We have a web-application, hosted externally. One client now asks for a SSO (single sign on) solution and suggested a LDAP link with our web-application.
Our website uses PHP. We prefer not to use something like VPN, but we have no experience at all with this stuff. Is it possible to use Windows authentication and somehow automatically login into our web application?
Any suggestions?
This can be done using NTLM authentication, but tying that to Windows credentials, is Internet Explorer spesific behaviour, and NTLM isn't that well supported in all browsers. I would reccomend you rather have an ldap authentication over ssl to your AD, and have a regular basic auth box pop up instead.
You then use PHP to bind with LDAP using the credentials supplied to determine if they're valid or not.
Related
I'm working on an authentication integration with PHP 7 to authenticate to an ActiveDirectory server, for that I use basic PHP functions like ldap_connect.
However, this mode doesn't seem very secure to me, as it requires that at some point I have the user's credentials in plain text to be able to use the connection.
Is there a more secure way to perform this authentication?
For example, send just one request directly to the client's server and there it makes this connection to the OpenLDAP/AD server?
Our company has a mobile app. Until now we used LDAP authentication using PHP code to login on the app using the company's Active Directory user and password.
Now they tell me we have to stop using LDAP because there has been some security breach.
My question is, is there an equivalent of ldap_bind for Azure AD?
I've been looking for information and the answers I found are too complicated and elaborated.
Would be better to use a Native Azure App to link to our mobile App or is the PHP aproach better?
I don't need to get the Azure AD token and be able to do some operations or anything. I just want to check if user & password are correct and that's it.
Any guidance would be apreciated.
You will need to redirect the user to authenticate e.g. by using the OpenId Connect protocol.
LDAP is not supported in AAD.
The user may have e.g. Multi-Factor Authentication enabled and thus there is no way to surely authenticate programmatically.
So the right way is to register a Native app, and authenticate from your mobile app using ADAL or MSAL.
I have a web application that I would like to allow persistent access to that is not dependent on the browser cookie system.
Is there something that will allow me to, upon the first user authentication, send the browser a certificate which the app can check for periodically or upon future returns to the site? Maybe some take on an SSL?
I would prefer some sort of PHP/JS solution but I could entertain other options as well. I can also dictate the browser that the user will use so a solution doesn't need to be browser specific.
Thanks,
I believe what you are looking for is PersistJS, a client-side JavaScript persistent storage library. It does not require the use of cookies.
If you need actual certificates, you should research the TLS protocol. TLS is the successor to SSL and support bilateral authentication (client certificates).
You may want to check out the opensource Forge project. It implements TLS in JavaScript and you can do neat things like store client-side certificates in local storage and use them for authentication when appropriate.
http://github.com/digitalbazaar/forge/blob/master/README
Something similar to what you may be trying to do is the WebID project. These two sites show a demonstration of WebID (which involves storing a client-side certificate locally and then using it to authenticate on another website). They use Forge:
https://webid.digitalbazaar.com/manage/
https://payswarm.com/webid-demo/
Since these sites are for demonstration purposes only, you will need to accept their self-signed SSL certificates to view them. No real personal information is required to try out the demos.
Scenario:
I have a area of a website that needs to be secure and accessible when offsite. I want the user to enter the username and password used to login at work in a web form. The form will send the username and password to authenticate it. If it works the user is logged in.
I need to use a form not a pop-up login box. PHP is preferred but I'm flexible. Any ideas to point me in the right direction?
My employer has a few secure areas they have set up that uses the "pop-up box". For what I need to accomplish I need to use a web form.
Try LDAP
http://www.devshed.com/c/a/PHP/Using-PHP-With-LDAP-part-1/
http://us2.php.net/ldap
I've written intranet web applications that use the local windows username and password to authenticate and LDAP is by far the best solution.
If you are using LDAP at work, go with that, if not, well you have to access it thru .NET.
Since there are several but not fully reliable .NET implementations for PHP, I would recommend using a WebService, which PHP would consume, that will pass the user and pass - encrypted would be nice - to it, and it will return if the credentials are valid or not.
You should be able to use LDAP, in your case it is most likely Windows Active Directory via IIS. There are php packages out there to interact with various types of LDAP implementations. Here is a link:
http://php.net/manual/en/book.ldap.php
use this http://pear.php.net/package/Auth and tie it in to ldap authentication at the back-end.
of especial interest to you would be the Auth::setShowLogin method...
I have a webpage that I only want a specific group to log into.
I work at a college and we use Active Directory accounts and only a certain group can access this php page (on apache server).
I know I can restrict access with some PHP code, but I want to accomplish seamless login.
Everyone uses IE7 at work (which are configured to pass the proper credentials), and are required to log into the computer (which logs them into the domain controller).
When the user goes to http://intranet, they will automatically be logged in, since they logged into their computer earlier.
If a user goes to http://intranet.domain.com, it will prompt them for their credentials.
I know I need to use kerberos for authentication and LDAP for authorization.
Has anyone had success at seamless authentication?
There are commercial products that offer this as Apache modules, see the links at the end of the Wikipedia article on SPNEGO (eg. Guide to SPNEGO with Apache). I know also of some php modules like php_krb5: php_krb5 beta / Negotiate auth with GSSAPI for PHP, or Apache modules like mod_auth_kerb. I never used them myself though.
As for going the whole 9 yards and implementing Negotiate auth in PHP, I did implement in my life RFC 2617 in PHP for Digest HTTP auth and I did implement Windows SSPI authentication modules, but I never tried to implement RFC 4559 in PHP. While the HTTP auth part is fairly trivial, the opaque GSS-API part is daunting, even provided you have a good GSS-API library at your disposal for RFC 2743.
This is because you need to add intranet.domain.local to the Local Intranet zone in IE. Check this article for details: http://www.sysadminlab.net/other/local-intranet-zone-in-ie8-exaplained-for-sysadmins