Including Legacy Applications In A New Approach To Identity

**Work Completed By:**


Once we have identified the architecture and standards that we wish to employ for handling identity, we will be able to specify clearly how all new applications and services that we develop, procure or consume must work.

However, the bulk of our existing information and applications will not have been implemented with these measures in mind, and in their current configuration they are unlikely to be conceptually or technically capable of working in the way we have defined.

We must investigate what approaches can be used in aligning legacy applications with a new standardised approach to identity based on the concepts we have been examining. 

This project is concerned with both:
- Demonstrating how a legacy application can be adapted/integrated/aligned with a centralised approach to identity and authentication.
- Gaining an understanding of the process that we would need to go through in order to evaluate and decide on how to integrate legacy applications into the new approach.


Details of where code, web pages etc can be found.


Describe the degree to which the work was successful in addressing the project description. Include reasons why or why not.


What immediate impact could the output of this R&D work have on the organisation – could it provide benefits without compromising our strategic approach?


How the work carried out fits with our strategic direction or how it should contribute to our strategic thinking.


SWOO notes

Connecting to SharePoint web services using PHP

We've been struggling with trying to get PHP set up on our local machines to talk to SharePoint. I've been using a PHP library called NuSOAP to try to access the various web services available, and I've come up against what seemed to be an authentication problem of some sort.

With very little to go on in the way of error messages, I resorted to Wireshark to sniff the packets (which always makes me feel slightly uncomfortable), and we found the following…


This was expected - the "401 Unauthorized" suggests I need to authenticate, and the "WWW-Authenticate" header would suggest this would be via NTLM.

Fronting legacy systems with webservices

Choosing PHP and the framework for the application

We chose to build the application in PHP, because Terry and I are both used to it; we've both built websites with it before. PHP has a large community, a long history on the web, and a well-packaged and easy-to-install stack in the form of XAMPP (which bundles Apache, MySQL and PHP along with support software such as the MySQL client phpMyAdmin). I'm sticking with XAMPP 1.7.1, which comes with PHP 5.2.9 rather than 5.3 - some features were deprecated in 5.3.

I chose the CodeIgniter framework to build the application because I've used it before with success. It's a stable, lightweight model-view-controller framework that's been around for about four years, with a good community behind it and excellent documentation.

The stability of CodeIgniter is a double-edged sword - to an extent it has suffered from not moving forwards quickly enough; it has stuck to being PHP4 and PHP5 compatible, which is great for those stuck on PHP4 (as I was with a particular host), but it does mean that the framework doesn't make best use of the new features in PHP5. The final version of PHP4 was out in mid-2008. EllisLab are working on a new version of their blogging/content management software ExpressionEngine which will be based on CodeIgniter, and it's expected that a version 2 of CodeIgniter will eventually fall out of that.

A subset of the CI community jumped ship a couple of years ago to create the open source and community-driven PHP5-only Kohana framework. It looks good, but at the time I looked at it last, it didn't come with particularly great documentation, although things might well have changed in that respect.

Implementing OpenID in PHP

First thing on my list was an authentication system, and it seemed natural to build OpenID into the application.

The strange thing is that so far I've had a worse experience with PHP than with Ruby on Rails, despite PHP being the tool I would normally reach for. With Ruby there are lots of gems available, and they near enough worked straight away - the OAuth gem was particularly impressive in that respect.

I've been struggling with implementing OpenID in PHP, and the firewall could well be a factor, as usual.

The test consumer I was using works OK from home, using my Flickr account OpenID. At work, even after I'd set up curl to run through the proxy, I was getting the same old "authentication error, not a valid OpenID". To get this far I had to use a packet sniffer called Wireshark, which showed me I was getting a 503 "Service Unavailable" error, which I'm presuming is down to the firewall. For debugging HTTP connections between client and server, a packet sniffer (or a proxy running on the client) is invaluable.
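Both the SharePoint 401/NTLM problem and the OpenID 503 through the proxy above came down to the PHP side swallowing the HTTP status and headers. The following added example (written for these notes, not code from NuSOAP, CodeIgniter or the project) is a small PHP 5.2-compatible curl probe that surfaces the status code and any WWW-Authenticate challenge, and optionally completes the NTLM handshake, so the same diagnosis can be made without a packet sniffer. The hostnames, proxy and credentials are placeholders.

```php
<?php
// Added diagnostic helper: one HTTP request (optionally via the corporate proxy)
// that reports the final status code and any WWW-Authenticate challenge.
// All hosts, the proxy address and the credentials are placeholders.
function probe_endpoint($url, $proxy = null, $ntlm_user = null, $ntlm_pass = null, $soap_body = null)
{
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_HEADER, true);          // keep response headers in the output
    curl_setopt($ch, CURLOPT_TIMEOUT, 15);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);  // a 503 from the proxy is not a reason to relax TLS checks
    if ($proxy !== null) {
        curl_setopt($ch, CURLOPT_PROXY, $proxy);     // e.g. "proxy.example.internal:8080"
    }
    if ($ntlm_user !== null) {
        // SharePoint replied "401 + WWW-Authenticate: NTLM": let curl run the NTLM handshake
        curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_NTLM);
        curl_setopt($ch, CURLOPT_USERPWD, $ntlm_user . ':' . $ntlm_pass);
    }
    if ($soap_body !== null) {                       // POST a SOAP envelope to a .asmx web service
        curl_setopt($ch, CURLOPT_POST, true);
        curl_setopt($ch, CURLOPT_POSTFIELDS, $soap_body);
        curl_setopt($ch, CURLOPT_HTTPHEADER, array('Content-Type: text/xml; charset=utf-8'));
    }
    $raw = curl_exec($ch);
    $result = array(
        'status'     => curl_getinfo($ch, CURLINFO_HTTP_CODE),  // 0 when no HTTP response came back
        'curl_error' => curl_error($ch),                        // proxy/TLS/DNS failures show up here
        'challenges' => array(),
        'body'       => '',
    );
    // During NTLM curl receives several header blocks; CURLINFO_HEADER_SIZE covers all of them
    $header_size = curl_getinfo($ch, CURLINFO_HEADER_SIZE);
    curl_close($ch);
    if ($raw === false) {
        return $result;
    }
    $headers        = substr($raw, 0, $header_size);
    $result['body'] = substr($raw, $header_size);
    if (preg_match_all('/^WWW-Authenticate:\s*(\S+)/mi', $headers, $m)) {
        $result['challenges'] = array_values(array_unique($m[1]));  // e.g. array('NTLM', 'Negotiate')
    }
    return $result;
}

// Example run against a placeholder SharePoint host through a placeholder proxy.
$r = probe_endpoint('https://sharepoint.example.internal/_vti_bin/Lists.asmx', 'proxy.example.internal:8080');
printf("HTTP %d; challenges: %s; curl error: %s\n",
       $r['status'], implode(',', $r['challenges']), $r['curl_error']);
```

A 401 with `NTLM` in `challenges` means the call should be repeated with `$ntlm_user`/`$ntlm_pass` set; a 503 or a status of 0 with a curl error points at the proxy or firewall rather than at the application.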



Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License