18 Replies Latest reply on Sep 17, 2009 11:17 AM by emmim44

    Single Sign on ColdFusion App

    emmim44 Level 1

      Hi all, I am trying to log in to my application using my network user/pass. Is there a way to pass those values to my application? I heard of #cgi_user# but I need to pass the password as well... Thank you all.

        • 1. Re: Single Sign on ColdFusion App
          ilssac Level 5

          No, the browser does not pass the password to the web server to pass on to the ColdFusion application server.

          At least I have never heard of this, and I am not sure I would want to live in a world where it does.

          I have frequently used the Windows Integrated Security feature of the IIS web server to pass the Domain\UserName string to ColdFusion in the cgi.auth_user parameter.  There is a lot that can be done with that information combined with the <CFLDAP...> tag to retrieve the rest of the user record from the Active Directory depository.

          But no password.

          • 2. Re: Single Sign on ColdFusion App
            emmim44 Level 1

            Same idea as MS Outlook... currently, once I have logged into Windows, I don't have to enter the same credentials in Outlook... it just opens... so there is no way to retrieve the NT username and password?

            • 3. Re: Single Sign on ColdFusion App
              ilssac Level 5

              Not that I know of, but why do you think you need the user's password?

              NTLM authentication, aka 'Windows Integrated Security', works by saying: this user is authenticated on the client machine.  Here is their domain/userName value.  Use it as necessary.  I have never needed to have the password passed in behind the scenes to authorize users to a web site, or a portion thereof.  And honestly that sounds like a bad idea to me.

              When I have needed a password to authenticate a user, I have asked for it with a form, at the moment the authentication is required, because any earlier authentication may no longer be valid, i.e. the user has left their desk and somebody else has sat down at their computer.

              Remember there are two parts to security:

              Authentication:  Prove you are you.

              Authorization:  Here is the access you are allowed.

              • 4. Re: Single Sign on ColdFusion App
                emmim44 Level 1

                This is for our internal network... only.

                • 5. Re: Single Sign on ColdFusion App
                  Adam Cameron. Level 5

                  Ian's question is: if you've already used integrated authorisation @ web server level, why do you need the password?  I.e. what would you be using the password for?  Generally, all one needs a password for is to verify the user and grant the authorisation, but in this situation the authorisation has already been done by the web server.  So all CF should need to know is "yes, the user has been authorised, and I verify that this is who they are" (which is the value passed in the CGI.auth_user variable).  So if you have that auth_user value, it's safe to assume they've been authenticated: that is the whole intent of the mechanism.

                  There could be a good reason you need to know the pwd too, but you're not articulating why.  What do you need to do with it?  I.e. how are you needing to use it in your CF code?

                  --

                  Adam

                  • 6. Re: Single Sign on ColdFusion App
                    emmim44 Level 1

                    How will I auth the user against a corporate LDAP? Don't I need to pass the password and username?

                    • 7. Re: Single Sign on ColdFusion App
                      Adam Cameron. Level 5

                      On the first hit to the site, the client will pass both login and pwd to the web server, and the web server will do the authentication.  This authentication will be achieved by the web server asking the directory service (or whatever mechanism is in place) if the user/pwd combo is valid.  The directory service will say "yes" or "no", and will also probably pass back some directory security settings too (authorisation).  Once that's done, the web server will tell CF "this user is authenticated to access the site (the authorisation is handled by the web server, so CF doesn't need to know about that), and in case you need to know which specific user it is, here's their login name in CGI.auth_user".

                      The passing of the login/pwd can be handled automatically between IE and IIS, although it will probably need to be captured manually if other browsers / web servers are involved.

                      It's at that first hit to the site that the auth is done, and it's done between client, web server and whatever back-end system does the authorisation.  But after that it's done.  This all takes place before CF is involved, and all CF should need to know is who the user is.

                      Are you saying that after that happens you need to authenticate to some other system?

                      You're not really being very clear about what you are setting out to do here.  Can you please describe more thoroughly what you need to do?

                      --

                      Adam

                      • 8. Re: Single Sign on ColdFusion App
                        ilssac Level 5

                        One thing I will add to Adam's excellent reply (Welcome back Adam by the way).

                        You often do need to have a user name and password to access data in the Active Directory or other LDAP depository.  Seldom does this user name and password need to be those of the user accessing the web site.  It just needs to be an account that can read the desired information in the LDAP records about the web site user.

                        On our system we have a specific ColdFusion domain user, creatively named "cfldapuser," that grants this access.  With this user it is relatively trivial to read a web site user record with the <cfldap....> tag and get all their groups and other Active Directory data.
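                        Putting Adam's description of the flow (reply 7) and the service-account lookup above together as CFML, as an added example rather than code from the thread: IIS supplies cgi.auth_user, the template validates it, and a dedicated read-only account queries Active Directory for the user's record and groups. The server, base DN, service account, group name and application.ldapServicePassword are assumptions.

```cfml
<!--- Assumed: IIS has Windows Integrated Authentication enabled and Anonymous
      access disabled, so IIS hands ColdFusion "DOMAIN\username" in cgi.auth_user. --->
<cfif NOT len(trim(cgi.auth_user))>
    <cfthrow message="No authenticated user: check that Anonymous access is disabled in IIS." />
</cfif>

<!--- Strip the DOMAIN\ prefix; listLast also copes with a bare user name --->
<cfset userName = listLast(trim(cgi.auth_user), "\") />

<!--- The name still comes from the request, so allow only the characters an AD
      logon name may contain before placing it inside an LDAP filter --->
<cfif NOT reFind("^[A-Za-z0-9._-]+$", userName)>
    <cfthrow message="Unexpected characters in authenticated user name." />
</cfif>

<!--- Look the user up with a dedicated read-only service account (hypothetical
      server, base DN and account name; the password is assumed to be loaded into
      the application scope at startup rather than written in the template). --->
<cfldap action="query"
        name="qUser"
        server="dc01.example.com"
        port="389"
        username="EXAMPLE\cfldapuser"
        password="#application.ldapServicePassword#"
        start="DC=example,DC=com"
        scope="subtree"
        filter="(&(objectClass=user)(sAMAccountName=#userName#))"
        attributes="sAMAccountName,displayName,mail,memberOf"
        separator=";"
        maxrows="1" />

<cfif qUser.recordCount EQ 0>
    <cfthrow message="Authenticated user #userName# has no directory record." />
</cfif>

<!--- memberOf arrives as a ;-separated list of group DNs (separator=";" above,
      because DNs themselves contain commas); keep each group's CN --->
<cfset groupNames = structNew() />
<cfloop list="#qUser.memberOf#" index="dn" delimiters=";">
    <cfset groupNames[listLast(listFirst(dn, ","), "=")] = true />
</cfloop>

<!--- Authorisation: the page is for members of one AD group (hypothetical name) --->
<cfif NOT structKeyExists(groupNames, "CF Intranet Users")>
    <cfthrow message="#userName# is not authorised for this application." />
</cfif>

<cfset session.user = { name = userName, displayName = qUser.displayName, email = qUser.mail } />
```

The two cfthrow checks before the cfldap call are what stop an empty or malformed auth_user from turning into a directory query; the service account never needs the browsing user's password.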

                        • 9. Re: Single Sign on ColdFusion App
                          emmim44 Level 1

                          This outputs nothing:

                          <cfoutput>#cgi.auth_user#</cfoutput>

                          • 10. Re: Single Sign on ColdFusion App
                            ilssac Level 5

                            Confirm that you have "Windows Integrated Security" selected and "Anonymous" is NOT selected in the IIS configuration.

                            • 11. Re: Single Sign on ColdFusion App
                              emmim44 Level 1

                              I did, then... a dialog box is asking for a user/pass??

                              • 12. Re: Single Sign on ColdFusion App
                                ilssac Level 5

                                Then you are not using a Microsoft browser.

                                NTLM "Windows Integrated Security", being a Microsoft standard, only works silently in a Microsoft browser on a Microsoft client connecting through a Microsoft domain to a Microsoft web server running on a Microsoft server.

                                Presuming you may be using Firefox as a browser, it does have an option in its configuration (about:config in the URL) that allows you to set it up to silently pass NTLM authentication just as Internet Explorer does.  I have no idea if other browsers have a feature such as this.

                                • 13. Re: Single Sign on ColdFusion App
                                  emmim44 Level 1

                                  I am using IE 8.

                                  • 14. Re: Single Sign on ColdFusion App
                                    ilssac Level 5

                                    OK!

                                    Then are you logged into the client machine?

                                    Do you, or any group you are a member of, have some type of permissions to the web site resources you have just locked down with Windows Integrated Security?

                                    Those are the only three causes I can think of that would cause a dialog box to be shown: non-IE browser, no permissions to the web site, or you are not logged into the domain.

                                    • 15. Re: Single Sign on ColdFusion App
                                      Adam Cameron. Level 5

                                      It sounds like the domain you're accessing is in the Internet zone in your browser config.  It needs to be in the Intranet zone (I think... I don't use IE, and it's been a while since I've had to do this).

                                      Can I recommend you do some reading up on how all this is supposed to work, and get more of a handle on how this is supposed to work?

                                      All this is really well documented (and covered in numerous forums elsewhere about the place... Google will find 'em).

                                      I'm getting the distinct feeling we're participating in a wheel-reinvention exercise here.

                                      --

                                      Adam

                                      • 16. Re: Single Sign on ColdFusion App
                                        Adam Cameron. Level 5
                                        (Welcome back Adam by the way).

                                        G'day mate.

                                        I'm out of work @ present (well... since March - long story), so have some time on my hands, but also want to keep my hand in.  Often sorting out the answers to people's questions leads me down a path I hadn't trod before.

                                        These forums haven't improved, have they (the software, not the content)?  Plus the traffic seems well down on what it was like before the change over.  Big props to Adobe there.  Well done.  You must be proud.

                                        --

                                        Adam

                                        • 17. Re: Single Sign on ColdFusion App
                                          ilssac Level 5

                                          Not to hijack the thread too much.

                                          No, not much has improved in the forums as far as I can tell.  I'm just too bulldog stubborn to leave.

                                          But I can say for sure that I respond to fewer threads than I would have without NNTP or something equally convenient.

                                          • 18. Re: Single Sign on ColdFusion App
                                            emmim44 Level 1

                                            Thank you for your input, guys... I think my idea will dissolve itself...