单点登录基于Web的身份验证系统

I'm hoping for feedback on an authentication system I have designed.

The requirements are to create a closed, single sign on web environment, where by once one of our employees visit one of our web applications, they are asked to sign in with their credentials backed by our LDAP. Once signed in, they retain this login for a set time period, or the browser session, and across all our web applications. Much how Google's web properties work with a google account, but for our internal systems.

The users themselves operate from windows, mac or linux, and some from just tablets, so this authentication environment needs to exist solely online, kerberos with mod_auth_kerb etc aren't going to cut it.

All our current web applications use PHP.

The system I have so far works like below.

There exists one central authentication system, which I will call the Authentication Handler, or "handler" for short, and one or more authentication "client" web apps, which I will call Authentication Requestor, or "requestor" for short. I will call the user and their browser just "user".

Also, for it to work, the requestor needs to be preconfigured at the handler with a unique requestor_id and return URL for that ID. A private key for handler is generated and a public key given to all requestors before hand too.

user visits requestor

1. user enters URL for requestor.
2. no session exists for this user on requestor, so requestor creates a new SESSION_ID in PHP (with the built in session handler and session_start).
3. the session has no authentication, so requestor will then generate a URL to the configured handler consisting of two parts, an authrequest token and an envelope.
   1. requestor first regenerate a new session_id (session_regenerate_id in PHP) for this auth request for the client.
   2. requestor then generates a random password, in this case using PHP's openssl_random_pseudo_bytes and stores this in the session data
   3. requestor then encrypts the SESSION_ID using AES256 with the random password for the authrequest in PHP using openssl_encrypt.
   4. requestor then generates envelope data by concatenating it's unique requestor_id, a ':', and the base64-encoded random password.
   5. requestor's envelope data is then encrypted using the pre-shared public key for the handler using openssl_public_encrypt in PHP.
4. requestor then sends a location: header to user that contains the encrypted envelope and the authrequest as URL parameters to handler.
5. handler will decrypt the envelope using it's private key, and separate the clientID and password.
6. handler will check the requestor_id to see if we have this configured, if not, will inform the user that the requestor was not recognised.
7. handler will authenticate the user (in this case, via asking for username and password and checking against LDAP and/or via a preauthenticated session)
8. handler will then generate a return authtoken to requestor
   1. handler will decrypt the SESSION_ID from authrequest using the decrypted and decoded password from the envelope
   2. handler will encrypt a new string containing SESSION_ID and an ID of the logged in credentials (username, GUID, etc) with the decrypted and decoded password from the envelope
9. handler then sends a location: header to user that contains the authtoken as URL parameter to a preconfigured URL for this requestor_id.
10. requestor receives the request, and will decrypt the token using the password in the users session.
11. requestor will confirm the SESSION_ID matches the users current session, else it will restart authentication.
12. requestor can then use the returned crednetialID to identify a local user as authenticated.

This process can be repeated across different systems to give a single signon behaviour.

So, questions:

1. Does anyone know of a pre-existing, standardised authentication system that meets the requirements and preforms similarly to above?
2. If not, and given that I'm no security expert, is there anything above that would could be broken? i.e. what is/are the weak point(s) of this method?