Single Sign On, Kerberos & PHP

General discussion on Zend Core for IBM System i
Posts: 9
Joined: Mon Jun 15, 2009 8:24 pm

Single Sign On, Kerberos & PHP

Post by sidewinds » Mon Jun 15, 2009 8:27 pm

We have SSO working with green screen, on the Apache server and working with our CGI programs, but we are having a little trouble with the PHP part. We have apps that we make people sign in to use, and we'd like for the Kerberos piece to let them in automatically if they're authorized. However, we still need a way to determine in the app who the user actually is, as we are running some of the i5 APIs that require a username and password to work.
Anyone have any suggestions?

Posts: 1
Joined: Tue Jul 07, 2009 6:58 pm

Re: Single Sign On, Kerberos & PHP

Post by ericksonrs » Tue Jul 07, 2009 6:59 pm

Did you receive any help with this problem? We are trying to do the exact same thing...

Posts: 187
Joined: Wed Apr 22, 2009 2:29 pm
Location: Edmonton, AB, Canada

Re: Single Sign On, Kerberos & PHP

Post by scottgcampbell » Wed Jul 08, 2009 3:00 pm

Maybe something like this would work. I've never looked at it, so I don't know if it will work on the i.


Zend Global Support
Posts: 139
Joined: Mon Dec 29, 2008 2:38 pm

Re: Single Sign On, Kerberos & PHP

Post by shlomov » Wed Jul 08, 2009 4:53 pm

1. Using the Apache module is one way to be explored with the i5.
2. Can you share more information on the first two posts and the idea behind them?

3. PHP contains an LDAPS extension to query the Active Directory; it is the SSO pre-connection to the i5, or rather more of an application trigger, and the credentials read from the Active Directory can be used for all PHP connect usage (i.e. DB2/toolkit).

4. The issue is being explored further; an update will follow.
Shlomo Vanunu
IBM System i
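The Apache-module route mentioned above works because Apache, not PHP, does the Kerberos (SPNEGO) negotiation and then exposes the authenticated principal to the script as REMOTE_USER; no password is ever posted, which is exactly the gap described in the first post. The following is an added example, not code from this thread or from Zend, of how a PHP script can pick that identity up safely. It assumes the script lives under a location Apache protects with a Kerberos authentication module, and that EXAMPLE.COM is a placeholder for the site's own realm.

```php
<?php
// Added example: derive the signed-on user from Apache's Kerberos authentication.
// Assumption: Apache performs SPNEGO for this location and sets REMOTE_USER to a
// principal such as "JSMITH@EXAMPLE.COM" only after a successful authentication.

const TRUSTED_REALM = 'EXAMPLE.COM';   // placeholder, replace with your own realm

function kerberosUser(array $server): ?string
{
    // REMOTE_USER is absent when the request did not pass through the protected
    // location; treat that the same as an authentication failure.
    $principal = isset($server['REMOTE_USER']) ? (string) $server['REMOTE_USER'] : '';
    if ($principal === '') {
        return null;
    }
    // Accept only a user@REALM shape. The user part is limited to what an IBM i
    // profile name can be (up to 10 characters).
    if (!preg_match('/^([A-Za-z0-9_#$@]{1,10})@([A-Za-z0-9.-]+)$/', $principal, $m)) {
        return null;
    }
    $user  = strtoupper($m[1]);
    $realm = strtoupper($m[2]);
    // Pin the realm so a principal from a trusted foreign realm is not silently
    // mapped onto a local profile of the same name.
    if ($realm !== TRUSTED_REALM) {
        return null;
    }
    return $user;
}

$user = kerberosUser($_SERVER);
if ($user === null) {
    http_response_code(401);
    header('WWW-Authenticate: Negotiate');
    exit('Not authenticated');
}
// $user is now the authenticated profile name and can drive authorization and
// audit logging. The user's password is still not available to the script, so
// any API that insists on one needs a different approach, as the thread notes.
echo 'Signed on as ', htmlspecialchars($user, ENT_QUOTES, 'UTF-8');
```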

Posts: 9
Joined: Mon Jun 15, 2009 8:24 pm

Re: Single Sign On, Kerberos & PHP

Post by sidewinds » Tue Jul 28, 2009 8:37 pm

Let me see if I can explain further. We currently are using (testing) SSO with our green screen and email. The user logs into their workstation, and when they start their email or green screen no password prompt occurs; this is handled by Kerberos. We also have Kerberos working with some of our CGI programs that required login info to pull specific info for a particular user.
In some of our PHP apps, we use the i5_ APIs to make connections to DB2. We query the POST or GET arrays to pull username and password info from these applications.
Kerberos actually works with PHP, in that it allows a user into a secured application and negotiates their authority correctly. The problem occurs in the fact that since no actual login is being done through the browser, the username and password are not available as usual in the POST or GET arrays. I've banged around on the internet quite a bit and done a lot of testing but so far, no luck.
Hopefully this gives a better idea of what we are trying to accomplish.
Thanks for any input or ideas anyone may have.

The post above mentions a way to query Active Directory for signon information... Could you explain further? That sounds like what I'm looking for!

Posts: 16
Joined: Thu Sep 03, 2009 10:29 pm

Re: Single Sign On, Kerberos & PHP

Post by nl059810 » Thu Sep 03, 2009 10:55 pm

We also have SSO working on all native OS/400 options (green screen, NetServer, Apache) and wanted something like that as well in Zend PHP. However, we did not find a (simple) way to get such a scenario working.

So, instead, we use CGIDEV to retrieve the current (OS/400) user, by first using an HTML page in which a POST is automatically done to a second CGIDEV page. That second page resides in a secured directory, so the current (OS/400) user is automatically verified with his or her Kerberos ticket. The CGI program uses an API to retrieve the current user ID and posts back to the original host (which is a parameter in the first HTML page) using the user ID as a parameter.

From that moment on, all PHP programs know the actual OS/400 user ID and we can use that to change the default PHP user (NOBODY) to the actual user, so we can log users' activity within PHP scripts.

If you like, I can mail some html, php and RPG scripts to get you started.
Henri Timmermans, Software Engineer at FH Holding BV
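In the hand-off above, the secured CGI page posts the user ID back to the original host as a plain parameter, so anything that can submit a form to the PHP side could claim any user ID. As an added example (not the poster's scripts), the snippet below binds that hand-off to a short-lived HMAC token: the issuing side mints it, the receiving PHP app verifies it and only then trusts the user ID. It assumes a secret shared by both sides (placeholder below), clocks that agree to within a minute, and shows the issuer in PHP purely for illustration even though the thread's issuer is an RPG CGI program.

```php
<?php
// Added example: signed hand-off of the Kerberos-verified user ID between the
// secured CGI page and the original PHP application.
// Assumptions: HANDOFF_SECRET is shared by both sides (placeholder value here),
// the token is transported over TLS, and both hosts' clocks roughly agree.

const HANDOFF_SECRET = 'replace-with-a-long-random-secret';  // placeholder
const HANDOFF_TTL    = 60;   // seconds a token remains acceptable

// Issuer side (the page behind Kerberos): user ID, intended target host, time.
function makeHandoffToken(string $user, string $target, int $now, string $secret = HANDOFF_SECRET): string
{
    $payload = implode('|', [strtoupper($user), $target, (string) $now, bin2hex(random_bytes(8))]);
    $mac = hash_hmac('sha256', $payload, $secret);
    return base64_encode($payload . '|' . $mac);
}

// Receiver side (the original PHP app): returns the user ID, or null if the token
// is forged, altered, meant for another host, stale, or not a valid profile name.
function verifyHandoffToken(string $token, string $expectedTarget, int $now, string $secret = HANDOFF_SECRET): ?string
{
    $raw = base64_decode($token, true);
    if ($raw === false) {
        return null;
    }
    $parts = explode('|', $raw);
    if (count($parts) !== 5) {
        return null;
    }
    [$user, $target, $issued, $nonce, $mac] = $parts;
    $payload = implode('|', [$user, $target, $issued, $nonce]);
    // Constant-time comparison of the MAC before anything else is trusted.
    if (!hash_equals(hash_hmac('sha256', $payload, $secret), $mac)) {
        return null;
    }
    if ($target !== $expectedTarget) {                       // minted for another host
        return null;
    }
    if (!ctype_digit($issued)) {
        return null;
    }
    $age = $now - (int) $issued;
    if ($age > HANDOFF_TTL || $age < -5) {                   // expired or from the future
        return null;
    }
    if (!preg_match('/^[A-Z][A-Z0-9_#$@]{0,9}$/', $user)) {  // IBM i profile name shape
        return null;
    }
    return $user;
}
```

Within the TTL a captured token could still be replayed, so a receiver that needs strict single use should record each nonce it has accepted until the token would have expired anyway.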

Posts: 12
Joined: Thu Dec 17, 2009 11:27 pm

Re: Single Sign On, Kerberos & PHP

Post by ajlisowski » Thu Dec 17, 2009 11:34 pm

Hi, this post may be dead by now...but maybe I can revive it.

I recently have been placed in a situation a little above my head where we are looking to consolidate a bunch of green screen applications and other systems into a single sign-on PHP portal using AD.

Now, today is my second day here and I was brought on to begin working on this project. I have done a ton of reading the last two days, and to be honest, before yesterday words like Kerberos and Active Directory were unknown to me.

I do not believe we have Kerberos set up. We do have AD set up, however.

What would the first step in accomplishing this goal be? Again, I am new so I am unsure of exactly what systems are already in place. If we have an SSO system already in place for some green screen type applications, would Kerberos have to be used already?

I have seen a bunch of Apache mods which claim to allow for user authentication...

such as described here:

I am definitely in sink or swim territory here with this project. I think next week I am going to focus on some other aspects of the project assigned to me, and for the time being require a login prompt and then bind the AD user based on that. But for the future, what is a good place to start with an SSO PHP system?

Posts: 8
Joined: Mon Dec 07, 2009 7:56 pm

Re: Single Sign On, Kerberos & PHP

Post by norminnorman » Tue Jan 12, 2010 9:47 pm


This is exactly what I am trying to do. Please help.

Posts: 14
Joined: Thu Feb 26, 2009 11:25 am

Re: Single Sign On, Kerberos & PHP

Post by sirshurf » Thu Mar 18, 2010 12:14 pm


Posts: 8
Joined: Mon Dec 07, 2009 7:56 pm

Re: Single Sign On, Kerberos & PHP

Post by norminnorman » Thu Mar 18, 2010 1:21 pm

We have put our true single sign-on on hold for a bit but now use CAS. With CAS you can use a single server to log in once and access any application on any server, whether it's your AS/400 or some other web server. It's pretty cool. Right now our CAS server is running on the AS/400 and you have to enter your credentials into a web form (once) to access an application. Our WebSphere AND PHP applications use it for authentication and you only have to log in once. You COULD set CAS up on a Linux/Windows machine though (something with actual Kerberos documentation and support) and then use it to do your silent single sign-on for you. So basically instead of the CAS server asking for your credentials through a web form, it would pull your Windows Kerberos ticket, validate it, then let your application know the username. The beauty behind CAS is it will fall back to another method if it doesn't work. So let's say your user isn't on the domain so he doesn't have a Windows Kerberos ticket. Well, CAS will go ahead and throw up a screen and ask for your credentials to validate another way (through Kerberos, LDAP, a database, etc.).

Obviously this all takes some work and server setup but I think it's worth it in the end. If anyone is interested, here is a link to the example code for the PHP CAS client:
