Single-Sign-On-ish

Posted: Tue Nov 25, 2008 11:05 am
by apinto
Hi there,

I'm in the process of building what can be called a single sign-on system, based on PHP. The idea is to store all the necessary systems' credentials in an LDAP server and use PHP to retrieve and use them.

Typically, the authentication in the target application is made with an HTTP POST. I already know how to make the POST in PHP; my question is about what happens with cookies, user agent, etc. The actual client here is the PHP server and not the client web browser. Is there a way to sort this out in PHP, that is, delegating the login process to PHP but making everything run as if it was the client browser making the request?

Thank you very much, cheers,

AP

Re: Single-Sign-On-ish

Posted: Tue Nov 25, 2008 11:48 am
by pickle
I think the only way to do that would be cURL.

If you're still in the development stages of this project, I'd suggest re-thinking it. It doesn't sound very efficient at all to be using a PHP script as an intermediary to another PHP script.

Maybe if you could explain your process & problem a bit more...
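
The server-side login that the cURL suggestion refers to, written out as an added example that is not part of the original thread, to show where the cookies and user agent asked about above end up. The URL, form field names, cookie name and sample response are hypothetical or constructed, and PHP's curl extension is assumed.

```php
<?php
// Added example. URL, field names and cookie name are hypothetical placeholders.

// Options for a login POST that the portal makes on the user's behalf.
function login_options(string $url, string $user, string $pass, string $browserUa, string $jar): array {
    return [
        CURLOPT_URL            => $url,
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query(['username' => $user, 'password' => $pass]),
        CURLOPT_USERAGENT      => $browserUa, // relay the browser's User-Agent string
        CURLOPT_COOKIEJAR      => $jar,       // cookies set by the target are saved here
        CURLOPT_COOKIEFILE     => $jar,       // and replayed on later requests made by PHP
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_HEADER         => true,       // keep response headers to inspect Set-Cookie
        CURLOPT_SSL_VERIFYPEER => true,       // the stored credentials travel on this connection
        CURLOPT_SSL_VERIFYHOST => 2,
    ];
}

// Extract cookie name => value pairs from a raw response header block.
function cookies_from_headers(string $rawHeaders): array {
    $cookies = [];
    foreach (preg_split('/\r?\n/', $rawHeaders) as $line) {
        if (preg_match('/^Set-Cookie:\s*([^=;\s]+)=([^;]*)/i', $line, $m)) {
            $cookies[$m[1]] = $m[2];
        }
    }
    return $cookies;
}

// One jar per portal session; tempnam() creates the file with mode 0600.
function new_cookie_jar(): string {
    return tempnam(sys_get_temp_dir(), 'sso_');
}

// Constructed sample of what a target might answer to the login POST.
$sample = "HTTP/1.1 302 Found\r\nLocation: /inbox\r\n"
        . "Set-Cookie: APPSESSID=constructed123; path=/; HttpOnly\r\n\r\n";

$jar  = new_cookie_jar();
$opts = login_options('https://webmail.example.invalid/login', 'alice', 'constructed-password',
                      $_SERVER['HTTP_USER_AGENT'] ?? 'Mozilla/5.0 (constructed)', $jar);

// The session cookie is received by PHP and lives in the jar, not in the browser.
print_r(cookies_from_headers($sample));

// Against a real target: $ch = curl_init(); curl_setopt_array($ch, $opts);
// $resp = curl_exec($ch); $hdr = substr($resp, 0, curl_getinfo($ch, CURLINFO_HEADER_SIZE));
unlink($jar);
```

Because the target issued the cookie to the PHP server's connection, the browser has no session with the target after this login; the portal can only hand over a cookie for a domain it shares with the target, otherwise every later request has to go through PHP as well.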

Re: Single-Sign-On-ish

Posted: Tue Nov 25, 2008 2:47 pm
by apinto
Hello Pickle, thank you for your response.

I don't control the other systems, they are from various software providers. My task is to integrate them under a single login, and when the user browses to them, the "local" login is executed automatically. For example, one of the services is SquirrelMail; its login procedure is a simple POST with username and password attributes. What I want is, when the user selects Webmail from the portal page, to do the POST automatically with PHP and present the user with the mail folder. Is this possible to accomplish with PHP?

Thank you again for your attention, cheers,

AP

Re: Single-Sign-On-ish

Posted: Tue Nov 25, 2008 2:56 pm
by pickle
Ugh. I hate gluing together disparate systems. But, I understand why you're stuck with what you're doing.

For SquirrelMail, perhaps an AJAX call would be easiest. The user's client would still be making the request, so any cookies or authentication tokens would be set immediately on the client. You also wouldn't have to worry about making a PHP script interpret between what the user sends, what gets sent to the app, what the app returns, and what the client sees as a result.

The only difficulty (which would still be present if you were using PHP) is how to handle a failed authentication. Does SquirrelMail (or any of the other apps you're contacting) have an API to use, or do you have to parse the output (what the app displays after authentication) to see if authentication was successful or not?

Are you wanting to direct the user to SquirrelMail's display of the mailbox, or somehow retrieve that & display it? Retrieving it could be tricky.