My company creates a lot of applications that have very similar functionality, with a few differences between each one. For example, some sites have a group creation feature, others have user profile pages, and yet others allow users to accumulate achievement points and such.
Our clients want users to be able to log in to each application with the same username/password, since it doesn't really make sense for the user to have to register a different account for each site.
How do we design our database? Is it better to have a single central database for all of our applications, or separate them into individual databases and do JOINs across databases? Which is better performance-wise and design-wise?
Thanks for any insight!
Just go with OpenID. Simplest to just use Facebook Connect as a provider. They let you get to all of your user's data (like name etc.) so you can identify and data mine them if need be.
If you don't want to rely on an external provider to handle your user accounts, then become your own OpenID provider.
I would have a central server, which hosts a user db and web services to access that user db.
That way you can use the same DB, and perform logins over web services to that system from your front end.
This is also scalable and can grow in complexity with your applications.
I would take the other two answers and combines them to make a private OpenId Provider.
This way you can use the standard OpenId clients for your developments, and possibly even open your applications up for external OpenId providers if you developments need them.
This gives scalability and open standards for other applications within the organisations to use the same provider.
In a general way I would develop tables that would be Master Data, they will be single version of the truth application wide. Each and every application will access the same "clients base". In your case it seems that the concept of Master Data can be applied to your applications database.
If the applications are hosted within the company you can use active directory.
You can access active directory from php with the ldap functionality. You can than add users to groups in active directory to give them access to various functionality within the application.
Related
I'm developing a system using Yii framework and mysql
and after finishing it i'm going to develop another one.
Those two systems should be shared with the same authentication module.
And maybe there are more systems coming up.
But I don't want to have two separate module for each project doing the authentication and authorization and I don't want to assign each user two passwords.
I'm searching for a mechanism to make the A&A process done with one external and shared system and let those two systems communicate with this system to get the rights for the current logged in user.
You need to implement SSO (Single Sign On) or to use some other method to overcome this.
Check here for a simple guide on how to implement SSO: http://merbist.com/2012/04/04/building-and-implementing-a-single-sign-on-solution/
Also check some enterprise implementations like http://www.onelogin.com/
Finally some open source implementations will probably help you like https://github.com/jasny/sso
I have an open question about my idea. Here's some background:
I'm developing a PHP application for the company I work in. It's meant to be used only by its employees. Every employee has access to our SharePoint portal. Basically the app has to be accessible only for people, that have access to our SharePoint.
I've got an idea to use SP to authorize users in my app. Authorization would be based on downloading a secured file from SP (one for all users), using CURL. If the file is correctly downloaded you're logged in. If it isn't, you're not allowed to access the app (there would be exception handling of course).
So, each person, who has access to SP, would have access to the app. The app and SP are located at different servers.
What do you think about that idea? Will it be safe? Is it a good idea at all?
I've listed some pros and cons that came to my mind...
Pros:
easy to develop
access control is held by SharePoint
users don't have to learn new logins and passwords
IMO it should be safe, because no passwords would be stored in the app's database
Cons / vulnerabilities:
possibility that the file will be accidentally deleted
Cheers,
Zibi
This is not a good idea. You are basically trusting the client to authenticate itself, which is very bad. You must assume that the client code is completely compromised and has been modified by an attacker to bypass your controls.
Generally speaking, "roll-your-own" security is a recipe for disaster. You should take advantage of PHP's built in session tracking mechanism. You can find a good tutorial here if you don't know how to use it yet. Your user's will have to authenticate again, but unfortunately that is necessary for proper security.
Also keep in mind that with your suggested solution there could be no access controls beyond "employee." This is severely limiting in the future if you ever need to provide the ability to restrict users access to resources based on user ID, roles or groups. You'll be much happier in the future if you do it properly at this point in the game.
This will look like range of questions but all are related to SaaS and PHP based application we have been building. We are conscious about our application architecture and studying it so that we ensure to encounter all essential techniques before we move to production and do not face any failure.!
To support SaaS we have decided to make our database multi-tenant where each customer will have its own database. My mind is boggling around following list of questions further.
How to provide ability to customize a SaaS multi-tenant application to suit individual tenant needs?
How to ensure security of each tenant database so that they do not access each other's data accidently?
What are clusters and how do we add new instances of application and database to them in case of increasing no. of customers?
What do we do to ensure performance and scalability of SaaS website?
How do we handle failures of SaaS application, especially when we launch new versions and updates, (continuous integration)?
Any special solutions for handling subscribers/customers and permissions of activated and deactivated modules in SaaS application?
I have attached block diagram of DB we have decided to go with
I have written a good article with many of the items which we need to consider while developing a SaaS application in PHP. Check the SaaS application development using PHP in Zend Framework
Answers to some of your questions are below:
How to provide ability to customize a SaaS multi-tenant application to suit individual tenant needs?
Its like a normal site development. Suppose you have resources A to Z then you need to keep the assigned or accessible resources of reach Tenants inside database. Then while accessing you can simply check the permissions.
How to ensure security of each tenant database so that they do not access each other's data accidently?
The database design on SaaS application is a topic which is discussed lots of times on Stack Overflow. You can go with Single database or unique database for each Tenants. For Big Projects the second one is suitable.
If you are going with Single Database, simply store the TENANT ID in all tables. And then while Authenticating the Tenant, keep the TENANT ID in SESSION based on the Sub Domain which the request coming from. Then pass this ID in all database operations and thus, it doesn't affect the data of any other Tenants accidentally.
What would be recommended as an authentication solution for a Software-as-a-service product?
Specifically, my product would have clients that would typically have low information technology skills, potentially not even having an IT department within their organization. I would still like to have my application authenticate against their internal directory service (eDirectory, Active Directory, etc.). I don't want them, however, to have to open/forward ports (for instance, opening up port 636 so I can do LDAPS binds directly to their directory service).
One idea I had was to have an application installed on a server within their organization's network that would backconnect to my service. This would be a persistant socket. When I need to authenticate a user, I send the credentials via the socket (encrypted) - the application then performs a bind/whatever to authenticate against the directory service and replies with OK/FAIL.
What would you suggest? My goal here is to essentially have the client install an application within their network, with very little configuration or intervention.
This vendor, Stormpath, offers a service providing exactly what you are asking for: user authentication, user account management, with hookups to your customers’ on-premise directories (if need be, as is your case).
I think in your case, it'd be necessary to drop an agent on to their network which performs the authentication locally, then creates a signed token which "proves" to your SaaS app that it has done so; this can be passed on by the browser in a query string or form post (for example).
The agent might be an IIS-installable web app which can just authenticate the user and then direct them on to your servers in the cloud. This should not be a major hassle to install, but will create tech support issues. In particular, you need to get this component right first time, as users are not going to update it on a regular basis.
Making it work securely may be interesting.
Take for instance Yahoo Mail or Twitter. When someone signs up to use their service, they'll need to automatically deploy a new database, application folder and so on - I assume!
I am planning to write an PHP application to let people add and edit invoices. Good examples would be Zoho Invoice, http://www.getballpark.com/, etc. They sure would be deploying microsites for each customer wouldn't they?
How do you do this? Would it be PHP that will handle it, or some Linux based thing.
Or if I am wrong, correct me. Maybe they have just one huge database and manage their signups from one single application.
Please guide.
Well most applications don't do that. Just imagine Twitter will have to deploy the whole Ruby on Rails Twitter application or the whole Yahoo Mail Server System for every single User.
You only choose the solution you suggest if users really need to customize their app (like plugging in own modules or change core functionality). Usually a (more or less) simple User, user options (like themes) and ACL management (e.g. for the enabled modules) should be sufficient for most applications.
Usually, it is best to use one big database. Using a combination of primary keys, foregin keys, you can easily ensure that you only display data which a user's role entitles him to.