• Global community
    • Language:
      • Deutsch
      • English
      • Español
      • Français
      • Português
  • 日本語コミュニティ
    Dedicated community for Japanese speakers
  • 한국 커뮤니티
    Dedicated community for Korean speakers
Exit
0

Cold Fusion App Login functionality to be changed to use Single sign-on

Explorer ,
Sep 11, 2020 Sep 11, 2020

Copy link to clipboard

Copied

Hello,

  We have a Cold Fusion application running on Windows 2016/  using IIS  , this application uses database users to login to the front-end. Roles are then granted directly through code to  these database users. Its an old legacy application, we would like to change the method of logging in to use Windows Authentication and not a database users, how can this be done ? If we do this do we need to change a lot of code and how to grant roles once the users logins. Actually the system should directly let a user in since they are on the Intranet using Windows authentication. 

   Any suggestions ? 

Views

194

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
LEGEND ,
Sep 11, 2020 Sep 11, 2020

Copy link to clipboard

Copied

I've never tried anything like that, myself; not a legacy app, nor a brand spanking new one.  But I believe that CFLDAP would be in play, as that will access the Active Directory that the users exist in.  As far as code changes, the only thing that would change, just off the top of my head, would be setting the variables that grant the roles, etc.  Instead of being set by the result of a query, they would be set by whatever is returned in the CFLDAP results.

 

But, then I'm not at all familiar with your legacy app.. this is an assumption.

 

V/r,

 

^ _ ^

 

PS.  Personally, just from a security standpoint, I would be using CFLDAP on every page load; that way, if a user is online using this app, and (for whatever reason) said user has a role taken away, then the change will be reflected in real time, not upon the next time the user logs on.  Just my two cents.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
Sep 11, 2020 Sep 11, 2020

Copy link to clipboard

Copied

Depending on how things are set up in your environment, the easiest way to do this might be to just let your web server authenticate users instead of CF. If you're using IIS, and your web server is configured to use Windows Authentication, you'll have a CGI variable with the user's name in it that you can look up. You could then use this name to look up application-specific roles that are already in your database.

 

There are a lot of "ifs" to this, though. You might not be using Windows Authentication, or you might not be using IIS, or you might need to do authorization (the roles thing) somewhere other than in your web app. But this is what I'd try first, because it's very easy to try and see what you're getting - just set up a new web site or a test web site with Windows Authentication enabled, go to a CF page, and dump the entire CGI scope (I think the variable name is CGI.AUTH_USER but am not sure). You might need to talk to your network people about what exact form of Windows Authentication you need to use, because you have Kerberos, NTLM, forms-based authentication, and so on.

 

Dave Watts, Eidolon LLC

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Explorer ,
Sep 20, 2020 Sep 20, 2020

Copy link to clipboard

Copied

Thanks for your suggestions Dave, I will try it out and let you know the easiest way s u suggested would be to use the IIS authentication , I do not want to break the existing legacy prod application though,as we eventually plan on using a newer application.

Just want to make sure if IIS can authenticate for intranet users who are internal to the organization.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
Sep 21, 2020 Sep 21, 2020

Copy link to clipboard

Copied

LATEST

Yes, IIS can definitely do that if you set it up to do that.

 

Dave Watts, Eidolon LLC

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Resources
Documentation