如何使用 Microsoft AD 为内部 PHP 应用程序实现单点登录 (SSO)? [英] How can I implement single sign-on (SSO) using Microsoft AD for an internal PHP app?

问题描述

我隐约知道，在加入域的计算机上，可能会要求 IE 发送一些额外的标头，我可以使用这些标头自动登录到应用程序.我已经在带有 mod_php 的 Windows 服务器上运行了 apache.我希望能够避免用户在必要时登录.我找到了一些讨论 Kerberos 和 Apache 模块的链接.

I'm vaguely aware that on a computer joined to a domain IE can be asked to send some extra headers that I could use to automatically sign on to an application. I've got apache running on a windows server with mod_php. I'd like to be able to avoid the user having to log in if necessary. I've found some links talking about Kerberos and Apache modules.

http://www.onlamp.com/pub/a/onlamp/2003/09/11/kerberos.html?page=lasthttps://metacpan.org/pod/Apache2::AuthenNTLM

由于我在 Windows 上运行，事实证明安装 Perl 或 Apache 模块并非易事.但是 PHP 不是已经可以访问 HTTP 标头了吗?

Since I'm running on Windows it's proven to be non-trivial to get Perl or Apache modules installed. But doesn't PHP already have access to HTTP headers?

我发现了这个，但它没有进行任何身份验证，它只是表明 PHP 可以读取 NTLM 标头.http://siphon9.net/loune/2007/10/simple-lightweight-ntlm-in-php/

I found this but it doesn't do any authentication, it just shows that PHP can read the NTLM headers. http://siphon9.net/loune/2007/10/simple-lightweight-ntlm-in-php/

我希望能够让我的用户只指向应用程序并让他们自动进行身份验证.有没有人有过这方面的经验或让它发挥作用?

I'd like to be able to have my users just point to the application and have them automatically authenticated. Has anyone had any experience with this or gotten it to work at all?

更新自从最初发布此问题以来，我们已将设置更改为 nginx 和 php-fcgi 仍在 Windows 上运行.Windows 上的 Apache2 和 php-cgi 可能是您可以在 Windows 上配置的最慢的设置之一.看起来可能仍然需要 Apache(它适用于 php-fcgi)，但我更喜欢 nginx 解决方案.

UPDATE Since originally posting this question, we've changed setups to nginx and php-fcgi still running on windows. Apache2 and php-cgi on windows is probably one of the slowest setups you could configure on windows. It's looking like Apache might still be needed (it works with php-fcgi) but I would prefer a nginx solution.

我仍然不明白(并且很想接受教育)为什么 HTTP 服务器插件是必要的，我们不能有一个 PHP、Web 服务器不可知的解决方案.

I also still don't understand (and would love to be educated) why HTTP server plugins are necessary and we can't have a PHP, web server agnostic solution.

推荐答案

您只需要mod_auth_sspi Apache 模块.

All you need is the mod_auth_sspi Apache module.

示例配置:

AuthType SSPI
SSPIAuth On
SSPIAuthoritative On
SSPIDomain mydomain

# Set this if you want to allow access with clients that do not support NTLM, or via proxy from outside. Don't forget to require SSL in this case!
SSPIOfferBasic On

# Set this if you have only one domain and don't want the MYDOMAIN\ prefix on each user name
SSPIOmitDomain On

# AD user names are case-insensitive, so use this for normalization if your application's user names are case-sensitive
SSPIUsernameCase Lower
AuthName "Some text to prompt for domain credentials"
Require valid-user

不要忘记，您还可以使用 Firefox 进行透明 SSO在 Windows 域中:只需转到 about:config，搜索 network.automatic-ntlm-auth.trusted-uris，然后输入主机名或您的内部应用程序的 FQDN(如 myserver 或 myserver.corp.domain.com).您可以有多个条目，它是一个以逗号分隔的列表.

And don't forget that you can also use Firefox for transparent SSO in a Windows domain: Simply go to about:config, search for network.automatic-ntlm-auth.trusted-uris, and enter the host name or FQDN of your internal application (like myserver or myserver.corp.domain.com). You can have more than one entry, it's a comma-separated list.

这篇关于如何使用 Microsoft AD 为内部 PHP 应用程序实现单点登录 (SSO)?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！