I have an intern website with a simple login window where you have to login before you can access the website. This login works with PHP and ldap, you have to log in with your AD credentials.
Now i have to implement Kerberos for single sign on. I have already installed the needed modules on the webserver and configured everything. Single sign on works, i can get the user with $_SERVER['REMOTE_USER'].
Not all interns are allowed to have access to the website. Because of that there are different AD user groups to handle the different access rights. With ldap its simple to check if a user is member of a specific group. But how can i do this with Kerberos? Do i still need to use ldap or has kerberos some inbuilt functions to do that?
Related
My actual requirement is i have 2 AWS servers on both server I have added xml file, my requirement is I want to login from our application page using email and password, this credential check in active directory is this user exists if yes it should return to my application with user details like email id, I want to implement this in PHP.
ADFS supports WS-Fed, SAML 2.0 and OpenId Connect so you need a PHP client-side stack for one of these.
ADFS sits on top of AD so it will check the user in AD.
You have to use the ADFS login screen. There is no way to use a custom one.
I have this web application with LDAP backend, to read and modify some LDAP attributes.
Web application use the SSO (Single Sign-on) to authenticate user.
How can I bind to LDAP, if I only get a user name as an attribute from SSO, withouth asking for password again, because it will make SSO useless?
I use SimpleSAMLphp as identity provider, and python driven web application for LDAP management.
Rather than using the user's credentials to bind to LDAP, get an application account at LDAP that has read permissions for the attributes you need on the users within the directory. Then, when you get the username via SSO, you just query LDAP using your application's ID.
Make sure you make your application ID's password super strong - 64 chars with a yearly change should be good. Better yet, do certificate-based authn.
I am trying to implement single sign-on authentication between two of my applications one in PHP and the other in .NET. The PHP site currently makes a Web Service call to a .NET Web method to authenticate the user. Both the .NET site and the PHP site use the same database. I was inclined to think I could implement a single sign on mechanism where if the user logs in to the php site he is automatically authenticated to the .net site as well. CAS authentication seems to be somewhat relevant to my case. But I am not sure where it exactly fits between my applications. So let me break it down into distinct steps please let me know if I am right?
User visits www.myphpsite.com/login
He supplies the username and password and clicks on the login button.
A web service call is then made to the .NET web method hosted in the same server as my .NET application www.myDotNetApp.com
The Web service uses the database to authenticate the user.
Somewhere here CAS has to fit in and has to ensure that I am authenticated for both www..com and www.myDotNetApp.com. In addition to doing this it has to set some session variables for the www..com site for the user to be able to view the different pages in the site.
Then the Web method has to redirect the user to the homepage in the www.myphpsite.com.
Now if the user clicks the link to www.myDotNetApp.com from www.myphpsite.com he must be taken to his profile page in www.myDotNetApp.com because he is already authenticated.
Now, is it possible to achieve this? If so, how?
What you propose is possible but I would suggest doing a little reading about how CAS works, the CAS Protocol is a good resource.
What CAS provides is an authentication provider trusted by each of your websites. It is an additional hosted website / service along side your other websites wanting to use CAS to provide authentication.
Based on the information you provided in your example, here is how it would mostly likely play out:
User visits the PHP website www.myphpsite.com/login, recognizing the user is not yet authenticated the PHP website redirects the user to your CAS website.
The CAS website also does not recognize the user as authenticated and so presents the user with a login screen. The user enters their credentials which CAS verifies against the database and then redirects the user back to the PHP website.
The PHP website receives a service-ticket from CAS via URL parameter which it verifies with CAS making a back-end web-service call. Having received a confirmation from CAS that the service ticket was valid PHP then logs the user in using its built-in authentication procedure (i.e. instead of validating against the database the PHP website now validates with CAS to assert that a user is authentic).
At this point if the user attempts to access the .NET website www.myDotNetApp.com it would not be able to recognize the user as authenticated using its built-in authentication procedure and so it would redirect the user to the CAS website.
However, the CAS website would already recognize the user as authenticated. Instead of prompting the user to login, CAS would automatically redirect the user back to the .NET website providing a service-ticket as a URL parameter. The .NET website would then make a back-end web-service call to CAS verifying the service-ticket and log the user in using its built-in authentication procedure.
In summary, CAS provides a single place for users to authenticate. Other websites can then direct needs for authentication to CAS where CAS either asks the user to login or recognizes the user as already logged and notifies the website.
Think of CAS as being the HUB and your apps as being spokes in the hub & spoke model. A lot is based on implementation, but here's the general process.
When a users hits a protected area of your php app they will be redirected to CAS. They will authenticate against CAS which has been setup against your database. After successful authentication, they are routed back to your application with a token that gets verified and they are signed in. If the app is implemented correctly, then they end up back on the same page they were attempting to navigate to.
When they hit a link that sends them to your .net app, they will go over like normal. If the page requires authentication, then they are routed to CAS which already knows them and passes them back to the app with a token that gets verified and then get in, and most likely never realized they hit the CAS application.
Just in case it is pertinent, let's assume that the PHP app needs to call the .net app as the user, not just linking to a page, but needs to get .net content as the user him or herself... CAS also supports proxying, so the php application can impersonate the user and call .net directly.
Check out the CAS architecture and the protocol for more details.
I am trying to authenticate users against Active Directory with PHP for access to a web page.
ldap_bind works fine for users who are setup with "Logon Workstations" set to "All computers" in Active Directory but not for users who are setup with their computer name in "The following computers" option which only allows them to log on to their own pc.
Is there a way to just authenticate if the users username/password combination are correct and not have it check the computers they can log on to?
If I understand your question correctly, you are trying to allow for manual authentication for users who are not automatically logged in.
I have something similar to this setup on my company's intranet, where if a user is not automatically authenticated they are presented with a login form that submits to a controller that uses the adLDAP library to pass the username and password to the LDAP server for authentication.
I am creating a PHP application in which I want to implement Openid login. I want to implement the following functionality:
If user has already logged in his Google Apps account, then PHP application should not ask him login info again.
How can I check in custom PHP application login, that user has already logged in his Google Apps account? I am using PHP lightopenid.
You can not. You cannot simply check if a random visitor is authenticated on some other random 3rd party site. Because it's none of your business and would be quite a privacy problem.
You can only go through a normal OpenID login process, redirecting the user to Google and see what you get back.
Maybe you mean to implement your login system? An OpenID login just tells you who a user is. It does not remember the user for you or implement any kind of session or permission system for you. If the user has successfully used OpenID to authenticate with your site once, keep track of him using sessions, cookies, database entries or whatever else you need on your site.