• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 355
  • Last Modified:

Single Sign On - Best Route?

We are running a Windows network (w/2 mac clients) with Active Directory for authentication.  We are going to be rolling out some various web applications (project management, etc) and would like to have a Single Sign On solution so that users can authenticate once (via a website?) and access all of them.  Some of the systems will be PHP/MySQL and some ASP/MSSQL.

I am trying to figure out how to accomplish this as easily as possible in terms of management of the solution.  I found ADFS with google, but wasn't sure that would work with PHP systems.  I found CROWD (http://www.atlassian.com/software/crowd/) and a few others too.  I do not have a large enough budget to bring in a consulting group to accomplish this, so I am trying to find something I can implement myself.

Any ideas or thoughts?  I am completed open to ideas here (open source, Microsoft solution, etc).  Thanks!!
0
uiclas
Asked:
uiclas
  • 3
  • 3
1 Solution
 
uiclasAuthor Commented:
If it matters, all of the web applications we are wanting to use will authenticate against Active Directory for user accounts.  I am thinking that this could make it easier, but I am not sure.  Thanks!
0
 
mirzasCommented:
Since you have AD, you do not need any special stuff for single sign on. Just make sure every application uses AD as its auth method.

Now for auth information to be persisted across applications you would need to do some work but this should not be a problem if all of the applications are made by you.
0
 
patricka_0377Commented:
been involved in a corporate prokect to make all apps available via a portal website that logs into all different types of applications (not just ones that support AD)......after single sign on

BEA AquaLogic User Interaction
Various Database Servers
Glue Code to tie all apps together
0
Managing Security & Risk at the Speed of Business

Gartner Research VP, Neil McDonald & AlgoSec CTO, Prof. Avishai Wool, discuss the business-driven approach to automated security policy management, its benefits and how to align security policy management with business processes to address today's security challenges.

 
uiclasAuthor Commented:
Several of the applications will probably be third-party or open source applications (like activeCollab), so I am not sure if that is a problem.  I will be developing several in house too though.

My ideal setup would be to have users log into a "portal" that would then have links to each of these different applications and when they would choose one, it would open that web app in a new window with the user already authenticated and ready to go.

I know if all of my apps are authenticating off of AD, they the users logons for any of the systems will be the same (if the system authenticates against AD), but I was hoping to save my users from having to enter in a user name and password for every app.

Does this make sense and is it even possible given my setup/situation?
0
 
mirzasCommented:
You should be able to modify/adapt all of the applications to have a common way of authenticating.

You could use cookies to store login information that can work between different applications.
But all of the applications should be able to interpret such a cookie.
0
 
uiclasAuthor Commented:
So would I still need to implement something like ADFS?  Or would it be a matter of collecting their login info from the initial portal login and passing (via cookie, link, etc) to the application?

I do not know if I will be able to modify all of the applications code (depending on if it's open source or closed source) though.

I don't suppose anyone has ever written a "For Dummies" on this type of situation...
0
 
mirzasCommented:

The hard part here is how to adapt multiple applications to use the same auth scheme.


Just ignore everything about single sign on and think how would a single application be able to do these cases:

- is the user logged in?
- authenticate user


For the first part, you could have a  cookie that marks the user as logged in.
The second part would need to be common for all applications. i.e single page that sets/deletes the cookies when needed.

When you solve it for one application just apply the same generic logic to all others.


Hope this helps.
0

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

  • 3
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now