Incorporating SAML or other SSO

Incorporating SAML or other SSO

Michael Check
Hi all, long time no talk (I miss it here),

Wondering if any of you have implemented a SAML or other Single Sign On
(SSO) solution with A4D?

I have a client looking for an implementation direction for SSO and they're
suggesting SAML with a small A4D app.

Thanks!

Michael Check
_______________________________________________
Active4D-dev mailing list
[hidden email]
http://list.aparajitaworld.com/listinfo/active4d-dev
Archives: http://active4d-nabble.aparajitaworld.com/

Re: Incorporating SAML or other SSO

Perkins, Bradley D
Michael,

When we did this in the past we did so by using an Apache auth module that was compatible with the SSO solution we used (Jasig CAS). It worked for us because we had A4D behind Apache. We had to remove it when a Mac OS major version update broke that module and replaced it with LDAP-based authentication (the SSO solution uses the same credentials). There might be an Apache (or Nginx) module for your SSO solution.

Hope that helps,

Brad Perkins

On 4/23/18, 8:46 AM, "Active4D-dev on behalf of Michael Check" <[hidden email] on behalf of [hidden email]> wrote:

    Hi all, long time no talk (I miss it here),
   
    Wondering if any of you have implemented a SAML or other Single Sign On
    (SSO) solution with A4D?
   
    I have a client looking for an implementation direction for SSO and they're
    suggesting SAML with a small A4D app.
   
    Thanks!
   
    Michael Check

Re: Incorporating SAML or other SSO

Michael Check
Thanks Brad.

Can you explain further how A4D then serves pages with user data after the
Apache Auth module interaction?
User Auth in Jasig --> Apache Auth --> A4D ?
If that is the case, how do (did) you pass along user data to A4D?

Our client is running a SitePoint system that would, I think, pass along
the user and token data to our Windows system running Apache --> A4D (on
the same box). I'm just unclear on how we unpack the authenticated user
data in A4D - or if that is even available from within A4D without first
querying or placing it somewhere retrievable by A4D.

Thanks,

Michael Check

On Mon, Apr 23, 2018 at 10:07 AM, Perkins, Bradley D <[hidden email]>
wrote:

> Michael,
>
> When we did this in the past we did so by using an Apache auth module
> that was compatible with the SSO solution we used (Jasig CAS). It worked
> for us because we had A4D behind Apache. We had to remove it when a Mac OS
> major version update broke that module and replaced it with LDAP-based
> authentication (the SSO solution uses the same credentials). There might
> be an Apache (or Nginx) module for your SSO solution.
>
> Hope that helps,
>
> Brad Perkins

Re: Incorporating SAML or other SSO

Perkins, Bradley D
Michael,

The way it worked was that the auth module would look for a token. If it didn't exist, the user would be redirected to our SSO login page (not A4D, hosted elsewhere).
Once they logged in, the token was visible, the user was allowed access to our A4D site and we could identify them based on information in the request headers. There was either a username or person_id that we could use to look up details via LDAP.
If I recall, we would pack the details into the A4D Session once they had access.

It has been a few years since we had to abandon it because the auth module was no longer supported. Jasig CAS is/was an open source project and their Mac support was very limited. I no longer have access to a version of the A4D code that implemented SSO or I'd pass it on.

Hope that helps,

Brad

On 4/25/18, 9:28 AM, "Active4D-dev on behalf of Michael Check" <[hidden email] on behalf of [hidden email]> wrote:

    Thanks Brad.
   
    Can you explain further how A4D then serves pages with user data after the
    Apache Auth module interaction?
    User Auth in Jasig --> Apache Auth --> A4D ?
    If that is the case, how do (did) you pass along user data to A4D?
   
    Our client is running a SitePoint system that would, I think, pass along
    the user and token data to our Windows system running Apache --> A4D (on
    the same box). I'm just unclear on how we unpack the authenticated user
    data in A4D - or if that is even available from within A4D without first
    querying or placing it somewhere retrievable by A4D.
   
    Thanks,
   
    Michael Check
   
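The header handoff described in this reply, sketched as an added example (not code from the thread or from Active4D): the application accepts the identity header only when the request comes from the front-end proxy, then looks the user up once and caches the details in the session. The header name `X-Remote-User`, the loopback proxy address, and the in-memory directory standing in for LDAP are assumptions.

```python
import ipaddress
import re

# Assumptions for this sketch: Apache runs on the same box and forwards from
# loopback; the auth module puts the login name in X-Remote-User.
TRUSTED_PROXIES = {ipaddress.ip_address("127.0.0.1")}
IDENTITY_HEADER = "x-remote-user"
USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")

# Constructed stand-in for the LDAP lookup mentioned in the thread.
DIRECTORY = {"jdoe": {"person_id": 1001, "name": "Constructed User"}}


def asserted_user(peer_ip, headers):
    """Return the proxy-asserted username, or None if it cannot be trusted.

    headers is a list of (name, value) pairs so duplicate headers stay visible.
    """
    if ipaddress.ip_address(peer_ip) not in TRUSTED_PROXIES:
        return None  # request did not come through the auth module
    values = [v for k, v in headers if k.lower() == IDENTITY_HEADER]
    if len(values) != 1:
        return None  # header missing, or an extra client-supplied copy present
    user = values[0].strip()
    return user if USERNAME_RE.fullmatch(user) else None


def start_session(peer_ip, headers, session):
    """Look the user up once and pack the details into the session."""
    user = asserted_user(peer_ip, headers)
    details = DIRECTORY.get(user) if user else None
    if details is None:
        return False
    session.update(user=user, **details)
    return True
```

The proxy side has to drop any inbound copy of the identity header before the auth module sets it; the duplicate check here is a second line of defence, not a replacement for that.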

Re: Incorporating SAML or other SSO

Michael Check
It does help, thanks, Brad.
I was unclear on how the A4D side gets the information once authenticated.

It's a little like what we do now with the client: We have an application
for service that only members can fill out.
They click a link that only exists when they're logged in. It performs a
Blowfish hash on their member ID and sends that in the request to our
server. We pick it up, decode the hash with the Blowfish key, look up their
member ID and get them into the application. It works pretty well.

If our server will receive a SAML token once authenticated, I suppose we
can figure out a way to use that token to look up the information on
whatever database they're using.

Thanks again for your time,

Mike

Thanks,

Michael Check

On Wed, Apr 25, 2018 at 1:09 PM, Perkins, Bradley D <[hidden email]>
wrote:

> Michael,
>
> The way it worked was that the auth module would look for a token. If it
> didn't exist, the user would be redirected to our SSO login page (not A4D,
> hosted elsewhere).
> Once they logged in, the token was visible, the user was allowed access to
> our A4D site and we could identify them based on information in the request
> headers. There was either a username or person_id that we could use to
> look up details via LDAP.
> If I recall, we would pack the details into the A4D Session once they had
> access.
>
> It has been a few years since we had to abandon it because the auth module
> was no longer supported. Jasig CAS is/was an open source project and their
> Mac support was very limited. I no longer have access to a version of the
> A4D code that implemented SSO or I'd pass it on.
>
> Hope that helps,
>
> Brad
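A variant of the member-ID link handoff described in the last message, as an added example (not the code used in the thread): it uses HMAC-SHA256 from the Python standard library rather than Blowfish, and includes an issue time so the receiving server can reject altered or stale links. The shared key, the five-minute lifetime and the member ID are constructed values.

```python
import base64
import hashlib
import hmac
import time

SHARED_KEY = b"constructed-demo-key"  # assumption: pre-shared by both servers
MAX_AGE_SECONDS = 300                 # assumption: a link is valid for five minutes


def _sign(payload):
    return hmac.new(SHARED_KEY, payload, hashlib.sha256).digest()


def issue_token(member_id, now=None):
    """Sending side: build 'member.issued.signature' for the link."""
    issued = int(time.time() if now is None else now)
    payload = f"{member_id}.{issued}".encode()
    signature = base64.urlsafe_b64encode(_sign(payload)).decode()
    return f"{payload.decode()}.{signature}"


def verify_token(token, now=None):
    """Receiving side: return the member ID, or None if the token is rejected."""
    try:
        member, issued, sig_b64 = token.split(".")
        signature = base64.urlsafe_b64decode(sig_b64)
        member_id, issued_at = int(member), int(issued)
    except ValueError:  # wrong field count, bad base64, non-numeric fields
        return None
    # Check the signature over the exact strings received, in constant time.
    expected = _sign(f"{member}.{issued}".encode())
    if not hmac.compare_digest(signature, expected):
        return None
    current = time.time() if now is None else now
    if not 0 <= current - issued_at <= MAX_AGE_SECONDS:
        return None  # expired, or issued in the future
    return member_id
```

A SAML consumer applies the same two checks to an assertion (signature and validity window) before using the identity it carries to look anything up.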