On September 9, 2012 23:44, Satya Prakash Prasad
<satyaprakash.pra...@gmail.com> wrote:
> I need to implement SSO (Single Sign On) for a tool to be launched for
> people of our organization only.
For true SSO solutions, look at
cosign: http://weblogin.org/
PubCookie: http://pubcookie.org/
CAS: http://www.jasig.org/cas
> The tool should be able to detect
> which intranet user is visiting our site automatically instead of
> promptly asking organization n/w username / password.
All of the SSO solutions I mention above will prompt the user for their
username and password, unless the user is already authenticated.
Rhetorically speaking, how would an SSO system "detect" the user's
identity? There is nothing in standard web technologies that does this
by default -- you would need to set up something for each user that
differentiates that user from other users which the users' web browsers
will share with your web servers. One choice is a long-lived cookie,
but of course you'll have to take into account that this cookie could be
stolen or forged, and so you'll still need to perform some sort of
strong authentication (usually by prompting the user for a password).
Another choice is to use a client-side X.509 certificate for each user.
A third choice, if you are in an "enterprise environment" (e.g., all
clients use Active Directory) is using SPNEGO. Most SSO solutions do
not rely on any of these things being in place, and hence will prompt
the user for their username and password.
> I am not sure
> how to implement that both at Apache and back end code side (PHP
> script) - such that a PHP script should be able to detect the 'USER'
> at least.
If you set up any of the solutions listed above -- *except* for the
cookie solution -- then Apache HTTP Server will put the identity of the
authenticated user into the REMOTE_USER environment variable, which can
be accessed in your PHP script with the code $_SERVER['REMOTE_USER'].
--
Mark Montague
m...@catseye.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
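Worked example of the REMOTE_USER approach described above, added here as an illustration and not code from the original thread or from any of the projects it names. It assumes Apache has already authenticated the request with SPNEGO through mod_auth_kerb (the directives in the comment are that module's, shown for the hypothetical realm CORP.EXAMPLE and path /tool); the function name, the realm constant and the username pattern are assumptions. The point it adds to the reply is the check a PHP script should still do: trust only REMOTE_USER, confirm the Kerberos realm is the one you expect, and whitelist the username form before using it as a key into your own data.

```php
<?php
// Added example (not from the original thread). Assumes Apache has already
// authenticated the request, e.g. SPNEGO via mod_auth_kerb, so that the
// REMOTE_USER CGI variable is set. Realm and helper names are assumptions.
//
// Assumed Apache side (mod_auth_kerb directives, in the vhost or a <Location>):
//   <Location "/tool">
//       AuthType Kerberos
//       AuthName "Intranet tool"
//       KrbAuthRealms CORP.EXAMPLE
//       Krb5Keytab /etc/httpd/http.keytab
//       KrbMethodNegotiate On
//       KrbMethodK5Passwd Off        # no password fallback: Negotiate only
//       Require valid-user
//   </Location>
//
// A client that sends its own "Remote-User: admin" header shows up in PHP as
// $_SERVER['HTTP_REMOTE_USER'], never as REMOTE_USER, so only REMOTE_USER
// (set by Apache after authentication) is consulted here.

const EXPECTED_REALM = 'CORP.EXAMPLE';   // assumption: the intranet Kerberos realm

/**
 * Return the authenticated local username from a $_SERVER-style array,
 * or null if the request was not authenticated in a form we accept.
 */
function authenticated_user(array $server)
{
    // Under CGI/FastCGI an internal redirect can move the value to REDIRECT_REMOTE_USER.
    $raw = $server['REMOTE_USER'] ?? $server['REDIRECT_REMOTE_USER'] ?? null;
    if ($raw === null || $raw === '') {
        return null;
    }

    // Kerberos principals look like "alice@CORP.EXAMPLE". Accept only our realm,
    // so a principal from a trusted foreign realm does not silently become a local user.
    $at = strpos($raw, '@');
    if ($at !== false) {
        $realm = substr($raw, $at + 1);
        if (strcasecmp($realm, EXPECTED_REALM) !== 0) {
            return null;
        }
        $raw = substr($raw, 0, $at);
    }

    // Whitelist the username shape before it is used as a lookup key or shown in a page.
    if (!preg_match('/^[a-z][a-z0-9._-]{0,63}$/i', $raw)) {
        return null;
    }
    return strtolower($raw);
}

$user = authenticated_user($_SERVER);
if ($user === null) {
    // Apache should already have refused unauthenticated requests; reaching this
    // branch usually means the script is reachable outside the protected <Location>.
    http_response_code(403);
    exit("Not authenticated\n");
}
header('Content-Type: text/plain; charset=utf-8');
echo "Hello, {$user}\n";
```

The realm check matters once Active Directory trusts come into play: with `KrbLocalUserMapping On` mod_auth_kerb strips the realm for you, but it will also strip a foreign one, so doing the comparison in the script (or listing only your realm in `KrbAuthRealms`) keeps the local account namespace yours. If PHP runs behind mod_proxy_fcgi rather than mod_php, confirm REMOTE_USER actually arrives in `$_SERVER` before relying on it.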