How to integrate Active Directory in PHP Application for SSO
Our story of ADFS integration with PHP Based LMS Application
The Intent: Why we wrote this story
As we embarked on the ADFS SSO integration with our PHP-based LMS system, we could not find much available on the internet. Finally, after many iterations and frustrations, we were able to integrate.
Rather than talking about the advantages of SSO (which are well understood anyway), our main aim is to leave (PHP) developers with an article, so that their struggle may be reduced in case they embark on a similar journey.
Short Background
We run an LMS (Learning Management System) software product team. This LMS was developed in house, using a PHP MVC framework.
As we moved up the value chain of integration, our larger clients expected a close integration with their existing systems.
One key requirement that our client came up with was SSO (Single Sign On) integration with their existing identity provider.
Why Enterprises require SSO
Imagine that you work in a progressive company which is adopting various 3rd-party technologies, be it a Learning Management System, a CRM system or collaboration systems.
Now for each of these applications you have to remember a username and password. How difficult that becomes for the end user.
SSO comes as the answer: as long as they are signed into the main company app, all other 3rd-party apps (like our LMS in this case) would not ask for a login and password; they piggyback on your primary authentication, providing a single point of login.
SSO is actually a UX pattern: it allows end users not to remember or store passwords.
ADFS — Active Directory Federation Server
Many enterprises are still running Windows infrastructure with an Active Directory setup, which becomes the starting point for SSO operations.
https://docs.microsoft.com/en-us/windows/desktop/srvnodes/active-directory-federation-services
SimpleSAMLphp and Setting up Terminology
Since we were using PHP, we made use of SimpleSAMLphp.
Background of SimpleSAMLphp + Thanksgiving!
It is an award-winning application written in native PHP that deals with authentication. The project is led by UNINETT, has a large user base, a helpful user community and a large set of external contributors.
At this moment, we are much obliged to thank team UNINETT for creating an awesome module, so "Thank you UNINETT" .. drum-rolls .. !
Introducing SP and IdP
Only two terms need to be known:
Service Provider (SP): an entity that provides web services based on the assertions provided to it by its trusted Identity Provider.
Identity Provider (IdP): authenticates users on the Internet by means of security tokens; the one used here is the SAML 2.0 assertion.
The main focus of SimpleSAMLphp is providing support for:
SAML 2.0 as a Service Provider [SP]
SAML 2.0 as an Identity Provider [IdP]
In our case, who was the SP and who was the IdP?
In the above context our LMS application works as the Service Provider and the organisation's ADFS works as the Identity Provider. A SAML assertion is the security token passed from the IdP to the SP.
SP = LMS (Our Product)
IdP = ADFS (Client’s Server)
The Gory Details of Integration for Developers
This section is for developers who would like to know the step-by-step process of integrating SimpleSAMLphp with our LMS product.
To make it easy to understand, I will break it into 2 parts.
Part 1: How our SP consumes the metadata provided by the IdP.
1. The first thing is to configure SimpleSAMLphp with the ADFS configuration file, i.e. the metadata.xml. For this you need the metadata.xml file from the Identity Provider: an XML file describing the IdP, covering how identity, authentication and authorisation data are shared and which identity information and other attributes are hidden.
2. Parse the XML file and convert it into SimpleSAMLphp's PHP metadata format.
3. Paste the converted PHP metadata file into the metadata directory of SimpleSAMLphp, for the remote Identity Provider.
Part 2: How to create the service provider configuration and pass the metadata to the IdP
1. In SimpleSAMLphp one has to create a service provider configuration in the authsources directory, in which one specifies which IdP this service provider is linked with and what kind of encryption is used.
Now that the Service Provider configuration is complete, SimpleSAMLphp creates the SAML 2.0 SP metadata, which we can import into ADFS.
2. Navigate to the web application's /simplesaml application and click the Federation tab.
3. There one can see the metadata link of the service provider, which needs to be provided to the IdP to be added as a relying party.
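As an added illustration of Parts 1 and 2 (not the authors' own configuration), here are the two SimpleSAMLphp files back to back: the SP entry in config/authsources.php and the converted IdP entry in metadata/saml20-idp-remote.php. Hostnames, entity IDs, key file names and the certificate string are placeholders; the signing and validation options are the ones ADFS typically needs.

```php
<?php
// config/authsources.php: the LMS registered as a SAML 2.0 Service Provider.
// Hostnames, entity IDs, key file names and the certificate below are placeholders.
$config = [
    'lms-sp' => [
        'saml:SP',
        // Entity ID the LMS publishes in its SP metadata (ADFS sees it as the relying party identifier)
        'entityID' => 'https://lms.example.com/simplesaml/module.php/saml/sp/metadata.php/lms-sp',
        // Must match the entityid of the remote IdP entry below (taken from the ADFS metadata.xml)
        'idp' => 'http://adfs.example.com/adfs/services/trust',
        // Key pair in the cert/ directory: the certificate ends up in the SP metadata ADFS imports
        'privatekey'  => 'lms-sp.key',
        'certificate' => 'lms-sp.crt',
        // Sign outgoing requests and verify signatures on what comes back; ADFS expects SHA-256
        'sign.authnrequest'   => true,
        'sign.logout'         => true,
        'redirect.validate'   => true,
        'signature.algorithm' => 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256',
    ],
];

// metadata/saml20-idp-remote.php: ADFS as seen by SimpleSAMLphp. This is the shape the
// metadata converter produces from metadata.xml; only the values relevant to login are kept.
$metadata['http://adfs.example.com/adfs/services/trust'] = [
    'entityid' => 'http://adfs.example.com/adfs/services/trust',
    'SingleSignOnService' => [[
        'Binding'  => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
        'Location' => 'https://adfs.example.com/adfs/ls/',
    ]],
    'SingleLogoutService' => [[
        'Binding'  => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
        'Location' => 'https://adfs.example.com/adfs/ls/',
    ]],
    // Base64 DER of the ADFS token-signing certificate: every assertion is checked against it,
    // so refresh this entry when the ADFS certificate rolls over.
    'certData' => 'MIIC...PLACEHOLDER...',
    'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
    'sign.logout' => true,
    'redirect.validate' => true,
];
```

The SP metadata that ADFS imports as the relying party is generated by SimpleSAMLphp from the first entry; the second entry is what lets it verify the assertions ADFS sends back.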
Once the relying party is added, one can test the authentication by going to the web application's /simplesaml page, selecting the Authentication tab, clicking Test configured authentication sources and then clicking the created Service Provider link. Control is immediately redirected to the ADFS server.
Once signed in, you'll be bounced back to SimpleSAMLphp and shown your claims.
This is how the authentication claims look.
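An added example of what the LMS does with those claims (not code from the post): mapping the attribute array SimpleSAMLphp returns after requireAuth() onto an LMS user, failing closed when ADFS releases no usable identifier. The authsource name lms-sp, the group name LMS-Admins, the LMS field names and the autoloader path are assumptions; the claim-type URIs are the standard ones ADFS issues.

```php
<?php
// Claim-type URIs ADFS issues by default for the common attributes.
const CLAIM_EMAIL = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress';
const CLAIM_UPN   = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn';
const CLAIM_NAME  = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name';
const CLAIM_GROUP = 'http://schemas.xmlsoap.org/claims/Group';

// Map the attribute array SimpleSAMLphp hands back (every value is a list of strings)
// onto the fields the LMS user record needs. Field and role names are assumptions.
function mapAdfsClaims(array $claims): array
{
    $first = fn(string $type): ?string =>
        isset($claims[$type][0]) ? trim((string) $claims[$type][0]) : null;

    $email = $first(CLAIM_EMAIL) ?? $first(CLAIM_UPN);
    if ($email === null || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        // Fail closed: a validated assertion that carries no usable identifier must not
        // create an LMS session; the fix is a claim rule on the ADFS relying party trust.
        throw new RuntimeException('ADFS released no valid emailaddress/UPN claim');
    }
    $groups = $claims[CLAIM_GROUP] ?? [];

    return [
        'email'        => strtolower($email),
        'display_name' => $first(CLAIM_NAME) ?? $email,
        'role'         => in_array('LMS-Admins', $groups, true) ? 'admin' : 'learner',
    ];
}

// In the LMS login controller (autoloader path and authsource name are assumptions):
// require_once '/var/www/simplesamlphp/lib/_autoload.php';
// $as = new \SimpleSAML\Auth\Simple('lms-sp');
// $as->requireAuth();           // redirects to ADFS; returns only after the assertion is validated
// $user = mapAdfsClaims($as->getAttributes());

// Constructed sample of what getAttributes() returns after an ADFS login.
$sample = [
    CLAIM_EMAIL => ['Alice.Smith@example.com'],
    CLAIM_NAME  => ['Alice Smith'],
    CLAIM_GROUP => ['Domain Users', 'LMS-Admins'],
];
print_r(mapAdfsClaims($sample));
```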
Other Side Business Advantage of SSO
Like a great man once said, "you can't pour from an empty cup; take care of yourself first".
Q: Can you guess what the most frequently raised ticket our Help Desk handles is?
Ans: 30% of help desk calls were that the end user is not able to log in. In most cases it was the end user's own error: caps lock was to blame, or the password was mistyped.
With SSO login there is no password to be punched in, and that suddenly reduces those 30% of calls!
Conclusion
Well, the fun of a tech journey is in going through the cycles of
- Challenges
- Frustration of finding solution
- Joy of solutioning
and repeating the same loop over.
Meanwhile, one part of the team is extending this flow further to integrate SSO with social account providers like Google, Facebook and LinkedIn.
Guys, wrapping up: just heard my manager shout out "What's the status of ticket ATBM-892" :-) !!
Reach out to us in case you are facing issues in a similar setup !
Authored by Sarthak Kapoor (sarthak@stratbeans.com)