This authentication method is often used for SSO (Single Sign-On) especially for large organizations.
The authentication is done by another system, Kanboard doesn't know your password and suppose you are already authenticated.
- A well configured reverse proxy
or
- Apache auth on the same server
- Your reverse proxy authenticates the user and send the username through a HTTP header.
- Kanboard retreive the username from the request
- The user is created automatically if necessary
- Open a new Kanboard session without any prompt assuming it's valid
This is not in the scope of this documentation. You should check the user login is sent by the reverse proxy using a HTTP header, and find which one.
Create a custom config.php
file or copy the config.default.php
file:
<?php
// Enable/disable reverse proxy authentication
define('REVERSE_PROXY_AUTH', true); // Set this value to true
// The HTTP header to retrieve. If not specified, REMOTE_USER is the default
define('REVERSE_PROXY_USER_HEADER', 'REMOTE_USER');
// The default Kanboard admin for your organization.
// Since everything should be filtered by the reverse proxy,
// you should want to have a bootstrap admin user.
define('REVERSE_PROXY_DEFAULT_ADMIN', 'myadmin');
// The default domain to assume for the email address.
// In case the username is not an email address, it
// will be updated automatically as [email protected]
define('REVERSE_PROXY_DEFAULT_DOMAIN', 'mydomain.com');
Notes:
-
If the proxy is the same web server that runs Kanboard, according the CGI protocol the header name will be
REMOTE_USER
. By example, Apache addREMOTE_USER
by default ifRequire valid-user
is set. -
If Apache is a reverse proxy to another Apache running Kanboard, the header
REMOTE_USER
is not set (same behaviour with IIS and Nginx). -
If you have a real reverse proxy, the HTTP ICAP draft proposes the header to be
X-Authenticated-User
. This de-facto standart has been adopted by a number of tools.