Single Sign-On

  • Hopefully this is a fairly simple question since it deals with the behavior of one of the WCF plugins designed and maintained by Woltlab.


    I have built a stand-alone forum system, that is, the forum itself is responsible for maintaining user accounts and handling logon requests. In the future, I plan to add applications running on WCF code to my environment, but with different applications, and I'd like to enable SSO across the different systems.


    I have a few questions to this end:


    • If an account was created locally (that is, on the forum), can it be connected to an account through LDAP at a later point, and what is the process for this?
    • Are users able to create their own accounts through the LDAP connection so that SSO capability is automatic, or will a member of staff be required to establish an account?
    • Are groups and group memberships managed through Active Directory Group Membership or is this an isolated system?


    One thing I'd like to avoid is a user signing up on site A and then finding that SSO doesn't work on site B so they make a new account. If I need a member of staff to establish an account for the user in the account store with the information provided and then to merge the local account with the account in the store, then I can change my registration model to "Require Administrator Approval." However, my preferred method would be to allow an application (like the WoltLab LDAP provider) to be able to create user accounts within certain AD Groups.


    Lastly, just to make sure my understanding of how authentication works is correct, can someone verify this model below?


    [Application] -\
    [Application] -- [Kerberos Authentication Service] -- [Account store, like Active Directory]
    [Application] -/

    • Official Post

    The single sign-on based on Windows authentication requires Windows (client) as well as Microsoft IIS 7.5 or higher (server). In addition, the target server must exist in the Intranet zone.


    For the alternative manual login, you need the PHP extension php_ldap.


    • If the LDAP authentication is activated, the authentication is purely via the LDAP server. Burning Board has nothing to do with it. A local user would therefore not be found in the frontend. For security reasons, a separate local user is only required for the backend (ACP).
    • No, that's not possible with our plugin. The account must exist on the LDAP server.
    • Only the user name and the e-mail address are transferred by the LDAP server. You have to assign the user to other user groups (except "Everyone" and "Users") manually in the ACP.
  • Say I enable php-ldap since I'm running on FreeBSD with Apache...


    What would registration look like at that point? Would the registration page be disabled entirely or would the "Require Administrative Approval" be the only option?


    For existing local user accounts, what would the transfer process look like? Would there be some kind of option to associate it with an LDAP account or would they have to get an entirely new account and have staff members merge them? Or does it automatically associate based on the user's email address?


    Lastly, do you have any documentation for administrators looking to move to an ldap-auth environment?

    • Official Post

    The registration page must be disabled manually. Login to the front end is only possible via LDAP as soon as LDAP authentication is activated.


    If the user name and the e-mail address of the local user match LDAP, no new user is created during login.



    After installing the plugin you will find the configuration options under System -> Options -> User -> LDAP Authentication.


    The single sign-on based on Windows authentication requires Windows (client) as well as Microsoft IIS 7.5 or higher (server). In addition, the target server must exist in the Intranet zone. If you are using a browser other than the IE / Edge, you may need a browser plug-in for the correct authentication.


    For the alternative manual login, you need the PHP extension php_ldap.


    You need the IP address or host name of the domain controller, and the name of the domain where the users are (e.g., woltlab.local).
    The login is done exclusively with the user name without the domain name, for example:


    Domain: woltlab.local
    Username: johndoe


    The userPrincipalName would then be johndoe@woltlab.local, but for the login it is only necessary to specify "johndoe" as the user name.
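    A sketch of the login flow described in this thread (bare user name, UPN built from the configured domain, only user name and e-mail taken from the directory, local account reused only when both match), written as an added example; it is not the WoltLab plugin's code, and the domain controller host name and the local user array are assumptions. It also refuses an empty password, because a simple bind with an empty password is an anonymous bind on Active Directory and would otherwise look like a successful login.

```php
<?php
// Added example, not the WoltLab plugin's code: an LDAP login check in the
// shape the post describes. The user types only "johndoe"; the UPN
// johndoe@woltlab.local is built server-side. Host name is an assumption.
const LDAP_HOST   = 'ldap://dc01.woltlab.local';  // assumed domain controller
const LDAP_DOMAIN = 'woltlab.local';               // domain from the post

function ldapAuthenticate(string $username, string $password): ?array
{
    // Login is by bare user name only: reject UPNs, DOMAIN\user and filter fragments.
    if (!preg_match('/^[A-Za-z0-9._-]{1,64}$/', $username)) {
        return null;
    }
    // An empty password makes AD perform an anonymous bind that "succeeds".
    if ($password === '') {
        return null;
    }
    $ldap = ldap_connect(LDAP_HOST);
    if ($ldap === false) {
        return null;
    }
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);

    // Bind with the UPN; a failed bind means the credentials are wrong.
    $upn = $username . '@' . LDAP_DOMAIN;
    if (@ldap_bind($ldap, $upn, $password) === false) {
        ldap_unbind($ldap);
        return null;
    }
    // Only user name and e-mail are taken over from the directory.
    $base    = 'DC=' . implode(',DC=', explode('.', LDAP_DOMAIN));
    $filter  = '(userPrincipalName=' . ldap_escape($upn, '', LDAP_ESCAPE_FILTER) . ')';
    $result  = ldap_search($ldap, $base, $filter, ['sAMAccountName', 'mail']);
    $entries = $result ? ldap_get_entries($ldap, $result) : ['count' => 0];
    ldap_unbind($ldap);
    if ($entries['count'] !== 1) {
        return null;
    }
    return [
        'username' => $entries[0]['samaccountname'][0] ?? $username,
        'email'    => strtolower($entries[0]['mail'][0] ?? ''),
    ];
}

// The local account is reused only when user name AND e-mail match, as the
// post states; otherwise a new local record would be created.
function matchesLocalUser(array $ldapUser, array $localUsers): bool
{
    $email = $localUsers[$ldapUser['username']] ?? null;   // constructed map
    return $email !== null && strtolower($email) === $ldapUser['email'];
}
```

    The `$localUsers` argument stands in for the forum's own user table as a `username => e-mail` array.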
