I need to implement SSO (Single Sign On) for a tool to be launched for people of our organization only.
For true SSO solutions, look at:
cosign: http://weblogin.org/
PubCookie: http://pubcookie.org/
CAS: http://www.jasig.org/cas
The tool should be able to detect which intranet user is visiting our site automatically, instead of prompting for the organization n/w username / password.
All of the SSO solutions I mention above will prompt the user for their username and password, unless the user is already authenticated.
Rhetorically speaking, how would a SSO system "detect" the user's identity? There is nothing in standard web technologies that does this by default -- you would need to set up something for each user that differentiates that user from other users which the users' web browsers will share with your web servers. One choice is a long-lived cookie, but of course you'll have to take into account that this cookie could be stolen or forged, and so you'll still need to perform some sort of strong authentication (usually by prompting the user for a password). Another choice is to use a client-side X.509 certificate for each user. A third choice, if you are in an "enterprise environment" (e.g., all clients use Active Directory) is using SPNEGO. Most SSO solutions do not rely on any of these things being in place, and hence will prompt the user for their username and password.
I am not sure how to implement that, both on the Apache side and on the back-end code side (PHP script), such that a PHP script is able to detect the 'USER' at least.
If you set up any of the solutions listed above -- *except* for the cookie solution -- then Apache HTTP Server will put the identity of the authenticated user into the REMOTE_USER environment variable, which can be accessed in your PHP script with the code $_SERVER['REMOTE_USER']
-- Mark Montague mark@xxxxxxxxxxx
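As an added example that is not part of the original reply, the PHP script below shows how to consume the REMOTE_USER value Apache sets, and what to check before trusting it. It assumes Apache has been configured with one of the authentication modules discussed above (SPNEGO/Kerberos or client certificates) so that REMOTE_USER is populated; the realm name EXAMPLE.ORG, the function name authenticated_user and the allowed username pattern are assumptions made for this illustration, not something from the original post.

```php
<?php
// Added example, not from the original mailing-list post.
//
// Assumptions (hypothetical, for illustration only):
//   - Apache protects this script with an authentication module that sets
//     REMOTE_USER (e.g. SPNEGO/Kerberos or client-certificate auth).
//   - Kerberos-style principals look like "user@REALM"; the realm that is
//     trusted is configured below.

const TRUSTED_REALM = 'EXAMPLE.ORG';   // assumed realm for this example

/**
 * Return the authenticated local username, or null when Apache did not
 * authenticate the request.
 *
 * Only REMOTE_USER (no HTTP_ prefix) is set by the server's auth module.
 * A request header named "Remote-User" sent by the client shows up as
 * $_SERVER['HTTP_REMOTE_USER'], which is attacker-controlled and must never
 * be used as an identity.
 */
function authenticated_user(array $server): ?string
{
    $raw = $server['REMOTE_USER'] ?? '';
    if ($raw === '') {
        return null;                       // reached without Apache authentication
    }

    // Split a Kerberos principal into user and realm. Plain usernames
    // (e.g. Basic auth, or a certificate CN mapped by mod_ssl) have no realm.
    $user = $raw;
    $at = strrpos($raw, '@');
    if ($at !== false) {
        $user  = substr($raw, 0, $at);
        $realm = substr($raw, $at + 1);
        if (strcasecmp($realm, TRUSTED_REALM) !== 0) {
            return null;                   // principal from a foreign realm
        }
    }

    // Constrain the value to a conservative local-username charset so it is
    // safe to use in logs, file paths and parameterized SQL downstream.
    if (!preg_match('/^[a-z0-9][a-z0-9._-]{0,63}$/i', $user)) {
        return null;
    }
    return strtolower($user);
}

$user = authenticated_user($_SERVER);
if ($user === null) {
    // Fail closed: if this URL is reachable without authentication (for
    // instance a second vhost serving the same DocumentRoot without an
    // auth block), do not silently treat the visitor as anonymous.
    http_response_code(403);
    header('Content-Type: text/plain');
    exit("Not authenticated: this URL must be protected by Apache authentication.\n");
}

header('Content-Type: text/plain');
echo "Hello, {$user}\n";
```

The important property is the fail-closed branch: the script refuses to run when REMOTE_USER is empty, so a misconfigured or missing Apache auth block is detected rather than turning into an unauthenticated page. The realm check matters for SPNEGO setups where cross-realm trusts exist; drop it if the module is configured to strip the realm itself.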