This authentication method is often used for SSO (Single Sign-On), especially in large organizations.
The authentication is done by another system: Kanboard doesn’t know your password and supposes you are already authenticated.
Apache Auth on the same server or a well-configured reverse proxy.
This is not in the scope of this documentation. You should check that the user login is sent by the reverse proxy in an HTTP header, and find out which one.
Create a custom config.php file or copy the
```php
<?php

// Enable/disable reverse proxy authentication
define('REVERSE_PROXY_AUTH', true); // Set this value to true

// The HTTP header to retrieve. If not specified, REMOTE_USER is the default
define('REVERSE_PROXY_USER_HEADER', 'REMOTE_USER');

// The default Kanboard admin for your organization.
// Since everything should be filtered by the reverse proxy,
// you should want to have a bootstrap admin user.
define('REVERSE_PROXY_DEFAULT_ADMIN', 'myadmin');

// The default domain to assume for the email address.
// In case the username is not an email address, it
// will be updated automatically as USER@mydomain.com
define('REVERSE_PROXY_DEFAULT_DOMAIN', 'mydomain.com');

// Header name to use for the user email (optional)
define('REVERSE_PROXY_EMAIL_HEADER', 'REMOTE_EMAIL');

// Header name to use for the user full name (optional)
define('REVERSE_PROXY_FULLNAME_HEADER', 'REMOTE_NAME');
```
REMOTE_USER. For example, Apache adds REMOTE_USER by default if Require valid-user is set.
REVERSE_PROXY_USER_HEADER, the value must be prefixed by HTTP_, all hyphens must be replaced by underscores, and the string must be in all capitals, because it's fetched from the $_SERVER array. For example,
REMOTE_USER is not set (same behavior with IIS and Nginx).
X-Authenticated-User. This de facto standard has been adopted by a number of tools.
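The header naming rule and the default-domain rule from the configuration comments, worked through as an added example (this is not Kanboard's own code). The function names, the sample `$_SERVER` contents and the use of `filter_var` to detect an email address are assumptions of this example.

```php
<?php
// Added illustration, not Kanboard source code. Function names are hypothetical.

/**
 * Convert a header name as sent by the proxy into the key PHP exposes in
 * $_SERVER: HTTP_ prefix, hyphens replaced by underscores, all capitals.
 */
function proxyHeaderToServerKey(string $headerName): string
{
    return 'HTTP_' . strtoupper(str_replace('-', '_', trim($headerName)));
}

/**
 * Read the login from a $_SERVER-style array and derive the email address
 * as the config comments describe: USER@default-domain unless the login is
 * already an email address. Returns null when the header is absent or empty.
 */
function resolveProxyUser(array $server, string $serverKey, string $defaultDomain): ?array
{
    $value = $server[$serverKey] ?? '';
    $login = is_string($value) ? trim($value) : '';
    if ($login === '') {
        return null; // the proxy asserted no identity: nobody is logged in
    }

    // Assumption of this example: filter_var decides what counts as an email.
    $email = filter_var($login, FILTER_VALIDATE_EMAIL) !== false
        ? $login
        : $login . '@' . $defaultDomain;

    return ['username' => $login, 'email' => $email];
}

// Constructed sample: $_SERVER as PHP would see it when the proxy sends
// the header "X-Authenticated-User: alice".
$server = ['HTTP_X_AUTHENTICATED_USER' => 'alice'];

// Value to put in REVERSE_PROXY_USER_HEADER for that header.
$key = proxyHeaderToServerKey('X-Authenticated-User');
echo $key, PHP_EOL;

// The header is present, so a username and a derived email come back.
print_r(resolveProxyUser($server, $key, 'mydomain.com'));

// With the default REMOTE_USER key nothing is found in this sample.
var_dump(resolveProxyUser($server, 'REMOTE_USER', 'mydomain.com'));
```

Because the header value is trusted as the login, the reverse proxy has to overwrite any copy of that header arriving from the client, and Kanboard should only be reachable through the proxy.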