How does single sign-on (SSO) work with PHP + Apache against an Active Directory for transparent authentication?


Solution 1

Authentication is a confusing mess. Here is some background.

  • LDAP: LDAP is a protocol for communicating user directory information. It can also handle authentication, but it is not seamless (SSO).

  • NTLM: NTLM is Microsoft's SSO built into IE, Active Directory and IIS. The original version of NTLM is very insecure, so NTLMv2 was implemented to fix the security issues in NTLM. The original NTLM is disabled by default in Windows Vista and later.

  • Kerberos: Kerberos is an open standard that is very secure and is designed to offer seamless (SSO) authentication. Active Directory supports a version of Kerberos.

As far as the Apache modules that can be used to implement these protocols, you included a pretty good list of them.

  • mod_ntlm: This is an Apache module that runs on Linux and supports the original NTLM (not NTLMv2).

  • mod_auth_kerb: This is an Apache module that implements Kerberos.

  • mod_auth_sspi: This is an Apache module for Windows that supports the original NTLM (not NTLMv2).

  • Apache2:AuthenNTLM: This is a Perl module that handles NTLM. I don't know if it supports NTLM and NTLMv2.

  • mod_auth_ntlm_winbind: This is an Apache module that interfaces with Samba's authentication.
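
Whichever of those modules does the handshake, the PHP application only ever sees the result, and this is the part the question asks about. The following is an added example, not code from the answer above or from any of the listed modules: it shows how a PHP page can read the identity that the Apache module leaves in REMOTE_USER, normalise the two formats the modules use ("user@REALM" from mod_auth_kerb, "DOMAIN\user" from mod_auth_sspi and mod_auth_ntlm_winbind), and refuse anything that does not look like a valid account name. The Apache directives in the leading comment are a hypothetical mod_auth_kerb configuration; the realm, keytab path and location are placeholders.

```php
<?php
// Added example. Assumed Apache configuration (mod_auth_kerb, hypothetical
// values) protecting the application directory:
//
//   <Location /intranet>
//       AuthType Kerberos
//       AuthName "Intranet"
//       KrbAuthRealms EXAMPLE.LOCAL
//       Krb5Keytab /etc/apache2/http.keytab
//       KrbMethodNegotiate On
//       KrbMethodK5Passwd Off
//       Require valid-user
//   </Location>
//
// The browser and the module complete the Kerberos (or NTLM) exchange before
// PHP runs; no password reaches the application. PHP only sees the principal.

declare(strict_types=1);

/**
 * Returns the bare account name of the user authenticated by the Apache
 * module, or null if this request did not pass through it.
 *
 * REMOTE_USER is populated by Apache itself after a successful handshake.
 * A client cannot forge it with a request header: CGI exposes client
 * headers as HTTP_* variables, never as REMOTE_USER.
 */
function ssoUser(array $server): ?string
{
    // Behind mod_rewrite the variable is renamed REDIRECT_REMOTE_USER.
    $raw = $server['REMOTE_USER'] ?? $server['REDIRECT_REMOTE_USER'] ?? null;
    if ($raw === null || $raw === '') {
        return null;
    }

    // mod_auth_kerb reports "user@REALM"; mod_auth_sspi and
    // mod_auth_ntlm_winbind report "DOMAIN\user". Reduce both to the
    // sAMAccountName that the rest of the application keys on.
    if (($at = strpos($raw, '@')) !== false) {
        $user = substr($raw, 0, $at);
    } elseif (($bs = strrpos($raw, '\\')) !== false) {
        $user = substr($raw, $bs + 1);
    } else {
        $user = $raw;
    }

    // sAMAccountName is at most 20 characters and may not contain
    // " / \ [ ] : ; | = , + * ? < > (nor '@' once the realm is stripped).
    if ($user === '' || strlen($user) > 20
        || !preg_match('/^[^"\/\\\\\[\]:;|=,+*?<>@]+$/', $user)) {
        return null;
    }
    return $user;
}

// Usage: the module has already enforced "Require valid-user", so a missing
// or malformed REMOTE_USER here means the location is misconfigured rather
// than that the user typed a wrong password. Fail closed instead of
// falling back to an anonymous session.
$user = ssoUser($_SERVER);
if ($user === null) {
    http_response_code(401);
    header('Content-Type: text/plain');
    echo "Not authenticated by the SSO module.\n";
    exit;
}

// From here on $user is trusted as the Windows logon name. Group membership
// and display name would typically be looked up in AD over LDAP (for example
// with ext/ldap or adLdap) using this value as the sAMAccountName filter.
header('Content-Type: text/plain');
echo "Logged in as {$user}\n";
```

Two points worth checking in a deployment: the comparison of REMOTE_USER against anything stored locally should be case-insensitive, because Active Directory logon names are, and the realm stripped from "user@REALM" should be compared against the expected AD realm if the server trusts more than one Kerberos realm, since the bare username alone does not say which directory the user came from.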

Solution 2

Single-Sign-On and Shared-Authentication are related, but different, concepts. I think you may be confusing them. If you want true SSO, look into CAS.

LDAP and AD are protocols for storing user and organisation data. They are not useful for doing the actual authentication over the web, but you can use them behind an SSO (such as CAS) as the "database".

Author: Keyne Viana

Updated on July 16, 2020

Comments

  • Keyne Viana
    Keyne Viana almost 4 years

    I need to get more understanding about SSO on a web app against Active Directory.

    To simply ask the user for their login to authenticate on AD, I know that I can use some libraries like Zend_Ldap, adLdap and so on. But in this case, the user still needs to type the login twice. For example: Authenticate against Active Directory/ISA from php

    Afaik, to use SSO for transparent login, I need to implement an extra apache module. For example: How can I implement single sign-on (SSO) using Microsoft AD for an internal PHP app?

    Authenticate against ldap using PHP, active directory, while using IE/Firefox

    First I need to know which apache module I need to use and why. In this article for example there are three: mod_ntlm, mod_auth_kerb and Apache2:AuthenNTLM. And the chosen one was Apache2:AuthenNTLM

    In the question described above the accepted answer was for mod_auth_sspi.

    When talking about Active Directory I've got this answer, which describes active directory as an implementation of ldap + kerberos + "a few other miscellaneous bits and pieces".

    I'm very confused about all these names, since I've never worked with them. Can someone clarify them for me? (ldap, kerberos, ntlm, sspi etc)

    Finally, can someone point me to how the app recognizes the authenticated user (from AD). Is it just by the username passed with something like $_SERVER['REMOTE_USER']? Is any password sent? How does the browser send these extra headers? Is there any local configuration that needs to be done on each workstation?

  • Keyne Viana
    Keyne Viana over 13 years
    This is for an Intranet, so that a user logged in to the network can be automatically authenticated in the Intranet. Now I have another method, CAS. I'd like to know its relation to the methods provided in the question.