我如何可以实现单点登录（SSO）使用微软AD为内部的PHP应用程序？ [英] How can I implement single sign-on (SSO) using Microsoft AD for an internal PHP app?

问题描述

我隐约知道，在计算机加入域的IE浏览器可以要求发送，我可以用它来自动登录到应用程序的一些额外的头。我有一个Windows服务器与mod_php，并且在Apache上运行。我希望能够避免在必要时登录的用户。我发现一些链接谈论Kerberos和Apache模块。

I'm vaguely aware that on a computer joined to a domain IE can be asked to send some extra headers that I could use to automatically sign on to an application. I've got apache running on a windows server with mod_php. I'd like to be able to avoid the user having to log in if necessary. I've found some links talking about Kerberos and Apache modules.

HTTP：// WWW。 onlamp.com/pub/a/onlamp/2003/09/11/kerberos.html?page=last https://metacpan.org/pod/Apache2::AuthenNTLM

由于我在Windows上运行它被证明是不平凡的，以获取安装Perl或Apache模块。但是没有PHP已经用上了HTTP头？

Since I'm running on Windows it's proven to be non-trivial to get Perl or Apache modules installed. But doesn't PHP already have access to HTTP headers?

我发现了这一点，但它不会做任何认证，它只是显示了PHP可以读取NTLM头。 http://siphon9.net/loune/2007/10/简单轻便，NTLM功能于PHP /

I found this but it doesn't do any authentication, it just shows that PHP can read the NTLM headers. http://siphon9.net/loune/2007/10/simple-lightweight-ntlm-in-php/

我希望能有我的用户只需指向应用程序，并让它们自动进行身份验证。有没有人有任何这方面的经验或得到它在所有的工作？

I'd like to be able to have my users just point to the application and have them automatically authenticated. Has anyone had any experience with this or gotten it to work at all?

更新 由于最初发布这个问题，我们已经改变了设置让nginx和php-FCGI还是在Windows上运行。的Apache2和Windows下的PHP-CGI可能是你可以配置在Windows上速度最慢的设置之一。它看起来像Apache可能仍然需要（它与PHP-FCGI），但我会preFER一个nginx的解决方案。

UPDATE Since originally posting this question, we've changed setups to nginx and php-fcgi still running on windows. Apache2 and php-cgi on windows is probably one of the slowest setups you could configure on windows. It's looking like Apache might still be needed (it works with php-fcgi) but I would prefer a nginx solution.

我也还是不明白（并会喜欢被教育）为什么HTTP服务器插件是必要的，我们不能有一个PHP，Web服务器无关的解决方案。

I also still don't understand (and would love to be educated) why HTTP server plugins are necessary and we can't have a PHP, web server agnostic solution.

推荐答案

所有你需要的是 mod_auth_sspi Apache模块。

All you need is the mod_auth_sspi Apache module.

示例配置：

AuthType SSPI
SSPIAuth On
SSPIAuthoritative On
SSPIDomain mydomain

# Set this if you want to allow access with clients that do not support NTLM, or via proxy from outside. Don't forget to require SSL in this case!
SSPIOfferBasic On

# Set this if you have only one domain and don't want the MYDOMAIN\ prefix on each user name
SSPIOmitDomain On

# AD user names are case-insensitive, so use this for normalization if your application's user names are case-sensitive
SSPIUsernameCase Lower
AuthName "Some text to prompt for domain credentials"
Require valid-user

和不要忘了，你也可以使用Firefox浏览器的透明SSO在Windows域< /一>：只要到 about：config中，搜索 network.automatic-NTLM身份auth.trusted-URI的 ，然后输入主机名或您的内部应用程序的FQDN（如MYSERVER或myserver.corp.domain.com）。你可以有多个入口，这是一个逗号分隔的列表。

And don't forget that you can also use Firefox for transparent SSO in a Windows domain: Simply go to about:config, search for network.automatic-ntlm-auth.trusted-uris, and enter the host name or FQDN of your internal application (like myserver or myserver.corp.domain.com). You can have more than one entry, it's a comma-separated list.

这篇关于我如何可以实现单点登录（SSO）使用微软AD为内部的PHP应用程序？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！