NYCPHP Meetup

[Michael B Allen]

On 2/4/08, Marc Antony Vose <suzerain at suzerain.com> wrote:
> Hi there:
>
> I have built a system that consists of one centralized user database,
> and a few other things, that have multiple sites around the outside
> connecting to it.  So, a login on one of the satellites happens
> through ajax connecting to a little proxy script on the satellite that
> uses curl to perform the actual login remotely.  each satellite
> resides on its own domain.
>
> This is all fine, until other people on the project request that
> logins be preserved, regardless of which domain the login happened on.
>
> I know that cookies have domain limitations, and so I'm trying to come
> up with a way in my head this can work, and work efficiently and
> effectively.  Anyone have any ideas?  Ever attempted something similar
> in the past?
>
> My first idea is something like that evil facebook script that updates
> the feed on status with things people do at other web sites (fandango,
> etc.).  I suppose if some piece of javascript in the page is loaded
> remotely from the central domain, that it could look for a cookie from
> the central domain, and call a PHP script that sets a session variable
> on the satellite.  (The problem I have, of course, is that my login
> technically occurs solely on the satellite, even though it connects to
> a database remotely, so I will have to rearchitect that somehow;
> perhaps forcing the entire login process to run through a JavaScript
> loaded from the central server.)
>
> Does that approach seem feasible?

Hi Marc,

If you really care about security this isn't really the kind of thing
that you should dream up on your own. What your describing is called
"Single Sign-On" or SSO for short.

Are your sites on the IntErnet or on an IntrAnet?

If your sites are on the IntErnet OpenID is one solution although I
don't know what sort of access control it offers such that you can
stop anyone with an OpenID account from accessing protected parts of
your sites. There's also something called Stanford WebAuth which is
Free so you can setup your own isolated auth server.

If you're on an IntrAnet there are a lot of products that do this sort
of thing. SiteMinder is one that's been around for a long time.

Although SiteMinder, Stanford WebAuth and products like it are not
*true* SSO since you have to enter your credentials twice - once to
login to your workstation and then again with the auth site. With true
SSO users never have to enter their credentials at all when they
access a site, they just go right on. True SSO is sometimes referred
to as Enterprise Single Sign-On.

If you want "Enterprise SSO" there's something called SPNEGO
authentication which is a special feature of IE and some other
browsers like Firefox. Microsoft calls this Integrated Windows
Authentication or IWA. IIS supports SPNEGO but PHP can't access much
info about the user once your authenticate and of course you have to
use a Windows web server.

Finally, my company (yes this is a proprietary pitch after all) offers
a full featured SPNEGO solution specifically for PHP on Linux and
FreeBSD. See sig for details.

Mike

-- 
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/