I need to develop a system to be used by the user. The user will be registered in another system, which will hold the registration, the contracted plans and the financial control for that user...
The idea is that when the user tries to log into his system, instead of authenticating the user's information against that system's own database, it goes to the "master" system, which authenticates the user and provides the information about his plan...
From there, the user receives the confirmation of authentication from the "master" system and can use his system...
My question is: how do I do this safely? I do not want to expose user information and, above all, I do not want to expose the "master" system, which will hold very important data...
I am going through the same problem right now, and a good answer would help me a lot! But if you want me to share the strategies I have been designing for this, and the pros and cons I have already identified, I can do that soon. In addition, I would like you to clarify the following: 1) are both systems under the control of the same entity (e.g., your company) or not? In other words, does system A consider system B "trustworthy" and vice versa? 2) Is it important to you that when the user authenticates on system A he is automatically authenticated on system B, or not?
– mgibsonbr
@mgibsonbr the two systems will belong to my company; the user of system A will not have access to anything in system B, but the authentication must be done using the information held in system B. The purpose of this is to give me the freedom to create N users for system A and to control their packages, among other things, centrally and automatically, without running the risk that an intrusion or anything of the kind on system A affects system B, which we will try to make as "invisible" as possible...
– RodrigoBorth
@mgibsonbr if you want, feel free to edit my question to add the pros and cons and any other information you have identified in your analysis (if the comments are too short for this). I believe we have a long way to go.
– RodrigoBorth
Have you ever considered the idea of using OpenID to carry out this process? (OpenID site, PHP OpenID.) It is an interesting idea. Of course it all depends on the architecture of your system and on what you need. But here is the hint: after logging into one system, when the user accesses another one he is automatically logged in.
– Fernando A.W.
Thanks, but that won't be necessary: I intend to post it as an answer. His case is simpler than mine, where, although one of the systems is the "master", it also receives logins directly. And one requirement of my client, which for security reasons is now being reviewed, is that "single login" be done, i.e. when authenticating in one service the user should automatically be authenticated in the other. I mean, it's a little more complicated... :P
– mgibsonbr
OpenID (and OAuth2) are interesting, yes, but for the case where both systems are logged into directly. In the OP's case, the "master" system is not directly accessible to the user, only indirectly through the "slave" system. So, although the suggestion is good, I do not believe it applies here...
– mgibsonbr
@mgibsonbr Ah, right... If the master system is not visible, OpenID is not applicable. Now I understand.
– Fernando A.W.
I believe you can implement this as a web service on system B (they are secure, and the user does not even realize that he is authenticating on another system): http://php.net/manual/en/refs.webservice.php
– Ricardo Cruz
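As an added illustration of the architecture described in the question and of the "web service on system B" suggestion above (example code written for this page, not code from the question or from any of the commenters): system A holds no passwords and no billing data; on login it forwards the credentials to a single authentication operation exposed by the "master" system B, and B answers with a short-lived, signed assertion that carries only the user's plan. The secrets, the sample user record, the `sub`/`plan`/`iat`/`exp`/`jti` claim names and the lockout threshold are all assumptions made for the example. In a deployment the call between A and B would be a network call over a private network or mutually authenticated TLS; here both sides live in one file so the exchange can be run offline.

```python
"""Delegated login: user-facing system A asks hidden "master" system B."""
import hashlib
import hmac
import json
import secrets
import time
from base64 import urlsafe_b64decode, urlsafe_b64encode
from typing import Optional

# Hypothetical secrets; in a real deployment they come from configuration.
API_KEY_FOR_A = b"a-to-b-client-key-0123456789"  # proves to B that the caller is A
ASSERTION_KEY = b"b-assertion-signing-key-9876"   # B signs assertions, A verifies them

PBKDF2_ITERATIONS = 100_000
ASSERTION_TTL = 600   # seconds an assertion stays valid on A
MAX_FAILURES = 5      # failed logins before B locks the account


def b64e(raw: bytes) -> str:
    return urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64d(text: str) -> bytes:
    return urlsafe_b64decode(text + "=" * (-len(text) % 4))


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


# ===================== System B: the "master" =====================
# Constructed sample directory. Billing fields exist here but are never sent to A.
_SALT = bytes.fromhex("7e2d4c8a9b1f0e3d5a6c7b8d9e0f1a2b")
USERS_B = {
    "alice": {"salt": _SALT, "hash": hash_password("correct horse", _SALT),
              "plan": "pro", "card_last4": "4242", "balance_due": 0.0},
}
FAILED_LOGINS = {}  # username -> consecutive failed attempts


def master_authenticate(api_key: bytes, username: str, password: str,
                        now: Optional[int] = None) -> dict:
    """The only operation B exposes to A: credentials in, signed assertion out."""
    now = int(time.time()) if now is None else now
    # 1. Only system A may call this; reject anything else before touching user data.
    if not hmac.compare_digest(api_key, API_KEY_FOR_A):
        return {"ok": False, "error": "unauthorized client"}
    # 2. Lockout: a compromised A (or a leaked API key) cannot brute-force B's users.
    if FAILED_LOGINS.get(username, 0) >= MAX_FAILURES:
        return {"ok": False, "error": "locked"}
    record = USERS_B.get(username)
    # 3. Hash even for unknown users so response time does not reveal who exists.
    salt = record["salt"] if record else _SALT
    candidate = hash_password(password, salt)
    if record is None or not hmac.compare_digest(candidate, record["hash"]):
        FAILED_LOGINS[username] = FAILED_LOGINS.get(username, 0) + 1
        return {"ok": False, "error": "invalid credentials"}
    FAILED_LOGINS.pop(username, None)
    # 4. Minimal claims: what A needs to operate, nothing A could leak about B.
    claims = {"sub": username, "plan": record["plan"], "iat": now,
              "exp": now + ASSERTION_TTL, "jti": secrets.token_hex(8)}
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(ASSERTION_KEY, body, hashlib.sha256).digest()
    return {"ok": True, "assertion": f"{b64e(body)}.{b64e(sig)}"}


# ===================== System A: user-facing =====================
# A stores no passwords and no billing data; it only checks B's signature and expiry.
def verify_assertion(token: str, now: Optional[int] = None) -> Optional[dict]:
    now = int(time.time()) if now is None else now
    try:
        body_b64, sig_b64 = token.split(".")
        body, sig = b64d(body_b64), b64d(sig_b64)
    except ValueError:  # malformed token (binascii.Error is a ValueError)
        return None
    expected = hmac.new(ASSERTION_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None  # forged or tampered
    try:
        claims = json.loads(body)
    except ValueError:
        return None
    if not (claims["iat"] <= now < claims["exp"]):
        return None  # expired, or issued in the future
    return claims


def login_on_a(username: str, password: str, now: Optional[int] = None) -> Optional[dict]:
    """What A does when the user submits the login form: ask B, keep only the claims."""
    reply = master_authenticate(API_KEY_FOR_A, username, password, now)  # network call in reality
    if not reply["ok"]:
        return None
    return verify_assertion(reply["assertion"], now)


if __name__ == "__main__":
    print("session claims on A:", login_on_a("alice", "correct horse"))
    print("wrong password:", login_on_a("alice", "nope"))
```

What this buys the OP: B's surface toward A is one function, A never sees password hashes or financial fields, and an attacker who takes over A gets only the API key, which is rate-limited and still needs a valid password per user. Because an HMAC key is shared, A could forge assertions for itself, but those only grant access to A, which the attacker already holds; if that still matters, have B sign with an asymmetric key (for example Ed25519) and give A only the public key.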
The case of @mgibsonbr, "when authenticating in one service the user should automatically be authenticated in the other", reminded me of the Google sites, i.e. when you log in to YouTube, you are automatically logged in to Google+ as well... Anyway, just a passing thought. :P
– KaduAmaral
Take a peek at this: Application separate authentication server
– Bacco
@RodrigoBorth, I believe what you need can be seen in this answer I posted a short while ago: CAS
– cantoni