If an organisation is using single sign-on authentication to authenticate all web applications, how can I add that to my application for multiple people in my organisation? Also, how does it work? What do I need to have from the LDAP server?
Disclaimer: I only work with SSO/SSPI on Node.JS, so my info might not be 100% accurate.
When using LDAP, you need the credentials object from the browser and then test it against the AD via LDAP. You can get it using NTLM, Negotiate or Kerberos. Usually, you want to use some SSPI plugin which already implements one or several of the mentioned protocols with authentication for your webserver, though only Apache has one which seems to work (well, IIS has authentication integrated). The module for Apache does everything you need, when run on a Windows server which is part of the domain group. If you want to use a different web server, you will have to put Apache or IIS in front of it to handle authentication.
You must contact the team in the organisation that manages the SSO, because there is a good chance you will need to integrate into your application a "client" that will connect to the SSO server. This "client" depends on the technology you use to develop your application. By the way, I assumed you are talking about a web SSO like OpenID or Google Authentication, for instance.
Generally for all SSO, you must have a piece of code to bridge your system with the central authentication.
Active Directory uses Kerberos for instance, so you may want to use Active Directory as a central authentication system, which is not recommended yet.
Software Engineer, Technical Consultant & Mentor
Jeremy Bloomstrom
Programmer Analyst
I host a Laravel application on Apache for Windows. I use the mod_authnz_sspi module and have my site configured to require SSPI authorization. This populates $_SERVER['PHP_AUTH_USER'] with the Windows username of the visitor. I check this value against known users who are allowed to log in with Windows username. If the user is allowed, they are automatically signed in.
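
    # httpd.conf snippet
    LoadModule authnz_sspi_module modules/mod_authnz_sspi.so

    # httpd-vhosts.conf snippet
    <Directory "foo">
        Order allow,deny
        Allow from all
        #AuthName "SSPI Protected Place"
        AuthType SSPI
        SSPIAuth On
        SSPIAuthoritative On
        # Also offers Basic authentication to clients that cannot use integrated Windows authentication
        SSPIOfferBasic On
        # Any successfully authenticated Windows account passes; the application decides who may sign in
        Require valid-user
    </Directory>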
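
As an added example (not Jeremy Bloomstrom's code and not part of mod_authnz_sspi), the check of the Windows username against known users described in this answer could look like the following in PHP. It assumes the module reports the name as `DOMAIN\user`; the function name, the `EXAMPLE` domain and the account names are hypothetical.

```php
<?php
// Added example; resolveSsoUser(), the EXAMPLE domain and the accounts are hypothetical.

/**
 * Map the user name set by the SSPI module to an allowlisted account,
 * or return null if the visitor must not be signed in automatically.
 * Assumption: the value arrives as "DOMAIN\user" (domain not omitted).
 */
function resolveSsoUser(?string $raw, string $expectedDomain, array $allowedUsers): ?string
{
    if ($raw === null) {
        return null; // the web server did not authenticate this request
    }
    // Require exactly one backslash between a non-empty domain and account name.
    $parts = explode('\\', $raw);
    if (count($parts) !== 2 || $parts[0] === '' || $parts[1] === '') {
        return null;
    }
    [$domain, $user] = $parts;

    // Windows domain and account names are case-insensitive.
    if (strcasecmp($domain, $expectedDomain) !== 0) {
        return null; // same account name in another domain is a different person
    }
    // Assumed conservative character set; rejects whitespace and control characters.
    if (!preg_match('/\A[A-Za-z0-9._-]{1,64}\z/', $user)) {
        return null;
    }
    $user = strtolower($user);
    // Strict comparison so type juggling can never produce a match.
    return in_array($user, $allowedUsers, true) ? $user : null;
}

// Constructed sample values, not taken from a real directory.
// In the application the first argument would be $_SERVER['PHP_AUTH_USER'] ?? null.
$allowed = ['jdoe', 'asmith']; // stored lower-case
$samples = ['EXAMPLE\\JDoe', 'example\\asmith', 'OTHER\\jdoe', 'jdoe', 'EXAMPLE\\guest', null];
foreach ($samples as $raw) {
    $result = resolveSsoUser($raw, 'EXAMPLE', $allowed);
    printf("%-18s => %s\n", var_export($raw, true), $result ?? 'denied');
}
```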