httpd-users mailing list archives

From Mark Montague <m...@catseye.org>
Subject Re: [users@httpd] WAMP SSO
Date Mon, 10 Sep 2012 13:07:06 GMT
On September 9, 2012 23:44 , Satya Prakash Prasad 
<satyaprakash.prasad@gmail.com> wrote:
> I need to implement SSO (Single Sign On) for a tool to be launched for
> people of our organization only.

For true SSO solutions, look at

cosign: http://weblogin.org/
PubCookie: http://pubcookie.org/
CAS: http://www.jasig.org/cas


> The tool should be able to detect
> which intranet user is visiting our site automatically instead of
> promptly asking organization n/w username / password.

All of the SSO solutions I mention above will prompt the user for their 
username and password, unless the user is already authenticated.

Rhetorically speaking, how would an SSO system "detect" the user's 
identity?  There is nothing in standard web technologies that does this 
by default -- you would need to set up something for each user that 
differentiates that user from other users which the users' web browsers 
will share with your web servers.  One choice is a long-lived cookie, 
but of course you'll have to take into account that this cookie could be 
stolen or forged, and so you'll still need to perform some sort of 
strong authentication (usually by prompting the user for a password).  
Another choice is to use a client-side X.509 certificate for each user.  
A third choice, if you are in an "enterprise environment" (e.g., all 
clients use Active Directory) is using SPNEGO.  Most SSO solutions do 
not rely on any of these things being in place, and hence will prompt 
the user for their username and password.


> I am not sure
> how to implement that both at Apache and back end code side (PHP
> script) - such that a PHP script should be able to detect the 'USER'
> at least.

If you set up any of the solutions listed above -- *except* for the 
cookie solution -- then Apache HTTP Server will put the identity of the 
authenticated user into the REMOTE_USER environment variable, which can 
be accessed in your PHP script with the code $_SERVER['REMOTE_USER']

--
   Mark Montague
   mark@catseye.org
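
Added example, not part of the original message: one way a PHP script can consume the identity Apache sets, failing closed when no authentication happened. The realm `EXAMPLE.ORG`, the account-name pattern, the function name `authenticated_user` and the sample inputs are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical realm, used only when Apache reports names as user@REALM.
const ALLOWED_REALM = 'EXAMPLE.ORG';

/**
 * Return the user Apache authenticated, or null if there is none.
 * Only REMOTE_USER is consulted: $_SERVER keys beginning with HTTP_ are
 * copied from request headers and are therefore client-controlled.
 */
function authenticated_user(array $server, string $realm = ALLOWED_REALM): ?string
{
    $raw = '';
    // After an internal redirect Apache exposes the value as REDIRECT_REMOTE_USER.
    foreach (['REMOTE_USER', 'REDIRECT_REMOTE_USER'] as $key) {
        if (isset($server[$key]) && is_string($server[$key]) && $server[$key] !== '') {
            $raw = $server[$key];
            break;
        }
    }
    if ($raw === '') {
        return null; // not authenticated by Apache: fail closed
    }
    $parts = explode('@', $raw);
    if (count($parts) > 2) {
        return null; // malformed principal
    }
    if (isset($parts[1]) && $parts[1] !== $realm) {
        return null; // principal from a realm this application does not accept
    }
    // Assumed account-name policy; adjust to the organization's naming rules.
    if (preg_match('/\A[A-Za-z0-9._-]{1,64}\z/', $parts[0]) !== 1) {
        return null;
    }
    return strtolower($parts[0]);
}

// Constructed sample inputs standing in for $_SERVER.
$samples = [
    ['REMOTE_USER' => 'jdoe@EXAMPLE.ORG'],
    ['REDIRECT_REMOTE_USER' => 'jdoe'],
    ['REMOTE_USER' => 'jdoe@OTHER.EXAMPLE'],
    ['HTTP_REMOTE_USER' => 'admin'],
];
foreach ($samples as $s) {
    var_dump(authenticated_user($s));
}
```

In a real script, call `authenticated_user($_SERVER)` and refuse the request when it returns null.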

