Create a secure intranet/extranet with TikiWiki and SecurePass

Cloud is a buzzword and it seems to be hot these days, but at the end of the day it is nothing more than hosting or housing part or all of a company’s IT services.

But the world of IT has changed, and this is a fact. Laptops first, then netbooks and consumer devices (the iPhone and iPad above all) have also impacted the traditional corporate environment, which is more and more roaming; the office itself is now just a place where you can get Internet access and meet colleagues.
Large companies will surely benefit from this change, but I think small and medium companies can benefit even more, especially through savings on workplaces and on IT itself: for them IT is just a cost and nothing more.

In this market segment there is still a need for a secure corporate intranet to exchange private information and files. Collaborative tools such as wikis are a perfect way to achieve this quickly without spending a fortune. I found TikiWiki (http://www.tiki.org/) to suit these environments best: while it is extremely easy for end users thanks to the WYSIWYG editor, its rich permission system lets you control access to each page, or even show or hide parts of a page for a given group of users, which is unique compared to other solutions.

Choosing a web hosting platform you trust is essential, because you don’t want your data to be stolen. But there is another key part to take into consideration, i.e. user access: you don’t want someone else to steal your identity and use it to access your confidential data. One Time Passwords (OTPs) are the perfect solution, but they are very costly for small and medium businesses; OTPs also need additional funding to set up and maintain the whole environment, which can be a huge cost for SMBs. SecurePass is an on-line solution that is both easy to set up and less expensive than a traditional OTP architecture. SecurePass is an identity management system in the cloud, provided as SaaS (Software as a Service), and is therefore perfect for this kind of application and business.

The implementation was extremely fast and easy, so I decided to write this short how-to explaining how it works.

We will use SecurePass’ CAS interface; although LDAP and PAM can also be used to integrate with SecurePass, CAS gives us a single sign-on experience across all our web applications.

1) If you don’t already have a SecurePass account, open a free one by registering on-line:

http://www.secure-pass.net/open

Use “misec2011” as the promo code; this entitles you to 10 users for 2 years for free.

2) Install and configure a web server with PHP and the extensions TikiWiki requires; the prerequisites are documented at http://doc.tiki.org/Installation

3) Download the TikiWiki package from http://info.tiki.org/Download and install it following the “Installation” documentation linked above. This article was written when the current release was 8.2.

4) Once installed and logged in as “admin”, let’s activate CAS authentication. From Admin home, select “Log In”. Then, in the “General Preferences” tab, set the authentication method to “CAS (Central Authentication Service)” as shown in figure “tikiwiki – general prefs.png”.

In the “CAS” tab, as shown in figure “tikiwiki – cas.png”, check the following options:

  • Create user if not in Tiki
  • Use Tiki authentication for admin login
  • Show Alternate Login Method in Header
  • Force CAS log-out when the user logs out from Tiki

Then specify the following CAS parameters:

  • CAS server version: 1.0
  • CAS Server Name: login.secure-pass.net
  • CAS server port: 443
  • CAS Server Path: /cas

To apply the changes, click on “Change Preferences”.

Basically, this is all you need to set up the whole environment. Easy, isn’t it? However, SecurePass’ CAS interface authenticates every valid SecurePass user, including those not belonging to our organization. As such, we have two options here:

  1. Limit access to each wiki page to the groups that have rights to it. This is perfect if you also want to use the same site as an extranet, allowing external entities (such as partners) to share information with you.
  2. Limit access in the code and have the peace of mind of not having to remember each time who can access your wiki pages. This option can be used only if the wiki is used internally and you know that your users are not really security conscious.

To implement option 2), we have to slightly modify the code so that only our SecurePass domain/realm is allowed into TikiWiki. Modify the library file “lib/userslib.php” at around line 470:

    // if the user wasn't authenticated through CAS, just fail
    elseif (!$userCAS) {
        return array(false, $user, $result);
    }

    // --- BEGIN MODIFICATION ---
    // The user authenticated with SecurePass but the principal is not in our
    // realm: fail. The dot is escaped and the pattern anchored, so a look-alike
    // realm such as "mycompanyXcom" or an extra "@" in the name is not accepted.
    elseif ($userCAS && !preg_match('/^[^@]+@mycompany\.com$/', $user)) {
        return array(false, $user, $result);
    }
    // --- END MODIFICATION ---

    // if the user was authenticated by CAS but not found in Tiki
    elseif ($userCAS && !$userTikiPresent) {

In the example above, only users whose principal belongs to the realm/domain “mycompany.com” are allowed in. Replace it with your own SecurePass domain, escaping any dots in the pattern so that they match literally.
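As an added example (not TikiWiki’s or SecurePass’ own code), the following PHP script runs the how-to’s original domain pattern and a stricter one over constructed CAS principals, showing which look-alike names the original pattern lets through; the realm mycompany.com is the how-to’s placeholder, and belongsToUsWeak/belongsToUs are names chosen here.

```php
<?php
// Added example (not TikiWiki or SecurePass code): compares the how-to's
// original domain check with a stricter one, using constructed CAS usernames.
// "mycompany.com" is the placeholder realm from the how-to; adjust to your own.

// The how-to's original pattern: the unescaped "." matches any character and
// nothing anchors the start, so look-alike realms slip through.
function belongsToUsWeak(string $user): bool
{
    return preg_match('/(.*)@mycompany.com$/', $user) === 1;
}

// Hardened check: one local part with no "@" or whitespace, a literal
// (escaped) realm, and anchors at both ends. The realm comparison is
// case-insensitive because DNS names are, and a CAS server may return the
// principal in a different case than it was registered.
function belongsToUs(string $user, string $realm = 'mycompany.com'): bool
{
    $pattern = '/^[^@\s]+@' . preg_quote($realm, '/') . '$/i';
    return preg_match($pattern, $user) === 1;
}

// Constructed sample principals as a CAS server might return them.
$samples = [
    'alice@mycompany.com',                 // legitimate user
    'Bob@MYCOMPANY.COM',                   // legitimate, different case
    'mallory@mycompanyXcom',               // look-alike realm: "." matched the X
    'mallory@mycompany-com',               // same trick with a hyphen
    'mallory@evil.example@mycompany.com',  // extra "@" before the trusted suffix
    'eve@partner.example',                 // external SecurePass user
];

foreach ($samples as $user) {
    printf("%-38s original=%-5s hardened=%s\n",
        $user,
        belongsToUsWeak($user) ? 'allow' : 'deny',
        belongsToUs($user) ? 'allow' : 'deny');
}
```

Run it with `php` from the command line; the three “mallory” principals are allowed by the original pattern and denied by the hardened one, while “eve@partner.example” is denied by both.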

You are now ready to log in to your intranet with your username and OTP, by simply browsing to your web site and clicking on “Login through CAS”.

OTP app for Android and iPhone.

SecurePass is flexible for SMBs: the OTP can be generated by a physical token or, as in this case, by the dedicated Android, iPhone or even BlackBerry app at no additional cost. Check out the help page below: