
What the client's requirement is:

Organizational users don't have to provide UN and PASS each time they try to access MY PRODUCT [which is kind of SAAS]. Users will be validated on the basis of their AD credentials using LDAP.

What I have:

My Product is written in PHP and it is public facing, that is, client end users access PRODUCT using the UN and PASS which is shared with them at the time of creation of the user account.

What my question is here:

I have a scenario where I need to use an IdP (Identity Provider) which will use LDAP to connect to the client's AD, validate a certain user and provide me a response token.

Now I have come across identity providers like SimpleSAMLphp [https://simplesamlphp.org/] and Centrify [http://www.centrify.com/products/overview.asp]

My Question here is,

  1. Will the identity provider which will be used be hosted at the CLIENT environment or at my SERVER where my PRODUCT resides, OR can it be used as third-party software?

  2. Also, I need to identify a way, when XYZ user hits my PRODUCT [ which is written in PHP ], to identify his Windows credentials which can be passed to the IdP; then the IdP will validate those credentials against the client's LDAP and provide MY PRODUCT a valid response so that I can initiate a session for that XYZ user directly without his UN and PASS.

Chetan T.
  • This is a "Question and Answer" site, not "QuestionS". The guideline here is one question per post, so it can be directly and specifically answered. If you have multiple questions, create more than one post (you can provide a link to keep them related, and to prevent repeating all of the details). Also, it's not necessary to SHOUT here. :-) Typing in ALL CAPITAL LETTERS makes your question harder to read, it's rather rude (and annoying), and it won't get you answers any more quickly. There's a reason there are Shift keys on both sides of the keyboard; it's to make them easy to use. :-) – Ken White Jul 29 '14 at 23:27
  • Yes I know, but those are related questions. And WHY open a separate thread for them? And about using caps -->in between<-- not for all text shows "Contextual emphasis", hope you get my point here.. ;) – Chetan T. Jul 30 '14 at 06:57
  • It doesn't matter if they're related questions; as I said, you can link them. The guidelines here are "one question per post". I don't see anything that says "one question per post unless they're related" or "one question per post unless you feel like asking more". :-) As far as the ALL CAPS, there's no "contextual emphasis" that couldn't be made with **bold** instead of ALL CAPS. There is absolutely no need to SHOUT at us here. :-) – Ken White Jul 30 '14 at 12:29
  • The reason for separate threads for separate questions is that it's possible for someone to only answer one question, and a different person to answer the other. You can only choose one as being right. Which one do you choose to accept, the answer to #1, or the answer to #2? If you place them in two separate posts, they can properly be answered separately, and you can accept an answer on each of them as being correct. (And as I said, this is a Question/Answer site, not a QuestionS/AnswerS. You can spend time in the [about] and [help] pages if you're not sure how things work here. :-) – Ken White Jul 30 '14 at 12:32
  • Thanks for your precious input Ken :) – Chetan T. Jul 30 '14 at 12:51

1 Answer

a. Will the identity provider which will be used be hosted at the CLIENT environment or at my SERVER where my PRODUCT resides, OR can it be used as third-party software?

If you plan on using simplesamlphp, you will need to enhance your SaaS backend service with SAML Service Provider capabilities, which are documented here: https://simplesamlphp.org/docs/stable/simplesamlphp-sp These capabilities will enable your SaaS service to tie into an IdP such as Centrify for Active Directory authentication.

b. Also, I need to identify a way, when XYZ user hits my PRODUCT [ which is written in PHP ], to identify his Windows credentials which can be passed to the IdP; then the IdP will validate those credentials against the client's LDAP and provide MY PRODUCT a valid response so that I can initiate a session for that XYZ user directly without his UN and PASS.

Once the customer sets up the SAML trust between your SaaS service and the IdP, you will have to maintain an IdP lookup database, i.e., your customer's account on your service and the IdP to route to.

E.g., Box uses the email address of the account to look up which IdP to route to; Salesforce uses the domain, i.e., xxx.my.salesforce.com, to route to the IdP.

Sumana Mehta
  • So I assume the IdP has to be selected by the client in the 1st place. And then I need to add the SAAS backend according to the IdP. – Chetan T. Jul 30 '14 at 07:01
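The routing the answer describes (look the customer's account up in an IdP table, then send the browser to that customer's IdP instead of asking for UN and PASS) is sketched below as an added example. It is not code from the question, the answer or the SimpleSAMLphp project. It assumes SimpleSAMLphp is installed through Composer with an authsource named `default-sp` configured in `config/authsources.php`, that the product is reached over HTTPS on a host listed in SimpleSAMLphp's trusted domains, and that the IdP releases a `mail` attribute; the tenant names, hostnames and entityIDs are constructed sample values. The check after the IdP responds is the part the two questions do not mention: the SP must verify that the IdP which actually authenticated the user is the one registered for that customer, otherwise any IdP a customer trusts could assert users belonging to another customer.

```php
<?php
declare(strict_types=1);

// Added example, not from the original post or from SimpleSAMLphp:
// tenant-to-IdP routing for a multi-tenant PHP SaaS, followed by an
// SP-initiated SAML login and a tenant-binding check on the assertion.
require_once __DIR__ . '/vendor/autoload.php'; // assumed Composer install of simplesamlphp

/** Constructed sample "IdP lookup database": tenant key => its mail domain and IdP entityID. */
const TENANTS = [
    'example-corp' => [
        'mail_domain' => 'example-corp.test',
        'idp'         => 'https://idp.example-corp.test/saml2/idp/metadata.php',
    ],
    'acme' => [
        'mail_domain' => 'acme.test',
        'idp'         => 'https://sso.acme.test/saml/metadata',
    ],
];

/** Lower-cased domain part of an e-mail address, or null if the input is not an address. */
function emailDomain(?string $email): ?string
{
    if ($email === null || strpos($email, '@') === false) {
        return null;
    }
    return strtolower(substr($email, strrpos($email, '@') + 1));
}

/**
 * Pick the tenant for a login attempt: first by the e-mail domain the user typed
 * (Box-style), then by the subdomain the product was reached on (Salesforce-style,
 * e.g. acme.myproduct.test -> 'acme'). Null means no SSO trust exists for this
 * user, so the caller falls back to the ordinary UN/PASS form instead of
 * redirecting to an IdP it does not know.
 */
function resolveTenant(?string $email, string $host): ?string
{
    $domain = emailDomain($email);
    foreach (TENANTS as $key => $tenant) {
        if ($domain !== null && $tenant['mail_domain'] === $domain) {
            return $key;
        }
    }
    $subdomain = strtolower(explode('.', $host)[0]);
    return isset(TENANTS[$subdomain]) ? $subdomain : null;
}

/**
 * Bind the assertion to the tenant: the issuing IdP must be the one registered
 * for the tenant, and the asserted mail must belong to the tenant's domain.
 */
function assertionMatchesTenant(string $tenant, ?string $authenticatingIdp, ?string $assertedMail): bool
{
    if (!isset(TENANTS[$tenant])) {
        return false;
    }
    return $authenticatingIdp === TENANTS[$tenant]['idp']
        && emailDomain($assertedMail) === TENANTS[$tenant]['mail_domain'];
}

// --- hypothetical endpoint: /sso/login.php ---------------------------------
$tenant = $_GET['tenant'] ?? resolveTenant($_POST['email'] ?? null, $_SERVER['HTTP_HOST'] ?? '');
if ($tenant === null || !isset(TENANTS[$tenant])) {
    header('Location: /login.php'); // no SSO for this user: local UN/PASS form
    exit;
}

$as = new \SimpleSAML\Auth\Simple('default-sp');
// First visit: redirects the browser to the tenant's IdP and does not return.
// Return visit (IdP has posted its assertion to the SP): falls through below.
$as->requireAuth([
    'saml:idp' => TENANTS[$tenant]['idp'],
    'ReturnTo' => 'https://' . $_SERVER['HTTP_HOST'] . '/sso/login.php?tenant=' . rawurlencode($tenant),
]);

$attributes        = $as->getAttributes();
$mail              = $attributes['mail'][0] ?? null;   // attribute name depends on the IdP's release policy
$authenticatingIdp = $as->getAuthData('saml:sp:IdP');  // entityID that issued the assertion

if (!assertionMatchesTenant($tenant, $authenticatingIdp, $mail)) {
    http_response_code(403);
    exit('SSO assertion does not belong to this tenant');
}

// The product's own session is created here; the user never typed UN/PASS into the product
// and the AD password was only ever seen by the customer's IdP.
session_start();
session_regenerate_id(true);
$_SESSION['user'] = ['tenant' => $tenant, 'mail' => $mail];
header('Location: /');
```

The `tenant` query parameter only chooses which IdP the browser is sent to; because `assertionMatchesTenant` ties the issuing IdP and the asserted mail domain back to that tenant, a user who names the wrong tenant gets a 403 rather than a session in another customer's account. Whether the IdP itself runs at the customer (ADFS or SimpleSAMLphp in front of their AD) or is a hosted service like Centrify makes no difference to this code: the product only ever holds the IdP's entityID and metadata.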