I have a SaaS (cloud software) project which currently has one login method: username and password. I want to integrate Active Directory / ADFS, so that clients have the option of using our way of logging in or their own.
We understand that the client would have to set things up on their side in order to do the handshake (SAML). Here's a link to something Zendesk has in place for their client solution, just so you know where I'm headed. [url removed]
We have a secure Linux VPS. I have a technical guide to assist with server access privileges, should you need access or further information.
A basic front-end is also required so that the client can set up/activate ADFS/AD/LDAP (something like the attached image example).
Please remember that although the process of setting up ADFS is complicated for the client, the front-end process for access is fairly basic. As for the connection process, it is simply the thumbprint of the token-signing certificate that verifies the permission for access.

Those customers (businesses) who do not use ADFS should have the option to choose an alternative such as LDAP. Although there are several methods for integrating LDAP, there are some methods and practices that should be followed; SASL authentication is a recommended practice.
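As an added example (not code from this posting or from the project), here is how the thumbprint check described above can be enforced on the service-provider side. The customer's admin pastes the ADFS token-signing certificate thumbprint into the front-end; before any assertion is trusted, the certificate embedded in the SAML Response's KeyInfo is hashed and compared against that pinned value, so a response signed with a certificate the attacker controls is refused. The XML signature itself must still be verified by the SAML library using the pinned certificate; this check is in addition to that, not instead of it. The module layout, the sample Response, and the "certificate" byte strings are constructed for the demonstration.

```python
"""Pin the ADFS token-signing certificate by thumbprint before trusting a SAML Response.

Added example, not the project's code. The sample Response and the
'certificate' bytes below are constructed stand-ins, not real artefacts.
"""
import base64
import binascii
import hashlib
import hmac
import xml.etree.ElementTree as ET  # use defusedxml.ElementTree for untrusted XML in production

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def normalize_thumbprint(value: str) -> str:
    """Accept the spellings certificate viewers show: colons, spaces, any letter case."""
    return "".join(ch for ch in value.upper() if ch in "0123456789ABCDEF")


def thumbprint_of_x509_text(b64_der: str) -> str:
    """SHA-1 over the DER bytes, which is what ADFS reports as the certificate thumbprint."""
    try:
        der = base64.b64decode("".join(b64_der.split()), validate=True)
    except binascii.Error:
        return ""  # unparsable KeyInfo content can never match
    return hashlib.sha1(der).hexdigest().upper()


def signing_cert_matches(saml_response_xml: str, configured_thumbprint: str) -> bool:
    """True only if every ds:X509Certificate in the Response is the pinned certificate.

    A Response carries the signer's certificate inline in ds:KeyInfo. A service provider
    that verifies the XML signature with whatever certificate it finds there lets anyone
    sign a forged assertion with their own key. Pinning the customer-configured thumbprint
    closes that hole; the signature is then verified against that same pinned certificate.
    """
    expected = normalize_thumbprint(configured_thumbprint)
    if len(expected) != 40:
        raise ValueError("configured thumbprint must be 40 hex digits (SHA-1)")
    root = ET.fromstring(saml_response_xml)
    embedded = root.findall(".//ds:X509Certificate", NS)
    if not embedded:
        return False  # a Response with no signing certificate is rejected, not trusted
    return all(
        hmac.compare_digest(thumbprint_of_x509_text(el.text or ""), expected)
        for el in embedded
    )


def build_response(cert_b64: str) -> str:
    """Constructed SAML Response skeleton; only the KeyInfo part matters for this check."""
    return (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" Version="2.0">'
        "<saml:Issuer>http://adfs.customer.example/adfs/services/trust</saml:Issuer>"
        "<ds:Signature><ds:SignedInfo/><ds:SignatureValue>c2ln</ds:SignatureValue>"
        f"<ds:KeyInfo><ds:X509Data><ds:X509Certificate>{cert_b64}</ds:X509Certificate>"
        "</ds:X509Data></ds:KeyInfo></ds:Signature></samlp:Response>"
    )


# Constructed stand-ins for DER-encoded certificates (real ones are about 1 KB of ASN.1).
CUSTOMER_DER = b"constructed: customer ADFS token-signing certificate"
ATTACKER_DER = b"constructed: attacker-controlled certificate"
CUSTOMER_B64 = base64.b64encode(CUSTOMER_DER).decode()
ATTACKER_B64 = base64.b64encode(ATTACKER_DER).decode()

# What the customer's admin pastes into the front-end, in colon-separated viewer form.
_raw = hashlib.sha1(CUSTOMER_DER).hexdigest()
PINNED_THUMBPRINT = ":".join(_raw[i:i + 2] for i in range(0, 40, 2))

GENUINE_RESPONSE = build_response(CUSTOMER_B64)
FORGED_RESPONSE = build_response(ATTACKER_B64)
UNSIGNED_RESPONSE = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_r2" Version="2.0"/>'
)

if __name__ == "__main__":
    for label, xml in (("genuine", GENUINE_RESPONSE), ("forged", FORGED_RESPONSE), ("unsigned", UNSIGNED_RESPONSE)):
        print(label, "->", "accept" if signing_cert_matches(xml, PINNED_THUMBPRINT) else "reject")
```

Store the thumbprint per customer alongside the IdP entity ID, and require every Signature in the Response (the Response signature and any Assertion signature) to match; accepting "at least one" would let an attacker add a second signature with their own certificate.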
As LDAP is often used to validate passwords for other services, this is likely to be a very common situation. RFC 4513 says that servers SHOULD disallow the use of passwords when TLS is not in use.
Tests should cover at least:
• Access control rules
• Authentication methods
• Size limits
• Referential integrity (We may have to configure the server to enforce this)
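As an added example (not code from this posting or from the project), the following Python enforces the RFC 4513 rule quoted above on the client side, as a policy check run before an LDAP bind is attempted; it is also the kind of case the "Authentication methods" tests should cover. Password-carrying mechanisms (simple bind, SASL PLAIN, LOGIN, CRAM-MD5, DIGEST-MD5) are only permitted over ldaps:// or after StartTLS, SASL EXTERNAL requires TLS for its client certificate, and SASL GSSAPI (Kerberos) is allowed without TLS because no password crosses the LDAP connection. The check also refuses an empty password for simple bind: RFC 4513 defines a bind with a name and an empty password as the unauthenticated mechanism, and a server that accepts it as anonymous would make a login form treat "bind succeeded" as "password correct". The config class and sample settings are constructed for the demonstration.

```python
"""Decide whether an LDAP bind may be attempted, following RFC 4513's TLS guidance.

Added example, not the project's code; the config class and sample values are constructed.
"""
from dataclasses import dataclass
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Mechanisms that carry the password, or cheap password-derived material, over the
# connection. RFC 4513: servers SHOULD disallow these when TLS is not in use, so the
# client should not even offer them without TLS.
PASSWORD_MECHANISMS = {"SIMPLE", "PLAIN", "LOGIN", "CRAM-MD5", "DIGEST-MD5"}


@dataclass(frozen=True)
class LdapAuthConfig:
    uri: str          # "ldap://host:389" or "ldaps://host:636" (ldapi:// not covered here)
    mechanism: str    # "SIMPLE" for a plain LDAP simple bind, otherwise a SASL mechanism name
    start_tls: bool   # send the StartTLS extended operation before binding (ldap:// only)


def transport_is_encrypted(cfg: LdapAuthConfig) -> bool:
    scheme = urlsplit(cfg.uri).scheme.lower()
    if scheme == "ldaps":
        return True
    if scheme == "ldap":
        return cfg.start_tls
    raise ValueError(f"unsupported LDAP URI scheme: {scheme!r}")


def check_bind_policy(cfg: LdapAuthConfig, password: Optional[str]) -> Tuple[bool, str]:
    """Return (allowed, reason). Run this before opening the connection, not after."""
    mech = cfg.mechanism.upper()

    if mech in PASSWORD_MECHANISMS:
        # Name + empty password is RFC 4513's "unauthenticated" simple bind. Servers that
        # accept it as anonymous would return success, and a login form that equates a
        # successful bind with a correct password would log the user in with no password.
        if not password:
            return False, "empty password would become an unauthenticated (anonymous) bind"
        if not transport_is_encrypted(cfg):
            return False, f"{mech} puts password material on the wire; use ldaps:// or StartTLS"
        return True, f"{mech} over TLS"

    if mech == "EXTERNAL":
        # EXTERNAL takes the identity from the TLS client certificate, so it only makes
        # sense once TLS is established.
        if not transport_is_encrypted(cfg):
            return False, "SASL EXTERNAL needs a TLS client certificate; enable TLS first"
        return True, "SASL EXTERNAL with TLS client certificate"

    if mech == "GSSAPI":
        # Kerberos: the KDC authenticates the user; no password crosses the LDAP link.
        # TLS or the SASL integrity/confidentiality layer is still advisable for the
        # directory traffic that follows the bind.
        return True, "SASL GSSAPI (Kerberos ticket, no password on the wire)"

    return False, f"unknown or disallowed mechanism {mech!r}"


# Constructed sample settings, as a customer might enter them in the front-end.
CLEARTEXT_SIMPLE = LdapAuthConfig("ldap://dc1.corp.example:389", "SIMPLE", start_tls=False)
STARTTLS_SIMPLE = LdapAuthConfig("ldap://dc1.corp.example:389", "simple", start_tls=True)
LDAPS_PLAIN = LdapAuthConfig("ldaps://dc1.corp.example:636", "PLAIN", start_tls=False)
KERBEROS = LdapAuthConfig("ldap://dc1.corp.example:389", "GSSAPI", start_tls=False)

if __name__ == "__main__":
    for name, cfg, pw in (
        ("cleartext simple", CLEARTEXT_SIMPLE, "hunter2"),
        ("StartTLS simple", STARTTLS_SIMPLE, "hunter2"),
        ("StartTLS simple, empty password", STARTTLS_SIMPLE, ""),
        ("ldaps PLAIN", LDAPS_PLAIN, "hunter2"),
        ("GSSAPI", KERBEROS, None),
    ):
        allowed, reason = check_bind_policy(cfg, pw)
        print(f"{name}: {'allow' if allowed else 'refuse'} ({reason})")
```

On the ldap3 or python-ldap side this maps to calling StartTLS (or using an ldaps:// URI with certificate verification enabled) before the bind, and refusing to bind at all when the policy returns False. The empty-password refusal belongs in the application regardless of what the directory server is configured to do.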
For licence encryption we use: mcrypt_decrypt (MD5)
User passwords are hashed