From 78a400d851b9a567b873637067db17f263e8b1a8 Mon Sep 17 00:00:00 2001 From: Julio Cesar Laura Date: Wed, 24 Aug 2011 19:30:03 -0400 Subject: [PATCH] BUG 000 Add hook for the SSO plugin --- gulliver/system/class.rbac.php | 108 +++---- .../engine/methods/login/authentication.php | 275 +++++++++--------- workflow/engine/methods/login/login.php | 48 +-- 3 files changed, 226 insertions(+), 205 deletions(-) diff --git a/gulliver/system/class.rbac.php b/gulliver/system/class.rbac.php index 7f397264a..f5f68365a 100644 --- a/gulliver/system/class.rbac.php +++ b/gulliver/system/class.rbac.php @@ -1,7 +1,7 @@ userObj ) ) { require_once ( "classes/model/RbacUsers.php" ); @@ -170,13 +172,13 @@ class RBAC $this->aUserInfo[ $sSystem ]['SYS_UID'] = $fieldsSystem['SYS_UID']; $this->aUserInfo[ $sSystem ]['ROLE'] = $fieldsRoles; $this->aUserInfo[ $sSystem ]['PERMISSIONS'] = $fieldsPermissions; - + if ( $pathData != null && $sid != null ) { G::mk_dir ( $pathData ); file_put_contents( $filePath, serialize ( $this->aUserInfo ) ); } } - + /** * verification the register automatic * @@ -187,8 +189,8 @@ class RBAC * @return $res */ function checkAutomaticRegister( $strUser, $strPass) { - $result = -1; //default return value, - + $result = -1; //default return value, + foreach ( $this->aRbacPlugins as $sClassName) { $plugin = new $sClassName(); if ( method_exists($plugin, 'automaticRegister' ) ) { @@ -223,7 +225,7 @@ class RBAC * * * @access public - * @param string $sAuthType + * @param string $sAuthType * @param string $sAuthSource * @param string $aUserFields * @param string $sAuthUserDn @@ -243,7 +245,7 @@ class RBAC //check if the user's due date is valid if ( $aUserFields['USR_DUE_DATE'] < date('Y-m-d') ) return -4; //due date - + foreach ( $this->aRbacPlugins as $sClassName) { if ( strtolower($sClassName) == strtolower($sAuthType) ) { $plugin = new $sClassName(); @@ -502,7 +504,7 @@ class RBAC // } /** - * create permission + * create permission * * * @access public 
@@ -549,11 +551,11 @@ class RBAC * @param string $systemCode * @return $this->rolesObj->getAllRoles - */ + */ function getAllRoles ( $systemCode = 'PROCESSMAKER') { return $this->rolesObj->getAllRoles($systemCode); } - + /** * getting all roles by filter * @@ -561,7 +563,7 @@ class RBAC * @access public * @param string $filter * @return $this->rolesObj->getAllRolesFilter - */ + */ function getAllRolesFilter ($start,$limit,$filter) { return $this->rolesObj->getAllRolesFilter($start,$limit,$filter); } @@ -574,7 +576,7 @@ class RBAC * @param string $systemCode * @return $this->rolesObj->listAllPermissions - */ + */ function listAllPermissions ( $systemCode = 'PROCESSMAKER') { return $this->rolesObj->listAllPermissions($systemCode); } @@ -587,11 +589,11 @@ class RBAC * @param array $aData * @return $this->rolesObj->createRole - */ + */ function createRole($aData) { return $this->rolesObj->createRole($aData); } - + /** * this function removes a role * @@ -600,11 +602,11 @@ class RBAC * @param string $ROL_UID * @return $this->rolesObj->removeRole - */ + */ function removeRole($ROL_UID){ return $this->rolesObj->removeRole($ROL_UID); } - + /** * this function checks a new role * @@ -617,7 +619,7 @@ class RBAC function verifyNewRole($code){ return $this->rolesObj->verifyNewRole($code); } - + /** * this function updates a role * @@ -630,7 +632,7 @@ class RBAC function updateRole($fields){ return $this->rolesObj->updateRole($fields); } - + /** * this function loads by ID * @@ -643,7 +645,7 @@ class RBAC function loadById($ROL_UID){ return $this->rolesObj->loadById($ROL_UID); } - + /** * this function gets the user's roles * 
@@ -656,33 +658,33 @@ class RBAC function getRoleUsers($ROL_UID,$filter=''){ return $this->rolesObj->getRoleUsers($ROL_UID,$filter); } - + /** * this function gets the number of users by roles * * * @access public * @author: Enrique Ponce de Leon - * + * * @return $this->rolesObj->getAllUsersByRole */ function getAllUsersByRole(){ return $this->rolesObj->getAllUsersByRole(); } - + /** * this function gets the number of users by department * * * @access public * @author: Enrique Ponce de Leon - * + * * @return $this->rolesObj->getAllUsersByRole */ function getAllUsersByDepartment(){ return $this->rolesObj->getAllUsersByDepartment(); } - + /** * this function gets roles code * @@ -695,7 +697,7 @@ class RBAC function getRoleCode($ROL_UID){ return $this->rolesObj->getRoleCode($ROL_UID); } - + /** * this function removes role from an user * @@ -709,7 +711,7 @@ class RBAC function deleteUserRole($ROL_UID, $USR_UID){ return $this->rolesObj->deleteUserRole($ROL_UID, $USR_UID); } - + /** * this function gets all user * @@ -722,7 +724,7 @@ class RBAC function getAllUsers($ROL_UID, $filter=''){ return $this->rolesObj->getAllUsers($ROL_UID,$filter); } - + /** * this function assigns role an user * @@ -735,7 +737,7 @@ class RBAC function assignUserToRole($aData){ return $this->rolesObj->assignUserToRole($aData); } - + /** * this function gets role permission * @@ -748,7 +750,7 @@ class RBAC function getRolePermissions($ROL_UID, $filter=''){ return $this->rolesObj->getRolePermissions($ROL_UID,$filter); } - + /** * this function gets all permissions * @@ -759,10 +761,10 @@ class RBAC * @param string $PER_SYSTEM * @return $this->rolesObj->getAllPermissions */ - function getAllPermissions($ROL_UID,$PER_SYSTEM="",$filter=''){ + function getAllPermissions($ROL_UID,$PER_SYSTEM="",$filter=''){ return $this->rolesObj->getAllPermissions($ROL_UID,$PER_SYSTEM,$filter); } - + /** * this function assigns permissions and role * 
@@ -775,7 +777,7 @@ class RBAC function assignPermissionRole($sData){ return $this->rolesObj->assignPermissionRole($sData); } - + /** * this function assigns permissions to a role * @@ -804,7 +806,7 @@ class RBAC function deletePermissionRole($ROL_UID, $PER_UID){ return $this->rolesObj->deletePermissionRole($ROL_UID, $PER_UID); } - + /** * this function counts number of user without role * @@ -846,18 +848,18 @@ class RBAC /** * this function gets all authentication source - * Authentication Sources + * Authentication Sources * * @access public * @param void * @return $this->authSourcesObj->getAllAuthSources() */ - + function getAllAuthSources() { return $this->authSourcesObj->getAllAuthSources(); } - + /** * this function gets all authentication source * Authentication Sources By User @@ -867,14 +869,14 @@ class RBAC * @param void * @return $this->authSourcesObj->getAllAuthSources() */ - + function getAllAuthSourcesByUser() { return $this->authSourcesObj->getAllAuthSourcesByUser(); } - + /** * this function gets all authentication source - * Authentication Sources based at parameters + * Authentication Sources based at parameters * * @access public * @author Enrique Ponce de Leon @@ -883,14 +885,14 @@ class RBAC * @param string $filter value to search or filter select * @return $this->authSourcesObj->getAuthenticationSources() */ - + function getAuthenticationSources($start,$limit,$filter='') { return $this->authSourcesObj->getAuthenticationSources($start,$limit,$filter); } /** * this function gets all authentication source - * Authentication Sources + * Authentication Sources * * @access public @@ -903,7 +905,7 @@ class RBAC /** * this function creates an authentication source - * Authentication Sources + * Authentication Sources * * @access public @@ -917,7 +919,7 @@ class RBAC /** * this function updates an authentication source - * Authentication Sources + * Authentication Sources * * @access public 
@@ -930,7 +932,7 @@ class RBAC /** * this function removes an authentication source - * Authentication Sources + * Authentication Sources * * @access public @@ -940,7 +942,7 @@ class RBAC function removeAuthSource($sUID) { $this->authSourcesObj->remove($sUID); } - + /** * this function gets all users by authentication source * @@ -949,11 +951,11 @@ class RBAC * @param void * @return $this->userObj->getAllUsersByAuthSource() */ - + function getAllUsersByAuthSource(){ return $this->userObj->getAllUsersByAuthSource(); } - + /** * this function gets all users by authentication source * @@ -962,14 +964,14 @@ class RBAC * @param void * @return $this->userObj->getAllUsersByAuthSource() */ - + function getListUsersByAuthSource($aSource){ return $this->userObj->getListUsersByAuthSource($aSource); } /** * this function searchs users - * + * * * @access public @@ -995,7 +997,7 @@ class RBAC function requirePermissions($permissions){ $numPerms = func_num_args(); $permissions = func_get_args(); - + $access = -1; if ( $numPerms == 1 ){ @@ -1012,7 +1014,7 @@ class RBAC throw new Exception('function requirePermissions() ->ERROR: Parameters missing!'); } - + if( $access == 1 ) return true; else { diff --git a/workflow/engine/methods/login/authentication.php b/workflow/engine/methods/login/authentication.php index 50cf8ab85..88de323f0 100644 --- a/workflow/engine/methods/login/authentication.php +++ b/workflow/engine/methods/login/authentication.php 
@@ -23,124 +23,125 @@ * */ - - if (!isset($_POST['form']) ) { - G::SendTemporalMessage ('ID_USER_HAVENT_RIGHTS_SYSTEM', "error"); - G::header ("location: login.html");die; - } - - try { - - $frm = $_POST['form']; - $usr = ''; - $pwd = ''; - if (isset($frm['USR_USERNAME'])) { - $usr = strtolower(trim($frm['USR_USERNAME'])); - $pwd = trim($frm['USR_PASSWORD']); - } - $uid = $RBAC->VerifyLogin($usr , $pwd); - //cleaning session files older than 72 hours - $RBAC->cleanSessionFiles(72); - $sPwd = 'currentPwd'; - switch ($uid) { - //The user does doesn't exist - case -1: + + if (!$RBAC->singleSignOn) { + $frm = $_POST['form']; + $usr = ''; + $pwd = ''; + if (isset($frm['USR_USERNAME'])) { + $usr = strtolower(trim($frm['USR_USERNAME'])); + $pwd = trim($frm['USR_PASSWORD']); + } + $uid = $RBAC->VerifyLogin($usr , $pwd); + //cleaning session files older than 72 hours + $RBAC->cleanSessionFiles(72); + $sPwd = 'currentPwd'; + switch ($uid) { + //The user does doesn't exist + case -1: + G::SendTemporalMessage ('ID_USER_NOT_REGISTERED', "warning"); + break; + //The password is incorrect + case -2: + G::SendTemporalMessage ('ID_WRONG_PASS', "warning"); + if(isset($_SESSION['__AUTH_ERROR__'])){ + G::SendMessageText($_SESSION['__AUTH_ERROR__'], "warning"); + unset($_SESSION['__AUTH_ERROR__']); + } + break; + //The user is inactive + case -3: + require_once 'classes/model/Users.php'; + $user = new Users; + $aUser = $user->loadByUsernameInArray($usr); + switch($aUser['USR_STATUS']){ + case 'VACATION': + G::SendTemporalMessage ('ID_USER_ONVACATION', "warning"); + break; + CASE 'INACTIVE': + G::SendTemporalMessage ('ID_USER_INACTIVE', "warning"); + break; + } + break; + //The Due date is finished + case -4: + G::SendTemporalMessage ('ID_USER_INACTIVE_BY_DATE', "warning"); + break; + case -5: + G::SendTemporalMessage ('ID_AUTHENTICATION_SOURCE_INVALID', "warning"); + break; + } + $$sPwd= $pwd; + + //to avoid empty string in user field. 
This will avoid a weird message "this row doesn't exist" + if ( !isset($uid) ) { + $uid = -1; G::SendTemporalMessage ('ID_USER_NOT_REGISTERED', "warning"); - break; - //The password is incorrect - case -2: - G::SendTemporalMessage ('ID_WRONG_PASS', "warning"); - if(isset($_SESSION['__AUTH_ERROR__'])){ - G::SendMessageText($_SESSION['__AUTH_ERROR__'], "warning"); - unset($_SESSION['__AUTH_ERROR__']); - } - break; - //The user is inactive - case -3: - require_once 'classes/model/Users.php'; - $user = new Users; - $aUser = $user->loadByUsernameInArray($usr); - switch($aUser['USR_STATUS']){ - case 'VACATION': - G::SendTemporalMessage ('ID_USER_ONVACATION', "warning"); - break; - CASE 'INACTIVE': - G::SendTemporalMessage ('ID_USER_INACTIVE', "warning"); - break; - } - break; - //The Due date is finished - case -4: - G::SendTemporalMessage ('ID_USER_INACTIVE_BY_DATE', "warning"); - break; - case -5: - G::SendTemporalMessage ('ID_AUTHENTICATION_SOURCE_INVALID', "warning"); - break; - } - $$sPwd= $pwd; - - //to avoid empty string in user field. This will avoid a weird message "this row doesn't exist" - if ( !isset($uid) ) { - $uid = -1; - G::SendTemporalMessage ('ID_USER_NOT_REGISTERED', "warning"); - } - - if ( !isset($uid) || $uid < 0 ) { - if(isset($_SESSION['FAILED_LOGINS'])) - $_SESSION['FAILED_LOGINS']++; - if (!defined('PPP_FAILED_LOGINS')) { - define('PPP_FAILED_LOGINS', 0); } - if (PPP_FAILED_LOGINS > 0) { - if ($_SESSION['FAILED_LOGINS'] >= PPP_FAILED_LOGINS) { - $oConnection = Propel::getConnection('rbac'); - $oStatement = $oConnection->prepareStatement("SELECT USR_UID FROM USERS WHERE USR_USERNAME = '" . $usr . 
"'"); - $oDataset = $oStatement->executeQuery(); - if ($oDataset->next()) { - $sUserUID = $oDataset->getString('USR_UID'); + + if ( !isset($uid) || $uid < 0 ) { + if(isset($_SESSION['FAILED_LOGINS'])) + $_SESSION['FAILED_LOGINS']++; + if (!defined('PPP_FAILED_LOGINS')) { + define('PPP_FAILED_LOGINS', 0); + } + if (PPP_FAILED_LOGINS > 0) { + if ($_SESSION['FAILED_LOGINS'] >= PPP_FAILED_LOGINS) { $oConnection = Propel::getConnection('rbac'); - $oStatement = $oConnection->prepareStatement("UPDATE USERS SET USR_STATUS = 0 WHERE USR_UID = '" . $sUserUID . "'"); - $oStatement->executeQuery(); - $oConnection = Propel::getConnection('workflow'); - $oStatement = $oConnection->prepareStatement("UPDATE USERS SET USR_STATUS = 'INACTIVE' WHERE USR_UID = '" . $sUserUID . "'"); - $oStatement->executeQuery(); - unset($_SESSION['FAILED_LOGINS']); - G::SendMessageText(G::LoadTranslation('ID_ACCOUNT') . ' "' . $usr . '" ' . G::LoadTranslation('ID_ACCOUNT_DISABLED_CONTACT_ADMIN'), 'warning'); - } - else { - //Nothing + $oStatement = $oConnection->prepareStatement("SELECT USR_UID FROM USERS WHERE USR_USERNAME = '" . $usr . "'"); + $oDataset = $oStatement->executeQuery(); + if ($oDataset->next()) { + $sUserUID = $oDataset->getString('USR_UID'); + $oConnection = Propel::getConnection('rbac'); + $oStatement = $oConnection->prepareStatement("UPDATE USERS SET USR_STATUS = 0 WHERE USR_UID = '" . $sUserUID . "'"); + $oStatement->executeQuery(); + $oConnection = Propel::getConnection('workflow'); + $oStatement = $oConnection->prepareStatement("UPDATE USERS SET USR_STATUS = 'INACTIVE' WHERE USR_UID = '" . $sUserUID . "'"); + $oStatement->executeQuery(); + unset($_SESSION['FAILED_LOGINS']); + G::SendMessageText(G::LoadTranslation('ID_ACCOUNT') . ' "' . $usr . '" ' . 
G::LoadTranslation('ID_ACCOUNT_DISABLED_CONTACT_ADMIN'), 'warning'); + } + else { + //Nothing + } } } + G::header ("location: login.html"); + die; } - G::header ("location: login.html"); - die; - } - if(!isset( $_SESSION['WORKSPACE'] ) ) $_SESSION['WORKSPACE'] = SYS_SYS; + if(!isset( $_SESSION['WORKSPACE'] ) ) $_SESSION['WORKSPACE'] = SYS_SYS; - //Execute the SSO Script from plugin + //Execute the SSO Script from plugin $oPluginRegistry =& PMPluginRegistry::getSingleton(); if ( $oPluginRegistry->existsTrigger ( PM_LOGIN ) ) { $lSession=""; $loginInfo = new loginInfo ($usr, $pwd, $lSession ); $oPluginRegistry->executeTriggers ( PM_LOGIN , $loginInfo ); } + $_SESSION['USER_LOGGED'] = $uid; + $_SESSION['USR_USERNAME'] = $usr; + } + else { + $uid = $RBAC->userObj->fields['USR_UID']; + $usr = $RBAC->userObj->fields['USR_USERNAME']; + $_SESSION['USER_LOGGED'] = $uid; + $_SESSION['USR_USERNAME'] = $usr; + } - $_SESSION['USER_LOGGED'] = $uid; - $_SESSION['USR_USERNAME'] = $usr; $aUser = $RBAC->userObj->load($_SESSION['USER_LOGGED']); $RBAC->loadUserRolePermission($RBAC->sSystem, $_SESSION['USER_LOGGED']); //$rol = $RBAC->rolesObj->load($RBAC->aUserInfo['PROCESSMAKER']['ROLE']['ROL_UID']); $_SESSION['USR_FULLNAME'] = $aUser['USR_FIRSTNAME'] . ' ' . $aUser['USR_LASTNAME']; //$_SESSION['USR_ROLENAME'] = $rol['ROL_NAME']; - + unset($_SESSION['FAILED_LOGINS']); // increment logins in heartbeat G::LoadClass('serverConfiguration'); $oServerConf =& serverConf::getSingleton(); $oServerConf->sucessfulLogin(); - + // Assign the uid of user to userloggedobj $RBAC->loadUserRolePermission($RBAC->sSystem, $uid); $res = $RBAC->userCanAccess('PM_LOGIN'); 
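Review bot: The lockout query in the failed-login branch of authentication.php is still built by concatenating `$usr`, which comes from `$_POST['form']['USR_USERNAME']` with only `strtolower(trim())` applied, so request data reaches the SQL text before any login has succeeded. The re-indented lines keep `prepareStatement("SELECT USR_UID FROM USERS WHERE USR_USERNAME = '" . $usr . "'")`; since a statement object is already in use, bind the value instead: `prepareStatement("SELECT USR_UID FROM USERS WHERE USR_USERNAME = ?")` followed by `$oStatement->setString(1, $usr);`. The two `UPDATE USERS ... WHERE USR_UID = '" . $sUserUID . "'"` statements should be bound the same way for consistency, even though that value is read back from the database. Separately, the new `else` branch takes `$uid` from `$RBAC->userObj->fields` without calling `VerifyLogin`, so the inactive (-3) and due-date (-4) outcomes handled in the `switch` are never evaluated for SSO users unless the plugin checks them itself, which is worth confirming.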
@@ -180,10 +181,10 @@ try { $aLog['USR_UID'] = $_SESSION['USER_LOGGED']; $weblog->create($aLog); /**end log**/ - + //************** background processes, here we are putting some back office routines ********** $oServerConf->setWsInfo(SYS_SYS,$oServerConf->getWorkspaceInfo(SYS_SYS) ); - + //**** defining and saving server info, this file has the values of the global array $_SERVER **** //this file is useful for command line environment (no Browser), I mean for triggers, crons and other executed over command line @@ -204,58 +205,64 @@ try { /* Check password using policy - Start */ require_once 'classes/model/UsersProperties.php'; $oUserProperty = new UsersProperties(); - $aUserProperty = $oUserProperty->loadOrCreateIfNotExists($_SESSION['USER_LOGGED'], array('USR_PASSWORD_HISTORY' => serialize(array(md5($currentPwd))))); - $aErrors = $oUserProperty->validatePassword($_POST['form']['USR_PASSWORD'], $aUserProperty['USR_LAST_UPDATE_DATE'], $aUserProperty['USR_LOGGED_NEXT_TIME']); + if (!$RBAC->singleSignOn) { + $aUserProperty = $oUserProperty->loadOrCreateIfNotExists($_SESSION['USER_LOGGED'], array('USR_PASSWORD_HISTORY' => serialize(array(md5($currentPwd))))); + $aErrors = $oUserProperty->validatePassword($_POST['form']['USR_PASSWORD'], $aUserProperty['USR_LAST_UPDATE_DATE'], $aUserProperty['USR_LOGGED_NEXT_TIME']); - if (!empty($aErrors)) { - if (!defined('NO_DISPLAY_USERNAME')) { - define('NO_DISPLAY_USERNAME', 1); - } - $aFields = array(); - $aFields['DESCRIPTION'] = ''; - $aFields['DESCRIPTION'] .= G::LoadTranslation('ID_POLICY_ALERT').':

'; - foreach ($aErrors as $sError) { - switch ($sError) { - case 'ID_PPP_MINIMUN_LENGTH': - $aFields['DESCRIPTION'] .= ' - ' . G::LoadTranslation($sError).': ' . PPP_MINIMUN_LENGTH . '
'; - $aFields[substr($sError, 3)] = PPP_MINIMUN_LENGTH; - break; - case 'ID_PPP_MAXIMUN_LENGTH': - $aFields['DESCRIPTION'] .= ' - ' . G::LoadTranslation($sError).': ' . PPP_MAXIMUN_LENGTH . '
'; - $aFields[substr($sError, 3)] = PPP_MAXIMUN_LENGTH; - break; - case 'ID_PPP_EXPIRATION_IN': - $aFields['DESCRIPTION'] .= ' - ' . G::LoadTranslation($sError).' ' . PPP_EXPIRATION_IN . ' ' . G::LoadTranslation('ID_DAYS') . '
'; - $aFields[substr($sError, 3)] = PPP_EXPIRATION_IN; - break; - default: - $aFields['DESCRIPTION'] .= ' - ' . G::LoadTranslation($sError).'
'; - $aFields[substr($sError, 3)] = 1; - break; + if (!empty($aErrors)) { + if (!defined('NO_DISPLAY_USERNAME')) { + define('NO_DISPLAY_USERNAME', 1); } + $aFields = array(); + $aFields['DESCRIPTION'] = ''; + $aFields['DESCRIPTION'] .= G::LoadTranslation('ID_POLICY_ALERT').':

'; + foreach ($aErrors as $sError) { + switch ($sError) { + case 'ID_PPP_MINIMUN_LENGTH': + $aFields['DESCRIPTION'] .= ' - ' . G::LoadTranslation($sError).': ' . PPP_MINIMUN_LENGTH . '
'; + $aFields[substr($sError, 3)] = PPP_MINIMUN_LENGTH; + break; + case 'ID_PPP_MAXIMUN_LENGTH': + $aFields['DESCRIPTION'] .= ' - ' . G::LoadTranslation($sError).': ' . PPP_MAXIMUN_LENGTH . '
'; + $aFields[substr($sError, 3)] = PPP_MAXIMUN_LENGTH; + break; + case 'ID_PPP_EXPIRATION_IN': + $aFields['DESCRIPTION'] .= ' - ' . G::LoadTranslation($sError).' ' . PPP_EXPIRATION_IN . ' ' . G::LoadTranslation('ID_DAYS') . '
'; + $aFields[substr($sError, 3)] = PPP_EXPIRATION_IN; + break; + default: + $aFields['DESCRIPTION'] .= ' - ' . G::LoadTranslation($sError).'
'; + $aFields[substr($sError, 3)] = 1; + break; + } + } + $aFields['DESCRIPTION'] .= '
' . G::LoadTranslation('ID_PLEASE_CHANGE_PASSWORD_POLICY') . '

'; + $G_PUBLISH = new Publisher; + $G_PUBLISH->AddContent('xmlform', 'xmlform', 'login/changePassword', '', $aFields, 'changePassword'); + G::RenderPage('publish'); + die; + } + /* Check password using policy - End */ + if ( isset($_POST['form']['URL']) && $_POST['form']['URL'] != '') { + $sLocation = $_POST['form']['URL']; + } + else { + $sLocation = $oUserProperty->redirectTo($_SESSION['USER_LOGGED'], $lang); } - $aFields['DESCRIPTION'] .= '
' . G::LoadTranslation('ID_PLEASE_CHANGE_PASSWORD_POLICY') . '

'; - $G_PUBLISH = new Publisher; - $G_PUBLISH->AddContent('xmlform', 'xmlform', 'login/changePassword', '', $aFields, 'changePassword'); - G::RenderPage('publish'); - die; - } - /* Check password using policy - End */ - if ( isset($_POST['form']['URL']) && $_POST['form']['URL'] != '') { - $sLocation = $_POST['form']['URL']; } else { - $sLocation = $oUserProperty->redirectTo($_SESSION['USER_LOGGED'], $lang); + G::header('Location: ' . $oUserProperty->redirectTo($_SESSION['USER_LOGGED'], $lang)); + die(); } - + $oHeadPublisher =& headPublisher::getSingleton(); $oHeadPublisher->extJsInit = true; - + $oHeadPublisher->addExtJsScript('login/init', false); //adding a javascript file .js $oHeadPublisher->assign('uriReq', $sLocation); G::RenderPage('publish', 'extJs'); //G::header('Location: ' . $sLocation); - + die; } diff --git a/workflow/engine/methods/login/login.php b/workflow/engine/methods/login/login.php index 94afeb224..70ad56340 100644 --- a/workflow/engine/methods/login/login.php +++ b/workflow/engine/methods/login/login.php @@ -36,19 +36,19 @@ if (! isset ( $_SESSION ['G_MESSAGE_TYPE'] )) { $_SESSION ['G_MESSAGE_TYPE'] = ''; } - + $msg = $_SESSION ['G_MESSAGE']; $msgType = $_SESSION ['G_MESSAGE_TYPE']; - + if (! isset ( $_SESSION ['FAILED_LOGINS'] )) { $_SESSION ['FAILED_LOGINS'] = 0; } $sFailedLogins = $_SESSION ['FAILED_LOGINS']; - + require_once 'classes/model/LoginLog.php'; - + $aFields ['LOGIN_VERIFY_MSG'] = G::loadTranslation ( 'LOGIN_VERIFY_MSG' ); - + if ( isset ($_SESSION ['USER_LOGGED']) ) { //close the session, if the current session_id was used in PM. $oCriteria = new Criteria ( 'workflow' ); 
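Review bot: In the password-policy hunk of authentication.php, the non-SSO branch keeps `$sLocation = $_POST['form']['URL'];` and later passes it to the page with `$oHeadPublisher->assign('uriReq', $sLocation)`, so the post-login destination comes from the request without any check. If `uriReq` is what the `login/init` script navigates to (that script is not visible here), a crafted login link could send a freshly authenticated user to another site. Accept the value only when it is a same-site relative path, and otherwise fall back to `$oUserProperty->redirectTo($_SESSION['USER_LOGGED'], $lang)`, as the new SSO `else` branch already does. The same block still seeds `USR_PASSWORD_HISTORY` with `md5($currentPwd)`, and an unsalted MD5 is a weak way to keep password history.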
@@ -81,7 +81,19 @@ @session_destroy (); session_start (); session_regenerate_id (); - + + // Execute SSO trigger - Start + $pluginRegistry =& PMPluginRegistry::getSingleton(); + if (defined('PM_SINGLE_SIGN_ON')) { + if ($pluginRegistry->existsTrigger(PM_SINGLE_SIGN_ON)) { + if ($pluginRegistry->executeTriggers(PM_SINGLE_SIGN_ON, null)) { + require_once 'authentication.php'; + die(); + } + } + } + // Execute SSO trigger - End + if (strlen ( $msg ) > 0) { $_SESSION ['G_MESSAGE'] = $msg; } @@ -89,11 +101,11 @@ $_SESSION ['G_MESSAGE_TYPE'] = $msgType; } $_SESSION ['FAILED_LOGINS'] = $sFailedLogins; - + //translation $Translations = G::getModel("Translation"); $translationsTable = $Translations->getTranslationEnvironments(); - + $availableLangArray = array (); $availableLangArray [] = array ('LANG_ID' => 'char', 'LANG_NAME' => 'char' ); foreach ( $translationsTable as $locale ) { @@ -102,22 +114,22 @@ $row['LANG_NAME'] = $locale['LANGUAGE'] . ' (' . (ucwords(strtolower($locale['COUNTRY']))) . ')'; else $row['LANG_NAME'] = $locale['LANGUAGE']; - + $availableLangArray [] = $row; } global $_DBArray; $_DBArray ['langOptions'] = $availableLangArray; - + $G_PUBLISH = new Publisher ( ); $G_PUBLISH->AddContent ( 'xmlform', 'xmlform', 'login/login', '', $aFields, SYS_URI . 'login/authentication.php' ); G::LoadClass ( 'serverConfiguration' ); - + //get the serverconf singleton, and check if we can send the heartbeat $oServerConf = & serverConf::getSingleton (); - + $sflag = $oServerConf->getHeartbeatProperty('HB_OPTION','HEART_BEAT_CONF'); $sflag = (trim($sflag)!='')?$sflag:'1'; - + //get date of next beat $nextBeatDate = $oServerConf->getHeartbeatProperty('HB_NEXT_BEAT_DATE','HEART_BEAT_CONF'); $sflag = 1; @@ -129,7 +141,7 @@ } else $oHeadPublisher->addScriptCode( 'var flagHeartBeat = 0; '); - + //check if we show the panel with the getting started info require_once 'classes/model/Configuration.php'; 
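Review bot: The new SSO block in login.php treats any truthy return from `executeTriggers(PM_SINGLE_SIGN_ON, null)` as a completed login and includes authentication.php. When `$RBAC->singleSignOn` is set, authentication.php then copies `USR_UID` and `USR_USERNAME` from `$RBAC->userObj->fields` straight into the session. Nothing in this hunk checks that the plugin actually loaded a user, so a trigger that returns true without populating `userObj` would reach `$RBAC->userObj->load($_SESSION['USER_LOGGED'])` with an empty or stale identity. Check the state explicitly before the `require_once`, e.g. `if ($RBAC->singleSignOn && !empty($RBAC->userObj->fields['USR_UID'])) {`, and add a comment stating what the trigger must guarantee (identity verified by the SSO provider, account active and not past its due date). A log entry recording that the session was established through SSO rather than a password would also help later investigation.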
@@ -141,18 +153,18 @@ $oCriteria->add ( ConfigurationPeer::PRO_UID, '' ); $oCriteria->add ( ConfigurationPeer::USR_UID, '' ); $oCriteria->add ( ConfigurationPeer::APP_UID, '' ); - $flagGettingStarted = ConfigurationPeer::doCount ( $oCriteria ); + $flagGettingStarted = ConfigurationPeer::doCount ( $oCriteria ); if( $flagGettingStarted == 0 ) { $oHeadPublisher->addScriptCode( 'var flagGettingStarted = 1; '); } else $oHeadPublisher->addScriptCode( 'var flagGettingStarted = 0; '); - + G::loadClass('configuration'); $oConf = new Configurations; $oConf->loadConfig($obj, 'ENVIRONMENT_SETTINGS',''); - + $flagForgotPassword = isset($oConf->aConfig['login_enableForgotPassword'])? $oConf->aConfig['login_enableForgotPassword']: 'off'; $oHeadPublisher->addScriptCode("var flagForgotPassword = '$flagForgotPassword';"); - + G::RenderPage ( "publish" );