SharePoint SSO 与不同服务器上的 PHP 应用程序? [英] SharePoint SSO with a PHP application on a different server?
问题描述
我需要在 SharePoint 站点和驻留在不同域中的基于 PHP 的自定义站点之间实施 SSO.我需要使用 SharePoint 用户帐户登录 PHP 站点.(我将完全控制 PHP 源代码)
I need to implement a SSO between a SharePoint site and a custom PHP-based site which resides on a different domain. I need to use the SharePoint user accounts to log in the PHP site. (I'll have a full control over the PHP source)
这可能吗?有什么提示和技巧吗?
Is this possible? Any tips and tricks?
推荐答案
我的假设是您可以完全控制您的 php 应用程序/域,但另一个团队正在管理 sharepoint 服务器.还假设您可以要求 sharepoint 团队为您的 SSO 功能创建一个简单的 webpart.
My assumption is you have full control over your php app/domain, but a different team is managing the sharepoint server. Also assume you can ask the sharepoint team to create a simple webpart for your SSO functionality.
如果是这种情况,您可以要求 sharepoint 团队创建一个 webpart,其中包含指向您网站的链接.当用户单击链接时,请求将返回到 sharepoint 服务器,sharepoint 服务器获取用户的登录名,使用您的公钥对其进行加密,并将其添加到您的 php 站点上的 url,然后将其作为重定向发送回来到浏览器.所以位置看起来像这样:
If this is the case, you can ask the sharepoint team to create a webpart which has a link to your site on it. When the user clicks the link, the request is made back to the sharepoint server, the sharepoint server takes the user's logon name, encrypts it using your public key, and adds it to a url on your php site then sends this as a redirect back to the browser. So the location looks like this:
https://your.php.domain/sso.php?logon=encrypted_users_logon_name&api_key=some_token
您的 sso.php 脚本将验证 api_key 是否是来自您的 sharepoint 合作伙伴的有效令牌,然后解密试图进入的用户的登录名.您可以更花哨,并在 sharepoint 站点上有一个回调确认登录请求在某个时间范围内是合法的,或者将其放入加密的登录名中,但这是一种简单的方法,假设您信任来自 sharepoint 合作伙伴的请求.
Your sso.php script will verify the api_key is a valid token from your sharepoint partner, and then decrypt the logon name of the user trying to get in. You can get more fancy, and have a callback on the sharepoint site to confirm the logon request is legitimate within some time window, or bake that into the encrypted logon name, but this is a barebones way to do it, assuming you trust requests coming from the sharepoint partner.
sharepoint .net 开发人员可能能够进行您想要的任何加密,因此请选择一种您可以在 php 和 .net 双方使用的算法,并为他们提供用于加密的密钥,以及信息的格式加密.类似于 n=logon_name;expire=timestamp;然后当你解密时,如果是在过期时间之后,那么你拒绝登录.
The sharepoint .net developers will probably be able to do any encryption you want, so pick an algorithm you can use on both php and .net sides and give them the key to use for encryption, and the format of the information to encrypt. something like n=logon_name;expire=timestamp; then when you decrypt, if it is after the expire time then you deny the logon.
这篇关于SharePoint SSO 与不同服务器上的 PHP 应用程序?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
