On 12.12.2012 11:33, Trever L. Adams wrote:
Hello Everyone,
I am looking at Shibboleth. I have seen one example
(http://www.switch.ch/aai/support/presentations/opcom-201105/AAI-OpCom-AAI_for_mandatory_authentication_and_proxy_usage.pdf)
for using it with Squid. I am afraid it makes no sense to me.
I am afraid I do not know much about Shibboleth yet. It has three
components for authentication, user, password, domain. It has to use
redirects, etc.
I see an easy way for this to work, but need help figuring it out.
If a user isn't authenticated, I need to send them to a url.
acl bounce src all
acl auth proxy_auth REQUIRED
deny_info 307:http://example.com/ bounce
http_access deny !auth bounce
... but see below...
How do I know if a user is authenticated? Well, it seems that this is
going to have to be passing the requesting client's ip address to a
program and get the response back if they are authenticated or not.
NOTE: user != IP address. Therefore user authentication doe not imply
IP address is authenticated, particularly in HTTP where one client (IP
address) can be presenting traffic from multiple users.
Essentially stateful connection-based authentication and stateless
HTTP do not mix well - as is constantly being 'discovered' by NTLM
people.
It
would be nice if I could pass a user name, but I am not sure how to
do
this as this would require interaction with the browser and this
should
be SSO.
The ACLs above pass the Proxy-Authenticate header to a helper program
for authentication tests. That header contains username and security
token, sometimes domain if the auth type uses domains.
SSO is a property of the *backend* accepting the credentials supplied
by the client to Squid. SSO is simply the process of the backend
accepting the same credentials from multiple services (Squid being one).
It is no more different than a user signing up at two separate
websites with identical username/password details and being able to
login to both.
So, is it possible to do an auth_param to a special program that just
looks at the ip address? Have it return yes/no for if it is an
authenticated session?
No. auth_param is about verifying that the user is who they say they
are. Cousin Bob arriving in Alices car ('from' IP address) does not
verify that Bob == Alice, only that the vehicle is a car not a truck.
IP can at most be used as an authorization check to make some handling
decision about the particular request. Authorization is done with
external_acl_type helpers.
If no, then do a url_rewrite_access (I am assuming this is correct)?
redirector helper is one way to do it. But these must first accept the
request for processing (http_access allow). It is more efficient to do
the above ACLs I listed and alter the denial message sent by Squid into
a 307 redirect message.
** redirectors like external ACL helpers, do not perform HTTP
authentication. Just authorization.
Finally, is it possible to have multiple authentication algorithms?
When using Proxy-Authenticate: yes of course.
Some
of the users will be local and be able to do krb5/spnego. So, if at
all
possible, I would like to have the option of trying krb5, then
spnego,
then Shibboleth.
I suggest you work along the lines of using an external_acl_type helper
for Shibboleth. Since it is more about authorization of a request to be
processed than authenticating that the source IP is a genuine user
account.
You can use localnet ACL or a similar check for internal/external
clients to skip or require the authentication with Negotiate/kerberos.
Amos