I have created an application written in PHP. Now I need to develop a new .NET application using the same login database. What I want is that after the end user logs in through the PHP application and clicks a link to my new .NET application, they do not have to sign in again. Any idea or suggestion?
Why not implement WIF on the .NET side and SimpleSAML in the PHP solution? Federated security with the WIF framework using the SAML protocol should work. What's better is that SAML is an open standard, so there are a lot of resources out there.
To get you started:
Windows Identity Foundation (WIF) https://msdn.microsoft.com/en-za/library/ee748475.aspx
SimpleSAML https://simplesamlphp.org/
EDIT: I'm recommending the above because you cannot share cookies cross domain and you shouldn't really be trying to roll your own security where possible. You can also look at OAuth2 http://openid.net/connect/.
It seems WIF can also support OAuth2 with extensions https://blogs.msdn.microsoft.com/alikl/2011/03/03/running-windows-identity-foundation-wif-extensions-for-oauth-2-0-sample/
I have a scenario: we have a PHP based website through which the users log in using credentials stored in a database. Now we have another SPA website with .NET Core as the API layer. We don't have the option of having a central authentication server like Azure. If I want to let the users of the SPA access the website since they have already been authenticated in PHP, what should I do? Can PHP generate a JWT to pass it to the API? How does that JWT then get to the SPA, and how do I validate it? Please be kind as I am a newbie to website programming.
JSON Web Tokens are a very specific format for a Bearer token. There are protocols like OpenID Connect that provide more structure around the login and trust process, but at their heart JWTs are just Base64-encoded JSON with a verification hash.
You can roll your own SSO with JWT, but as with everything in security, rolling your own comes with significant risks of making a bonehead mistake and compromising your security. So research, research and research some more if you take this route.
I did a very similar thing but stayed purely in the .NET world. I used a .NET library to build the JWT (https://learn.microsoft.com/en-us/previous-versions/visualstudio/dn464181(v%3Dvs.114)) and ASP.NET Core Identity to handle verification of the JWT (https://www.nuget.org/packages/Microsoft.AspNetCore.Authentication.JwtBearer), so I didn't write the code to actually generate the JWT. There are also only SSL connections made between the servers, so some of the risk of the token getting sniffed is mitigated.
There are libraries for PHP to generate JWTs, or you could stand up your own JWT token provider in any language.
There also may be the possibility of finding an OpenID Connect provider that could hook into your existing database. IdentityServer4 is one for .NET, but there may be one to be found in the PHP world. This introduces some overhead but does solve the problem of not having the ability to have a third party OpenID Connect provider.
It's not too terrible, but security is one place where you want to be absolutely sure you get things right.
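The mint-and-verify round trip the answer describes, written out as an added example that is not part of the answer above: the PHP login app issues an HS256 JWT with a shared secret, and the same checks the .NET API would apply (algorithm pinned, signature compared in constant time, issuer and expiry enforced) are shown in PHP so the whole thing runs on one machine. The secret value and the issuer name php-login are placeholders.

```php
<?php
// Added example (not from the answer above). Assumes a shared secret
// distributed out of band to the PHP login app and the .NET API.

function base64url_encode(string $data): string {
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

function base64url_decode(string $data): string {
    return base64_decode(strtr($data, '-_', '+/'));
}

// Issuer side: header.payload.signature, each segment base64url-encoded.
function mint_jwt(array $claims, string $secret): string {
    $header = base64url_encode(json_encode(['alg' => 'HS256', 'typ' => 'JWT']));
    $payload = base64url_encode(json_encode($claims));
    $signature = hash_hmac('sha256', "$header.$payload", $secret, true);
    return "$header.$payload." . base64url_encode($signature);
}

// Verifier side: returns the claims, or null if the token must be rejected.
function verify_jwt(string $jwt, string $secret, string $issuer, int $now): ?array {
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) { return null; }
    [$h, $p, $s] = $parts;
    $header = json_decode(base64url_decode($h), true);
    // Pin the algorithm instead of trusting the one named in the token.
    if (!is_array($header) || ($header['alg'] ?? '') !== 'HS256') { return null; }
    $expected = hash_hmac('sha256', "$h.$p", $secret, true);
    // Constant-time comparison so a forged signature cannot be timed.
    if (!hash_equals($expected, base64url_decode($s))) { return null; }
    $claims = json_decode(base64url_decode($p), true);
    if (!is_array($claims)) { return null; }
    // Only accept tokens from our own login app, and only while unexpired.
    if (($claims['iss'] ?? null) !== $issuer) { return null; }
    if (!isset($claims['exp']) || !is_int($claims['exp']) || $claims['exp'] <= $now) { return null; }
    return $claims;
}

$secret = 'PLACEHOLDER-use-a-long-random-secret'; // placeholder, not a real key
$now = time();
$token = mint_jwt(['iss' => 'php-login', 'sub' => 'user42', 'iat' => $now, 'exp' => $now + 300], $secret);

echo "valid token:  ", verify_jwt($token, $secret, 'php-login', $now) ? 'accepted' : 'rejected', PHP_EOL;
echo "wrong secret: ", verify_jwt($token, 'other-secret', 'php-login', $now) ? 'accepted' : 'rejected', PHP_EOL;
echo "after expiry: ", verify_jwt($token, $secret, 'php-login', $now + 600) ? 'accepted' : 'rejected', PHP_EOL;
```

On the .NET side the JwtBearer middleware linked in the answer performs the equivalent validation when it is configured with the same symmetric key, so only the issuing half needs to live in PHP.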
Authenticating from another server is SSO. There are lots of ways you could do this, but SSO protocols like OpenID Connect and SAML are specifically designed for what you're trying to do.
However, those protocols are anything but simple. You should try to see if you can find existing libraries to have your PHP application act as an Identity Provider (IdP), and your SPA to act as a Service Provider (SP) using the same protocol.
An idea that's a stretch - you didn't explain WHY you can't use a central authentication server. You might consider something like Keycloak (there are other options - that's the one I've used), which you can self-host, and can serve as either an IdP or an SP using OpenID-Connect or SAML 2.0.
You definitely shouldn't build this from scratch on your own (unless this is a hobby project). Authentication is full of security pitfalls that can trip up even the most experienced programmers.
I just wondered if you could answer a question regarding authentication in an enterprise's intranet. We are currently setting up a server for intranet publishing which of course needs protection via an enterprise single sign on.
Unfortunately we are stuck with an IIS server as we need to run both PHP and .NET applications. The main app is programmed in PHP, but we have to feature some jQuery included widgets that rely on ASPX handlers.
The company offers all types of authentication. We've already successfully protected the server with Shibboleth (using SAML 2.0). It shows the ESO screen to login and then redirects to our server with a logged-in session. Unfortunately the widgets that are referring to the ASPX handlers don't authenticate correctly.
I've never done authentication / SAML / WiF / anything, so please excuse my question:
What would be the most promising way to do authentication with our setup (IIS featuring PHP and ASPX apps)? Should we stick to SAML and Shibboleth, or should we use WiF / WS-Federation / Windows Authentication?
Is it possible to support both PHP and ASPX with one authentication method?
Thanks for a response!
Nik
I don't know much about single sign-on, but check the DOTNET class.
The DOTNET class allows you to instantiate a class from a .NET assembly and call its methods and access its properties.
$obj = new DOTNET("assembly", "classname")
So you can keep authentication in a single .NET library to support both PHP and ASPX with one authentication method.
<?php
// Load a .NET class through the DOTNET COM bridge (requires PHP on Windows
// with the com_dotnet extension enabled).
$stack = new DOTNET("mscorlib", "System.Collections.Stack");
$stack->Push(".Net");
$stack->Push("Hello ");
// Pops in LIFO order, so this prints "Hello .Net".
echo $stack->Pop() . $stack->Pop();
?>
See also Best way to call .NET classes from PHP?
I have a WPF app with a Web browser control in it. I am opening a web page which is a PHP application.
I need to pass my machine credentials to the PHP application.
The Web browser control opens [http://app/login.php]. The user has logged onto the machine with his domain credentials. The PHP website uses Windows authentication.
Both the WPF application and the PHP site are internal applications (i.e. same domain).
You have a CakePHP application and a login.php? Then there is something seriously wrong with it.
You need to get your current logged in users identity and pass that on to the php application.
See Using windows authentication with php?
If you're using CakePHP 2.0 you might find an LDAP adapter for the AuthComponent. I guess you can use google to find more, I don't know if this one here is any good or not http://www.analogrithems.com/rant/2012/01/03/cakephp-2-0-ldapauth/
My answer covers the CakePHP part
Best practice would be to communicate using REST, between your wpf and cakephp. CakePHP provides a very easy way to connect your actions via REST. You will have to connect your authentication method using the REST.
Cake's documentation has a nice section on REST from CakePHP.
Q: How would you create a SSO? What would you do about authentication (separate app or same as sso) and user store?
Background info:
We have 40+ PHP apps, Java apps and Ruby apps.
Currently, we have a custom SSO+authentication solution. It's an app written in PHP that is now used as SSO, while supporting email/username/phone-number + password as authentication. It works, but was built for a few apps only, not originally meant to be the SSO solution. It doesn't have a usable view; every app creates its own login/register forms and uses the API. They share context and we'd like a more universal design.
Now we want to support OAuth and OpenID solutions, such as Facebook Connect, Google and more (or do we really?), in addition to the existing authentications. We can expand the existing PHP solution, but we are considering alternatives.
If you were to do all this in Ruby, what would you do?
Some additional info:
All users exist in SSO, today.
The company does acquire other companies/systems at times, having their own users. Would you migrate or create some kind of mapper?
Customers in a Microsoft CRM, but I consider this unrelated. Or do I?
I've shallowly looked at RubyCAS and ClassyCAS, and don't know if they are suitable. Is CAS the way to go?
Would you keep going with php? What would you use?
As you see, I have a lot of questions. What would you suggest?
In a previous job we used Jasig CAS for SSO (several apps in Java and Python). After getting over some quirks in the configuration and my dislike of all things Java, it actually worked pretty well. At the time I found the wiki to be a valuable resource, but things might have changed in the last year.
Authentication was handled via a separate app (custom) using an OpenLDAP directory that was preinitialized with a script that got user info out of an AD server.
Regarding the actual server you might actually want to use the Jasig one, IIRC it's the reference implementation and is easy to customize via a Maven overlay.
Ruby-cas FTW.
I need to provide SSO for a WebSphere portal. The authentication process needs to be handled by a PHP site (which itself should authenticate a user against an Active Directory via LDAP; I think I have this bit covered though). I have been told I need to create an LTPA cookie. How would I go about doing this? What information needs to be set? Will WebSphere be able to read this cookie and grant access to the user?
WebSphere comes with out-of-the-box support for propagation of authentication using LTPA tokens (in web apps, these are usually stored in cookies named LTPAToken and LTPAToken2).
In general, for this to work both WebSphere and your PHP app have to share the same LTPA keys (based on which the LTPA tokens are generated). In the WebSphere administration console, a little configuration is needed to enable LTPA and synchronize the keys.
However, I'm completely ignorant about PHP capabilities for this; don't know if there are any LTPA PHP libraries or a builtin Apache/PHP support for LTPA whatsoever. Googling IBM's infocenter (publib.boulder.ibm.com) may help.
This ST Awareness on a PHP page article on IBM developerWorks may help you.
There is also an example of adding awareness to an ASP page in chapter 12 of the Redbook Building Sametime Enabled Applications. It details a way of doing it if you don't have LTPA in your environment.
WAS can create an LTPA cookie with a custom TAI; please read the link below for further details:
Developing a custom trust association interceptor