Our company has a mobile app. Until now we used LDAP authentication using PHP code to login on the app using the company's Active Directory user and password.
Now they tell me we have to stop using LDAP because there has been some security breach.
My question is, is there an equivalent of ldap_bind for Azure AD?
I've been looking for information and the answers I found are too complicated and elaborated.
Would be better to use a Native Azure App to link to our mobile App or is the PHP aproach better?
I don't need to get the Azure AD token and be able to do some operations or anything. I just want to check if user & password are correct and that's it.
Any guidance would be apreciated.
You will need to redirect the user to authenticate e.g. by using the OpenId Connect protocol.
LDAP is not supported in AAD.
The user may have e.g. Multi-Factor Authentication enabled and thus there is no way to surely authenticate programmatically.
So the right way is to register a Native app, and authenticate from your mobile app using ADAL or MSAL.
Related
My actual requirement is i have 2 AWS servers on both server I have added xml file, my requirement is I want to login from our application page using email and password, this credential check in active directory is this user exists if yes it should return to my application with user details like email id, I want to implement this in PHP.
ADFS supports WS-Fed, SAML 2.0 and OpenId Connect so you need a PHP client-side stack for one of these.
ADFS sits on top of AD so it will check the user in AD.
You have to use the ADFS login screen. There is no way to use a custom one.
I am working on one project in Angular and PHP, I want to make login on Azure using ADAL (Azure Active Directory Library).
It is possible to do that without popup login Microsoft something like pass only username and password or client secret and to get the token for future request?
The way Azure authenticates external websites is through OAuth 2.0 which requires the user to login to their account on the Azure servers and then give your website authorization code so that you can request an access token to complete the OAuth flow.
It isn't secure to capture the user's Username and Password on your website and then send through to Azure, therefore they do not let you do that.
More explanation of the oAuth flow: https://learn.microsoft.com/en-us/azure/active-directory/develop/v1-protocols-oauth-code
I am having a PHP based application, that uses MySQL as the DB. I am currently trying to build a real-time messaging system for the users in the application. I have found Firebase to be a very good solution for building this. However, I am not sure if the architecture I am planning is compatible with the architecture am planning. Digging through the documentation didn't really get me the answers.
My Doubts are:
I don't want users to again login to use chat, so I want to
authenticated via the server (i.e from php).
I want, the further chat/messaging to happen from client to Firebase directly as I don't want to have unwanted overhead on my server, especially when a direct connection is not only supported but also efficient.
Can I authenticate via php and get some secret key or something and then use that to connect securely via Js?
I found this link which talks about custom authentication system. But am not sure, if this is what I have to use. And if the solution am planning is scalable and ok.
Firebase Auth persists the session on the client via localStorage/indexedDB and is a headless API that doesn't require a hosted server. So you are not required to authenticate the user via your server.
You can definitely build the messaging app entirely on the client with real-time database without routing traffic to your server. Here is an example of a chat app built with Firebase: https://github.com/firebase/friendlychat
If you already have an existing authentication system, you can use custom auth which requires that you mint a custom token after you authenticate a user with your system, you then send that custom token to the client and then signInWithCustomToken. Here is some code to create a custom token with PHP: https://firebase.google.com/docs/auth/admin/create-custom-tokens#create_custom_tokens_using_the_firebase_admin_sdk
If you don't have an existing auth system, you can entirely run the authentication on the client side. Another good library for authentication that is built on top of Firebase is FirebaseUI: https://github.com/firebase/firebaseui-web
Situation background:
We have company Azure with dozens of existing users with existing credentials for Azure access.
Beside that, we have CMS (in PHP) on separate webhosting (no relationship with Azure, not hosted under Azure).
What we need:
All existing Azure users will be able to access in our web CMS and we have dilema if CMS (php script) will be possible to check credentials remotely by requesting Azure API.
Or even better if user is already logged in Azure account and have active cookie (like in Facebook), CMS would only request some users details and check users tenant and domain and allow access automatically without any login form.
The best would be to combine both mentioned.
The goal is:
PHP script checking "Azure login cookie" (such as Facebook?) and ensuring communication with Azure API giving params like email and password and recieving true/false if some Azure user is exists for given credentials.
Appreciate any help and tips, regards, Jan.
The is no such Azure AD API that provide the service to check the credential. And the flow describe above that require users enter their Azure AD credentials in you apps which is more like Phishing which is easy to leakage the users credential.
If you want to authenticate your apps via Azure AD, you can using the OpenId connect stand protocol. Here is the authentication flow using the OpenId connect for your reference:
More detail about authorizing access to web applications using OpenID Connect and Azure Active Directory, you can refer here.
Scenario:
I have a area of a website that needs to be secure and accessible when offsite. I want the user to enter the username and password used to login at work in a web form. The form will send the username and password to authenticate it. If it works the user is logged in.
I need to use a form not a pop-up login box. PHP is preferred but I'm flexible. Any ideas to point me in the right direction?
My employer has a few secure areas they have set up that uses the "pop-up box". For what I need to accomplish I need to use a web form.
Try LDAP
http://www.devshed.com/c/a/PHP/Using-PHP-With-LDAP-part-1/
http://us2.php.net/ldap
I've written intranet web applications that use the local windows username and password to authenticate and LDAP is by far the best solution.
If you are using LDAP at work, go with that, if not, well you have to access it thru .NET.
Since there are several but not fully reliable .NET implementations for PHP, I would recommend using a WebService, which PHP would consume, that will pass the user and pass - encrypted would be nice - to it, and it will return if the credentials are valid or not.
You should be able to use LDAP, in your case it is most likely Windows Active Directory via IIS. There are php packages out there to interact with various types of LDAP implementations. Here is a link:
http://php.net/manual/en/book.ldap.php
use this http://pear.php.net/package/Auth and tie it in to ldap authentication at the back-end.
of especial interest to you would be the Auth::setShowLogin method...