I'm hoping for feedback on an authentication system I have designed.
The requirements are to create a closed, single sign on web environment, where by once one of our employees visit one of our web applications, they are asked to sign in with their credentials backed by our LDAP. Once signed in, they retain this login for a set time period, or the browser session, and across all our web applications. Much how Google's web properties work with a google account, but for our internal systems.
The users themselves operate from windows, mac or linux, and some from just tablets, so this authentication environment needs to exist solely online, kerberos with mod_auth_kerb etc aren't going to cut it.
All our current web applications use PHP.
The system I have so far works like below.
There exists one central authentication system, which I will call the Authentication Handler, or "handler" for short, and one or more authentication "client" web apps, which I will call Authentication Requestor, or "requestor" for short. I will call the user and their browser just "user".
Also, for it to work, the requestor needs to be preconfigured at the handler with a unique requestor_id
and return URL for that ID.
A private key for handler is generated and a public key given to all requestors before hand too.
user visits requestor
- user enters URL for requestor.
- no session exists for this user on requestor, so requestor creates a new
SESSION_ID
in PHP (with the built in session handler andsession_start
). - the session has no authentication, so requestor will then generate a URL to the configured handler consisting of two parts, an
authrequest
token and anenvelope
.- requestor first regenerate a new session_id (
session_regenerate_id
in PHP) for this auth request for the client. - requestor then generates a random password, in this case using PHP's
openssl_random_pseudo_bytes
and stores this in the session data - requestor then encrypts the
SESSION_ID
usingAES256
with the random password for theauthrequest
in PHP usingopenssl_encrypt
. - requestor then generates envelope data by concatenating it's unique
requestor_id
, a ':', and the base64-encoded random password. - requestor's envelope data is then encrypted using the pre-shared public key for the handler using
openssl_public_encrypt
in PHP.
- requestor first regenerate a new session_id (
- requestor then sends a
location:
header to user that contains the encryptedenvelope
and theauthrequest
as URL parameters to handler. - handler will decrypt the envelope using it's private key, and separate the clientID and password.
- handler will check the
requestor_id
to see if we have this configured, if not, will inform the user that the requestor was not recognised. - handler will authenticate the user (in this case, via asking for username and password and checking against LDAP and/or via a preauthenticated session)
- handler will then generate a return
authtoken
to requestor- handler will decrypt the
SESSION_ID
fromauthrequest
using the decrypted and decoded password from the envelope - handler will encrypt a new string containing
SESSION_ID
and an ID of the logged in credentials (username, GUID, etc) with the decrypted and decoded password from the envelope
- handler will decrypt the
- handler then sends a
location:
header to user that contains theauthtoken
as URL parameter to a preconfigured URL for thisrequestor_id
. - requestor receives the request, and will decrypt the token using the password in the users session.
- requestor will confirm the
SESSION_ID
matches the users current session, else it will restart authentication. - requestor can then use the returned crednetialID to identify a local user as authenticated.
This process can be repeated across different systems to give a single signon behaviour.
So, questions:
- Does anyone know of a pre-existing, standardised authentication system that meets the requirements and preforms similarly to above?
- If not, and given that I'm no security expert, is there anything above that would could be broken? i.e. what is/are the weak point(s) of this method?