[Opensource] Single sign on
pierre.damas at damas.be
Thu Dec 4 16:25:44 PST 2003
A "classical" cookie for single sign-on would need
a) to contain sensitive information (because on presentation to any
application, it would need to present user identity and the fact that it is
authenticated, so the application has to "trust" the cookie);
b) to be a domain cookie, to be presented to any application of the same
domain; in that case any application on the domain could see the cookie,
take it and impersonate the user towards any service without his knowledge;
c) to be an insecure cookie (presented on HTTP) to allow any application to
receive it, not only SSL applications.
So, it is obviously a weak solution. A more secure solution would be to
"sign" the cookie (with some hash (or the whole cookie) encrypted with the
central authentication server's private key), so that any application could
a) request the authentication server's public key (or have its certificate
installed);
b) validate that the cookie was signed by it.
However, although it attests that the cookie was issued by the
authentication server, it does not assert that the current presenter is
the same as the one that authenticated (cookie stolen).
An additional check could be to include the IP address, but not all proxies
pass the IP address (you get the proxy IP), or the same user
could have a different IP address (renewed by the provider, for example)
between two calls (although it is rare).
Pierre A.
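The signed-cookie check sketched above, as an added example in Python that is not from the post: an HMAC under a server-held key stands in for the private-key signature Pierre describes (the standard library has no RSA), so here every verifying application must hold the key rather than only a public key. The key, userid and IP values are constructed; the point it shows is that a valid signature proves the issuer, not the presenter, and the IP comparison is the only presenter binding.

```python
import base64, hashlib, hmac, json, time

# Constructed demo key (assumption): stands in for the authentication
# server's private key; with HMAC every verifying app must hold it.
SERVER_KEY = b"constructed-demo-key-not-for-real-use"

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_sso_cookie(userid, client_ip, ttl=3600, now=None):
    """Auth server side: sign {userid, ip, expiry} so apps can check the issuer."""
    now = int(time.time()) if now is None else now
    claims = {"uid": userid, "ip": client_ip, "exp": now + ttl}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    tag = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)

def verify_sso_cookie(cookie, presenter_ip, now=None):
    """Application side. Returns (userid, 'ok') or (None, reason).

    The signature proves the auth server issued the cookie; it says nothing
    about who presents it. The IP comparison is the only presenter binding,
    with the proxy and renewed-address caveats the post describes."""
    now = int(time.time()) if now is None else now
    try:
        p, t = cookie.split(".")
        payload, tag = _unb64(p), _unb64(t)
    except ValueError:
        return None, "malformed"
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None, "bad-signature"       # tampered or not from the auth server
    claims = json.loads(payload)
    if claims["exp"] < now:
        return None, "expired"
    if claims["ip"] != presenter_ip:
        return None, "ip-mismatch"         # stolen cookie replayed from elsewhere
    return claims["uid"], "ok"
```

A stolen cookie replayed from the same address as the victim (behind the same proxy, say) still verifies as "ok", which is exactly the gap the post points out.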
----- Original Message -----
From: "avidfly" <avidfly at free.fr>
To: <opensource at jcorporate.com>
Sent: Thursday, December 04, 2003 8:45 PM
Subject: Re: [Opensource] Single sign on
Hello,
I don't see the improvement that way compared to a classical cookie, could you
enlighten me a bit more ...
Thanks
----- Original Message -----
From: <pierre.damas at damas.be>
To: <opensource at jcorporate.com>
Sent: Thursday, December 04, 2003 5:25 PM
Subject: Re: [Opensource] Single sign on
> Have a look at the CAS (Central Authentication Service) of Yale
> University.
>
> http://www.yale.edu/tp/auth/
>
> Basically, it is a web application with a logon page to which your
> application redirects (on HTTPS) the user browser if he has no session and
> no token.
> This Authentication service authenticates the user (with a PasswordHandler
> that you can develop yourself to suit your needs), then redirects (on
> authentication success) to the initial application url, providing as
> parameter a one-time token containing no user identity information. Your
> application, if the user has no session and a token, connects via HTTPS to
> the CAS server, and asks whose token it is. The application server
> provides the userid, and invalidates the token so that it cannot be reused.
> So the window of possibility of replaying the authentication is very short
> (<5 sec)
> (After that time, the CAS invalidates the token anyway).
>
> The Authentication Service also creates an SSO cookie, which is a secure
> (only sent on HTTPS), session (dies when user closes his browser) server
> (only sent to the CAS server) cookie. If this cookie is present when the
> application redirects the browser to the CAS, the CAS bypasses the login
> page presentation and directly redirects to the application with the
> token - so automatic single sign-on for the user.
>
> The CAS comes with several CAS "clients", the most interesting for you
> being a filter to put in your web.xml with some configuration URLs. Works
> nicely.
>
> The hardest configuration part is to get or create a certificate for SSL
> on the CAS server, and to ensure that the calling application trusts that
> certificate (make sure that its Certification Authority is in the keystore
> of your application, or import the certificate itself to trust it).
>
> And of course, it is Open Source.
>
> Pierre A.
>
> P.S. Amongst the other clients, there is an ISAPI filter (that I have not
> checked yet), and an Apache module, allowing you to use your single sign-on
> on other server technologies or with static restricted sites. There are
> also examples for other web technologies (ASP, Perl, Python) so that you
> can have a real single sign-on at your customer's site (at least for all
> web applications, not only Java webapps).
>
> ----- Original Message -----
> From: "larry hamel" <expresso at codeguild.com>
> To: <opensource at jcorporate.com>
> Sent: Monday, December 01, 2003 6:19 AM
> Subject: Re: [Opensource] Single sign on
>
>
> >
> > can you say a bit more?
> >
> > do you have an LDAP directory or a DB that can be accessed by all
> > systems which need sign on?
> >
> > larry
> >
> > At 10:48 AM 11/30/2003, you wrote:
> > >Hi Everybody,
> > >
> > > I am looking for somebody that has implemented single sign
> > >preferably with Expresso. I am thinking about taking that route in
> > >some Expresso code that I am about to undertake, and I have some
> > >questions about the design and what are the gotchas that I have to
> > >watch out for.
> > >Thanks in advance.
> > >
> > >-Tino
> > >
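The CAS ticket exchange described in the quoted message, as an added example in Python that is not CAS's own code: the application side builds the login redirect and extracts the ticket the CAS appends on the way back, and a constructed registry plays the CAS server, issuing an opaque one-time ticket, answering "whose token is it" exactly once and expiring it after the five-second window the message mentions. Binding a ticket to the service URL it was issued for is an assumed extra check; all names and URLs are constructed.

```python
import secrets, time
from urllib.parse import parse_qs, urlencode, urlsplit

def login_redirect_url(cas_base, service_url):
    """Application side: where to send a browser that has no session and no ticket."""
    return cas_base + "/login?" + urlencode({"service": service_url})

def ticket_from_request(request_url):
    """Application side: pull the one-time ticket the CAS appended on redirect back."""
    return parse_qs(urlsplit(request_url).query).get("ticket", [None])[0]

class CasTicketRegistry:
    """CAS server side (constructed stand-in): issue opaque one-time tickets and
    answer 'whose ticket is it?' exactly once, within a short window."""
    TICKET_TTL = 5.0   # seconds, matching the "<5 sec" replay window in the post

    def __init__(self):
        self._tickets = {}   # ticket -> (userid, service_url, issued_at)

    def issue(self, userid, service_url, now=None):
        now = time.time() if now is None else now
        ticket = "ST-" + secrets.token_urlsafe(24)   # random; carries no identity
        self._tickets[ticket] = (userid, service_url, now)
        return ticket

    def validate(self, ticket, service_url, now=None):
        """Returns (userid, 'ok') or (None, reason). The ticket is consumed on
        the first lookup whatever the outcome, so a replay sees 'unknown-or-used'."""
        now = time.time() if now is None else now
        entry = self._tickets.pop(ticket, None)
        if entry is None:
            return None, "unknown-or-used"
        userid, issued_for, issued_at = entry
        if now - issued_at > self.TICKET_TTL:
            return None, "expired"
        if issued_for != service_url:   # assumed check: ticket bound to its service
            return None, "wrong-service"
        return userid, "ok"

    def purge_expired(self, now=None):
        """Housekeeping the post mentions: the CAS invalidates stale tickets anyway."""
        now = time.time() if now is None else now
        stale = [t for t, (_, _, at) in self._tickets.items()
                 if now - at > self.TICKET_TTL]
        for t in stale:
            del self._tickets[t]
        return len(stale)
```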
_______________________________________________
Opensource mailing list
Opensource at jcorporate.com
http://mail.jcorporate.com/mailman/listinfo/opensource
Archives: http://mail.jcorporate.com/pipermail/opensource/