SSO from PHP?

I thought it would be useful to start a new thread on this topic...

My sysadmins have set up a central LDAP and have asked that I look at Access Manager as a means to provide a consistent login across all PHP applications.

My PHP applications will have to be able to perform several tasks including:

(1) Login authentication (SSO)

(2) LDAP interrogation (search and extract LDAP records)

Is it possible to do this with SAM or do I have a case for directly interrogating the LDAP? If anyone has any experience with PHP in this environment, it would be much appreciated.

(Platform: Solaris 9 / Apache 2.0.x / PHP 4.4.x)

By murray.elliot at 2007-11-26 8:32:38

#1

Whenever you say SSO, please remember it is a "session" issue, not an "identity" issue. A central LDAP doesn't mean you have SSO. The hard part of SSO is how to let Application B know that the user of this request has been authenticated by Application A.

In addition, AM's Web SSO emphasizes "True SSO", meaning only one SSO session is created for each user authentication, and all web apps share this session by retrieving it from the browser cookie. AM provides a default Authentication UI (/amserver/UI/Login); you should use it as your login page. You had better not allow every PHP application to have its own authentication page.

Don't try to create your own login page and leave /amserver/UI/Login unused. You will lose many AM built-in features. Before abandoning UI/Login, think about this:

1. How will you show the authentication failure message to the user if you don't use /amserver/UI/Login?

2. When the session times out, the user must be redirected to a timeout message page. Will that flow integrate with your UI?

3. If you need to enable lockout after N password failures, how will you show the warning message (you have n tries left before lockout) to the user if you don't use /amserver/UI/Login?

4. If you enable first-time password change or password reset, you had better check whether it still works if you don't use the default /amserver/UI/Login.

The last thing you should also remember is: AM was born as a Java SSO framework. Although there are lots of Policy Agents for pure web containers like Apache and IIS, such integration is not very helpful and is ugly.

For Apache+PHP, you can only pass user attributes via HTTP headers. But headers have limitations. We encountered several header issues and ended up calling LDAP to retrieve user roles (in my case a user has more than 100 roles in LDAP, and SJSWS won't take it). Or find a programmer to build a PHP version of the AM SDK based on the C SDK. I know Sun doesn't have the resources to do any non-Java AM SDK. But if you just need to do LDAP authentication via PHP, you should be able to find such examples and PHP libraries for that purpose, though they are not AM specific.

By luisknow at 2007-7-6 21:57:08
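A worked illustration of the header-plus-LDAP approach the reply above describes (agent passes the user id in a header, the PHP app fetches roles from the directory itself), written as an added example that is not part of the thread or of any Sun code; it is PHP 4 compatible. The header name X-AM-UID, the nsRole attribute, the directory host, DNs and service-account password are all assumptions you must replace with your own agent mapping and directory layout.

```php
<?php
// Added example, not from the thread: read the uid the AM policy agent injects
// as an HTTP header, then look the user's roles up in LDAP directly.
// Assumed: the agent maps uid to header X-AM-UID (placeholder name), roles are
// exposed as nsRole, and the host/DN/credential values below are placeholders.
function am_user_from_header() {
    // Apache exposes "X-AM-UID" as $_SERVER['HTTP_X_AM_UID'].
    if (!isset($_SERVER['HTTP_X_AM_UID'])) {
        return false;                 // request did not pass through the agent
    }
    $uid = $_SERVER['HTTP_X_AM_UID'];
    // Accept only a plain uid; anything else is treated as unauthenticated.
    return preg_match('/^[A-Za-z0-9._-]{1,64}$/', $uid) ? $uid : false;
}

// Escape a value for an LDAP filter (RFC 4515) so the header value can never
// alter the shape of the search query.
function ldap_filter_escape($value) {
    $map = array('\\' => '\5c', '*' => '\2a', '(' => '\28', ')' => '\29', "\0" => '\00');
    return strtr($value, $map);
}

function am_user_roles($uid, $host, $base_dn, $bind_dn, $bind_pw) {
    $ds = ldap_connect($host);
    if (!$ds) return array();
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    if (!ldap_bind($ds, $bind_dn, $bind_pw)) {   // service account, never the user's password
        ldap_close($ds);
        return array();
    }
    $filter = '(uid=' . ldap_filter_escape($uid) . ')';
    $sr = ldap_search($ds, $base_dn, $filter, array('nsRole'));
    $entries = $sr ? ldap_get_entries($ds, $sr) : array('count' => 0);
    ldap_close($ds);
    $roles = array();
    if ($entries['count'] == 1 && isset($entries[0]['nsrole'])) {   // keys come back lowercased
        for ($i = 0; $i < $entries[0]['nsrole']['count']; $i++) {
            $roles[] = $entries[0]['nsrole'][$i];
        }
    }
    return $roles;
}

$uid = am_user_from_header();
if ($uid === false) {
    header('Location: /amserver/UI/Login');   // hand off to AM's own login page
    exit;
}
$roles = am_user_roles($uid, 'ldap.example.com', 'ou=People,dc=example,dc=com',
                       'cn=phpapp,ou=Services,dc=example,dc=com', 'service-password');
```

The application should be reachable only through the agent-protected Apache instance, since the whole scheme rests on the agent being the only party that can set that header.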