
web single signon - UNIX Programming


  1. #1

    web single signon

    Hello,
    I have to develop a web single signon system for a company and perhaps
    someone has already done a similar project.

    The goal is that the user will be identified with a certificate,
    stored on a usb-token (Aladdin eToken), and that they only have to
    signon once to be able to use all the company wide websites.

    We already put in place a certificate server which works fine and
    imagined to store the information which user has access to which sites
    in an LDAP tree, is this a good idea?

    I am not really sure how I can now manage the single signon on the
    websites, can someone give me an explanation how this will be managed?
    I saw an example where perl-scripts are running in the back of every
    site and interfacing with the LDAP tree to verify the users access
    rights, is this a good idea or are there better possibilities?

    Thanks in advance
    CB
    paul Guest

  2. #2

    Re: web single signon

    paul b spilled the following (to lots of different newsgroups):
     

    Of course there are other possibilities - just about anything you can write
    cgi scripts in, JSP, PHP.... Likewise there's lots of ways of implementing
    the control - an acl pr, only allowing configuring certain CAs on
    certain machines....wait a minute - do you really mean that you want to
    *verify* their access rights? The whole point of certificates is that the
    signature verifies that the client is who they say they are. Surely you
    mean control access?

    Actually, you can do all the access control within the apache config (if U R
    using apache of course) with the SSLRequire directive - but it's likely to
    get messy if you go down this route.

    I'd love to know how you solved the problem of getting the certificate from
    the key into the browser / other applications. I've used a similar system
    which worked OK with Stunnel 'cos it just wants a filename for where to
    find the certificate, but the likes of Mozilla is a bit more complicated,
    and as for the Microsoft certificate store - I could find no documentation
    on how to reference a certificate stored in a known location other than
    importing it into the MS cert store (i.e. copying it to the local hard
    disk).

    C.
    Colin Guest

  3. #3

    Re: web single signon

    In article <google.com>, paul b wrote: 
    Why not use something like Kerberos? It's well designed, has single-sign
    on capabilities, and is extensible enough to use a token on your usb thingy.
    You'll need to actually change the browser though..
    There are some sourceforge projects that implement the web server side.
    IExplorer and IIS already have this capability, though I'm not sure it's
    compliant with the relevant RFC draft.
    Nils Guest

  4. #4

    Re: web single signon

    Hello,
    the problem of "the certificate from the key into the browser / other
    applications" is solved by the eToken RTE, the run time environment of
    the eToken, which automatically initiates the Internet Explorer to
    look for the certificates on the etoken.

    I have found a parameter in the apache config called "SSFakeBasicAuth"
    which forces the clients to authenticate on the webserver using
    certificates. I am trying to use this parameter to manage access to
    the server.

    CB

    Colin McKinnon <deletemeunlessURaBot.com> wrote in message news:<11cZb.2$P11.1newsfe1-win>... 
    >
    > Of course there are other possibilities - just about anything you can write
    > cgi scripts in, JSP, PHP.... Likewise there's lots of ways of implementing
    > the control - an acl pr, only allowing configuring certain CAs on
    > certain machines....wait a minute - do you really mean that you want to
    > *verify* their access rights? The whole point of certificates is that the
    > signature verifies that the client is who they say they are. Surely you
    > mean control access?
    >
    > Actually, you can do all the access control within the apache config (if U R
    > using apache of course) with the SSLRequire directive - but its likely to
    > get messy if you go down this route.
    >
    > I'd love to know how you solved the problem of getting the certificate from
    > the key into the browser / other applications. I've used a similar system
    > which worked OK with Stunnel 'cos it just wants a filename for where to
    > find the certificate, but the likes of Mozilla is a bit more complicated,
    > and as for the Microsoft certificate store - I could find no documentation
    > on how to reference a certificate stored in a known location other than
    > importing it into the MS cert store (i.e. copying it to the local hard
    > disk).
    >
    > C.
    paul Guest

  5. #5

    Re: web single signon

    in comp.unix.misc i read:
     

    actually it's FakeBasicAuth which is an SSLOption, and causes the subject
    dn of the certificate to be translated for use as the http auth username
    and a fixed password of `password'. you can then use an authentication
    module with those credentials.

    --
    a signature
    those Guest
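The Apache arrangement the replies above describe (FakeBasicAuth turning the certificate's subject DN into a Basic-auth username with the constant password `password`), as an added example that is not from the thread: it writes the AuthUserFile entries that setup expects and checks a config fragment for the pitfall the constant password creates. The config fragments and subject DNs below are constructed.

```python
import base64
import hashlib
import re

# With SSLOptions +FakeBasicAuth, mod_ssl hands the client certificate's
# subject DN to the Basic-auth layer as the username, with the constant
# password "password"; every AuthUserFile entry therefore shares one hash.
FAKE_BASIC_AUTH_PASSWORD = "password"

# Constructed config fragments (not from the thread) used by the check below.
GOOD_CONFIG = """
<Location /intranet>
    SSLVerifyClient require
    SSLOptions +FakeBasicAuth +StrictRequire
    AuthType Basic
    AuthName "Certificate holders"
    AuthUserFile /etc/httpd/cert-users.htpasswd
    Require valid-user
</Location>
"""
BAD_CONFIG = GOOD_CONFIG.replace("    SSLVerifyClient require\n", "")


def htpasswd_sha_hash(password: str) -> str:
    """htpasswd's {SHA} format: base64 of the raw SHA-1 digest."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def fake_basic_auth_entries(subject_dns):
    """One AuthUserFile line per certificate subject DN. The DN string must
    match mod_ssl's SSL_CLIENT_S_DN byte for byte (its layout depends on the
    LegacyDNStringFormat option), so copy it from the server, not by hand."""
    pw_hash = htpasswd_sha_hash(FAKE_BASIC_AUTH_PASSWORD)
    return [f"{dn}:{pw_hash}" for dn in subject_dns]


def fake_basic_auth_risks(config_text: str):
    """Flag a FakeBasicAuth block that does not also require a client
    certificate: because the password is a known constant, such a block would
    accept a plain Basic-auth login for any DN listed in the AuthUserFile."""
    findings = []
    if re.search(r"SSLOptions[^\n]*\+FakeBasicAuth", config_text):
        if not re.search(r"SSLVerifyClient\s+require", config_text):
            findings.append("FakeBasicAuth without 'SSLVerifyClient require'")
        if not re.search(r"AuthUserFile\s+\S+", config_text):
            findings.append("FakeBasicAuth without an AuthUserFile")
    return findings
```

The same AuthUserFile must not be reused on a location that does not require a client certificate, since the hash it holds is of a password everyone knows.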

  6. #6

    Re: web single signon

    lu (paul b) writes:
     
    [...]

    Have a look at "cosign":

    http://www.umich.edu/~umweb/software/cosign/

    I found it by chance a little while ago (I was more interested in
    Fugu), but it may be something you can use. The web site has links to
    similar projects at other universities.

    --
    David Magda <dmagda at ee.ryerson.ca>, http://www.magda.ca/
    Because the innovator has for enemies all those who have done well under
    the old conditions, and lukewarm defenders in those who may do well
    under the new. -- Niccolo Machiavelli, _The Prince_, Chapter VI
    David Guest

  7. #7

    Re: web single signon

    lu (paul b) wrote in message news:<google.com>... 

    I have built these for some very large companies. Quite simple
    actually. In a nutshell (at risk of leaving some stuff out) do this.
    You need to decide on 2 things. How will users be centrally
    authenticated and what is your common authorization framework. Pick
    an authentication package such as siteminder that allows you to set a
    cookie with a unique ID and session ID upon successful authentication.
    If the package has an API, simply reference it in the other sites
    prior to login to check for the cookie and verify its validity with
    the authentication server. The user will be logged in automagically
    if you programmed it right. Authorization is done by you as an API or
    security scheme to decide types of users and what they have access to
    and ensure that they only see stuff they are entitled to.

    Hope this helps.

    The Orlok
    The Guest
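The cookie-based scheme described in the post above (a central authentication package sets a cookie carrying a unique user ID and a session ID, and each site checks that cookie against the authentication server), as an added example that is not from the thread or any product it names. `AuthServer`, its signing key and the cookie layout are assumptions; in a deployment the member sites would call `validate` over the server's API rather than in-process.

```python
import hashlib, hmac, secrets, time
from dataclasses import dataclass
from typing import Dict, Optional

@dataclass
class Session:
    user_id: str
    expires_at: float
    revoked: bool = False

class AuthServer:
    """Hypothetical central auth server: it issues the SSO cookie after login
    and is the only party member sites trust to vouch for it."""

    def __init__(self, signing_key: bytes, ttl_seconds: int = 3600):
        self.key, self.ttl = signing_key, ttl_seconds
        self.sessions: Dict[str, Session] = {}

    def _mac(self, user_id: str, session_id: str) -> str:
        msg = f"{user_id}|{session_id}".encode("utf-8")
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()

    def login(self, user_id: str, now: Optional[float] = None) -> str:
        """Cookie value: user ID, random session ID and an HMAC over both,
        so the browser can present the fields but not alter them."""
        if "|" in user_id:
            raise ValueError("user_id must not contain the separator")
        now = time.time() if now is None else now
        session_id = secrets.token_urlsafe(32)
        self.sessions[session_id] = Session(user_id, now + self.ttl)
        return f"{user_id}|{session_id}|{self._mac(user_id, session_id)}"

    def logout(self, session_id: str) -> None:
        if session_id in self.sessions:
            self.sessions[session_id].revoked = True

    def validate(self, cookie: str, now: Optional[float] = None) -> Optional[str]:
        """Each site's check: genuine (HMAC), known, unexpired, not logged out."""
        now = time.time() if now is None else now
        parts = cookie.split("|")
        if len(parts) != 3:
            return None
        user_id, session_id, mac = parts
        if not hmac.compare_digest(mac, self._mac(user_id, session_id)):
            return None
        session = self.sessions.get(session_id)
        if session is None or session.revoked or now >= session.expires_at:
            return None
        return user_id
```

Authorization (which users may see which site) stays with each site, as the post says; the server only answers who the cookie belongs to.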
