Is there a stand开发者_运维问答ardized way to set up AD authentication for a web service that does not have direct access to the AD controller? I'm thinking of a cloud application such as Google Apps that wishes to authenticate against an organization's AD.
I have googled around quite a bit but I don't seem to know the right keywords. Maybe someone else can elighten me or give me some search pointers.
FWIW, our applications are written in PHP using Zend Framework.
The most elegant solution to your problem would be using identity federation. The basic idea is to authenticate your user locally like you do on your regular apps and send a security token to your cloud provider, proving the identity of your users. SAML is the most common federation protocol used for achieving this. Google has a nice page explaining the details and the wikipedia page is also insightful:
There are plenty of identity federation solutions, for example:
- Active Directory Federation Services (ADFS)
- SimpleSAMLphp
- Shibboleth
- OpenAM
SimpleSAMLphp may be a good start to familiarize with SAML, as it is.. simple :) The procedure to connect it to google apps is described here.
ADFS would be an AD-centric solution, but is a bit more complex to configure.
精彩评论