[FX.php List] [OFF] SSO from another site, via LDAP w/ AD...

Joel Shapiro mail at jsfmp.com
Mon Oct 20 23:01:27 MDT 2014


Hi Kevin

In this situation, I fortunately don't need to (fully) reinvent any wheels.  Your "another option" is actually what ExternalSite can make available to us - their "custom SSO":

"... pass-through authentication... The hash is a combination of a number of fields appended (concatenated) with a long, random alphanumeric key. This combined set of characters is then encrypted using an industry-standard cryptographic hash function such as MD5 or, for added security, Secure Hash Algorithm (SHA-1 or SHA-256). Alternatively, if the HMAC-SHA1 method is used, the shared key is instead used to ‘salt’ the hash."

So they can send us a hashed string to verify the user, but we'd need them to include the password (which they *can* do but recommend against) if we were to authenticate against AD to get the user's Group.  Otherwise, we'd have to "bypass the AD auth check" as you mention and just log them in with a generic FM "web" account.

...

-Joel


On Oct 20, 2014, at 7:29 PM, Kevin Futter <kfutter at sbc.vic.edu.au> wrote:

> Another option might be to pass some kind of encoded user token between
> web resources, via GET or POST, but that’s probably even less secure, and
> relies on you having control over the login functionality, as you’d have
> to bypass the AD auth check. I gather you’re trying to automate it, rather
> than bypass it.
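The "custom SSO" scheme quoted above (agreed fields concatenated with a shared secret, or better, HMAC-SHA1 keyed with that secret) is simple enough to show end to end. The following is an added example, not code from ExternalSite, FX.php or anyone on the list; it is in Python rather than PHP so the behaviour can be checked, and the field names, separator, key and token lifetime are all assumptions made up for the demonstration. It shows both sides: what the issuing site computes, and what the receiving side must do before trusting the token (recompute the HMAC, compare in constant time, and reject tokens that are stale so a captured URL cannot simply be replayed). The password is deliberately not one of the fields, matching the thread's conclusion that it should not travel in the token.

```python
import hmac
import hashlib
import time

# Assumption: a long random key exchanged out of band between the two sites.
# This value is constructed for the example and is not a real secret.
SHARED_KEY = b"constructed-demo-shared-key-0123456789abcdef"

# Assumption: how far the token's timestamp may drift from the receiver's clock.
MAX_AGE_SECONDS = 300

# Assumption: the agreed fields, in the agreed order. Order matters because
# both sides must build byte-for-byte the same message before hashing.
FIELDS = ("username", "email", "timestamp")


def canonical_message(params):
    """Join the agreed fields with a separator so that the boundary between
    fields is unambiguous ("ab"+"c" must not hash the same as "a"+"bc")."""
    return "|".join(str(params[f]) for f in FIELDS).encode("utf-8")


def issue_token(username, email, now=None):
    """Issuing side (the external site): fields plus HMAC-SHA1 over them.
    The shared key is the HMAC key, which is what the quoted text calls
    using it to 'salt' the hash."""
    ts = int(now if now is not None else time.time())
    params = {"username": username, "email": email, "timestamp": ts}
    mac = hmac.new(SHARED_KEY, canonical_message(params), hashlib.sha1)
    params["hash"] = mac.hexdigest()
    return params


def verify_token(params, now=None):
    """Receiving side (the FX.php site). Returns (accepted, reason).

    Checks, in order: every agreed field is present, the timestamp parses,
    the HMAC matches (constant-time compare, so timing does not leak how
    many leading hex digits were right), and the token is not stale."""
    if any(f not in params for f in FIELDS) or "hash" not in params:
        return False, "missing field"
    try:
        ts = int(params["timestamp"])
    except (TypeError, ValueError):
        return False, "bad timestamp"

    expected = hmac.new(SHARED_KEY, canonical_message(params), hashlib.sha1).hexdigest()
    if not hmac.compare_digest(expected, str(params["hash"])):
        return False, "bad signature"

    current = int(now if now is not None else time.time())
    if abs(current - ts) > MAX_AGE_SECONDS:
        return False, "expired"
    return True, "ok"


if __name__ == "__main__":
    token = issue_token("jsmith", "jsmith@example.com")
    print(token)
    print(verify_token(token))
```

The freshness window is the part most often left out of home-grown pass-through schemes: without it, any token that leaks (browser history, proxy logs, a shared link) logs the bearer in for ever. A nonce store would tighten this further, but the timestamp alone already bounds the replay window. Note also that the receiving side never learns anything it can use against AD here; it only learns that the external site vouches for the named user, which is exactly the "bypass the AD auth check and log them in with a generic FM account" situation the thread describes.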
