Unix Programming newsgroup thread, February 2004: web single signon

paul b 2004-02-18, 10:33 pm
Hello,
I have to develop a web single sign-on system for a company and perhaps
someone has already done a similar project.
The goal is that the user will be identified with a certificate,
stored on a USB token (Aladdin eToken), and that they only have to
sign on once to be able to use all the company-wide websites.
We already put in place a certificate server which works fine and
imagined storing the information on which user has access to which sites
in an LDAP tree; is this a good idea?
I am not really sure how I can now manage the single sign-on on the
websites; can someone give me an explanation of how this will be managed?
I saw an example where Perl scripts are running in the back of every
site and interfacing with the LDAP tree to verify the users' access
rights; is this a good idea or are there better possibilities?
Thanks in advance
CB

Colin McKinnon 2004-02-19, 10:34 am
paul b spilled the following (to lots of different newsgroups):
> Hello,
> I have to develop a web single sign-on system for a company and perhaps
> someone has already done a similar project.
>
> The goal is that the user will be identified with a certificate,
> stored on a USB token (Aladdin eToken), and that they only have to
> sign on once to be able to use all the company-wide websites.
>
> We already put in place a certificate server which works fine and
> imagined storing the information on which user has access to which sites
> in an LDAP tree; is this a good idea?
>
> I am not really sure how I can now manage the single sign-on on the
> websites; can someone give me an explanation of how this will be managed?
> I saw an example where Perl scripts are running in the back of every
> site and interfacing with the LDAP tree to verify the users' access
> rights; is this a good idea or are there better possibilities?
>
Of course there are other possibilities - just about anything you can write
CGI scripts in, JSP, PHP.... Likewise there are lots of ways of implementing
the control - an ACL parser, only allowing configuring certain CAs on
certain machines....wait a minute - do you really mean that you want to
*verify* their access rights? The whole point of certificates is that the
signature verifies that the client is who they say they are. Surely you
mean control access?
Actually, you can do all the access control within the Apache config (if U R
using Apache of course) with the SSLRequire directive - but it's likely to
get messy if you go down this route.
I'd love to know how you solved the problem of getting the certificate from
the key into the browser / other applications. I've used a similar system
which worked OK with Stunnel 'cos it just wants a filename for where to
find the certificate, but the likes of Mozilla is a bit more complicated,
and as for the Microsoft certificate store - I could find no documentation
on how to reference a certificate stored in a known location other than
importing it into the MS cert store (i.e. copying it to the local hard
disk).
C.

Nils O. newsgroup user 2004-02-19, 7:33 pm
In article <1f716d42.0402190325.5a7e7172@posting.google.com>, paul b wrote:
> Hello,
> I have to develop a web single sign-on system for a company and perhaps
> someone has already done a similar project.
>
> The goal is that the user will be identified with a certificate,
> stored on a USB token (Aladdin eToken), and that they only have to
> sign on once to be able to use all the company-wide websites.
>
> We already put in place a certificate server which works fine and
> imagined storing the information on which user has access to which sites
> in an LDAP tree; is this a good idea?
>
> I am not really sure how I can now manage the single sign-on on the
> websites; can someone give me an explanation of how this will be managed?
> I saw an example where Perl scripts are running in the back of every
> site and interfacing with the LDAP tree to verify the users' access
> rights; is this a good idea or are there better possibilities?
>
> Thanks in advance
Why not use something like Kerberos? It's well designed, has single sign-on
capabilities, and is extensible enough to use a token on your USB thingy.
You'll need to actually change the browser though..
There are some SourceForge projects that implement the web server side.
IExplorer and IIS already have this capability, though I'm not sure it's
compliant with the relevant RFC draft.

paul b 2004-02-20, 2:34 am
Hello,
the problem of "the certificate from the key into the browser / other
applications" is solved by the eToken RTE, the run time environment of
the eToken, which automatically initiates the Internet Explorer to
look for the certificates on the eToken.
I have found a parameter in the apache config called "SSFakeBasicAuth"
which forces the clients to authenticate on the webserver using
certificates. I am trying to use this parameter to manage access to
the server.
CB
Colin McKinnon <colin.thisisnotmysurname@ntlworld.deletemeunlessURaBot.com> wrote in message news:<11cZb.2$P11.1@newsfe1-win>...
> paul b spilled the following (to lots of different newsgroups):
>
>
> Of course there are other possibilities - just about anything you can write
> cgi scripts in, JSP, PHP.... Likewise there's lots of ways of implementing
> the control - an acl parser, only allowing configuring certain CAs on
> certain machines....wait a minute - do you really mean that you want to
> *verify* their access rights? The whole point of certificates is that the
> signature verifies that the client is who they say they are. Surely you
> mean control access?
>
> Actually, you can do all the access control within the Apache config (if U R
> using Apache of course) with the SSLRequire directive - but it's likely to
> get messy if you go down this route.
>
> I'd love to know how you solved the problem of getting the certificate from
> the key into the browser / other applications. I've used a similar system
> which worked OK with Stunnel 'cos it just wants a filename for where to
> find the certificate, but the likes of Mozilla is a bit more complicated,
> and as for the Microsoft certificate store - I could find no documentation
> on how to reference a certificate stored in a known location other than
> importing it into the MS cert store (i.e. copying it to the local hard
> disk).
>
> C.

those who know me have no need of my name 2004-02-20, 3:33 pm
in comp.unix.misc i read:
>I have found a parameter in the apache config called "SSFakeBasicAuth"
>which forces the clients to authenticate on the webserver using
>certificates. I am trying to use this parameter to manage access to
>the server.
actually it's FakeBasicAuth, which is an SSLOption, and causes the subject
DN of the certificate to be translated for use as the HTTP auth username
and a fixed password of `password'. you can then use an authentication
module with those credentials.
--
a signature
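The two Apache mechanisms named in this thread, SSLRequire (Colin's post) and SSLOptions +FakeBasicAuth (the post above), side by side in one virtual host. This is an added example, not configuration from anyone in the thread; it targets httpd 2.4 with mod_ssl, and the hostname, file paths, organisation name and the sample DN are assumptions.

```apache
# Added example, not from the thread: an httpd 2.4 + mod_ssl virtual host that
# requires a client certificate issued by the company CA and then controls
# access in two different ways.  Hostname, paths and DN values are assumed.
<VirtualHost *:443>
    ServerName intranet.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/intranet.pem
    SSLCertificateKeyFile /etc/ssl/private/intranet.key

    # The client MUST present a certificate chaining to the company CA; the
    # TLS handshake fails otherwise, so nothing below ever runs for an
    # anonymous client.
    SSLCACertificateFile  /etc/ssl/certs/company-ca.pem
    SSLVerifyClient       require
    SSLVerifyDepth        2
    # A lost or stolen eToken stays usable until its certificate expires
    # unless revocation is checked against the CA's CRL.
    SSLCARevocationFile   /etc/ssl/crl/company-ca.crl
    SSLCARevocationCheck  chain

    # 1. Access control from certificate fields alone (the SSLRequire route):
    #    only certificates from the right organisation and department get in.
    <Location "/hr">
        SSLRequire %{SSL_CLIENT_S_DN_O} eq "Example Corp" \
                   and %{SSL_CLIENT_S_DN_OU} in {"HR", "Payroll"}
    </Location>

    # 2. FakeBasicAuth: the certificate's subject DN becomes the Basic-auth
    #    username and the password is always the literal word "password", so an
    #    ordinary authentication module makes the decision from a user list.
    <Location "/apps">
        SSLOptions +FakeBasicAuth
        AuthType Basic
        AuthName "Company applications"
        AuthBasicProvider file
        AuthUserFile /etc/httpd/cert-users
        Require valid-user
    </Location>
</VirtualHost>

# /etc/httpd/cert-users: one line per permitted certificate subject.  The hash
# is the one the mod_ssl documentation gives for the word "password" (DES crypt).
# httpd 2.4 writes the DN in RFC 2253 form (CN first, comma separated); 2.2
# used the /C=.../CN=... form, so the file must match the server version.
#   CN=Paul B,OU=IT,O=Example Corp,C=LU:xxj31ZMTZzkVA
```

Two caveats a deployment should check. First, because the FakeBasicAuth password is public knowledge, the same AuthUserFile must never be reachable from a virtual host or location where SSLVerifyClient is not `require` (a plain-HTTP listener on port 80, for instance): anyone who knows a DN could then log in with a hand-made Authorization header. Second, the fixed password means the file provider is the natural fit; an LDAP authentication provider would try to bind as the user with "password" as the credential, which is not something you want in the directory.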

David Magda 2004-02-22, 4:34 am
bisibis@pt.lu (paul b) writes:
> I have to develop a web single signon system for a company and
> perhaps someone has already done a similar project.
[...]
Have a look at "cosign":
http://www.umich.edu/~umweb/software/cosign/
I found it by chance a little while ago (I was more interested in
Fugu), but it may be something you can use. The web site has links to
similar projects at other universities.
--
David Magda <dmagda at ee.ryerson.ca>, http://www.magda.ca/
Because the innovator has for enemies all those who have done well under
the old conditions, and lukewarm defenders in those who may do well
under the new. -- Niccolo Machiavelli, _The Prince_, Chapter VI

The Orlok 2004-02-25, 1:34 pm
bisibis@pt.lu (paul b) wrote in message news:<1f716d42.0402190325.5a7e7172@posting.google.com>...
> Hello,
> I have to develop a web single sign-on system for a company and perhaps
> someone has already done a similar project.
>
> The goal is that the user will be identified with a certificate,
> stored on a USB token (Aladdin eToken), and that they only have to
> sign on once to be able to use all the company-wide websites.
>
> We already put in place a certificate server which works fine and
> imagined storing the information on which user has access to which sites
> in an LDAP tree; is this a good idea?
>
> I am not really sure how I can now manage the single sign-on on the
> websites; can someone give me an explanation of how this will be managed?
> I saw an example where Perl scripts are running in the back of every
> site and interfacing with the LDAP tree to verify the users' access
> rights; is this a good idea or are there better possibilities?
>
> Thanks in advance
> CB
I have built these for some very large companies. Quite simple
actually. In a nutshell (at risk of leaving some stuff out) do this.
You need to decide on 2 things. How will users be centrally
authenticated and what is your common authorization framework. Pick
an authentication package such as SiteMinder that allows you to set a
cookie with a unique ID and session ID upon successful authentication.
If the package has an API, simply reference it in the other sites
prior to login to check for the cookie and verify its validity with
the authentication server. The user will be logged in automagically
if you programmed it right. Authorization is done by you as an API or
security scheme to decide types of users and what they have access to
and ensure that they only see stuff they are entitled to.
Hope this helps.
The Orlok
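The cookie-based scheme the post above describes, carried through in working code. This is an added example and not the poster's product or anyone's code from the thread: one authentication server takes the certificate subject that the TLS layer has already verified, sets a domain-wide cookie holding the user ID plus a random session ID, and every member site asks that server whether the cookie is valid before applying its own authorization. The cookie name, domain, session lifetime, the HMAC signing, the server-side session table, and the dictionary standing in for the LDAP entitlement lookup are all assumptions made for the example.

```python
"""Added example (not from the thread): minimal cookie-based web SSO.
The auth server alone holds the signing key and the session table; member
sites only ever call validate().  Names and parameters are assumptions."""
import base64
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

COOKIE_NAME = "SSO"             # assumed cookie name
COOKIE_DOMAIN = ".example.com"  # assumed company domain shared by all member sites
SESSION_TTL = 8 * 3600          # assumed session lifetime in seconds


@dataclass
class Session:
    user: str
    expires: int
    revoked: bool = False


class AuthServer:
    """The single login point.  Issues cookies and answers validity queries."""

    def __init__(self, key: bytes):
        self._key = key
        self._sessions: Dict[str, Session] = {}

    def _mac(self, user: str, sid: str, exp: int) -> str:
        msg = f"{user}|{sid}|{exp}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def login(self, user: str, now: Optional[float] = None) -> str:
        """Called once the TLS front end has verified the client certificate;
        `user` is the certificate subject.  Returns the cookie value."""
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(24)            # 192-bit random session ID
        exp = int(now + SESSION_TTL)
        self._sessions[sid] = Session(user, exp)
        payload = f"{user}|{sid}|{exp}|{self._mac(user, sid, exp)}"
        # base64url keeps the commas and spaces of a DN out of the cookie value
        return base64.urlsafe_b64encode(payload.encode()).decode()

    def validate(self, cookie: str, now: Optional[float] = None) -> Optional[str]:
        """The API member sites call.  Returns the user ID, or None if the cookie
        is forged, expired, or belongs to a logged-out session."""
        now = time.time() if now is None else now
        try:
            payload = base64.urlsafe_b64decode(cookie.encode()).decode()
            user, sid, exp_s, mac = payload.rsplit("|", 3)
            exp = int(exp_s)
        except ValueError:        # bad base64, bad UTF-8, wrong field count, bad int
            return None
        # 1. Integrity: a cookie whose user field was edited has the wrong MAC.
        if not hmac.compare_digest(mac, self._mac(user, sid, exp)):
            return None
        # 2. Server-side state: logout revokes the session even though the
        #    cookie itself is still well formed and correctly signed.
        s = self._sessions.get(sid)
        if s is None or s.revoked or s.user != user:
            return None
        # 3. Lifetime.
        if now >= exp:
            return None
        return user

    def logout(self, cookie: str) -> None:
        try:
            sid = base64.urlsafe_b64decode(cookie.encode()).decode().rsplit("|", 3)[1]
        except (ValueError, IndexError):
            return
        if sid in self._sessions:
            self._sessions[sid].revoked = True


def set_cookie_header(value: str) -> str:
    """Set-Cookie line the auth server emits: scoped to the company domain so
    every member site receives it, HTTPS-only, and invisible to page scripts."""
    return (f"Set-Cookie: {COOKIE_NAME}={value}; Domain={COOKIE_DOMAIN}; "
            f"Path=/; Secure; HttpOnly")


def member_site(auth: AuthServer, cookie_header_value: str, site: str,
                acl: dict, now: Optional[float] = None) -> str:
    """What every member site does before showing its own login page: find the
    SSO cookie in the Cookie header value, ask the auth server whether it is
    valid, then apply the site's own authorization (`acl` maps user -> set of
    permitted sites, standing in for the LDAP lookup the original poster planned)."""
    cookies = {}
    for part in cookie_header_value.split(";"):
        if "=" in part:
            name, val = part.strip().split("=", 1)
            cookies[name] = val
    value = cookies.get(COOKIE_NAME)
    user = auth.validate(value, now) if value else None
    if user is None:
        return "302 redirect to login"   # no valid SSO session: authenticate first
    if site not in acl.get(user, ()):
        return "403 forbidden"           # authenticated, but not entitled to this site
    return f"200 as {user}"


if __name__ == "__main__":
    auth = AuthServer(secrets.token_bytes(32))
    dn = "CN=Paul B,OU=IT,O=Example Corp,C=LU"        # constructed sample subject
    acl = {dn: {"intranet", "wiki"}}                   # constructed entitlements
    cookie = auth.login(dn)
    print(set_cookie_header(cookie))
    print(member_site(auth, f"{COOKIE_NAME}={cookie}", "wiki", acl))
    print(member_site(auth, f"{COOKIE_NAME}={cookie}", "payroll", acl))
    auth.logout(cookie)
    print(member_site(auth, f"{COOKIE_NAME}={cookie}", "wiki", acl))
```

The three checks in `validate` are deliberately separate: the MAC stops a client from editing the user field, the session table lets a logout (or a revoked token) kill a cookie that is otherwise still valid, and the expiry bounds how long a copied cookie is worth. Because the cookie is scoped to the whole company domain, every host under it receives it, so a compromised member site can replay the cookie elsewhere until it is revoked or expires; keeping the session state on the auth server is what makes that window closable.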