CoSign: Collaborative Single Sign-On  
cosign-discuss at umich.edu
general discussion of cosign development and deployment

Re: cosign with multiple kerberos realms

Thanks for the reply Brett,

The underlying krb5 layer should be relatively straightforward I
would think, given that a krb5.conf file can hold info about lots of
realms.  But I guess I was specifically wondering whether a single
cosign weblogin server could be made to do initial authentication from a
pool of user selectable realms (hence my reference to a drop down menu
on the login page).  So there would be explicit control over the allowed
realms (and the weblogin server would need to have service principals in
its keytab file from all of the participating realms).

To give a more specific example, we're toying with the idea of enabling
cosign on some existing web apps that serve two distinct groups: users
with current accounts and alums.  The two groups can't be merged due
to namespace (principal name) collisions, but they could "coexist"
within two distinct krb5 realms.  If our weblogin server could allow
the user to select the realm to which to authenticate then we could
use cosign auth for both groups of users.  Our web apps could readily
distinguish the populations by reading the value of the CGI variable,
"REMOTE_REALM".

Has this sort of thing been discussed before?  I know umich maintains
a collection of different realms...

Ben

* Brett Lomas <b.lomas@xxxxxxxxxxxxxx> [20050310 13:17]:
> I don't believe it has.
> 
> Having said that, most of the code will handle multiple realms already.
> The only problem I could see with this is how you handle an application
> getting an incorrect Kerberos ticket (in a realm it knows nothing about).
> e.g. a user chooses to authenticate to realm A and accesses web service
> X which is part of realm B and gets a Kerberos ticket from the cosign
> server for A. There possibly needs to be a mechanism for the webservers to
> request a ticket in a certain realm, and if not there get the user to
> re-authenticate in that realm?? Unless you can build Kerberos trust?
> (not sure on this)
> 
> Brett
> 
> On Fri, 2005-03-11 at 08:47, Ben Poliakoff wrote:
> > I haven't been able to find much info about how cosign might be able to
> > work with multiple krb5 realms.
> > 
> > Has such functionality (login page featuring a drop down menu of
> > realms) ever been implemented?
> > 
> > Ben
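An added example (not from this thread or the cosign project) of how a web app behind a multi-realm weblogin server could key identity on the (REMOTE_USER, REMOTE_REALM) pair, since the two populations may share bare usernames; the realm names and the per-application allow-list are hypothetical placeholders:

```python
# Constructed per-application realm allow-list mapping each realm to
# the population it holds.  Realm names are hypothetical placeholders.
POPULATIONS = {
    "CURRENT.EXAMPLE.EDU": "current",
    "ALUMNI.EXAMPLE.EDU": "alum",
}


class AuthError(Exception):
    """Raised when the CGI variables do not yield an acceptable identity."""


def identity_from_env(env, allowed=POPULATIONS):
    """Return (canonical_principal, population) from cosign's CGI variables.

    Because the two groups may collide on bare usernames, the application
    must never key on REMOTE_USER alone; the realm is part of the identity.
    A realm this application was not configured for (the "ticket in a realm
    it knows nothing about" case from the thread) is rejected rather than
    silently mapped onto a local account.
    """
    user = env.get("REMOTE_USER", "")
    realm = env.get("REMOTE_REALM", "")
    if not user or not realm:
        raise AuthError("missing REMOTE_USER or REMOTE_REALM")
    if "@" in user:
        # Some deployments pass a full principal; its realm must agree
        # with REMOTE_REALM, otherwise the request is inconsistent.
        user, user_realm = user.rsplit("@", 1)
        if user_realm != realm:
            raise AuthError("REMOTE_USER realm does not match REMOTE_REALM")
    if realm not in allowed:
        raise AuthError(f"realm {realm!r} not accepted by this application")
    return f"{user}@{realm}", allowed[realm]


def is_rejected(env, allowed=POPULATIONS):
    """True if identity_from_env() refuses the given CGI environment."""
    try:
        identity_from_env(env, allowed)
    except AuthError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample environments, not captured request data.
    for realm in ("CURRENT.EXAMPLE.EDU", "ALUMNI.EXAMPLE.EDU", "OTHER.EXAMPLE.EDU"):
        env = {"REMOTE_USER": "ben", "REMOTE_REALM": realm}
        print(realm, "->", "rejected" if is_rejected(env) else identity_from_env(env))
```

The same bare username yields two distinct identities depending on the realm, and a realm outside the allow-list is refused instead of being treated as a local user.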

Copyright © 2002 - 2004 Regents of the University of Michigan :  Page last updated 15-December-2010