CoSign: Collaborative Single Sign-On  

cosign-discuss at
general discussion of cosign development and deployment



It was a late night, so I finally had time to work on implementing

I gave up trying to get Kerberos working because I've never bothered
trying it on these unix boxen before (Debian Sarge) so I figured I'd
give it a go with HTTP Basic Authentication using the basicosign.cgi.
After a while of fiddling, I got this working correctly with the
two boxes, one for the daemon and one for the webserver.  Gotta say,
I hit a number of snags and confusing dead ends via the documentation,
so I will hopefully get what I have documented for others.  Since this
is the test instance, I'll need to re-create it all from scratch on
the real servers anyway, so it'll be a good test.

The one problem with basic authentication is that you don't get a
username/password form with pretty HTML explaining what's going on,
and to have things redirecting around you might think something was
amiss.  So what I did instead was this.

	* Do not require HTTP Basic authentication at all

	* Have the /login/ DirectoryIndex choose my cgi,
	  let's call it "interceptor.cgi".

	* This CGI would present the username/password form.
	  The form is set to POST, and the URL is set to itself
	  including the ?cosign-service-blahblahblah&http://original/...
	  URL uglyness.

	* When you submit, the perl script does a look up against
	  Active Directory using LDAP+SSL.

	* If you're valid, it doesn't print anything, it simply
	  changes the REQUEST_METHOD env variable to GET,
	  the REMOTE_USER to the user it just authenticated, and
	  then exec's basicosign.cgi.

	* If not valid, it presents the page along with helpful
	  error messages, etc., until you get it right.

This seemed like the best solution for me - it didn't involve
re-writing any of the basicosign.cgi functionality, got me around the
kerberos implementation agony (can I say I hate Active Directory?)
and I can have lots of pretty HTML for the user so they know what's
going on.

Anyone have any comments pro or con?

Brian Hatch                  If love is blind,
   Systems and                why is lingerie
   Security Engineer          so popular?

Every message PGP signed

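The interceptor flow described in the post, written out as an added example. This is not code from the post, from the poster's Perl script, or from CoSign; it is a Python CGI that does the same job: render the form, check the credentials against AD over LDAPS, and on success rewrite REQUEST_METHOD and REMOTE_USER and exec basicosign.cgi. The AD server name, UPN suffix, search base, form field names and the path to basicosign.cgi are all assumptions. Two checks the post does not mention are included because an AD lookup script needs them: an empty password must be rejected before the bind (AD treats a bind with a name and empty password as an unauthenticated bind and answers success), and the username must be escaped before it goes into a search filter.

```python
#!/usr/bin/env python3
"""Illustrative interceptor.cgi (added example; not CoSign's code and not
the poster's Perl).  Hypothetical values: AD_URI, AD_DOMAIN, AD_BASE,
BASICOSIGN and the form field names "login" / "password"."""
import html
import os
import sys
import urllib.parse

BASICOSIGN = "/usr/lib/cgi-bin/basicosign.cgi"   # hypothetical path
AD_URI = "ldaps://dc.example.com"                 # hypothetical AD server
AD_DOMAIN = "example.com"                         # hypothetical UPN suffix
AD_BASE = "dc=example,dc=com"                     # hypothetical search base


def ldap_escape(value):
    """Escape a value for an LDAP search filter (RFC 4515) so that a login
    such as 'bob)(|(cn=*' cannot rewrite the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def build_filter(username):
    return "(&(objectClass=user)(sAMAccountName=%s))" % ldap_escape(username)


def validate_credentials(username, password, bind):
    """True only for a non-empty name/password pair that bind() accepts.
    bind(user, password) stands in for an LDAPS simple bind (see ad_bind).
    Empty password: AD answers an unauthenticated bind (RFC 4513 5.1.2)
    with success, so it must never reach the directory."""
    if not username or not password:
        return False
    # Characters AD forbids in sAMAccountName, plus '@' so UPN/DN syntax
    # cannot be smuggled into the bind name; AD caps the name at 20 chars.
    if any(c in username for c in '"/\\[]:;|=,+*?<>@') or len(username) > 20:
        return False
    return bool(bind(username, password))


def ad_bind(username, password):
    """Real LDAPS bind via python-ldap (third-party; not run by the test).
    Binding as user@domain makes AD verify the password; the search then
    confirms the account exists and is a user object."""
    import ldap
    ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)
    conn = ldap.initialize(AD_URI)
    try:
        conn.simple_bind_s("%s@%s" % (username, AD_DOMAIN), password)
        hits = conn.search_s(AD_BASE, ldap.SCOPE_SUBTREE,
                             build_filter(username), ["sAMAccountName"])
        return len(hits) == 1
    except ldap.LDAPError:
        return False
    finally:
        conn.unbind_s()


def self_url(environ):
    """Form action: this script plus the ?cosign-service...&http://... query
    string the CoSign filter appended, so basicosign.cgi sees it unchanged."""
    qs = environ.get("QUERY_STRING", "")
    return environ.get("SCRIPT_NAME", "/login/interceptor.cgi") + ("?" + qs if qs else "")


def render_form(action, error=None):
    msg = '<p class="error">%s</p>' % html.escape(error) if error else ""
    return ('<html><body><h1>Login</h1>%s<form method="POST" action="%s">'
            'User: <input name="login"><br>'
            'Password: <input name="password" type="password"><br>'
            '<input type="submit" value="Log in"></form></body></html>'
            % (msg, html.escape(action)))


def handoff_env(environ, username):
    """Environment for exec'ing basicosign.cgi: make the request look like a
    GET that the web server already authenticated, and drop the POST body
    headers so the child does not try to read a body that is gone."""
    env = dict(environ)
    env.update(REQUEST_METHOD="GET", REMOTE_USER=username, AUTH_TYPE="Basic")
    for k in ("CONTENT_LENGTH", "CONTENT_TYPE"):
        env.pop(k, None)
    return env


def main(environ=os.environ, stdin=sys.stdin, bind=ad_bind):
    action = self_url(environ)
    if environ.get("REQUEST_METHOD") != "POST":
        sys.stdout.write("Content-Type: text/html\r\n\r\n" + render_form(action))
        return
    fields = urllib.parse.parse_qs(stdin.read(int(environ.get("CONTENT_LENGTH") or 0)))
    user = fields.get("login", [""])[0]
    if validate_credentials(user, fields.get("password", [""])[0], bind):
        os.execve(BASICOSIGN, [BASICOSIGN], handoff_env(environ, user))  # no return
    sys.stdout.write("Content-Type: text/html\r\n\r\n"
                     + render_form(action, "Login failed, please try again."))


if __name__ == "__main__":
    main()
```

Two things to keep in mind when deploying a script like this: basicosign.cgi must not be reachable by clients directly, since it trusts whatever REMOTE_USER it is handed, and the form and the exec'd CGI must only ever be served over HTTPS, because the password now travels in a POST body rather than a Basic-auth header.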

Copyright © 2002 - 2004 Regents of the University of Michigan :  Page last updated 15-December-2010