Overview

This LoginShare module is intended to facilitate a true pass-thru enabled Single Sign-On experience for users. Once setup has been completed, users should be logged into the Support Center automatically, without being prompted for authentication.

Requirements:
  1. Webserver: IIS (tested with 7.5)
  2. PHP: 5.x (tested with PHP 5.2.17 & 5.3.13)
  3. adLDAP (tested with 4.0.3) - get it here: http://adldap.sourceforge.net/download.php

Setting this up should go something like this:
  1. Download and extract custom.zip from the files page. The "custom" folder contained in the ZIP file needs to go in the root of your Kayako install (the same folder that has key.php). This can be changed, but the relative path ./custom/* is called by several of my modifications, so you'd have to search out these paths and update them if you were to place the files elsewhere.
  2. Download and extract adLDAP from the project's homepage (http://adldap.sourceforge.net/download.php). I used the latest version (4.0.3 as of this writing). Extract the adLDAP files into the "custom" folder that was created in step 1.
  3. Now open config.php and modify the configuration to suit your environment. This is the only file you should have to modify (there's no need to configure adLDAP.php separately, as our script will pass the required values for us).
  4. In IIS Manager, make sure to enable Windows Authentication for (at a minimum) the folder containing login.php ("custom" in my example). The web.config file in the "custom" folder will disable anonymous authentication for login.php, so we'll be relying on (pass-thru) Windows Auth at that point. Set permissions on login.php on your IIS server to include your helpdesk users (i.e., "Domain Users").
  5. Now, log into your Admin CP and find the "header" template for the template group you want to enable SSO on. Open the file "template_Default_General_header.htm" from the Files section. The modifications that need to be made to the "header" template start on line 74 of this file, and end on line 122. Simply add this content to your "header" template, in the same spot.
  6. Still in Admin CP, you need to enable LoginShare now. The URL will be something like this: http://your-iis-server/custom/ad-ldap-sso.php. Be sure that LoginShare is enabled for your template group as well.
  7. That's it. Fire up your browser, and open up your helpdesk as a valid user and see if you're automatically authenticated. You should be.
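
Step 4 is the part of this setup that everything else depends on: login.php must refuse anonymous requests so that IIS performs Windows Authentication first. The following is an added example, not part of this project's files, that audits a web.config for that condition; the sample XML is constructed, uses the standard IIS authentication elements, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a web.config in the "custom" folder (not the shipped file).
HARDENED = """<configuration>
  <location path="login.php">
    <system.webServer><security><authentication>
      <anonymousAuthentication enabled="false" />
      <windowsAuthentication enabled="true" />
    </authentication></security></system.webServer>
  </location>
</configuration>"""

# Constructed weak variant: anonymous access left on for login.php.
WEAK = HARDENED.replace('anonymousAuthentication enabled="false"',
                        'anonymousAuthentication enabled="true"')

AUTH_PATH = "system.webServer/security/authentication"


def _settings(node):
    """Map each scheme under <authentication> to True, False or None (unset)."""
    auth = node.find(AUTH_PATH)
    if auth is None:
        return {}
    flag = {"true": True, "false": False}
    return {c.tag: flag.get(c.get("enabled", "").lower()) for c in auth}


def audit(web_config_xml, target="login.php"):
    """Return a list of problems with the auth settings that apply to target."""
    root = ET.fromstring(web_config_xml)
    effective = _settings(root)                  # folder-wide settings
    for loc in root.findall("location"):
        if loc.get("path", "").lower() == target.lower():
            effective.update(_settings(loc))     # per-file override wins
    problems = []
    # Values inherited from the site or server level are not visible here,
    # so an unset value is reported instead of being assumed safe.
    if effective.get("anonymousAuthentication") is not False:
        problems.append("anonymousAuthentication is not explicitly disabled")
    if effective.get("windowsAuthentication") is not True:
        problems.append("windowsAuthentication is not explicitly enabled")
    return problems


if __name__ == "__main__":
    for name, xml in (("hardened", HARDENED), ("weak", WEAK)):
        print(name, audit(xml) or "OK")
```

An empty result means the file itself pins both settings for login.php; anything else is worth checking in IIS Manager before enabling LoginShare.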

Since, in the above steps, you should have enabled Windows Authentication for at least part of your helpdesk site, your browser is going to have to support NTLM authentication for seamless pass-thru authentication to work. Internet Explorer and Chrome should support this out of the box. Firefox supports NTLM authentication, but requires some additional configuration. This extension can help: https://addons.mozilla.org/en-US/firefox/addon/integrated-auth-for-firefox/. Alternatively, you can modify the "network.automatic-ntlm-auth.trusted-uris" string in about:config to include the URL of your helpdesk server.

As a final note, this is intended to be used for authentication within a company's intranet. While it should work on the Internet (provided IIS is properly configured), that's beyond the scope of what this was designed to do. The "security" this module uses for authentication is likely not the best, but on an internal network with trusted users, the main objective was to simplify authentication for employees, rather than to put a huge emphasis on security.

Project Information

Members

Administrator: Chris Henry