Ross Boylan wrote: ...

Without going into the details of the why and the when and the where, let's assume that if the organisation has decided to implement some global authentication scheme, and roll it out over time, then the first thing I would do, before starting to implement my own temporary and maybe conflicting solution, is finding out what this scheme really is, how it works, if it has plugins for Apache or anything else, etc.
Even if the instances that be have temporarily suspended the general rollout for whatever reason, it may still be so that they would welcome anyone willing to look at it and roll it out on his own for a new project. Better still, since their general rollout has been suspended, they may even have some competent people with some free time, to help do so.
And it may also be so that this scheme does have an easy-to-use plugin which does provide an authenticated user-id for Apache to use, and that it allows users to log in only once per day (with a nice login page) no matter what application they want to use, and that it frees the departmental level from taking care of managing user-ids and so on.
One can at least hope, and there would not be much lost by asking.

So let's suppose it does work with Apache (*), and any user hitting this Apache server ends up authenticated from an Apache point of view.
Then it is time to start figuring out how each application running under Apache might get hold of this Apache-level user-id for its own purposes of access-control or authorization or customisation.
And there may be issues there, because not all applications are flexible in how they can get a user-id.
But then there also exists an arsenal of ways in Apache to get hold of the Apache user-id and pass it on to applications in a specific way.
I am thinking of mod_rewrite, request filters, etc.
But without knowing at least what the upper-level authentication method even looks like, it is all a bit pointless to elaborate.
And if the application is not Apache-based, then it may also be the time to go have a look at the support forum for the application in question, and ask if and how it can interface to the global SSO solution.
(*) and if it doesn't, then there would be some serious reason to question the wisdom of the overall scheme, not only by one department, but by many I would presume. Despite many years in this business, and despite having lived through some really interesting cases, I can't quite imagine that an IT department of a large university would adopt a scheme which does not work with Apache.
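
Added example, not part of the original message: a sketch of the application side of what the reply describes, where a Python WSGI application picks up the user-id that Apache has already authenticated. The header name `X-Remote-User`, the `TRUSTED_PROXIES` set and the `app.user` key are assumptions made for illustration; `REMOTE_USER` is the standard CGI variable that Apache sets after successful authentication.

```python
# Assumed: Apache runs on the same host and forwards the user-id in X-Remote-User.
TRUSTED_PROXIES = {"127.0.0.1", "::1"}

def apache_user(environ, trusted_proxies=TRUSTED_PROXIES):
    """Return the user-id authenticated by Apache, or None if there is none."""
    # CGI and mod_wsgi: Apache places the authenticated name in REMOTE_USER.
    user = environ.get("REMOTE_USER")
    if user:
        return user
    # Reverse-proxied application: accept the forwarded header only when the
    # connection comes from the front end itself. The front end must also
    # overwrite any X-Remote-User value supplied by the client.
    if environ.get("REMOTE_ADDR") in trusted_proxies:
        return environ.get("HTTP_X_REMOTE_USER") or None
    return None

def require_apache_user(app):
    """WSGI middleware: refuse requests that carry no front-end identity."""
    def middleware(environ, start_response):
        user = apache_user(environ)
        if user is None:
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"no authenticated user from front end\n"]
        environ["app.user"] = user  # hypothetical key read by the application
        return app(environ, start_response)
    return middleware

def demo_app(environ, start_response):
    """Stand-in application that only uses the user-id for customisation."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [("hello " + environ["app.user"] + "\n").encode()]

def call(app, environ):
    """Run a WSGI app on a constructed environ and return (status, body)."""
    seen = {}
    def start_response(status, headers):
        seen["status"] = status
    body = b"".join(app(environ, start_response))
    return seen["status"], body

if __name__ == "__main__":
    wrapped = require_apache_user(demo_app)
    # Constructed requests: one authenticated by Apache, one spoofing the header.
    print(call(wrapped, {"REMOTE_USER": "alice", "REMOTE_ADDR": "198.51.100.4"}))
    print(call(wrapped, {"HTTP_X_REMOTE_USER": "admin", "REMOTE_ADDR": "203.0.113.7"}))
```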