I'm building a multi-tenant web application in PHP which is hosted on a dedicated Ubuntu 14.04 server (LAMP). I'm trying to figure out the simplest method of allowing my customers (SMEs) to connect the application to their Active Directory server to authenticate users. The only issue is, I don't want all of my customers to have to whitelist my IPs on their firewall (change management will kill my sales) and I don't want them to expose their Active Directory servers to the internet.
The best I've come up with so far is setting up my own IIS server and asking all of my clients to connect to it using federation, but this is very long and very messy.
I'm happy to use a third party such as OneLogin for the task, but that requires my customers to trust a third party and install a third-party app on at least one of their servers. At least if I've created the connector (whatever it is) I can show this to the customers and over-document the process to provide ease of mind.
I can't help but feel like I'm missing something obvious. I don't even need to store user details as I could use ldap_bind(), but this function obviously requires every customer to have their AD server public facing with either a public IP or a DNS A record.
It can't be this hard, can it?
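To make concrete what the direct ldap_bind() approach mentioned in the question looks like, and where its reachability requirement comes from, here is an added illustration of a per-tenant bind over LDAPS. It is not the question author's code; the tenant id, hostname `ad.acme.example`, UPN suffix and credentials are constructed placeholders, and the function name `authenticateAgainstTenantAd` is an assumption.

```php
<?php
// Added illustration (not the question author's code): authenticate a user by
// binding as that user against the customer's own AD over LDAPS. All tenant
// values below are constructed placeholders.

// Constructed per-tenant configuration; a real app would load this from its DB.
$tenants = [
    'acme' => [
        'ldap_uri'   => 'ldaps://ad.acme.example:636', // assumed hostname
        'upn_suffix' => 'acme.example',                // assumed UPN suffix
    ],
];

/**
 * Authenticate $username against the tenant's AD by binding as that user.
 * Returns true only when the directory accepts the credentials.
 */
function authenticateAgainstTenantAd(array $tenant, $username, $password)
{
    // Allow only plain sAMAccountName characters so user input cannot inject
    // into the UPN built below. (ldap_escape() would also do, but it needs
    // PHP >= 5.6, newer than the PHP shipped with Ubuntu 14.04.)
    if (!preg_match('/^[A-Za-z0-9._-]{1,64}$/', $username)) {
        return false;
    }
    // An empty password turns ldap_bind() into an unauthenticated bind, which
    // a directory may answer with success. Refuse it before touching the network.
    if ($password === '') {
        return false;
    }

    $conn = @ldap_connect($tenant['ldap_uri']);
    if ($conn === false) {
        return false;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);
    ldap_set_option($conn, LDAP_OPT_NETWORK_TIMEOUT, 5);

    // Bind as the user in UPN form (user@domain), which AD accepts. The '@'
    // suppresses PHP's warning on a failed bind so the result is handled
    // purely as a return value.
    $ok = @ldap_bind($conn, $username . '@' . $tenant['upn_suffix'], $password);
    ldap_unbind($conn);
    return $ok === true;
}

// This call only ever succeeds when ad.acme.example is reachable from the
// application server, which is exactly the exposure problem the question raises.
var_dump(authenticateAgainstTenantAd($tenants['acme'], 'jsmith', 'correct horse'));
```

Two points a practitioner would check here: the LDAPS connection is only as strong as certificate verification on the application host (the OpenLDAP client's `TLS_REQCERT` setting, which PHP inherits, must not be relaxed to `never`), and the explicit empty-password check matters because an unauthenticated bind can otherwise look like a successful login.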