I am looking at ways to tie together a number of Windows-based web services under single sign-on. Microsoft's Windows Identity Framework and ADFS 2.0 are the perfect tools for the job, except that not all of our web services are written in .NET. One is classic ASP and another PHP. Are there existing libraries that will work for those platforms, or will I need to build them from scratch?
There are two ways to do this that I can think of off the top of my head:
Find a product that will sit in your Web server that intercepts calls, bounces unauthenticated users to an IdP, parses the responses, and puts the data in the header of the requests that it then passes on to your ASP/PHP app. There are many types of products that do this, e.g., Shibboleth SP, Ping Identity, and OpenSSO. I think Centrify DirectControl and Quest Single Sign-on might also provide this sort of capability.
Build a comparable component yourself that can do this sort of thing and leverage frameworks to help with the parsing of SAML and/or WS-Federation messages. If you take this route, check out SimpleSAMLphp and OIOSAML.NET.
HTH!
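As an added illustration of the second route (not code from the original answer or the SimpleSAMLphp project), this is what protecting a PHP page with SimpleSAMLphp as the SAML 2.0 SP against an ADFS 2.0 IdP looks like. It assumes SimpleSAMLphp installed at /var/simplesamlphp, an authsource named 'default-sp', a relying-party trust in ADFS that issues the UPN and Group claims, and the legacy (1.x) class names used in the docs of that era; the group name WebServiceUsers is made up.

```php
<?php
// Added example: a PHP page protected by SimpleSAMLphp acting as the SP, with
// ADFS 2.0 as the IdP. Paths, authsource name and group name are assumptions.
require_once '/var/simplesamlphp/lib/_autoload.php';

$as = new SimpleSAML_Auth_Simple('default-sp');

// Redirects to ADFS when there is no session. Execution continues only after
// the library has verified the assertion's signature and validity window.
$as->requireAuth();

$attributes = $as->getAttributes();

// ADFS issues attributes under full claim-type URIs; every value is an array.
$upnClaim   = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn';
$groupClaim = 'http://schemas.xmlsoap.org/claims/Group';

$upn    = isset($attributes[$upnClaim]) ? $attributes[$upnClaim][0] : null;
$groups = isset($attributes[$groupClaim]) ? $attributes[$groupClaim] : array();

// Authentication is not authorisation: check group membership before serving
// anything. 'WebServiceUsers' is an assumed group name.
if ($upn === null || !in_array('WebServiceUsers', $groups, true)) {
    header('HTTP/1.1 403 Forbidden');
    echo 'Access denied.';
    exit;
}

// Hand the identity to the legacy application through its own server-side
// session, never via a client-supplied header, so nothing outside this script
// can impersonate a user.
session_start();
$_SESSION['user'] = $upn;

echo 'Signed in as ' . htmlspecialchars($upn, ENT_QUOTES, 'UTF-8');
echo ' <a href="' . htmlspecialchars($as->getLogoutURL(), ENT_QUOTES, 'UTF-8')
    . '">Log out</a>';
```

The classic ASP service cannot load this library directly; for it, the first route (a gateway such as Shibboleth SP populating request headers) is the practical choice, in which case the web server must strip any identity headers arriving from clients so only the gateway can set them.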
Using the IIS 7.0 pipeline you can write an HTTP module that will handle authentication for all sites hosted on IIS (including classic ASP and PHP).
See: MSDN article
Just wanted to check whether it's possible to do an HTTP request to get presence data on Lync 2010, sort of like how it's done on Lync 2007, e.g.
<cwaRequests xmlns="http://schemas.microsoft.com/2006/09/rtc/cwa" sid="91">
<queryPresence rid="4">
<uris>
<uri>sip:jessicaa@contoso.com</uri>
</uris>
</queryPresence>
</cwaRequests>
I wanted to make this request from a PHP script on a Linux machine. Is this possible, without having to install any additional software?
Any help would be awesome.
If you are interested in creating a Web Service that exposes UCMA functionality you will want to consider looking into:
Download the UCMA 4.0 SDK
If you have access to PluralSight it would be worth checking out Introduction to UCMA 4.0 and if not you may need to spend some time on MSDN looking over https://msdn.microsoft.com/en-us/library/office/dn466088.aspx
Samples that are part of the UCMA SDK - SubscribePresence (QuickStart) / SubscribePresenceView (QuickStart)
One thing to keep in mind when designing/developing the Web API portion is that UCMA is a 64-bit assembly, meaning you should not expect to run it under a 32-bit process. If you ever forget this you will run into an issue with a dependent assembly called SIPEPS not being found.
Once you have your feet wet with UCMA you will want to look into developing a Web API to expose this UCMA presence functionality. I will leave the Web API portion a little sparse as there are many different options on how to host and expose a Web API, but I would suggest looking into Getting Started with ASP.NET Web API 2 (C#) as a start.
The two current web-based APIs, Skype Web SDK and UCWA, aren't supported on Lync 2010. I think the only way is as @ShellbyZ has said: exposing a UCMA 4 application through a Web API.
The story is that I need to make my website act as an Identity Provider (IdP). The website itself is on the Zend platform. The idea is to make an IdP controller through which Service Providers (SPs) contact the IdP. As it must be part of the website, I would need to include some extension which could easily be used for responding to SAML requests from the SP.
I have found a list of PHP extensions at:
https://wiki.surfnetlabs.nl/display/OSP/RFC+-+OpenSAMLphp,+a+new+PHP+library+for+SAML+2.0+support
All of these extensions have little documentation or are too complex. For example, I haven't found a way to use SimpleSAMLphp in my application, and extracting useful code out of it looks very time consuming (time which I really don't have anymore). I also find all of them hard to integrate into the website.
I have been googling and checking GitHub for days now, trying to find an easy way to use some library (right now I'm trying to implement Lasso, which seems reasonable, but unfortunately lacks good examples / information on how to use it as an IdP).
Any kind of criticism, ideas, help or tutorial/code examples would be useful.
I wrote a guide about how to deploy an IdP on open source software (Tiki-wiki) using simplesamlphp, and how to connect the IdP to Google or Salesforce. Take a look:
https://github.com/pitbulk/tiki-saml/blob/master/doc/tiki_wiki_as_idp.rst
SimpleSAMLphp seems intimidating at first but it can handle all the SAML responses for you.
Have you looked at creating a custom authentication module? http://simplesamlphp.org/docs/stable/simplesamlphp-customauth
You can tie this module to your existing login mechanism pretty easily.
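To show what "tying the module to your existing login mechanism" amounts to, here is an added example (not the answer's or the SimpleSAMLphp project's own code) of a custom auth source that checks credentials against the website's existing user table, so SimpleSAMLphp can act as the IdP while the Zend application stays the source of truth for users. The module name zendauth, the table layout and the config keys dsn/username/password are assumptions; class names follow the legacy (1.x) naming used in the linked docs, and newer releases use namespaced equivalents.

```php
<?php
// Added example: modules/zendauth/lib/Auth/Source/ZendUsers.php
// Validates a username/password against the site's own user table and returns
// the attributes that SimpleSAMLphp will put into the SAML assertion.
class sspmod_zendauth_Auth_Source_ZendUsers extends sspmod_core_Auth_UserPassBase
{
    private $dsn;
    private $dbUser;
    private $dbPass;

    public function __construct($info, $config)
    {
        parent::__construct($info, $config);
        // Assumed keys, set in config/authsources.php:
        // 'zend-users' => array('zendauth:ZendUsers',
        //     'dsn' => 'mysql:host=localhost;dbname=site',
        //     'username' => 'ssp', 'password' => '<db password>'),
        $this->dsn    = $config['dsn'];
        $this->dbUser = $config['username'];
        $this->dbPass = $config['password'];
    }

    protected function login($username, $password)
    {
        $pdo = new PDO($this->dsn, $this->dbUser, $this->dbPass,
            array(PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION));

        // Parameterised query: $username comes straight from the login form.
        $stmt = $pdo->prepare(
            'SELECT id, email, password_hash FROM users WHERE email = :email AND active = 1');
        $stmt->execute(array(':email' => $username));
        $row = $stmt->fetch(PDO::FETCH_ASSOC);

        // One generic error for both unknown user and wrong password, so the
        // login page does not reveal which accounts exist.
        if ($row === false || !password_verify($password, $row['password_hash'])) {
            throw new SimpleSAML_Error_Error('WRONGUSERPASS');
        }

        // Each attribute value must be an array; these become assertion attributes.
        return array(
            'uid'  => array((string) $row['id']),
            'mail' => array($row['email']),
        );
    }
}
```

Point the hosted IdP at this source with 'auth' => 'zend-users' in metadata/saml20-idp-hosted.php; SimpleSAMLphp then handles the AuthnRequest parsing, assertion signing and the SAML bindings that the question describes as hard to extract from it.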
Check out PingFederate and the PHP Integration Kit from Ping Identity. Alternatively there is the Agentless Integration Kit (instead of PHP) which allows you to integrate using a RESTful API call to the PingFed server instead of embedding any PHP libraries.
HTH,
Ian
Q: How would you create a SSO? What would you do about authentication (separate app or same as sso) and user store?
Background info:
We have 40+ PHP apps, Java apps and Ruby apps.
Currently, we have a custom SSO+authentication solution. It's an app written in PHP that is now used as SSO, while supporting email/username/phone-number + password as authentication. It works, but was built for a few apps only, not originally meant to be the SSO solution. It doesn't have a usable view; every app creates its own login/register forms and uses the API. They share context and we'd like a more universal design.
Now we want to support OAuth and OpenID solutions, such as Facebook Connect, Google and more (or do we really?), in addition to the existing authentications. We can expand the existing PHP solution, but we are considering alternatives.
If you were to do all this in Ruby, what would you do?
Some additional info:
All users exist in SSO, today.
The company does acquire other companies/systems at times, having their own users. Would you migrate or create some kind of mapper?
Customers in a Microsoft CRM, but I consider this unrelated. Or do I?
I've shallowly looked at RubyCAS and ClassyCAS, and don't know if they are suitable. Is CAS the way to go?
Would you keep going with php? What would you use?
As you see, I have a lot of questions. What would you suggest?
In a previous job we used Jasig CAS for SSO (several apps in Java and Python). After getting over some quirks in the configuration and my dislike of all things Java, it actually worked pretty well. At the time I found the wiki to be a valuable resource, but things might have changed in the last year.
Authentication was handled via a separate app (custom) using an OpenLDAP directory that was preinitialized with a script that got user info out of an AD server.
Regarding the actual server you might actually want to use the Jasig one, IIRC it's the reference implementation and is easy to customize via a Maven overlay.
Ruby-cas FTW.
We're planning a new project which will feature an API available to customers to interact with our app from their own web sites and systems. However, never having built anything close to a full-fledged API in the past, I am not aware of any standards or recommendations that are available and could be used to make the API more easily adapted by our customers.
We will build the API using PHP, and some parts of the API will need authentication while others don't. As of today, I have read a little about OAuth, SOAP and REST, but I have no idea what is good practice.
What technology/standard is recommended to base an API for 2011+ upon?
There are a number of options, but I would suggest that you may find publishing a SOAP API from PHP quite tricky to maintain.
The reason for this is that there is no inherent WSDL generation within PHP, so you'll either have to roll your own (and modify it each time), or experiment with one of the 3rd party tools - none of which I have found particularly satisfactory in the past.
I would suggest that a more straightforward method for implementing an API in PHP would be to go down the RESTful route.
I would check out the choices made by successful APIs that are available through sites like Mashery or Programmable Web. By focusing on the successful API patterns before choosing a technology you will have a better chance that the API will work and be successful.
There is this existing ASP.NET (2.0) web service that's called from PHP. It runs fine. Now the need arises to restrict access. Constraint: I currently don't have access to IIS/Windows account management to implement something robust.
I'm thinking about adding a SOAP header to the PHP call, containing a secret key, and then checking the contents of the header in the ASP.NET web service.
I'm fairly new to SOAP, so I might be way off though, any better ideas are appreciated!
SOAP Headers would work. So would a client certificate. The question will be: what can PHP handle?
I recommend the book Mastering Web services security By Bret Hartman, Donald J. Flinn, Konstantin Beznosov, Shirley Kawamoto
SUMMARY: Authorization policies restrict access to many different collections of ... of Web Services security. For this scenario, we've chosen to use ASP.NET.
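To show what PHP can handle on the client side, here is an added example (not code from the question or the answer) of attaching an authentication SOAP header to the call. It goes one step beyond the question's proposal: rather than sending the shared secret itself, the header carries a client id, a timestamp, a nonce and an HMAC over them, so the secret never crosses the wire and a captured header is only useful within the time window the service enforces. The endpoint, header namespace, element names and operation name are assumptions to be matched on the ASP.NET side.

```php
<?php
// Added example: PHP client sending an HMAC-based authentication SOAP header.
$wsdl     = 'https://service.example.com/Service.asmx?WSDL'; // assumed endpoint (TLS only)
$ns       = 'http://example.com/auth';                       // assumed header namespace
$clientId = 'php-frontend';                                  // assumed client identifier
$secret   = getenv('SERVICE_SHARED_SECRET');                 // keep it out of the script

// Freshness data: the service should reject timestamps outside a short window
// and nonces it has already seen, which turns the header into a one-time token.
$timestamp = gmdate('Y-m-d\TH:i:s\Z');
$nonce     = bin2hex(openssl_random_pseudo_bytes(16));

// HMAC over the fields the server will check; the secret itself is never sent.
$signature = hash_hmac('sha256', $clientId . '|' . $timestamp . '|' . $nonce, $secret);

// mustUnderstand=true: a service that does not process this header must fault
// rather than silently serve the request unauthenticated.
$header = new SoapHeader($ns, 'AuthHeader', array(
    'ClientId'  => $clientId,
    'Timestamp' => $timestamp,
    'Nonce'     => $nonce,
    'Signature' => $signature,
), true);

$client = new SoapClient($wsdl, array('exceptions' => true));
$client->__setSoapHeaders(array($header));

try {
    $result = $client->GetData(array('id' => 42)); // assumed operation name
    var_dump($result);
} catch (SoapFault $e) {
    // An unauthenticated or replayed call comes back as a SoapFault; log it
    // rather than retrying blindly.
    error_log('SOAP call failed: ' . $e->getMessage());
}
```

On the ASMX side the header is declared with [SoapHeader] on the web method, the service recomputes the HMAC from the same fields and compares it in constant time before checking the timestamp window and nonce, and with mustUnderstand set it must mark the header DidUnderstand = true or the call faults.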