Jump to content
Peter Knight

What are you currently building ?

Recommended Posts

17 minutes ago, WinnieB said:

I came to this thread searching for Active Directory solutions. Does anyone have wisdom to share on the best LDAP for AD to work with PW3.x these days? Just arose as a possible requirement on a project.

I'd first look into setting up SAML integration. Overall I think that a SAML powered SSO solution is always easier and more user-friendly approach. SAML Auth handles this quite nicely, though it may take a bit of configuring to get everything right, and it also looks like the module hasn't been updated in a couple of years – so I'd first make sure that there are no issues with the bundled OneLogin's SAML PHP Toolkit.

... and if there are, perhaps you could try updating it and submitting a pull request? 🙂

There are some LDAP modules as well, and I actually have one just sitting on my local machine that I'd really like to share. It's a module I built in my last job for a client project, and I know it's powering at least one production site already, but I just haven't had the time to add the last finishing touches on it yet. Also, I don't really have a need for LDAP stuff in my personal projects, so there's that 😅

Anyway, I can't give a specific timeframe but I'll make a note to get the module finished and published.

  • Like 6

Share this post


Link to post
Share on other sites

Thank you Teppo, to be honest I had never heard of SAML before. This project has undergone quite a bit of scope creep so I'm hoping to implement the simplest sufficient solution.

Share this post


Link to post
Share on other sites
7 hours ago, WinnieB said:

Thank you Teppo, to be honest I had never heard of SAML before. This project has undergone quite a bit of scope creep so I'm hoping to implement the simplest sufficient solution.

Sounds familiar 🙂

SAML is actually a pretty simple concept. I'm not an expert, but to summarise:

  • LDAP is a general purpose protocol for communicating with directory services. When it comes to authentication, typically the way you'd set this up is by providing a local login form (ProcessWire's native one or something else), and when the user has provided credentials, you use the LDAP protocol to pass them to the AD server for validation, and then – depending on the reply – either log the user in (creating user object in the process if necessary), or display an error if provided credentials couldn't be validated.
  • SAML is a SSO standard for authentication. Here the identity provider (often ADFS or Azure AD) takes on more responsibilities: in the case of SAML Auth 1) the user attempts to access the admin or other protected area, 2) the module detects this and redirects the user to the IDP's web based GUI, where 3) (unless there's already an open session) the user has to provide authentication details, after which 4) IDP redirects the user back to the site with a SAML response, and finally 5) the module either logs the user in (creating user object if one didn't exist yet) or displays an error.

The reasons I personally prefer SAML is that it's an SSO solution – which means that if the user is already authenticated to the AD server they don't have to authenticate again – and that the IDP actually handles a bigger part of the process, meaning that you don't have to pass credentials to third party services, etc. That being said it doesn't really matter that much which approach you use.

If the client has a backend capable of using SAML, I'd recommend that, but if not then LDAP is a decent fallback. To be honest I'm not really familiar with the service layer, but most commonly you'll find some Microsoft product from the other end. If there's ADFS (Active Directory Federation Services), it should support SAML. On the other hand if the client is using Azure AD, there's actually no LDAP support at all (unless they also use Azure AD DS), so in this case SAML might be your only option.

  • Like 2

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...