Re: web single signon

From: paul b (bisibis_at_pt.lu)
Date: 02/20/04


Date: 20 Feb 2004 07:59:49 -0800

Hello,
the problem of "the certificate from the key into the browser / other
applications" is solved by the eToken RTE, the run time environment of
the eToken, which automatically initiates the Internet Explorer to
look for the certificates on the etoken.

I have found a parameter in the apache config called "SSFakeBasicAuth"
which forces the clients to authenticate on the webserver using
certificates. I am trying to use this parameter to manage access to
the server.

CB

Colin McKinnon <colin.thisisnotmysurname@ntlworld.deletemeunlessURaBot.com> wrote in message news:<11cZb.2$P11.1@newsfe1-win>...
> paul b spilled the following (to lots of different newsgroups):
>
> > Hello,
> > I have to develop a web single signon system for a company and perhaps
> > someone has already done a similar project.
> >
> > The goal is that the user will be identified with a certificate,
> > stored on a usb-token (eAladdin eToken), and that they only have to
> > signon once to be able to use all the company wide websites.
> >
> > We already put in place a certificate server which works fine and
> > imagined to store the information which user has access to which sites
> > in an LDAP tree, is this a good idea.
> >
> > I am not really sure how I can now manage the single signon on the
> > websites, can someone give me an explanation how this will be managed.
> > I saw an example where perl-scripts are running in the back of every
> > site and interfacing with the LDAP tree to verify the users access
> > rights, is this a good idea or are there better possibilities
> >
>
> Of course there are other possibilities - just about anything you can write
> cgi scripts in, JSP, PHP.... Likewise there's lots of ways of implementing
> the control - an acl parser, only allowing configuring certain CAs on
> certain machines....wait a minute - do you really mean that you want to
> *verify* their access rights? The whole point of certificates is that the
> signature verifies that the client is who they say they are. Surely you
> mean control access?
>
> Actually, you can do all the access control within the apache config (if U R
> using apache of course) with the SSLRequire directive - but it's likely to
> get messy if you go down this route.
>
> I'd love to know how you solved the problem of getting the certificate from
> the key into the browser / other applications. I've used a similar system
> which worked OK with Stunnel 'cos it just wants a filename for where to
> find the certificate, but the likes of Mozilla is a bit more complicated,
> and as for the Microsoft certificate store - I could find no documentation
> on how to reference a certificate stored in a known location other than
> importing it into the MS cert store (i.e. copying it to the local hard
> disk).
>
> C.
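Both posts point at the same Apache mod_ssl machinery: requiring a client certificate from the company CA, then either filtering on the verified certificate's subject with SSLRequire or turning the subject DN into a Basic-auth user name with FakeBasicAuth so a user file acts as the access list. The configuration below is an added example written for this thread, not Colin's or paul's own setup; the host name, file paths, organisation and OU values are placeholders, and it assumes an Apache 2.2-style mod_ssl and mod_authn_file.

```apache
# Added example (not from the thread): client-certificate access control in mod_ssl.
# All names, paths and DN values are placeholders.
<VirtualHost *:443>
    ServerName intranet.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/server.crt
    SSLCertificateKeyFile /etc/ssl/server.key

    # Accept only client certificates that chain to the company CA.
    # Without "require" here, FakeBasicAuth below would let anyone who
    # knows a listed DN log in with the fixed password.
    SSLCACertificateFile  /etc/ssl/company-ca.crt
    SSLVerifyClient require
    SSLVerifyDepth  2

    <Location /finance>
        # Coarse control entirely in the config (the SSLRequire route):
        # the verified certificate's subject must carry the right O and OU.
        SSLRequire %{SSL_CLIENT_S_DN_O} eq "Example Corp" and \
                   %{SSL_CLIENT_S_DN_OU} in {"Finance", "Audit"}
    </Location>

    <Location /apps>
        # The FakeBasicAuth route: mod_ssl presents the certificate's subject
        # DN as the Basic-auth user name with the fixed password "password",
        # whose crypt() hash is xxj31ZMTZzkVA. The user file is therefore a
        # plain allow-list of DNs, one per line, e.g.
        #   /C=LU/O=Example Corp/OU=Finance/CN=Paul B:xxj31ZMTZzkVA
        SSLOptions +FakeBasicAuth
        AuthType Basic
        AuthName "Client certificate required"
        AuthBasicProvider file
        AuthUserFile /etc/apache2/cert-users
        Require valid-user
    </Location>
</VirtualHost>
```

A DN that is not present in the user file gets a 401 even though its certificate verified, which is what makes the file usable as the per-site access list the original question asks about. The DN string format mod_ssl passes as the user name changed in Apache 2.4 (RFC 2253 form by default), so the entries in the user file must match the format of the Apache version in use.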