Re: used shibboleth
- Subject: Re: used shibboleth
- From: Daniel Beatty <email@hidden>
- Date: Fri, 27 Mar 2009 23:56:33 -0500
Greetings Chuck,
It seems that you are quite correct as I have started to investigate
this issue of SSO-WO. There is a page from Shibboleth that confirms
that REMOTE_USER is the header - environment variable needed
(https://spaces.internet2.edu/display/SHIB2/NativeSPEnableApplication).
What value it gives and how we can use that information is a whole
different story altogether. Would you be willing to advise me on
creating enough of a Shibboleth - WO framework such that we could
make good use of it? The work you did with Cosign and WebAuth may be
highly valuable in working up some "Federated WO Authentication
Framework".
Thank you,
Dan
On Mar 11, 2009, at 10:58 PM, Chuck Hill wrote:
On Mar 11, 2009, at 8:26 PM, TW wrote:
On Mar 11, 2009, at 7:37 PM, Chuck Hill wrote:
On Mar 11, 2009, at 6:31 PM, TW wrote:
All:
Our campus is going to be moving to shibboleth as the preferred
sso authentication system for web apps. Has anyone here had any
experience with deploying web objects apps behind this
authentication mechanism? My understanding is that shibboleth
really operates more at the apache/web server layer. Because of
that I'm wondering what if anything really needs to be done at
the app layer.
Any insights, opinions, experiences, etc., would be gladly
accepted and appreciated.
Tim
Programmer/Analyst III, UCLA GSE&IS
Do you need to know who the user is, or just that they are
authenticated?
Chuck
My apps will definitely need to know who the user is. Apparently,
with shibboleth you can designate somehow that certain data gets
sent back to the requesting server - I think in the http headers.
So, I'm assuming that there's some intention to return something
that will identify the user since other systems on campus are
already using it. And I think I've read that campus wants to
standardize what the returned items are.
I'd think that a very good idea.
If it works as described, it sounds like it has the potential to
make authentication to my apps easier if we choose to use this
instead of our LDAP auth. Have you looked at or used shibboleth
Chuck?
I have looked at it very briefly. I have worked with Cosign and
WebAuth which are somewhat similar. Both of those return the sign-on
ID in the REMOTE_USER header. Shibboleth, IIRC, does not, or does
not guarantee it (something about authenticated yet anonymous
users?). It can make your apps easier to write / manage. If you get
a request (or an HTTPS protected request depending on
configuration), then you can safely assume the request is from an
authenticated user. From there it is a simple matter to examine the
data (usually an HTTP header) to determine user identity.
Chuck
--
Chuck Hill Senior Consultant / VP Development
Practical WebObjects - for developers who want to increase their
overall knowledge of WebObjects or who are trying to solve specific
problems.
http://www.global-village.net/products/practical_webobjects
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Webobjects-dev mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden
Dan Beatty, M.S. CS (B.S. EECS)
Ph.D. Student
Texas Tech University
email@hidden
http://venus.cs.ttu.edu/~dabeatty
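The application-side check discussed in this thread, as an added example that is not from any poster and does not use the WebObjects API: it reads REMOTE_USER from request headers and handles the "authenticated yet anonymous" case. Assumptions: the front-end web server forwards REMOTE_USER as a header and is the only peer that reaches the app; the class name, method name, addresses and sample values are hypothetical.

```java
import java.util.*;

public class FederatedIdentity {
    // Assumption: only the local web server adaptor may assert identity.
    static final Set<String> TRUSTED_PEERS = Set.of("127.0.0.1", "::1");

    /** Returns the user id, or empty when the request is authenticated but carries no identifier. */
    static Optional<String> remoteUser(String peerAddress, Map<String, List<String>> headers) {
        // A header is only as trustworthy as the hop that set it.
        if (!TRUSTED_PEERS.contains(peerAddress)) {
            throw new SecurityException("identity headers accepted only from the front-end web server");
        }
        List<String> values = new ArrayList<>();
        for (Map.Entry<String, List<String>> e : headers.entrySet()) {
            // Header names are case-insensitive; treat hyphen and underscore spellings as one name.
            String name = e.getKey().toLowerCase(Locale.ROOT).replace('-', '_');
            if (name.equals("remote_user")) values.addAll(e.getValue());
        }
        // Two values mean something other than the SSO module also set the header.
        if (values.size() > 1) {
            throw new SecurityException("more than one REMOTE_USER value present");
        }
        if (values.isEmpty() || values.get(0).trim().isEmpty()) return Optional.empty();
        return Optional.of(values.get(0).trim());
    }

    public static void main(String[] args) {
        // Constructed sample requests, not captured traffic.
        Map<String, List<String>> ok = Map.of("REMOTE_USER", List.of("jdoe@example.edu"));
        Map<String, List<String>> anonymous = Map.of("Host", List.of("app.example.edu"));
        Map<String, List<String>> duplicated = Map.of(
            "REMOTE_USER", List.of("jdoe@example.edu"),
            "Remote-User", List.of("someone-else"));

        System.out.println(remoteUser("127.0.0.1", ok));
        System.out.println(remoteUser("127.0.0.1", anonymous));
        try { remoteUser("127.0.0.1", duplicated); }
        catch (SecurityException ex) { System.out.println("rejected: " + ex.getMessage()); }
        try { remoteUser("203.0.113.9", ok); }
        catch (SecurityException ex) { System.out.println("rejected: " + ex.getMessage()); }
    }
}
```

An empty result is the case to design for: the application then has to decide whether an authenticated request without an identifier is allowed in at all.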