I have this web application with LDAP backend, to read and modify some LDAP attributes.
Web application use the SSO (Single Sign-on) to authenticate user.
How can I bind to LDAP, if I only get a user name as an attribute from SSO, withouth asking for password again, because it will make SSO useless?
I use SimpleSAMLphp as identity provider, and python driven web application for LDAP management.
Rather than using the user's credentials to bind to LDAP, get an application account at LDAP that has read permissions for the attributes you need on the users within the directory. Then, when you get the username via SSO, you just query LDAP using your application's ID.
Make sure you make your application ID's password super strong - 64 chars with a yearly change should be good. Better yet, do certificate-based authn.
Related
I'm having difficulty finding guidance on the implementation of SAML alongside an existing, traditional authentication system.
I have created a SaaS application in CodeIgnitor which has the typical, run-of-the-mill authentication system using a local users table with hashing and salting etc.
I'm looking to add SAML SSO to attract more enterprise customers. I have a question however where my Google Fu is falling short.
How can I integrate SAML authentication so that it works along-side my traditional, local authentication? If my customers choose SAML then I will require them to bind their existing local accounts to their SAML federated identities. What do I do to cater for my non-SAML users?
Do I need two login URL's such as https://app.com/saml/login for my SAML users and https://app.com/login for my non-SAML users, and just expect customers to choose the right one? Or perhaps I ask for their email/username first, and then require them to submit that value to see if they're SAML or not - and route them accordingly?
You need to install an Identity provider (IDP) that supports SAML.
You use the IDP Initiated SAML profile.
Your app. is connected to the IDP via a SAML stack.
Other enterprises can then federate with your IDP i.e. login to your web site with their credentials via SAML.
The IDP Initiated SAML profile provides a URL that you give to customers that takes them to your IDP with their customer credentials and thence to your app.
Users going direct to your website use the local connection.
That said, rather use OpenID Connect - it's much simpler but the principles are the same.
Our company has a mobile app. Until now we used LDAP authentication using PHP code to login on the app using the company's Active Directory user and password.
Now they tell me we have to stop using LDAP because there has been some security breach.
My question is, is there an equivalent of ldap_bind for Azure AD?
I've been looking for information and the answers I found are too complicated and elaborated.
Would be better to use a Native Azure App to link to our mobile App or is the PHP aproach better?
I don't need to get the Azure AD token and be able to do some operations or anything. I just want to check if user & password are correct and that's it.
Any guidance would be apreciated.
You will need to redirect the user to authenticate e.g. by using the OpenId Connect protocol.
LDAP is not supported in AAD.
The user may have e.g. Multi-Factor Authentication enabled and thus there is no way to surely authenticate programmatically.
So the right way is to register a Native app, and authenticate from your mobile app using ADAL or MSAL.
I am learning about SAML and already read many articles and forums but I still having confusion about setup IdP.
I am using "https://simplesamlphp.org/"
For example, I have 3 websites "example.com", "one.example.com", "two.example.com";
All are on three different server.
Now, I want to setup single sign on login using SAML then on which server I need to setup IdP.
As "example.com" is main domain which has all the information about user.
As I learn, when I login to "example.com" then it sends request to IdP.
But I don't get any idea where I have to set IdP and what Idp contains?.
Its on same server where "example.com" hosted OR its different server and what logic I have to write on that server?
It's simple login function OR I need to setup "simplesaml" for this and set login logic to there.
After setting up IdP, what I need to do on other server "one.example.com", "two.example.com"?
Do I need to install again "simplesaml" to both server and set SP and IdP?
In sort, which server has IdP and SP? And on which server I need to install "simplesaml"?
Thanks in advance
simpleSAMLphp is the IDP.
You don't need to write any code, just setup the config.
You will also have 3 SP = the three websites.
They can all be on the same server or you can have one server for the IDP and one server each for the websites. It doesn't actually matter.
The simpleSAMLphp web site shows you the changes you need to make to each of the SP in order to communicate with the IDP.
Identity provider is the one who supplies info about users. You'd create one, let's call it idp.example.com.
You'd install simpleSAML there and configure it so it can read info about your users, be it in MySQL, LDAP etc. (this is the tricky part with IdP setup).
Now, your websites would be service providers and if user isn't authenticated, they'd redirect the user to idp.example.com, user logs in, idp.example.com returns the user to service provider with the XML document containing assertions.
That means your SP needs to be able to consume the SAMLResponse which IdP sends to your site.
You can consume this with simpleSAML, which you'd configure in SP mode now.
Bear in mind that SSP (simplesamlphp) isn't the only option in PHP to deal with SAML. There's also Lightsaml - a proper library. SimpleSAML isn't just a library, it's a complete solution and quite honestly - a super SUPER terrible one at that, it's the epitome of crap code one can type out and make a system that actually works (much like wordpress).
TL;DR:
create an IdP -> idp.example.com -> configure or create the module that authenticates users against your user source (LDAP, ActiveDirectory, relational database etc.)
configure your 3 websites to authenticate using idp.example.com
configure your 3 websites to be able to consume responses from idp.example.com
It's all doable with simplesamlphp. If you want to take it further and implement or play with SAML on your own - you can use the library I linked. It'll take way, way, way longer to do it via Lightsaml library though since you have to take care of single logout and single sign-on, encryption, digital signatures, endpoints, metadata etc.
Situation background:
We have company Azure with dozens of existing users with existing credentials for Azure access.
Beside that, we have CMS (in PHP) on separate webhosting (no relationship with Azure, not hosted under Azure).
What we need:
All existing Azure users will be able to access in our web CMS and we have dilema if CMS (php script) will be possible to check credentials remotely by requesting Azure API.
Or even better if user is already logged in Azure account and have active cookie (like in Facebook), CMS would only request some users details and check users tenant and domain and allow access automatically without any login form.
The best would be to combine both mentioned.
The goal is:
PHP script checking "Azure login cookie" (such as Facebook?) and ensuring communication with Azure API giving params like email and password and recieving true/false if some Azure user is exists for given credentials.
Appreciate any help and tips, regards, Jan.
The is no such Azure AD API that provide the service to check the credential. And the flow describe above that require users enter their Azure AD credentials in you apps which is more like Phishing which is easy to leakage the users credential.
If you want to authenticate your apps via Azure AD, you can using the OpenId connect stand protocol. Here is the authentication flow using the OpenId connect for your reference:
More detail about authorizing access to web applications using OpenID Connect and Azure Active Directory, you can refer here.
Scenario:
I have a area of a website that needs to be secure and accessible when offsite. I want the user to enter the username and password used to login at work in a web form. The form will send the username and password to authenticate it. If it works the user is logged in.
I need to use a form not a pop-up login box. PHP is preferred but I'm flexible. Any ideas to point me in the right direction?
My employer has a few secure areas they have set up that uses the "pop-up box". For what I need to accomplish I need to use a web form.
Try LDAP
http://www.devshed.com/c/a/PHP/Using-PHP-With-LDAP-part-1/
http://us2.php.net/ldap
I've written intranet web applications that use the local windows username and password to authenticate and LDAP is by far the best solution.
If you are using LDAP at work, go with that, if not, well you have to access it thru .NET.
Since there are several but not fully reliable .NET implementations for PHP, I would recommend using a WebService, which PHP would consume, that will pass the user and pass - encrypted would be nice - to it, and it will return if the credentials are valid or not.
You should be able to use LDAP, in your case it is most likely Windows Active Directory via IIS. There are php packages out there to interact with various types of LDAP implementations. Here is a link:
http://php.net/manual/en/book.ldap.php
use this http://pear.php.net/package/Auth and tie it in to ldap authentication at the back-end.
of especial interest to you would be the Auth::setShowLogin method...