That's my need: my company run a web-application coded with classic asp. Now one of our customer want that application to use SSO with their own IdP using SAML 2.0. So I have to interface with that service to verify users credential and then granting access.
I search the web to know about SAML protocol and, as far as I understood, my web-app have to act as a Service Provider, but the SAML protocols and specs are quite complex.
So, that's the question: do you know any "middleware", Classic ASP or PHP based, that can help me dealing with this kind of authentication?
Thanks.
EDIT: googling around, I came across this one
https://onelogin.zendesk.com/entries/268420-saml-toolkit-for-php
Anyone knows it?
SimpleSAMLPHP is a solid library, however, I would guess that it's far more than what you are looking for... It's an implementation with both SP and IdP code, and, while it has the name "simple" in it, is far more complex than what you need.
I would suggest you try looking at Kentor's open source stuff:
http://coding.abel.nu/2013/09/an-open-source-asp-net-saml2-service-provider/ It's pretty recent, and I've seen others use it successfully.
Yes, your application has to act as a Service Provider.
Try SimpleSAMLphp Service Provider. I haven't used it personally for integration with an existing application, but seems it should work for you.
Please refer: http://simplesamlphp.org/docs/1.5/simplesamlphp-sp#section_6
Try OpenAm's Fedlet library for .Net applications :
http://docs.forgerock.org/en/openam/10.1.0/dev-guide/index/chap-fedlet-dotnet.html
Related
I have a scenario, we have an PHP based website through which the users login using credentials stored in a database. Now we have another SPA website with .NET CORE as API layer.We don't have an option of having a central authentication server like Azure. If I want to let the users of SPA to access the website since they have already been authenticated in PHP, What should I do? Can PHP generate a JWT to pass it to API? How does that JWT then gets to SPA and how do I validate it? Please be kind as I am a newbie to website programming.
Json Web Tokens are a very specific format for a Bearer token. There are protocols like OpenID Connect that provide more structure around the login and trust process but at their heart, JWTs are just BASE64 encoded json with a verification hash.
You can roll your own SSO with JWT but as with everything in security, rolling your own comes with significant risks of making a bone head mistake and compromising your security. So research research and research some more if you take this route.
I did a very similar thing but stayed purely in the .net world. I used a .net library to build the JWT (https://learn.microsoft.com/en-us/previous-versions/visualstudio/dn464181(v%3Dvs.114)) and ASP.NET Core Identity to handle verification of the JWT (https://www.nuget.org/packages/Microsoft.AspNetCore.Authentication.JwtBearer) so I didn't write the code to actually generate the JWT. There is also only SSL connections made between the servers so some of the risk of the token getting sniffed is mitigated.
There are libraries for PHP to generate JWT or you could stand up your own JWT token provider in any language.
There also may be the possiblility of finding an OpenId Connect provider that could hook into your existing database. Identity Server 4 is one for .net but there may be one to be found in the PHP world. This introduces some overhead but does solve the problem of not having the ability to have a third party OpenId Connect provider.
Its not too terrible but security is one place where you wnat to be absolutely sure you get things right.
Authenticating from another server is SSO. There are lots of ways you could do this, but SSO protocols like OpenID Connect and SAML are specifically designed for what you're trying to do.
However, those protocols are anything but simple. You should try to see if you can find existing libraries to have your PHP application act as an Identity Provider (IdP), and your SPA to act as a Service Provider (SP) using the same protocol.
An idea that's a stretch - you didn't explain WHY you can't use a central authentication server. You might consider something like Keycloak (there are other options - that's the one I've used), which you can self-host, and can serve as either an IdP or an SP using OpenID-Connect or SAML 2.0.
You definitely shouldn't build this from scratch on your own (unless this is a hobby project). Authentication is full of security pitfalls that can trip up even the most experienced programmers.
Story is that I need to make my website act as Identity Provider (read: IDP). Website itself is on Zend platform. Idea is making a IDP controller by which Service Providers (read: SP) contacts IDP. As it must be part of the website, I would need to include some extension, which could be easily used for responding SAML requests from SP.
I have found list of PHP extensions from:
https://wiki.surfnetlabs.nl/display/OSP/RFC+-+OpenSAMLphp,+a+new+PHP+library+for+SAML+2.0+support
All of these extensions have little documentation or are too complex. For example I haven't found a way to use SimpleSamlPHP in my application and also extracting useful code out of it looks very time consuming (which I really don't have anymore). Also I find all of them hard to implement into website.
I have been googling and checking github for days now, trying to find easy way to use some library (right now I'm trying to implement Lasso, which seems reasonable, but unfortunately lacks good examples / information how to use it as IDP).
Any kind of criticism, ideas, help or tutorial/code examples would be useful.
I wrote a guide about how deploy on an open source software (Tiki-wiki) an IdP using simplesamlphp, and how to connect the IdP to google or salesforce. Take a look:
https://github.com/pitbulk/tiki-saml/blob/master/doc/tiki_wiki_as_idp.rst
SimpleSAMLphp seems intimidating at first but it can handle all the SAML responses for you.
Have you looked at creating custom authentication module - http://simplesamlphp.org/docs/stable/simplesamlphp-customauth
You can tie this module to your existing login mechanism pretty easily.
Check out PingFederate and the PHP Integration Kit from Ping Identity. Alternatively there is the Agentless Integration Kit (instead of PHP) which allows you to integrate using a RESTful API call to the PingFed server instead of embedding any PHP libraries.
HTH,
Ian
Is there a standardized way to set up AD authentication for a web service that does not have direct access to the AD controller? I'm thinking of a cloud application such as Google Apps that wishes to authenticate against an organization's AD.
I have googled around quite a bit but I don't seem to know the right keywords. Maybe someone else can elighten me or give me some search pointers.
FWIW, our applications are written in PHP using Zend Framework.
The most elegant solution to your problem would be using identity federation. The basic idea is to authenticate your user locally like you do on your regular apps and send a security token to your cloud provider, proving the identity of your users.
SAML is the most common federation protocol used for achieving this. Google has a nice page explaining the details and the wikipedia page is also insightful:
There are plenty of identity federation solutions, for example:
Active Directory Federation Services (ADFS)
SimpleSAMLphp
Shibboleth
OpenAM
SimpleSAMLphp may be a good start to familiarize with SAML, as it is.. simple :)
The procedure to connect it to google apps is described here.
ADFS would be an AD-centric solution, but is a bit more complex to configure.
Is there any way that I can integrate the UserCake user management system with MediaWiki? I want to link the accounts in each system so users can log into both with the same username and password.
There is no existing system to do this. You can create an extension for MediaWiki to do this without too much trouble. Basing it off an existing extension is probably a good starting point. By looking at AuthJoomla, AuthBugzilla and AuthSymfony you should get a good idea of how MediaWiki's authentication extension API operates. It's really just a matter of creating the class, getting it to call the relevant UC functions and then loading it as an extension into MW.
Having said that, UserCake seems unmaintained. It may be worth taking this opportunity to migrate your users to another authentication system. If you are using credentials between several applications you might want to look at something like LDAP.
I know that this is a really old question, but UserSpice is the fully PDO/OOP spiritual successor to UserCake and would probably be better equipped to handle this. It would take some modification, but it could be done.
May I recommend that you use other ways to secure you applications. Take a look at Windows Azure ACS that gives you security federation to Facebook, Google, Yahoo and more.
This allows you to focus on your application and not security protocols.
Azure ACS supports many different of protocols and works great with PHP as well as .Net based applications.
I did a quick search and found the http://www.mediawiki.org/wiki/Extension:OpenID that can use Azure ACS. (Access Control Services)
There are other alternatives to ACS such as Ping Identity and OpenSSO; But ACS is a cheap alternative to Ping.
Q: How would you create a SSO? What would you do about authentication (separate app or same as sso) and user store?
Background info:
We have 40+ php apps, java apps and
Ruby apps.
Currently, we have a custom
SSO+authentication solution. It's an
app written in php that is now used as
SSO, while supporting
email/username/phone-number + password
as authentication. It works, but was
built for a few apps only, not
originally meant to be the SSO -
solution. It doesn't have a usable view, every app create their own login/register forms and use the API. They share context and we'd like a more universal design.
Now we know want to support Oauth and
openid solutions, as facebook connect,
google and more, (or do we really?), in addition to
existing authentications. We can
expand existing php-solution, but we
are considering alternatives.
If you were to do all this in Ruby, what would you do?
Some additional info:
All users exist in SSO, today.
The company does aquire other companies/systems at times, having their own users. Would you migrate or create some kind of mapper?
Customers in a Microsoft CRM, but I consider this unrelated. Or do I?
I've shallowly looked at RubyCAS and ClassyCAS, and don't know if they are suitable. Is CAS the way to go?
Would you keep going with php? What would you use?
As you see, I have a lot of questions. What would you suggest?
I a previous job we used Jasig CAS for SSO (several apps in Java and Python). After getting over some quirks in the configuration and my dislike of all things Java, it actually worked pretty well. At the time I found the wiki to be a valuable resource, but things might have changed in the last year.
Authentication was handled via a separate app (custom) using an OpenLDAP directory that was preinitialized with a script that got user info out of an AD server.
Regarding the actual server you might actually want to use the Jasig one, IIRC it's the reference implementation and is easy to customize via a Maven overlay.
Ruby-cas FTW.