Integrating with client's existing active directory

Question

I have a running website which has its own set of users and have an authentication system which does a basic database lookup to authenticate the users to login to the site. A client of ours is interested in the website and has a requirement that instead of registering all their existing users with us again they have an Active Directory and I should use it to authenticate them. This prevents the client from registering all their users with us and from remembering another set of username and password.

My website is built with Java and I am looking at a solution where in I can integrate with active directory.

I am new to Active Directory and have been searching through the web but failed to find an optimum solution. My understanding of Active Directory is that it would have a set of username and passwords and if I am successfully able to integrate with it, in addition to having my own database of users I will have to look up in client's Active Directory as well and if a match is found, I can authenticate the user.

Please correct me if my understanding is wrong and could you please point me to the right direction?

Thanks,

Mayank

Answer 1

Where is your app deployed? If it is on your customer's premises, then the easiest might be to do an LDAP query against AD (an LDAP server) like @nzpcmad suggests. Tomcat has support for Windows Authentication too if I'm not mistaken, so it might be easier to go that path.

If it is off-premises, you will have to use an identity federation approach. You will have to change your app to accept SAML tokens and implement the SAML protocol (because you are in the Java world that might be the best option). Your customer will need to deploy an STS (like ADFS).

It really depends on how your app is designed and accessed by your customers (on-prem vs hosted, single tenant vs multi-tenant).

Answer 2

Try my Tomcat SPNEGO/Active Directory Authnz if you are on Tomcat 6 and up. The code has production quality, the release is upcoming. Build the site and read the docs, everything is described.

Answer 3

You've tagged this with adfs but nothing on the question refers to that?

Funny enough, you may be able to do this with ADFS.

If you can integrate an STS on your side, then you can federate with ADFS and then the user can choose which repository to authenticate on.

I'm not sure how your DB does the authentication? If it's custom then there may not be a STS that supports this.

Alternatively, add another screen in front of your authentication screen. This screen asks the user which repository to use. If they choose AD, then just access the AD via the Java API's for Active Directory - such as JNDI.