We are considering single sign-on implementations for several web applications, some of which are CakePHP (1.3), while others are not. I hope to get advice or comments from people who have done this before.
Here's the idea: access to the CakePHP application is controlled by the web server's AuthType. If the user does not authenticate, they cannot access the application at all and are instead sent to the single sign-on login page. If they then log in successfully, they are redirected back to the application and granted access by the web server.
At this point, CakePHP reads the contents of $_SERVER['REMOTE_USER'] to identify the user and present him or her with the correct information.
Concrete questions:
- Assuming we can trust that SSO is secure, is this approach safe and reliable?
- Is it possible (or useful) to integrate this mechanism with the Cake Auth component?
- Is it Cakey to read the super-global $_SERVER?
- Is there a more Cake-like way to make the app SSO-aware?
To clarify, I need to know only an authenticated user. I do not need (or do not want) to share the entire session with any other application.
Thanks!
Edit: To repeat my comment below, SSO and all applications will be on our servers. We will not use RealID or any other external auth mechanism. Therefore, when I say "external" auth, I mean external to CakePHP, but not external to our web server.
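As an added example (not code from the question, and not part of CakePHP itself), here is one way to do the REMOTE_USER hand-off *inside* the Auth component rather than beside it, so the rest of the application keeps using `$this->Auth->user()` and Auth's per-action checks unchanged. It assumes Apache's AuthType/Require covers the whole application so that REMOTE_USER is set on every request that reaches PHP, a User model with a unique `username` column that matches what the SSO returns, and a hypothetical component name `SsoAuth` listed before `Auth` in AppController's `$components` so that its `startup()` runs first.

```php
<?php
/**
 * app/controllers/components/sso_auth.php (CakePHP 1.3)
 *
 * Added example, not code from the question: turns the web server's
 * REMOTE_USER into an ordinary Cake Auth login.
 *
 * Assumptions (none of these are stated in the question):
 *  - the web server sets REMOTE_USER on every request that reaches PHP;
 *  - the User model has a unique 'username' column matching REMOTE_USER;
 *  - AppController declares var $components = array('SsoAuth', 'Auth', 'Session');
 *    so this startup() runs before Auth's own startup().
 */
class SsoAuthComponent extends Object {

	var $components = array('Session', 'Auth');

	// Accept only what our local account names look like (assumption). Widen
	// this if the SSO emits e-mail style ids; the point is to reject surprises.
	var $usernamePattern = '/^[A-Za-z0-9._-]{1,64}$/';

	function startup(&$controller) {
		// env() reads $_SERVER (then $_ENV). REMOTE_USER is populated only by the
		// web server's auth module; a client-sent "REMOTE-USER:" header would show
		// up as HTTP_REMOTE_USER instead, so the browser cannot forge this value.
		// It is still untrusted input for the application, hence the regex.
		$remoteUser = env('REMOTE_USER');

		if (empty($remoteUser) || !preg_match($this->usernamePattern, $remoteUser)) {
			// The web server did not vouch for anyone (misconfigured <Location>,
			// or the regex rejected the name). Drop any earlier Cake login; Auth's
			// own startup() will then treat the request as anonymous.
			$this->_dropLogin();
			return;
		}

		$current = $this->Auth->user('username');
		if ($current === $remoteUser) {
			return; // Cake session already belongs to the server-authenticated user
		}

		if ($current !== null) {
			// Server says user B but the Cake session still holds user A (shared
			// browser, SSO re-login): never let B inherit A's session data.
			$this->_dropLogin();
		}

		$User =& ClassRegistry::init('User');
		$user = $User->find('first', array(
			'conditions' => array($User->alias . '.username' => $remoteUser),
			'recursive'  => -1,
		));

		if (empty($user)) {
			// Known to the SSO, unknown to this application: stay logged out.
			$this->_dropLogin();
			return;
		}

		// Never keep the password hash in the session; Auth::identify() strips it too.
		unset($user[$User->alias]['password']);

		// New session id at the privilege change (session fixation), then a normal
		// Auth login with the flat user record, which is exactly what Auth stores
		// after a form login, so Auth->user('id') etc. keep working.
		$this->Session->renew();
		$this->Auth->login($user[$User->alias]);
	}

	function _dropLogin() {
		if ($this->Auth->user() !== null) {
			$this->Auth->logout(); // deletes the Auth session key; does not redirect
		}
	}
}
```

Because the component logs the user in through `Auth->login()`, Auth's normal deny-by-default behaviour still applies: if REMOTE_USER is missing or does not map to a local User, `Auth->startup()` redirects to `loginAction` as it would for any anonymous request, which is your safety net if the web server configuration ever stops covering a path. Keep the Cake session cookie scoped to this application (the question only needs the identity shared, not the session), and treat the REMOTE_USER-to-User mapping as the one place where a bad SSO account name could become a local account, which is why the lookup is by exact match on a unique column rather than a LIKE or case-insensitive search.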