Hi all… I'm trying to understand how Authentication Redirects work… any help please? :rolleyes:
Authentication redirects are used with external third-party authenticating reverse proxy servers (like IBM's WebSEAL/Tivoli Access Manager). Essentially, you can get Matrix to redirect any request that requires authentication to a specific URL, which would then be authenticated by your reverse proxy. Remember to also configure Matrix with the specific HTTP header field that contains the authenticated username.
Thanks. I can't figure out how to set the actual redirection, as I always get the address of the Matrix site itself in the From/To dropdown boxes.
Your Site asset needs to have multiple URLs configured. You can then configure Authentication on one URL to redirect to another. All the URLs need to point to the Matrix system (either directly or via the authentication proxy). You may want to contact Squiz Support for onsite assistance with this configuration.
Just be careful when setting them up - I couldn't get authentication to work, so I tried swapping the redirection around - now I can't get into the backend, it just 404s me.
Anyone know where this authentication redirect stuff is physically kept? Can't grep files to find my stuff up, can't seem to find any value in Postgres relating to it…
And if you do know a way around this, be nice :blink:
It is stored in the sq_ast_url table. Each URL has an auth_urlid field as well. Just null that out. If you are a Squiz client with an active SLA, you need to request this from Squiz Support as directly editing your database could potentially void your warranty.
Though, I'm curious as to why you're getting 404s -- if you're redirecting from one URL to another and both work in Matrix, it should still log you in on the new URL. Is it a Matrix-generated 404, or is there a proxy server generating it?
Well, since I'm 'evaluating' the open source version I don't have the option for integrated LDAP (a great pity since it's been perfect in Classic for years :( ), so I'm forced to try that external authentication route - I have another server that can authenticate me via an .htaccess file, so I thought starting there and redirecting into my Matrix install would work - but I keep getting that damn login box.
Matrix still has to have users configured and needs to be presented with an authenticated username during the request. If your other server is not a reverse authenticating proxy, then there is no way for the authenticated username to be passed to Matrix. Also, if you are not connected to your LDAP server, Matrix cannot log you in, because there is no user account.
The Authentication Redirect option is designed to work with the HTTP Header authentication. So, a reverse proxy triggers authentication and then adds an HTTP header to the request made to Matrix. Matrix then takes the username in the header and tries to find a user with that username. If it is successful, you are automatically logged in as that user. If there is no username in the header, or if Matrix can't find a user with that username, then it paints a login dialog box.
I'm logged in again.
Here's what I have… a user with the same LDAP name set up in Matrix (not sure about the password within Matrix - would have thought you can't have a user without a password?) - then on another server I have LDAP set up using the Apache module - so one line has AuthLDAPStartTLS on etc. - I know this works as I can echo $PHP_AUTH_USER in the external login page and return the proper username.
I thought by setting up external authentication in Matrix I could start at that external page - authenticate - and then use a PHP header string to pass on to my Matrix admin page
http://externalserver/auth/ => http://externalserver/auth/
Or should I have three set up? matrix/_admin => external/auth => matrix/_admin
Maybe I should keep at it before bothering you on a Friday afternoon.
PS - I did notice an ldap.inc file somewhere in the installation - are you 100% sure I can't use built-in LDAP with the OS version? (please!)
The LDAP functions are in the core of Matrix, but not the LDAP Bridge (i.e. the exposure of actual users/groups). You would still need to create Matrix user assets for each LDAP account. However, you could enable mod_auth_ldap on the Matrix server and get that to insert the username into the $_SERVER global variable, which can be read by Matrix. This would not require an authentication redirect -- you just need to set up which variable Matrix should look for the username in. Note that I haven't actually tried this in production, but the theory is sound. :)
Authentication Redirects were added for full authenticating proxy servers like IBM WebSEAL. The problem with the external auth is getting that string into the request sent to Matrix. I'm not entirely sure how your current external engine would send the username to Matrix in the header. With WebSEAL, it always sits between the user and Matrix and it inserts the username into the HTTP headers sent to the Matrix server.
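As an added illustration (not Squiz Matrix's own code; the variable names, addresses and user list are constructed), this is the header-authentication decision the last two posts describe, with the check a practitioner would want: a client-supplied HTTP_* header is only believed when the request arrived from the authenticating proxy, whereas REMOTE_USER set by mod_auth_ldap on the Matrix host itself needs no such check.

```php
<?php
// Added example, not Squiz Matrix code: the HTTP header authentication flow the
// thread describes. A front end (Apache mod_auth_ldap on the Matrix host, or an
// authenticating reverse proxy such as WebSEAL) authenticates the user, and the
// application reads the username from a configured $_SERVER variable. The
// variable names, addresses and user list here are constructed assumptions.

// Constructed stand-in for the Matrix user assets that must still exist.
const USER_ASSETS = ['jsmith' => 'Jane Smith'];

// Returns the username the front end authenticated, or null when the
// application should paint its own login dialog.
//   $var            the $_SERVER key configured to carry the username
//   $trustedProxies addresses of the proxy allowed to supply an HTTP_* header
function header_authenticated_user(array $server, string $var, array $trustedProxies): ?string
{
    if (!isset($server[$var]) || $server[$var] === '') {
        return null;                                  // nothing to log in with
    }
    // HTTP_* keys are request headers, which any client reaching the server
    // directly can set. Accept them only from the proxy that is meant to
    // insert them. REMOTE_USER is set by Apache itself after mod_auth_ldap
    // succeeds, so the client cannot forge it.
    if (strncmp($var, 'HTTP_', 5) === 0
        && !in_array($server['REMOTE_ADDR'] ?? '', $trustedProxies, true)) {
        return null;
    }
    return $server[$var];
}

// Looks the header username up against the user assets; an unknown name also
// falls back to the login dialog.
function resolve_user(?string $username): ?string
{
    return $username === null ? null : (USER_ASSETS[$username] ?? null);
}

// Constructed requests: one where Apache set REMOTE_USER on the Matrix host,
// one carrying an X-Remote-User header from the proxy, and one carrying the
// same header from a client that reached the server without going through it.
$requests = [
    'mod_auth_ldap'  => [['REMOTE_USER' => 'jsmith', 'REMOTE_ADDR' => '198.51.100.7'], 'REMOTE_USER'],
    'via proxy'      => [['HTTP_X_REMOTE_USER' => 'jsmith', 'REMOTE_ADDR' => '10.0.0.5'], 'HTTP_X_REMOTE_USER'],
    'not via proxy'  => [['HTTP_X_REMOTE_USER' => 'jsmith', 'REMOTE_ADDR' => '198.51.100.7'], 'HTTP_X_REMOTE_USER'],
];
foreach ($requests as $label => [$server, $var]) {
    $user = resolve_user(header_authenticated_user($server, $var, ['10.0.0.5']));
    printf("%-16s %s\n", $label, $user ?? 'login dialog');
}
```

Only the first two requests resolve to a user; the third carries the same header but is ignored because it did not come from the trusted proxy address.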