CoSign: Collaborative Single Sign-On  

cosign-discuss at
general discussion of cosign development and deployment


RE: Cosign Multi-factor Authentication Spec


Thanks! I am glad we cleared that up. The "-fakedout" parameter is
passed on the back-channel, not on the query string. I assume we all
want to proceed with this design. Sorry, all, for any confusion I
inadvertently caused.


-----Original Message-----
From: Wesley Craig [mailto:wes@xxxxxxxxx] 
Sent: Tuesday, October 11, 2005 8:04 PM
To: Drumm, Daniel
Cc: Carson, Cassandra; Meyer, Seth; Linderman, Mark; cosign-discuss Discussion; Dandamudi, Bindu; Thomas,
Subject: Re: Cosign Multi-factor Authentication Spec

On 11 Oct 2005, at 16:39, Drumm, Daniel wrote:
> Seth mentioned the futility of passing an "OTP=BOGUS" name/value pair
> back in the query string from weblogin. It informs the referring
> filter that the OTP validation wasn't "real", but there is no way of
> informing any further websites of that fact.

There seems to be some confusion here.

Nothing like OTP=BOGUS is passed on any query string.  A protected
application might pass "factors=OTP" on the query string.  The UI would
present OTP as a requirement.  The PAM implementation in the spec is
sensitive to the return value "user_unknown", and appends some string
("-junk" in the example in the spec) to the factor.  The browser would
then be redirected back to whatever URL the application gave as

Back in the application, the filter gets back from the server which
factors, if any, have succeeded.  One such factor might be "OTP-junk".
The filter may have the option "CosignIgnoreFactorSuffix" set to
"-junk", in which case "OTP-junk" and "OTP" would seem to be equivalent
to the filter.  If "CosignIgnoreFactorSuffix" wasn't set, the filter is
able to count "OTP-junk" and "OTP" as different.
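The filter-side comparison described above (the factors the application required versus the factors the server reports back, with CosignIgnoreFactorSuffix optionally making "OTP-junk" equivalent to "OTP") as an added Python illustration; this is not cosign's own code, and the function names and the sample factor list are constructed assumptions.

```python
# Added example, not part of cosign: models a filter deciding whether the
# factors reported by the cosign server satisfy the factors the protected
# application asked for, honoring an optional CosignIgnoreFactorSuffix value.
from typing import Iterable, List, Optional, Tuple


def strip_suffix(factor: str, ignore_suffix: Optional[str]) -> str:
    """Return the factor with the configured suffix removed, if present.

    With CosignIgnoreFactorSuffix unset (None), the name is left untouched,
    so 'OTP-junk' and 'OTP' stay distinct. A factor consisting only of the
    suffix is also left untouched rather than collapsing to an empty name.
    """
    if (ignore_suffix and factor.endswith(ignore_suffix)
            and len(factor) > len(ignore_suffix)):
        return factor[: -len(ignore_suffix)]
    return factor


def evaluate_factors(required: Iterable[str], granted: Iterable[str],
                     ignore_suffix: Optional[str] = None) -> Tuple[bool, List[str]]:
    """Decide whether the granted factors cover every required factor.

    Returns (satisfied, downgraded). `downgraded` lists required factors that
    were covered only through the suffix rule (e.g. 'OTP' met by 'OTP-junk'),
    so the filter can record that the "real" factor was not what succeeded.
    """
    required = list(required)
    exact = set(granted)                                   # names as reported
    effective = {strip_suffix(f, ignore_suffix) for f in exact}  # suffix folded
    downgraded = [f for f in required if f not in exact and f in effective]
    missing = [f for f in required if f not in exact and f not in effective]
    return (not missing), downgraded


def demo() -> dict:
    """Run the thread's scenario: app requires OTP, server reports 'OTP-junk'."""
    required = ["OTP"]
    # Constructed sample of a back-channel factor list; 'PASSWORD' is a stand-in.
    granted = ["PASSWORD", "OTP-junk"]
    return {
        "suffix_unset": evaluate_factors(required, granted),           # (False, [])
        "suffix_-junk": evaluate_factors(required, granted, "-junk"),  # (True, ['OTP'])
    }


if __name__ == "__main__":
    print(demo())
```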


Copyright © 2002 - 2004 Regents of the University of Michigan :  Page last updated 15-December-2010