I am looking at ways to tie together a number of Windows-based web services under single sign-on. Microsoft's Windows Identity Framework and ADFS 2.0 are the perfect tools for the job, except that not all of our web services are written in .NET. One is classic ASP and another PHP. Are there existing libraries that will work for those platforms, or will I need to build them from scratch?
There are two ways to do this that I can think of off the top of my head:
Find a product that will sit in your Web server that intercepts calls, bounces unauthenticated users to an IdP, parses the responses, and puts the data in the header of the requests that it then passes on to your ASP/PHP app. There are many types of products that do this, e.g., Shibboleth SP, Ping Identity, and OpenSSO. I think Centrify DirectControl and Quest Single Sign-on might also provide this sort of capability.
Build a comparable component yourself that can do this sort of thing and leverage frameworks to help with the parsing of SAML and/or WS-Federation messages. If you take this route, check out SimpleSAMLphp and OIOSAML.NET.
HTH!
Using the IIS 7.0 pipeline you can write an HTTP module that will handle authentication for all sites hosted on IIS (including classic ASP and PHP).
See: MSDN article
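Both answers above come down to the same pattern: a component in front of the classic ASP and PHP sites that bounces unauthenticated users to the IdP and hands the authenticated identity to the application through request headers (the first answer's "product that sits in your Web server", the second answer's IIS 7 HTTP module). The sketch below is an added example, not code from either answer, WIF, or any of the products named. It is an IIS 7 integrated-pipeline module that checks a signed session cookie, redirects to a WS-Federation sign-in endpoint when none is present, and otherwise writes the user name into a header the downstream app can read. The cookie name, HMAC cookie format, header name, key and URLs are all assumptions made up for the example; in a real deployment WIF's session module would own the cookie rather than the hand-rolled HMAC shown here. The one point worth taking from it regardless of product is the first line of the handler: any identity header the client sent must be stripped before the module sets its own, or the ASP/PHP app behind it can be fed a forged identity.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Web;

// Added example (not from the original answers): an IIS 7 integrated-pipeline module
// fronting non-.NET sites. Cookie name, header name, key and URLs are hypothetical.
public class FederatedHeaderModule : IHttpModule
{
    const string CookieName = "FedSession";                          // hypothetical
    const string IdentityHeader = "X-Authenticated-User";            // hypothetical
    const string IdpSignInUrl = "https://adfs.example.test/adfs/ls/"; // placeholder IdP
    const string Realm = "https://app.example.test/";                // placeholder wtrealm

    // Shared with whatever issues the cookie; in practice read from protected config.
    static readonly byte[] HmacKey = Encoding.UTF8.GetBytes("replace-with-a-real-key");

    public void Init(HttpApplication app)
    {
        app.AuthenticateRequest += OnAuthenticateRequest;
    }

    public void Dispose() { }

    static void OnAuthenticateRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;

        // Never trust an identity header that arrived from the client: remove it so the
        // downstream app only ever sees a value this module wrote. (Request.Headers is
        // writable in the IIS 7 integrated pipeline; it is read-only in classic mode.)
        ctx.Request.Headers.Remove(IdentityHeader);

        HttpCookie cookie = ctx.Request.Cookies[CookieName];
        string user;
        if (cookie == null || !TryValidate(cookie.Value, out user))
        {
            // No valid session: send the user to the IdP, carrying the original
            // path in wctx so the sign-in handler can return them afterwards.
            string wctx = HttpUtility.UrlEncode(ctx.Request.Url.PathAndQuery);
            ctx.Response.Redirect(IdpSignInUrl + "?wa=wsignin1.0&wtrealm="
                + HttpUtility.UrlEncode(Realm) + "&wctx=" + wctx, true);
            return;
        }

        ctx.Request.Headers.Add(IdentityHeader, user);
    }

    // Hypothetical cookie format: base64(user)|expiryUtcTicks|base64(HMAC-SHA256)
    static bool TryValidate(string value, out string user)
    {
        user = null;
        string[] parts = value.Split('|');
        if (parts.Length != 3) return false;

        byte[] expected;
        using (var h = new HMACSHA256(HmacKey))
            expected = h.ComputeHash(Encoding.UTF8.GetBytes(parts[0] + "|" + parts[1]));

        byte[] given;
        try { given = Convert.FromBase64String(parts[2]); }
        catch (FormatException) { return false; }

        // Check the MAC before looking at anything else in the cookie.
        if (!FixedTimeEquals(expected, given)) return false;

        long expiry;
        if (!long.TryParse(parts[1], out expiry) || expiry < DateTime.UtcNow.Ticks) return false;

        user = Encoding.UTF8.GetString(Convert.FromBase64String(parts[0]));
        return true;
    }

    // Constant-time comparison so MAC verification does not leak via timing.
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

The module is registered in web.config under system.webServer/modules so it runs for every site in the application pool, which is what makes it cover the ASP and PHP sites as well. On the application side, the PHP or ASP code reads only the header named above and treats the session as unauthenticated when it is empty; it must not fall back to any other header or query parameter for the user name.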