can be found here: https://github.com/sileht/check_mk/blob/master/web/htdocs/login.py
The relevant function is called do_login and is on line 147.
Specifically, I don't know how to communicate the values of my session variables (username and password) to the login.py code in a secure fashion.
This is my first exposure to any of these languages and technologies. Even search term suggestions would be appreciated.
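The auto-login URL in the question carries `_username` and `_password` in the query string, so both values are written wherever URLs get recorded, such as web server access logs and Referer headers. The following Python script is an added example (not part of the original post and not Check_MK code) that scans access-log lines for those two parameters and reports them with the values redacted; it assumes the Combined Log Format, and the log lines, host names and paths are constructed samples.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query parameters used by the auto-login URL shown in the question.
SENSITIVE = {"_username", "_password"}

# Combined Log Format (assumed): "METHOD target PROTO" status size "referer" ...
LOG_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" \d{3} \S+ "(?P<referer>[^"]*)"'
)

def redact(url):
    """Return (url_with_sensitive_values_replaced, sorted_names_found)."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    found = sorted({k for k, _ in pairs if k in SENSITIVE})
    if not found:
        return url, found
    clean = [(k, "REDACTED" if k in SENSITIVE else v) for k, v in pairs]
    return urlunsplit(parts._replace(query=urlencode(clean))), found

def scan(lines):
    """Return (line_no, field, params, redacted_url) for every logged credential."""
    hits = []
    for no, line in enumerate(lines, 1):
        m = LOG_RE.search(line)
        if not m:
            continue
        # The request target and the Referer header can both carry the URL.
        for field in ("target", "referer"):
            url, found = redact(m.group(field))
            if found:
                hits.append((no, field, found, url))
    return hits

# Constructed sample lines, not real traffic; hosts and paths are placeholders.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /site/check_mk/login.py?_username=jdoe&_password=S3cret%21&_login=1 HTTP/1.1" 302 - "https://dashboard.example/main.php" "Mozilla/5.0"',
    '192.0.2.10 - - [01/Jan/2024:10:00:01 +0000] "GET /site/check_mk/index.py HTTP/1.1" 200 5120 "https://monitor.example/site/check_mk/login.py?_username=jdoe&_password=S3cret%21&_login=1" "Mozilla/5.0"',
    '192.0.2.11 - - [01/Jan/2024:10:00:05 +0000] "GET /site/check_mk/view.py?view_name=allhosts HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for no, field, params, url in scan(SAMPLE_LOG):
        print(f"line {no}: {field} carries {params}: {url}")
```

Any hit means the password was stored in clear text in that log, so the affected account's password should be changed and the log's access controls reviewed.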
Justin,
Since you are not able to modify the code for the check_mk page, you must pass the credentials to it. If this restriction was not there, then there are numerous secure ways of doing this.
Now with this restriction, this is an option that I have used in the past and could work for you.
Step 1. In your PHP code, you have access to the original password... (keep it safely stored)
Step 2. Within a transaction (all or none), perform the following:
a. Set the password in the LDAP for that particular user to a random password that you just now generated
b. Pass that password into that check_mk page
c. As soon as authentication is complete, from your PHP page, set the LDAP password back to the original one.
This way you will not be passing the real password and will be accomplishing single sign on between your php and the check_mk page as well.
If you can modify the check_mk, I would have given you other answers. Let me know if this works.