Solved

Single Sign On - Best Route?

Posted on 2008-10-16
7
340 Views
Last Modified: 2013-12-24
We are running a Windows network (w/2 mac clients) with Active Directory for authentication.  We are going to be rolling out some various web applications (project management, etc) and would like to have a Single Sign On solution so that users can authenticate once (via a website?) and access all of them.  Some of the systems will be PHP/MySQL and some ASP/MSSQL.

I am trying to figure out how to accomplish this as easily as possible in terms of management of the solution.  I found ADFS with google, but wasn't sure that would work with PHP systems.  I found CROWD (http://www.atlassian.com/software/crowd/) and a few others too.  I do not have a large enough budget to bring in a consulting group to accomplish this, so I am trying to find something I can implement myself.

Any ideas or thoughts?  I am completely open to ideas here (open source, Microsoft solution, etc).  Thanks!!
0
Question by:uiclas
7 Comments
 

Author Comment

by:uiclas
ID: 22730906
If it matters, all of the web applications we are wanting to use will authenticate against Active Directory for user accounts.  I am thinking that this could make it easier, but I am not sure.  Thanks!
0
 
LVL 6

Expert Comment

by:mirzas
ID: 22730961
Since you have AD, you do not need any special stuff for single sign on. Just make sure every application uses AD as its auth method.

Now for auth information to be persisted across applications you would need to do some work but this should not be a problem if all of the applications are made by you.
0
 
LVL 1

Expert Comment

by:patricka_0377
ID: 22731048
I've been involved in a corporate project to make all apps available via a portal website that logs into all different types of applications (not just ones that support AD) after single sign on. It used:

BEA AquaLogic User Interaction
Various Database Servers
Glue Code to tie all apps together
0

 

Author Comment

by:uiclas
ID: 22731068
Several of the applications will probably be third-party or open source applications (like activeCollab), so I am not sure if that is a problem.  I will be developing several in house too though.

My ideal setup would be to have users log into a "portal" that would then have links to each of these different applications and when they would choose one, it would open that web app in a new window with the user already authenticated and ready to go.

I know that if all of my apps are authenticating off of AD, then the users' logons for any of the systems will be the same (if the system authenticates against AD), but I was hoping to save my users from having to enter a user name and password for every app.

Does this make sense and is it even possible given my setup/situation?
0
 
LVL 6

Expert Comment

by:mirzas
ID: 22731101
You should be able to modify/adapt all of the applications to have a common way of authenticating.

You could use cookies to store login information that can work between different applications.
But all of the applications should be able to interpret such a cookie.
0
 

Author Comment

by:uiclas
ID: 22731171
So would I still need to implement something like ADFS?  Or would it be a matter of collecting their login info from the initial portal login and passing (via cookie, link, etc) to the application?

I do not know if I will be able to modify all of the applications code (depending on if it's open source or closed source) though.

I don't suppose anyone has ever written a "For Dummies" on this type of situation...
0
 
LVL 6

Accepted Solution

by:mirzas (earned 500 total points)
ID: 22731330

The hard part here is how to adapt multiple applications to use the same auth scheme.


Just ignore everything about single sign on and think about how a single application would handle these cases:

- is the user logged in?
- authenticate user


For the first part, you could have a cookie that marks the user as logged in.
The second part would need to be common for all applications, i.e. a single page that sets/deletes the cookies when needed.

When you solve it for one application just apply the same generic logic to all others.


Hope this helps.
0
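An added example, not from this thread or any of the products mentioned in it, showing one way to build the "marks the user as logged in" cookie so that each application can verify it without trusting the client: the single login page issues a value carrying the user name, an expiry and an HMAC, and every application checks the signature and expiry with the same shared secret. It is written in Python rather than the PHP/ASP the asker mentions, and assumes a shared secret distributed to each application out of band.

```python
import base64
import binascii
import hashlib
import hmac

# Constructed secret for this example only; in practice every application reads
# the same secret from server-side configuration the browser never sees.
SHARED_SECRET = b"example-secret-shared-by-all-apps"


def _sign(payload: bytes, secret: bytes) -> str:
    """HMAC-SHA256 over the payload; the signature is what stops forgery."""
    return hmac.new(secret, payload, hashlib.sha256).hexdigest()


def issue_sso_cookie(username: str, secret: bytes, now: int, ttl: int = 3600) -> str:
    """What the single login page sets: base64(user|expiry) + '.' + signature."""
    payload = f"{username}|{now + ttl}".encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload, secret)


def verify_sso_cookie(cookie: str, secret: bytes, now: int):
    """Each application calls this: return the user name if the cookie is
    intact and unexpired, otherwise None (treat the user as not logged in)."""
    try:
        encoded, sig = cookie.split(".", 1)
        payload = base64.urlsafe_b64decode(encoded.encode())
    except (ValueError, binascii.Error):
        return None
    # Constant-time comparison so a forged signature cannot be guessed byte by byte.
    if not hmac.compare_digest(_sign(payload, secret), sig):
        return None
    try:
        username, expiry = payload.decode().split("|", 1)
        if now >= int(expiry):
            return None  # expired: force a fresh login through the common page
    except ValueError:
        return None
    return username
```

Browsers only send a cookie to hosts under the domain it was set for, so the portal and the applications need to share a parent domain (or pass the token another way) for this to work across them.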
