I'm trying to authenticate a username and password with a CAS server using phpCAS but didn't find anything relevant on the internet. Once the user inputs their username and password how do I authenticate it with a CAS server using phpCAS? Also, how do I redirect user to a different .php page? I saw that we can use phpCAS:foreAuthentication() to authenticate users, but I'm trying to understand how a user is authenticated using this. Thanks!
Once the user inputs their username and password how do I authenticate it with a CAS server using phpCAS?
You do not. The CAS server authenticates the credentials, not the phpCAS library.
Also, how do I redirect user to a different .php page?
Redirects are controlled by the initial service parameter that CAS would use, after issuing a ticket. Once you are at that location, you can redirect to anywhere you like.
I'm trying to understand how a user is authenticated using this.
The authentication strategies are defined inside the CAS server, which takes the credentials provided and verify them against relevant account sources. You, as the client, do not need to bother with how that happens; just that it happens and that you are provided a ticket and that you need to validate it; a task that the CAS client library does for you.
Related
I am working on SAML authentication for my application which has the following architecture.
Frontend application written in Laravel - does not handle authentication
Backed API also written in Laravel which handles authentication
What I have now is a login form that has a login with SAML button which uppon clicked redirects to a Microsoft page and redirects a callback page on the frontend application with information from the saml request.
Now I need to authenticate the user and create a token, then make a session in the frontend application.
Since I was using SAML, I have no password to do a traditional authenticate.
This would mean that I need some API to which I pass some info from SAML to be able to check whether that email exists in the db and subsequently created a token.
But since this API is public, I can't just pass an email because that would allow someone to guess it.
How do I prevent this?
redirects a callback page on the frontend application with information
from the saml request
the information from the SAML request is your authentication event. The user has authenticated to your application by logging in at their Identity Provider (Microsoft page) and returning to your application with their SAML attributes.
If it was a traditional authentication with a username/password, once the password matches, you would create a session for them. In this case the password check was done by Microsoft and told your application it was successful by sending the SAML Response to your callback.
If you parse the SAML Response and extract the attributes you can use one of them to create the session. Something persistent such as eduPersonTargetedID which will always be the same value for that user will let you create their session. When they logout and log back in, that eduPersonTargetedID will have the same value in their SAML Response.
SAML Response samples are available here.
We're currently working on an external LDAP authentication for the owncloud sync app and webdav. While I'm able to authenticate with LDAP, I am unsure of how to login to owncloud without knowing the users owncloud password. I've been looking through the source code, but I can't find where login occurs in the LDAP module. We don't want to use the LDAP module that is included in owncloud.
Basically, I want to know if there is a way to retrieve an unencrypted password from the owncloud DB? If the encrypted password in the DB would work for logins? or if there is a way to login a user after LDAP authentication with only a username?
Thanks in advance for the help.
Basically, I want to know if there is a way to retrieve an unencrypted password from the owncloud DB? If the encrypted password in the DB would work for logins?
LDAP user passwords are not stored at all.
I've been looking through the source code, but I can't find where login occurs in the LDAP module.
In ownCloud, the login credentials are passed to the checkPassword method of the registered user backend, which replies with false (not granted) or the username (= granted).
I am trying to implement single sign-on authentication between two of my applications one in PHP and the other in .NET. The PHP site currently makes a Web Service call to a .NET Web method to authenticate the user. Both the .NET site and the PHP site use the same database. I was inclined to think I could implement a single sign on mechanism where if the user logs in to the php site he is automatically authenticated to the .net site as well. CAS authentication seems to be somewhat relevant to my case. But I am not sure where it exactly fits between my applications. So let me break it down into distinct steps please let me know if I am right?
User visits www.myphpsite.com/login
He supplies the username and password and clicks on the login button.
A web service call is then made to the .NET web method hosted in the same server as my .NET application www.myDotNetApp.com
The Web service uses the database to authenticate the user.
Somewhere here CAS has to fit in and has to ensure that I am authenticated for both www..com and www.myDotNetApp.com. In addition to doing this it has to set some session variables for the www..com site for the user to be able to view the different pages in the site.
Then the Web method has to redirect the user to the homepage in the www.myphpsite.com.
Now if the user clicks the link to www.myDotNetApp.com from www.myphpsite.com he must be taken to his profile page in www.myDotNetApp.com because he is already authenticated.
Now, is it possible to achieve this? If so, how?
What you propose is possible but I would suggest doing a little reading about how CAS works, the CAS Protocol is a good resource.
What CAS provides is an authentication provider trusted by each of your websites. It is an additional hosted website / service along side your other websites wanting to use CAS to provide authentication.
Based on the information you provided in your example, here is how it would mostly likely play out:
User visits the PHP website www.myphpsite.com/login, recognizing the user is not yet authenticated the PHP website redirects the user to your CAS website.
The CAS website also does not recognize the user as authenticated and so presents the user with a login screen. The user enters their credentials which CAS verifies against the database and then redirects the user back to the PHP website.
The PHP website receives a service-ticket from CAS via URL parameter which it verifies with CAS making a back-end web-service call. Having received a confirmation from CAS that the service ticket was valid PHP then logs the user in using its built-in authentication procedure (i.e. instead of validating against the database the PHP website now validates with CAS to assert that a user is authentic).
At this point if the user attempts to access the .NET website www.myDotNetApp.com it would not be able to recognize the user as authenticated using its built-in authentication procedure and so it would redirect the user to the CAS website.
However, the CAS website would already recognize the user as authenticated. Instead of prompting the user to login, CAS would automatically redirect the user back to the .NET website providing a service-ticket as a URL parameter. The .NET website would then make a back-end web-service call to CAS verifying the service-ticket and log the user in using its built-in authentication procedure.
In summary, CAS provides a single place for users to authenticate. Other websites can then direct needs for authentication to CAS where CAS either asks the user to login or recognizes the user as already logged and notifies the website.
Think of CAS as being the HUB and your apps as being spokes in the hub & spoke model. A lot is based on implementation, but here's the general process.
When a users hits a protected area of your php app they will be redirected to CAS. They will authenticate against CAS which has been setup against your database. After successful authentication, they are routed back to your application with a token that gets verified and they are signed in. If the app is implemented correctly, then they end up back on the same page they were attempting to navigate to.
When they hit a link that sends them to your .net app, they will go over like normal. If the page requires authentication, then they are routed to CAS which already knows them and passes them back to the app with a token that gets verified and then get in, and most likely never realized they hit the CAS application.
Just in case it is pertinent, let's assume that the PHP app needs to call the .net app as the user, not just linking to a page, but needs to get .net content as the user him or herself... CAS also supports proxying, so the php application can impersonate the user and call .net directly.
Check out the CAS architecture and the protocol for more details.
I am trying to authenticate users against Active Directory with PHP for access to a web page.
ldap_bind works fine for users who are setup with "Logon Workstations" set to "All computers" in Active Directory but not for users who are setup with their computer name in "The following computers" option which only allows them to log on to their own pc.
Is there a way to just authenticate if the users username/password combination are correct and not have it check the computers they can log on to?
If I understand your question correctly, you are trying to allow for manual authentication for users who are not automatically logged in.
I have something similar to this setup on my company's intranet, where if a user is not automatically authenticated they are presented with a login form that submits to a controller that uses the adLDAP library to pass the username and password to the LDAP server for authentication.
Twitter'll phase out HTTP basic authentication by August 2010. In the link my scenarios are from Desktop Applications. Basically my client should tweet new posts on a website.
This would be incredibly simple with HTTP basic auth, because I can store and use my account's username and password in the app to authenticate.
However, with OAUTH I can get final credentials by two means:
Callback method. You are redirected to Twitter, (login if isn't), click allow access, get redirection back to your callback URL.
PIN mode. You get a link to open, (login if isn't), click allow access, receive PIN code. Use this PIN code to authenticate your app.
Do I understand correctly that PIN codes also expire? How is it possible, given a username and password just to tweet from a client application? How can a server side script log in with the username/password and click allow access? All scenarios I could google up are for a web application to authenticate via twitter where the user is in front of the browser to walk through the redirect.
All scenarios I could google up are for a web application to authenticate via twitter where the user is in front of the browser to walk through the redirect.
The user has to be there to authorise you the first time (just as they'd have to provide you a username and password), but the resulting access token does not expire and can be reused (unless the user deauthorises your application, that is).
Store the access token - it's as good as a username/password. Better, actually - if they change their password, your access remains.
The PIN does expire under OAuth 1.0a. Using the verification code returned requires use of the temporary request token in the initial authorization request.
OAuth 2.0 defines more flows - one of which uses a direct login/password mechanism. It's up to Twitter to determine which flows they decide to implement. You can also embed a user-agent in the app.
Desktop apps suffered from a really bad user-experience with OAuth 1.0 which led to 2.0. It's doable, but painful. You can request XAuth access if you need to from Twitter as well. It's almost the same as basic auth.