CoSign: Collaborative Single Sign-On  

cosign-discuss at
general discussion of cosign development and deployment

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: cosign with multiple kerberos realms

On 3/10/05 2:47 PM, Ben Poliakoff wrote:

I haven't been able to find much info about how cosign might be able to
work with multiple krb5 realms.
Has such functionality (login page featuring a drop down menu of
realms) ever been implemented?

We're implementing multiple realm support, though not quite in that fashion. (Actually, I have a test server running early code right now, but need to rework it for distribution and newer features coming up in the next CoSign.)

We have two realms: the usual students+faculty+staff+etc one (Access Accounts), plus a "Friends of Penn State" (FPS) realm. There isn't any name collision between the two (in fact, accounts can move between them: when an applicant becomes a student, FPS->Access, when a student graduates, Access->FPS), which simplified our design.

Rather than have a drop-down and/or support "princ@realm" entries (most people don't know the actual realm anyway), we're leaving the login page as-is. The cgi tries to authenticate against the Access realm first, and if that fails, tries the FPS one. The matching K5 realm is set in the REMOTE_REALM.


Copyright © 2002 - 2004 Regents of the University of Michigan :  Page last updated 15-December-2010