[FX.php List] [OFF] SSO from another site, via LDAP w/ AD...
mail at jsfmp.com
Mon Oct 20 19:38:15 MDT 2014
I've got a client using Active Directory for FM's External Authentication. They maintain AD Groups, and we use these accounts for both FMP & CWP logins. It all works well.
They also use a service that's got a separate, non-FM web 'portal' that users log into with their AD credentials, using an LDAP server in the client's network. (I'll call this site ExternalSite)
They would like to allow a user who's logged into ExternalSite to access their CWP site(s) without having to log in again through the CWP interface. (SSO)
I don't know LDAP very well. Here are my thoughts:
a) It seems to me that in order to log into the current CWP sites with authentication data from ExternalSite we'd need to get the password as well as the username so that we could hit the AD server and determine the user's AD Group.
b) If we don't get the password from ExternalSite, we could potentially create a generic "web" account in FM and allow verified users to log in with that -- but then we would not have access to their AD Group to determine their role, so it seems we'd need to maintain a User/Access table in FM (ugh).
ExternalSite's IT says they *can* include the password in their hashed string but would rather not.
Have any of you dealt with this before? Is it a bad idea to have ExternalSite include the password in their hashed string? Could there be a way to get something from ExternalSite and use that to hit the LDAP server again to somehow get AD credentials? (remember, I don't know LDAP well :-P) Any other thoughts/suggestions?
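As an added example (not code from the original post or from FX.php): one way for ExternalSite to hand a user over without ever including the password in its "hashed string" is an HMAC-signed assertion that carries only the username, an issue time and a nonce, which the CWP side verifies before doing its own LDAP group lookup. The shared secret, the pipe-delimited token layout and the 300-second validity window are assumptions of this illustration.

```php
<?php
// Added example: HMAC-signed SSO assertion carrying the username, never the password.
// ExternalSite and the CWP site share SSO_SHARED_SECRET (assumed); token layout and
// the 5-minute validity window are assumptions for this illustration.

const SSO_TTL_SECONDS = 300;

// ExternalSite side: build the assertion after the user has authenticated against AD.
function issue_sso_token(string $username, string $secret, ?int $now = null): string {
    $now = $now ?? time();
    $nonce = bin2hex(random_bytes(16));            // one-time value so a token cannot be replayed
    $payload = implode('|', [$username, $now, $nonce]);
    $sig = hash_hmac('sha256', $payload, $secret);  // password is not part of the signed data
    return base64_encode($payload . '|' . $sig);
}

// CWP side: verify the assertion; returns the username, or null if anything fails.
// $seenNonces stands in for a persistent store of already-consumed nonces.
function verify_sso_token(string $token, string $secret, array &$seenNonces, ?int $now = null): ?string {
    $now = $now ?? time();
    $decoded = base64_decode($token, true);
    if ($decoded === false) return null;
    $parts = explode('|', $decoded);
    if (count($parts) !== 4) return null;          // also rejects usernames containing '|'
    [$username, $issued, $nonce, $sig] = $parts;
    if (!ctype_digit($issued)) return null;
    $expected = hash_hmac('sha256', "$username|$issued|$nonce", $secret);
    if (!hash_equals($expected, $sig)) return null;              // constant-time comparison
    if (abs($now - (int)$issued) > SSO_TTL_SECONDS) return null; // expired, or clocks too far apart
    if (isset($seenNonces[$nonce])) return null;                  // token already used once
    $seenNonces[$nonce] = true;
    // CWP now trusts $username and can query the AD group via LDAP with its own
    // service account, then open the FM session under the matching role.
    return $username;
}

// Constructed demo values; a real deployment would load the secret from configuration.
$secret = 'constructed-demo-secret-replace-in-production';
$seen = [];
$token = issue_sso_token('jdoe', $secret);
$first = verify_sso_token($token, $secret, $seen);   // accepted: fresh, signed, unseen nonce
$second = verify_sso_token($token, $secret, $seen);  // rejected: same nonce presented again
$tampered = verify_sso_token(base64_encode('admin|' . time() . '|00|deadbeef'), $secret, $seen);
printf("first=%s second=%s tampered=%s\n", var_export($first, true), var_export($second, true), var_export($tampered, true));
```

Because the assertion is bound to a time window and a single-use nonce, a captured token is useless after a few minutes or after its first presentation, and the shared secret is the only thing ExternalSite and the CWP site need to exchange.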