views:

1882

answers:

3

Hello, I need to implement an SSO between a SharePoint site and a custom PHP-based site which resides on a different domain. I need to use the SharePoint user accounts to log in to the PHP site. (I'll have full control over the PHP source.)

Is this possible? Any tips and tricks?

+1  A: 

I don't know much about this area but hopefully this might help point you in the right direction.

Investigate LDAP...

You can set up PHP to use LDAP credentials. If your SharePoint site uses Active Directory, then you can expose this directory as an LDAP source and use that in the PHP application.

Automated sign-in...

Having the sign-in happen automatically between each site is a very different matter, e.g. I'm logged into MOSS already, click on a link that goes to the PHP app and find that I'm already logged in there as well. For this you will need to investigate using something like Kerberos keys/authentication. It's a messy and difficult area.

Carl
+2  A: 

My assumption is that you have full control over your PHP app/domain, but a different team is managing the SharePoint server. Also assume you can ask the SharePoint team to create a simple web part for your SSO functionality.

If this is the case, you can ask the SharePoint team to create a web part which has a link to your site on it. When the user clicks the link, the request is made back to the SharePoint server; the SharePoint server takes the user's logon name, encrypts it using your public key, adds it to a URL on your PHP site, and then sends this as a redirect back to the browser. So the location looks like this:

https://your.php.domain/sso.php?logon=encrypted_users_logon_name&api_key=some_token

Your sso.php script will verify that the api_key is a valid token from your SharePoint partner, and then decrypt the logon name of the user trying to get in. You can get more fancy and have a callback to the SharePoint site to confirm the logon request is legitimate within some time window, or bake that into the encrypted logon name, but this is a barebones way to do it, assuming you trust requests coming from the SharePoint partner.

The SharePoint .NET developers will probably be able to do any encryption you want, so pick an algorithm you can use on both the PHP and .NET sides and give them the key to use for encryption and the format of the information to encrypt, something like n=logon_name;expire=timestamp. Then, when you decrypt, if it is after the expire time you deny the logon.

Sounds good. I'll give this a go over the next few days. Thank you!
ciscocert
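The redirect handoff sketched in the answer above, written out as an added example (not code from the question or the answer) so both sides of the exchange can be seen together. Two things differ from the sketch on purpose: the payload `n=logon_name;expire=timestamp` is protected with an HMAC under a shared secret instead of being encrypted with the PHP site's public key, because a public key is public and encryption alone does not prove who built the token (anyone holding that key could mint a logon for any user); and the api_key is compared in constant time. The constants `API_KEY`, `HANDOFF_KEY` and `PHP_SSO_URL`, the token layout and the function names are all assumptions for this example; the same logic ports directly to PHP (`hash_hmac`, `hash_equals`) and .NET (`HMACSHA256`).

```python
import base64
import binascii
import hashlib
import hmac
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Secrets assumed to be exchanged out of band between the two teams.
# Both values are constructed placeholders; use 32+ random bytes in practice.
API_KEY = "sharepoint-partner-token-0001"
HANDOFF_KEY = b"0123456789abcdef0123456789abcdef"

PHP_SSO_URL = "https://your.php.domain/sso.php"  # assumed endpoint


def b64u(data: bytes) -> str:
    """URL-safe base64 without padding, so the token survives a query string."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def unb64u(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_logon_token(logon_name: str, now: int, ttl: int = 60) -> str:
    """SharePoint side: build n=logon;expire=ts and append an HMAC-SHA256 tag."""
    if ";" in logon_name or "=" in logon_name:
        raise ValueError("logon name must not contain field separators")
    payload = f"n={logon_name};expire={now + ttl}".encode("utf-8")
    tag = hmac.new(HANDOFF_KEY, payload, hashlib.sha256).digest()
    return b64u(payload) + "." + b64u(tag)


def build_url(token: str, api_key: str) -> str:
    """The Location header the web part sends back to the browser."""
    return PHP_SSO_URL + "?" + urlencode({"logon": token, "api_key": api_key})


def build_redirect(logon_name: str, now: int) -> str:
    return build_url(make_logon_token(logon_name, now), API_KEY)


def verify_logon(url: str, now: int) -> Optional[str]:
    """sso.php side: return the logon name, or None if the request is rejected."""
    qs = parse_qs(urlsplit(url).query)
    api_key = qs.get("api_key", [""])[0]
    # Constant-time comparison so a wrong partner token cannot be guessed byte by byte.
    if not hmac.compare_digest(api_key.encode("utf-8"), API_KEY.encode("utf-8")):
        return None
    token = qs.get("logon", [""])[0]
    try:
        payload_b64, tag_b64 = token.split(".", 1)
        payload = unb64u(payload_b64)
        tag = unb64u(tag_b64)
        text = payload.decode("utf-8")
    except (ValueError, binascii.Error, UnicodeDecodeError):
        return None
    expected = hmac.new(HANDOFF_KEY, payload, hashlib.sha256).digest()
    # Check the tag before trusting any field of the payload.
    if not hmac.compare_digest(tag, expected):
        return None
    fields = dict(part.split("=", 1) for part in text.split(";") if "=" in part)
    try:
        expire = int(fields["expire"])
    except (KeyError, ValueError):
        return None
    if now > expire:
        return None  # token is past its expire time: deny the logon
    return fields.get("n") or None
```

The short TTL limits what a leaked URL (browser history, proxy logs, Referer headers) is worth; a stolen token can still be replayed until it expires, which is what the callback or a server-side one-time record in the answer is for.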
A: 

Well, we have been in the same situation, but we are using ASP.NET in combination with PHP for SSO. The ASP.NET code does Windows authentication, creates a record in a MySQL database which contains the username and a unique key, and assigns these values to a cookie. Then it redirects the user to the PHP app.

The PHP app reads those cookie values and compares them with the database values to ensure the request is authentic. Well, that's the workaround to have single sign-on in PHP and have SharePoint working together with PHP. But I would still recommend using Kerb_auth_mod for SSO in PHP, which we eventually did.
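The database-backed handoff from this answer, as an added example that is not the answerer's code. It keeps the answer's idea (a record of username plus a random unique key written by the authenticating side and checked by the PHP side) and adds the two checks a practitioner would want: the key is consumed on first use, so a replayed request fails, and each record expires. One assumption differs from the answer: the question says the two sites are on different domains, and a browser will not send a cookie set by the ASP.NET site to the PHP site, so this example assumes the key travels in the redirect URL (for instance a `key` query parameter) rather than in a cookie. SQLite stands in for MySQL; the table name, the `HANDOFF_TTL` value and the function names are assumptions.

```python
import secrets
import sqlite3
from typing import Optional

HANDOFF_TTL = 60  # seconds a handoff record stays valid (assumed value)


def open_db(path: str = ":memory:") -> sqlite3.Connection:
    """Create the handoff table; in-memory by default so the example runs offline."""
    db = sqlite3.connect(path)
    db.execute(
        "CREATE TABLE IF NOT EXISTS sso_handoff ("
        " key TEXT PRIMARY KEY, username TEXT NOT NULL, expires INTEGER NOT NULL)"
    )
    return db


def create_handoff(db: sqlite3.Connection, username: str, now: int) -> str:
    """ASP.NET side, after Windows authentication succeeded: store a fresh random key.

    secrets.token_urlsafe gives 256 bits of entropy, so the key cannot be guessed;
    the username comes from the authenticated identity, never from the request."""
    key = secrets.token_urlsafe(32)
    with db:  # commits on success
        db.execute(
            "INSERT INTO sso_handoff (key, username, expires) VALUES (?, ?, ?)",
            (key, username, now + HANDOFF_TTL),
        )
    return key


def consume_handoff(db: sqlite3.Connection, key: str, now: int) -> Optional[str]:
    """PHP side: look the key up, delete it, and accept only if it has not expired.

    Deleting before the expiry check means a key is usable exactly once whatever
    the outcome, so a copied redirect URL cannot be replayed."""
    with db:
        row = db.execute(
            "SELECT username, expires FROM sso_handoff WHERE key = ?", (key,)
        ).fetchone()
        if row is None:
            return None
        db.execute("DELETE FROM sso_handoff WHERE key = ?", (key,))
        username, expires = row
        if now > expires:
            return None
        return username


def purge_expired(db: sqlite3.Connection, now: int) -> int:
    """Housekeeping for keys whose redirect was never followed; returns rows removed."""
    with db:
        cur = db.execute("DELETE FROM sso_handoff WHERE expires < ?", (now,))
        return cur.rowcount
```

All queries are parameterized, so the key and username are never interpolated into SQL; the same applies to the PHP side, where the lookup should go through a prepared statement.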