Single Sign on Authentication with CAS - php

I am trying to implement single sign-on authentication between two of my applications, one in PHP and the other in .NET. The PHP site currently makes a Web Service call to a .NET Web method to authenticate the user. Both the .NET site and the PHP site use the same database. I was inclined to think I could implement a single sign-on mechanism where if the user logs in to the PHP site he is automatically authenticated to the .NET site as well. CAS authentication seems to be somewhat relevant to my case, but I am not sure where exactly it fits between my applications. So let me break it down into distinct steps; please let me know if I am right.
User visits www.myphpsite.com/login
He supplies the username and password and clicks on the login button.
A web service call is then made to the .NET web method hosted in the same server as my .NET application www.myDotNetApp.com
The Web service uses the database to authenticate the user.
Somewhere here CAS has to fit in and has to ensure that I am authenticated for both www..com and www.myDotNetApp.com. In addition to doing this it has to set some session variables for the www..com site for the user to be able to view the different pages in the site.
Then the Web method has to redirect the user to the homepage in the www.myphpsite.com.
Now if the user clicks the link to www.myDotNetApp.com from www.myphpsite.com he must be taken to his profile page in www.myDotNetApp.com because he is already authenticated.
Now, is it possible to achieve this? If so, how?

What you propose is possible, but I would suggest doing a little reading about how CAS works; the CAS Protocol is a good resource.
What CAS provides is an authentication provider trusted by each of your websites. It is an additional hosted website / service alongside your other websites wanting to use CAS to provide authentication.
Based on the information you provided in your example, here is how it would most likely play out:
User visits the PHP website www.myphpsite.com/login. Recognizing that the user is not yet authenticated, the PHP website redirects the user to your CAS website.
The CAS website also does not recognize the user as authenticated and so presents the user with a login screen. The user enters their credentials which CAS verifies against the database and then redirects the user back to the PHP website.
The PHP website receives a service-ticket from CAS via URL parameter which it verifies with CAS making a back-end web-service call. Having received a confirmation from CAS that the service ticket was valid PHP then logs the user in using its built-in authentication procedure (i.e. instead of validating against the database the PHP website now validates with CAS to assert that a user is authentic).
At this point if the user attempts to access the .NET website www.myDotNetApp.com it would not be able to recognize the user as authenticated using its built-in authentication procedure and so it would redirect the user to the CAS website.
However, the CAS website would already recognize the user as authenticated. Instead of prompting the user to login, CAS would automatically redirect the user back to the .NET website providing a service-ticket as a URL parameter. The .NET website would then make a back-end web-service call to CAS verifying the service-ticket and log the user in using its built-in authentication procedure.
In summary, CAS provides a single place for users to authenticate. Other websites can then direct needs for authentication to CAS where CAS either asks the user to login or recognizes the user as already logged and notifies the website.

Think of CAS as being the HUB and your apps as being spokes in the hub & spoke model. A lot is based on implementation, but here's the general process.
When a user hits a protected area of your php app they will be redirected to CAS. They will authenticate against CAS, which has been set up against your database. After successful authentication, they are routed back to your application with a token that gets verified and they are signed in. If the app is implemented correctly, then they end up back on the same page they were attempting to navigate to.
When they hit a link that sends them to your .net app, they will go over like normal. If the page requires authentication, then they are routed to CAS, which already knows them and passes them back to the app with a token that gets verified, and then they get in, most likely never realizing they hit the CAS application.
Just in case it is pertinent, let's assume that the PHP app needs to call the .net app as the user, not just linking to a page, but needs to get .net content as the user him or herself... CAS also supports proxying, so the php application can impersonate the user and call .net directly.
Check out the CAS architecture and the protocol for more details.
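
The redirect and back-end ticket check that both answers above describe, as an added example (not code from either answer or from any CAS client library). It follows the CAS 2.0 `/login` and `/serviceValidate` exchange; the CAS server URL, the `fake_cas` stand-in and the sample replies are constructed, and Python is used only to keep the sketch short for both the PHP and the .NET side.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

CAS_BASE = "https://cas.example.org/cas"      # assumed CAS server URL
SERVICE = "https://www.myphpsite.com/login"   # URL CAS sends the user back to
NS = {"cas": "http://www.yale.edu/tp/cas"}    # CAS 2.0 response namespace

def login_redirect_url():
    """Front channel: where an unauthenticated browser is redirected."""
    return f"{CAS_BASE}/login?{urlencode({'service': SERVICE})}"

def validation_url(ticket):
    """Back channel: URL the application itself fetches to check a ticket."""
    return f"{CAS_BASE}/serviceValidate?{urlencode({'service': SERVICE, 'ticket': ticket})}"

def parse_validation_response(xml_text):
    """Return the authenticated username, or raise if CAS rejected the ticket."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['cas']}}}serviceResponse":
        raise ValueError("not a CAS serviceResponse")
    failure = root.find("cas:authenticationFailure", NS)
    if failure is not None:
        raise PermissionError(failure.get("code", "UNKNOWN"))
    user = root.findtext("cas:authenticationSuccess/cas:user", namespaces=NS)
    if not user or not user.strip():
        raise ValueError("response names no user")
    return user.strip()

def handle_request(params, fetch):
    """Decide what the app does with a request to SERVICE.
    `fetch` is a caller-supplied, certificate-verifying HTTPS GET returning text."""
    ticket = params.get("ticket")
    if not ticket:
        return ("redirect", login_redirect_url())
    try:
        user = parse_validation_response(fetch(validation_url(ticket)))
    except (PermissionError, ValueError, ET.ParseError):
        return ("redirect", login_redirect_url())  # unverified ticket: no session
    return ("login", user)  # only now start the app's own session

# Constructed sample replies in the CAS 2.0 format
SUCCESS = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess><cas:user>alice</cas:user></cas:authenticationSuccess>
</cas:serviceResponse>"""
FAILURE = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationFailure code="INVALID_TICKET">not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""

def fake_cas(url):
    """Stand-in for the CAS server: accepts exactly one constructed ticket."""
    return SUCCESS if url.endswith("&ticket=ST-1-constructed") else FAILURE

if __name__ == "__main__":
    print(handle_request({}, fake_cas))
    print(handle_request({"ticket": "ST-1-constructed"}, fake_cas))
    print(handle_request({"ticket": "ST-forged"}, fake_cas))
```

The ticket in the URL proves nothing by itself; the application logs the user in only after the back-channel reply names a user, and it sends the same `service` value on validation that it sent on the redirect.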

Related

How to handle user authentication in iOS app and PHP/MySQL in the backend

I have a webservice created in PHP/MySQL. I have also created a simple RESTful API for the webservice and what I want is, to create an iOS app (in SWIFT).
What I need is a system for users to login via the iOS app.
If the user, successfully logs in via a web browser, a session starts so it keeps the user authenticated and logged in.
If the user logs in via the iOS app, I know how to validate the user (check email/password) by making a call to my API but I have no idea how I should handle the next step after a successful login. What should be the corresponding "session" for the iOS app?
Please note that I don't want to validate a user via google, facebook or whatever, I only want to validate a user against my database.
Two possible solutions that I have read about are oauth and JWT but their purpose is not clear to me. Especially oauth looks like I should use it if I want users to login to my service via google, fb, etc.

phpCAS html form authentication for username and password

I'm trying to authenticate a username and password with a CAS server using phpCAS but didn't find anything relevant on the internet. Once the user inputs their username and password how do I authenticate it with a CAS server using phpCAS? Also, how do I redirect user to a different .php page? I saw that we can use phpCAS::forceAuthentication() to authenticate users, but I'm trying to understand how a user is authenticated using this. Thanks!
Once the user inputs their username and password how do I authenticate it with a CAS server using phpCAS?
You do not. The CAS server authenticates the credentials, not the phpCAS library.
Also, how do I redirect user to a different .php page?
Redirects are controlled by the initial service parameter that CAS would use, after issuing a ticket. Once you are at that location, you can redirect to anywhere you like.
I'm trying to understand how a user is authenticated using this.
The authentication strategies are defined inside the CAS server, which takes the credentials provided and verifies them against relevant account sources. You, as the client, do not need to bother with how that happens; just that it happens and that you are provided a ticket and that you need to validate it; a task that the CAS client library does for you.

auth0 authentication for react-native-ios that communicates with php server

I am creating a react-native-ios app that communicates with a php web app hosted on azure.
How I understand it works:
The user signs up to the app, the server communicates with auth0 server which then returns a JWT token to the php server, saves the token to the database and then sends the token back to the client-device where it is then stored on device.
The user must send the JWT token as a header whenever communicating with the server.
Whenever the user logs out the token is deleted and when signing in, a new JWT must be received.
The user can sign in via using credentials that match what is on the database or sign-in with Google or facebook.
Or is Auth0 just for signing-in with enterprises such as Google or can I use it to sign in to my app also that has login credentials on the database?
I have found the npm react-native-lock-ios but it doesn't work the way I described above.
In summary, how should I go about this and is what I have explained above correct?
The main problem here is that you did not understand how to work with JWTs. I would advise you to take a deeper look at how this technology works and how Auth0 can help you. But, in summary, this is the workflow for authentication that you must aim for:
Your user will choose one of the many identity providers supported by Auth0 (e.g. Facebook, Twitter, LinkedIn, SAML, WS Federate and so on).
Your react native app will communicate directly to Auth0 API through the react native lock.
Auth0 will interface with the chosen provider and redirect the user to an authorization page in this provider (in case it is needed and it is the first time the user logs in).
Auth0 will generate a JWT and send it back to your react native app.
Your react native app will send this JWT to the server (usually on the Authorization HTTP header) when issuing requests to your endpoints.
Your PHP backend will check if this JWT is really valid. This can be done with Auth0 PHP SDK.
In case the JWT sent has not been tampered with (changed irregularly), your backend will accept it as the user identifier and respond to the request as expected by your react native app.
As you can see the biggest issue in the approach that you thought you would follow is that the login process does not go through your backend server. It happens on your front-end app (react native) communicating with Auth0 and the identity provider chosen.
JWTs are tokens that hold information (claims) about a subject. These tokens can be validated by anyone that possesses a key (public or private). That is, having this key you can validate the token and can rest assured that it has not been changed improperly.
Furthermore, to answer the question regarding the usage of Auth0 with credentials on your database, you can bet that you can use it. Auth0 provides ways to integrate with your own database to check the existence of a user. This is called a customer user store.
Happy studying.

Central login with SAML and making site to work as identity provider

So my scenario goes like :
I have two sites a.com and site b.com and one authentication server cauth.com.
what client wants is ...
When user lands on a.com or b.com user fills in the login form on respective site, but the action of form will be on cauth.com (cauth.com/authenticate). When user is authenticated on cauth he is logged in on both sites.
I am thinking to implement SAML to achieve the same and flow is like
after authentication the IdP (cauth.com) will send a SAML response to both the service providers and the user will be given access to both the sites.
I am novice in SAML and unable to get proper documentation and comprehension for the same.
What I want to know is :
Is my solution to the problem worth implementation ?
Is it possible to make site (cauth.com) as identity provider? I have looked at thread Making your PHP website into SAML Identity Provider but not able to get proper solution.
SimpleSamlPHP should be pretty easy to set up. You'll want to make a copy of the folder modules/exampleauth/ and then alter the file modules/<yournewmodule>/lib/Auth/Source/External.php to work for your site. The documentation is good though and it's definitely the easiest thing for your need, and the right one.
I should add that following the instructions to set up SimpleSamlPHP should give you a basic understanding of which metadata files are most important and where they live and how things interact.
I am not sure which technology you are using for your application. If you are free to switch to Java then I can suggest Spring-Saml because it's very easy to implement and fulfills your requirement. Spring-Saml has good documentation and online support as well, being an open-source project.
You can refer this link for Spring-saml and for code-repo use this link
You can integrate spring-saml in your abc.com and xyz.com application to make it Service provider(SP) and you can deploy it on different domain as well. Then you need to have one IDP (identity provider server) for your SPs. So you can use either ADFS with Active directory or LDAP to act as IDP.
We had similar requirement for our customer. I recently integrated spring-saml in my project.
Please let me know for any help
A federated Single Sign On (SSO) mechanism like SAML or OpenID Connect will give you what you want.
This comes with the important distinction that the login form would not be presented on a.com or b.com but those sites would rather redirect to cauth.com and the user would authenticate there. cauth.com would then send a verifiable "assertion" to a.com and b.com that the user has authenticated successfully. This constitutes one of the major goals of federated SSO, namely that the user credentials should not be presented/stored-by foreign websites and makes the means of authentication independent from the target websites ("Relying Parties").
So what you should be looking for is a suitable implementation of SAML or OpenID Connect for your platform (don't write it yourself!) and leverage that.
Shibboleth is open source and one of the most popular SSO solutions. It includes a SAML Identity Provider which you can download here: https://shibboleth.net/downloads/identity-provider/latest/ .
If your client is willing, one approach would be to use a cloud SSO provider like Okta which has a developer program and could make things easier.
I think there is a subtle misunderstanding in your description. For SAML authentication, if a user at site a.com either clicks a login link/button or tries to access a secure page, that user will receive an http 305 redirect to cauth.com. There the user will enter their credentials, and the user will be redirected back to a.com. If that user then goes to site b.com and tries to access secure content, b.com sends the user to cauth.com with the same http 305 redirect. This time, as there is an active session for the user's browser at cauth.com, the user does NOT see the credential form. Instead, the IDP returns the user with a successful authentication to b.com. It appears to the user that they are automatically logged on to site b, but in truth a SAML authentication flow has occurred.
Hans Z's answer elides the fact that the IDP only sends the assertions on the request of a or b (the Relying parties or RPs, also known as Service Providers or SPs). It is not a broadcast to all RPs.
I'll reinforce that SAML does NOT support a.com receiving the credentials from the user and then passing them to the authentication engine. This is a pattern one may be familiar with from LDAP.
Take a look at the sequence diagram in the wikipedia entry on SAML.
Follow the instructions below to get a SAML implementation working with PHP.
SAML login setup is very easy in php.
First register on the onelogin server https://www.onelogin.com/signup and create a demo app on it. After that, follow all the instructions to set the IdP (identity provider) settings and SP (service provider) settings in settings.php: https://developers.onelogin.com/saml/php
It worked perfectly for me with CI and php

Social networking login using iOS

I'm writing an iPhone app which works against my own server.
Basically, it's a forum where users can post. I don't want users to sign-in for an account on my server but I rather prefer them to login using any existing account they have: Facebook, Linkedin, Foursquare, etc.
So from the app itself, I want them to be able to login using their existing account which will then allow them to post on the forum.
My question is that: when a user is posting a message, how can I verify whether or not he is logged in with any service? I need to validate it both on the client and server side. I plan on writing the server side using PHP.
Thanks
See this question for a similar discussion (just limited to Facebook sign on). Here's a high-level overview of what should happen (taken from that discussion I linked to):
User opens the app on the phone. Chooses a service with which to authenticate.
Authenticates via one of the available services (Facebook, Twitter, foursquare, etc.) and gets some special access token.
Your app takes the token and sends it to your server.
Your server receives the token and validates it. It checks it against the service's API and (at least for Facebook and Twitter) get the corresponding user ID.
Assuming a valid ID, your server checks if user ID has already been used by some user. If so, it logs them in. If the user ID hasn't been created, your server creates its own user record associated with that user ID and logs the user in. In either case, the user ends up logged in and your server issues a session key to your app.
The session key is used for all further communication between your app and your server until the user logs out.
On the phone, you're going to want some OAuth library to allow users to authenticate with another service. You'll probably want to use the Facebook iOS SDK to allow them to use Facebook and use one of the suggested OAuth libraries here for your other authentication services. I have only used the Facebook SDK, so I can't speak as to the general OAuth libraries.
Once logged in, the phone should not store the access token, only the session key.
Assuming that users can use more than one service to access their account, you will also want some way of connecting two services to the same user (probably by email address).
It's up to you to decide how your app and your server communicate. I'd go for a JSON+REST API for communications with the server.
Another option to get your users to login using multiple services is Socialize (www.getsocialize.com). It's an open source SDK that manages your users and authentication so you don't have to implement all the steps that cbrauchli has outlined above.
I was exploring if better/easy to use/implement options exist in 2020 using third party libraries to allow login with social accounts. And found two options:
AuthorizeMe - https://github.com/rubygarage/authorize-me & https://rubygarage.org/blog/authorizeme-ios-libary
Auth0 - https://auth0.com/learn/social-login/ & https://auth0.com/blog/using-centralized-login-to-add-authentication-to-your-ios-apps/
AuthorizeMe supports:
Facebook
Twitter
Google
Instagram
LinkedIn
plus custom providers
Auth0 supports:
Facebook
Twitter
Google
Microsoft (Windows Live)
Yahoo
Instagram
Amazon
LinkedIn
Github
PayPal
vKontakte
Yandex
Box
Baidu
Ren Ren (Xiaonei)
Weibo
Shopify
Wordpress
Yammer
SoundCloud
and custom providers as well
Disclaimer: I am not affiliated with Auth0 or AuthorizeMe.
